Описание
Gitea does not properly validate repository ownership when linking attachments to releases. An attachment uploaded to a private repository could potentially be linked to a release in a different public repository, making it accessible to unauthorized users.
An access control flaw has been discovered in Gitea. Gitea does not properly validate repository ownership when linking attachments to releases. An attachment uploaded to a private repository could potentially be linked to a release in a different public repository, making it accessible to unauthorized users.
Меры по смягчению последствий
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| OpenShift Pipelines | openshift-pipelines/pipelines-opc-rhel9 | Not affected | ||
| OpenShift Pipelines | openshift-pipelines/pipelines-pipelines-as-code-cli-rhel8 | Not affected | ||
| OpenShift Pipelines | openshift-pipelines/pipelines-pipelines-as-code-cli-rhel9 | Not affected | ||
| OpenShift Pipelines | openshift-pipelines/pipelines-pipelines-as-code-controller-rhel8 | Not affected | ||
| OpenShift Pipelines | openshift-pipelines/pipelines-pipelines-as-code-controller-rhel9 | Not affected | ||
| OpenShift Pipelines | openshift-pipelines/pipelines-pipelines-as-code-watcher-rhel8 | Not affected | ||
| OpenShift Pipelines | openshift-pipelines/pipelines-pipelines-as-code-watcher-rhel9 | Not affected | ||
| OpenShift Pipelines | openshift-pipelines/pipelines-pipelines-as-code-webhook-rhel8 | Not affected | ||
| OpenShift Pipelines | openshift-pipelines/pipelines-pipelines-as-code-webhook-rhel9 | Not affected |
Показывать по
Ссылки на источники
Дополнительная информация
Статус:
EPSS
9.1 Critical
CVSS3
Связанные уязвимости
Gitea does not properly validate repository ownership when linking attachments to releases. An attachment uploaded to a private repository could potentially be linked to a release in a different public repository, making it accessible to unauthorized users.
Gitea does not properly validate repository ownership when linking att ...
Gitea does not properly validate repository ownership when linking attachments to releases
EPSS
9.1 Critical
CVSS3