Package gitea updated to version 1.16.9-alt1 for branch sisyphus in task 304434.

Published: 2022-05-29
Modified: 2024-11-21

CVE-2022-1928

Cross-site Scripting (XSS) - Stored in GitHub repository go-gitea/gitea prior to 1.16.9.

Severity: MEDIUM (5.4) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

References:

https://github.com/go-gitea/gitea/commit/65e0688a5c9dacad50e71024b7529fdf0e3c2e9c
https://github.com/go-gitea/gitea/commit/65e0688a5c9dacad50e71024b7529fdf0e3c2e9c
https://huntr.dev/bounties/6336ec42-5c4d-4f61-ae38-2bb539f433d2
https://huntr.dev/bounties/6336ec42-5c4d-4f61-ae38-2bb539f433d2
GLSA-202210-14
GLSA-202210-14

Published: 2022-08-12
Modified: 2024-11-21

CVE-2022-38183

In Gitea before 1.16.9, it was possible for users to add existing issues to projects. Due to improper access controls, an attacker could assign any issue to any project in Gitea (there was no permission check for fetching the issue). As a result, the attacker would get access to private issue titles.

Severity: MEDIUM (6.5) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References:

https://blog.gitea.io/2022/07/gitea-1.16.9-is-released/
https://herolab.usd.de/security-advisories/usd-2022-0015/
GLSA-202210-14
https://blog.gitea.io/2022/07/gitea-1.16.9-is-released/
GLSA-202210-14
https://herolab.usd.de/security-advisories/usd-2022-0015/

Version: 2.1.0

Package gitea update in sisyphus on 2022-07-28

ALT-PU-2022-2311-1

Closed vulnerabilities

CVE-2022-1928

CVE-2022-38183