Описание
Gitea before 1.22.2 sometimes mishandles the propagation of token scope for access control within one of its own package registries.
A flaw was found in Gitea, a self-hosted Git service. This vulnerability allows an authenticated user to bypass access controls within its package registries. This occurs because the system improperly handles the propagation of token scope, which defines what actions a token is allowed to perform. As a result, an attacker could potentially make unauthorized changes to data or resources in the package registries.
Отчет
This vulnerability is rated Moderate for Red Hat. An authenticated user could bypass access controls within Gitea's package registries due to improper token scope propagation. This affects OpenShift Pipelines versions 1.16 and 1.17. OpenShift Pipelines versions 1.18, 1.19, and 1.20 are not affected as the vulnerable code is not present.
Меры по смягчению последствий
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| OpenShift Pipelines | openshift-pipelines/pipelines-pipelines-as-code-cli-rhel8 | Out of support scope | ||
| OpenShift Pipelines | openshift-pipelines/pipelines-pipelines-as-code-cli-rhel9 | Not affected | ||
| OpenShift Pipelines | openshift-pipelines/pipelines-pipelines-as-code-controller-rhel8 | Out of support scope | ||
| OpenShift Pipelines | openshift-pipelines/pipelines-pipelines-as-code-controller-rhel9 | Not affected | ||
| OpenShift Pipelines | openshift-pipelines/pipelines-pipelines-as-code-watcher-rhel8 | Out of support scope | ||
| OpenShift Pipelines | openshift-pipelines/pipelines-pipelines-as-code-watcher-rhel9 | Not affected | ||
| OpenShift Pipelines | openshift-pipelines/pipelines-pipelines-as-code-webhook-rhel8 | Out of support scope | ||
| OpenShift Pipelines | openshift-pipelines/pipelines-pipelines-as-code-webhook-rhel9 | Not affected |
Показывать по
Дополнительная информация
Статус:
EPSS
5 Medium
CVSS3
Связанные уязвимости
Gitea before 1.22.2 sometimes mishandles the propagation of token scope for access control within one of its own package registries.
Gitea before 1.22.2 sometimes mishandles the propagation of token scope for access control within one of its own package registries.
Gitea before 1.22.2 sometimes mishandles the propagation of token scop ...
Gitea sometimes mishandles propagation of token scope for access control within one of its own package registries
EPSS
5 Medium
CVSS3