Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2026-20897

Опубликовано: 22 янв. 2026
Источник: redhat
CVSS3: 9.1
EPSS Низкий

Описание

Gitea does not properly validate repository ownership when deleting Git LFS locks. A user with write access to one repository may be able to delete LFS locks belonging to other repositories.

An access control flaw has been discovered in Gitea. Gitea does not properly validate repository ownership when deleting Git LFS locks. A user with write access to one repository may be able to delete LFS locks belonging to other repositories.

Меры по смягчению последствий

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
OpenShift Pipelinesopenshift-pipelines/pipelines-opc-rhel9Not affected
OpenShift Pipelinesopenshift-pipelines/pipelines-pipelines-as-code-cli-rhel8Not affected
OpenShift Pipelinesopenshift-pipelines/pipelines-pipelines-as-code-cli-rhel9Not affected
OpenShift Pipelinesopenshift-pipelines/pipelines-pipelines-as-code-controller-rhel8Not affected
OpenShift Pipelinesopenshift-pipelines/pipelines-pipelines-as-code-controller-rhel9Not affected
OpenShift Pipelinesopenshift-pipelines/pipelines-pipelines-as-code-watcher-rhel8Not affected
OpenShift Pipelinesopenshift-pipelines/pipelines-pipelines-as-code-watcher-rhel9Not affected
OpenShift Pipelinesopenshift-pipelines/pipelines-pipelines-as-code-webhook-rhel8Not affected
OpenShift Pipelinesopenshift-pipelines/pipelines-pipelines-as-code-webhook-rhel9Not affected

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Critical
Дефект:
CWE-639
https://bugzilla.redhat.com/show_bug.cgi?id=2432204gitea: Gitea Git LFS Lock Deletion Broken Access Control (Cross-Repo IDOR)

EPSS

Процентиль: 3%
0.00015
Низкий

9.1 Critical

CVSS3

Связанные уязвимости

nvd логотип

CVE-2026-20897

CVSS3: 9.1
nvd
2 месяца назад

Gitea does not properly validate repository ownership when deleting Git LFS locks. A user with write access to one repository may be able to delete LFS locks belonging to other repositories.

debian логотип

CVE-2026-20897

CVSS3: 9.1
debian
2 месяца назад

Gitea does not properly validate repository ownership when deleting Gi ...

redos логотип

ROS-20260224-73-0030

CVSS3: 9.1
redos
около 1 месяца назад

Уязвимость gitea

github логотип

GHSA-393c-qgvj-3xph

github
2 месяца назад

Gitea does not properly validate repository ownership when deleting Git LFS locks

EPSS

Процентиль: 3%
0.00015
Низкий

9.1 Critical

CVSS3