exploitDog

CVE-2025-68939

Published: 26 Dec 2025
Source: redhat
CVSS3: 8.2
EPSS: Low

Description

Gitea before 1.23.0 allows attackers to add attachments with forbidden file extensions by editing an attachment name via an attachment API.

A flaw was found in Gitea. An attacker can exploit this issue by editing an attachment name via the attachment API, allowing attachments with forbidden file extensions to be added, bypassing security controls and potentially resulting in unauthorized data modification or execution of malicious content.
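
The pattern behind this flaw, as an added illustration that is not Gitea's own code: an allow-list that is enforced when an attachment is uploaded but skipped when its name is edited. The attachment type, the `Upload`/`Rename*` functions and the allow-list contents are hypothetical; `RenameFixed` shows the check the edit path needs.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// Hypothetical allow-list of upload extensions (constructed for this example).
var allowedExts = map[string]bool{".png": true, ".jpg": true, ".txt": true, ".zip": true}

// Attachment is a hypothetical stored attachment record.
type Attachment struct {
	Name string
}

// extAllowed checks the extension (case-insensitive); a name with no
// extension yields "" and is rejected.
func extAllowed(name string) bool {
	return allowedExts[strings.ToLower(filepath.Ext(name))]
}

// Upload enforces the allow-list at creation time.
func Upload(name string) (*Attachment, error) {
	if !extAllowed(name) {
		return nil, fmt.Errorf("upload rejected: extension of %q is not allowed", name)
	}
	return &Attachment{Name: name}, nil
}

// RenameVulnerable mirrors the flaw described above: the edit path
// stores the new name without re-validating its extension.
func RenameVulnerable(a *Attachment, newName string) error {
	a.Name = newName
	return nil
}

// RenameFixed applies the same allow-list check to the edited name,
// so a rename cannot reach an extension that an upload would refuse.
func RenameFixed(a *Attachment, newName string) error {
	if !extAllowed(newName) {
		return fmt.Errorf("rename rejected: extension of %q is not allowed", newName)
	}
	a.Name = newName
	return nil
}

func main() {
	a, _ := Upload("notes.txt")
	_ = RenameVulnerable(a, "notes.exe")
	fmt.Println("vulnerable path stored:", a.Name)
	b, _ := Upload("notes.txt")
	fmt.Println("fixed path:", RenameFixed(b, "notes.exe"), "stored:", b.Name)
}
```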

Statement

While this issue allows a forbidden file to exist in the server, it does not automatically execute it. An attack depends on how the underlying server is configured, such as the availability of script interpreters or directories with execute permissions, limiting the likelihood of a successful exploitation. Additionally, an attacker must convince a user to click, download or open the renamed attachment, limiting the impact of this issue. Due to these reasons, this flaw has been rated with an important severity.

Mitigation

Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.

Affected packages

Platform | Package | Status | Recommendation | Release
OpenShift Pipelines | openshift-pipelines/pipelines-pipelines-as-code-cli-rhel8 | Will not fix | |
OpenShift Pipelines | openshift-pipelines/pipelines-pipelines-as-code-cli-rhel9 | Affected | |
OpenShift Pipelines | openshift-pipelines/pipelines-pipelines-as-code-controller-rhel8 | Will not fix | |
OpenShift Pipelines | openshift-pipelines/pipelines-pipelines-as-code-controller-rhel9 | Affected | |
OpenShift Pipelines | openshift-pipelines/pipelines-pipelines-as-code-watcher-rhel8 | Will not fix | |
OpenShift Pipelines | openshift-pipelines/pipelines-pipelines-as-code-watcher-rhel9 | Affected | |
OpenShift Pipelines | openshift-pipelines/pipelines-pipelines-as-code-webhook-rhel8 | Will not fix | |
OpenShift Pipelines | openshift-pipelines/pipelines-pipelines-as-code-webhook-rhel9 | Affected | |

Additional information

Status: Important
Weakness: CWE-424
https://bugzilla.redhat.com/show_bug.cgi?id=2425460 (gitea: attachments can be renamed to forbidden file extensions via the attachment API)

EPSS: 0.00013 (percentile 2%, Low)
CVSS3: 8.2 High

Related vulnerabilities

CVSS3: 8.2
ubuntu
3 months ago

Gitea before 1.23.0 allows attackers to add attachments with forbidden file extensions by editing an attachment name via an attachment API.

CVSS3: 8.2
nvd
3 months ago

Gitea before 1.23.0 allows attackers to add attachments with forbidden file extensions by editing an attachment name via an attachment API.

CVSS3: 8.2
debian
3 months ago

Gitea before 1.23.0 allows attackers to add attachments with forbidden ...

CVSS3: 5.3
redos
about 1 month ago

gitea vulnerability

CVSS3: 8.2
github
3 months ago

Gitea allows attackers to add attachments with forbidden file extensions
