Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2025-68941

Опубликовано: 26 дек. 2025
Источник: redhat
CVSS3: 4.9
EPSS Низкий

Описание

Gitea before 1.22.3 mishandles access to a private resource upon receiving an API token with scope limited to public resources.

A flaw was found in Gitea. An attacker with an API token intended for public resources could exploit this vulnerability to gain unauthorized access to private resources. This misconfiguration allows for a bypass of access controls, potentially leading to information disclosure from private repositories or other sensitive data.

Отчет

This vulnerability is rated Moderate for Red Hat OpenShift Pipelines. An attacker with a public-scoped API token could gain unauthorized access to private resources due to a misconfiguration in Gitea. This affects OpenShift Pipelines in update streams 1.16, 1.17, and 1.18. OpenShift Pipelines in update streams 1.19 and 1.20 are not affected as the vulnerable code is not present.

Меры по смягчению последствий

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
OpenShift Pipelinesopenshift-pipelines/pipelines-pipelines-as-code-cli-rhel8Out of support scope
OpenShift Pipelinesopenshift-pipelines/pipelines-pipelines-as-code-cli-rhel9Out of support scope
OpenShift Pipelinesopenshift-pipelines/pipelines-pipelines-as-code-controller-rhel8Out of support scope
OpenShift Pipelinesopenshift-pipelines/pipelines-pipelines-as-code-controller-rhel9Out of support scope
OpenShift Pipelinesopenshift-pipelines/pipelines-pipelines-as-code-watcher-rhel8Out of support scope
OpenShift Pipelinesopenshift-pipelines/pipelines-pipelines-as-code-watcher-rhel9Out of support scope
OpenShift Pipelinesopenshift-pipelines/pipelines-pipelines-as-code-webhook-rhel8Out of support scope
OpenShift Pipelinesopenshift-pipelines/pipelines-pipelines-as-code-webhook-rhel9Out of support scope

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate
Дефект:
CWE-863
https://bugzilla.redhat.com/show_bug.cgi?id=2425457gitea: Gitea: Unauthorized access to private resources via public-scoped API tokens

EPSS

Процентиль: 2%
0.00013
Низкий

4.9 Medium

CVSS3

Связанные уязвимости

ubuntu логотип

CVE-2025-68941

CVSS3: 4.9
ubuntu
3 месяца назад

Gitea before 1.22.3 mishandles access to a private resource upon receiving an API token with scope limited to public resources.

nvd логотип

CVE-2025-68941

CVSS3: 4.9
nvd
3 месяца назад

Gitea before 1.22.3 mishandles access to a private resource upon receiving an API token with scope limited to public resources.

debian логотип

CVE-2025-68941

CVSS3: 4.9
debian
3 месяца назад

Gitea before 1.22.3 mishandles access to a private resource upon recei ...

redos логотип

ROS-20260224-73-0034

CVSS3: 5.3
redos
около 1 месяца назад

Уязвимость gitea

github логотип

GHSA-xfq3-qj7j-4565

CVSS3: 4.9
github
3 месяца назад

Gitea mishandles access to a private resource upon receiving an API token with scope limited to public resources

EPSS

Процентиль: 2%
0.00013
Низкий

4.9 Medium

CVSS3