CVE-2023-49946

Sažetak

In Forgejo before 1.20.5-1, certain endpoints do not check whether an object belongs to a repository for which permissions are being checked. This allows remote attackers to read private issues, read private pull requests, delete issues, and perform other unauthorized actions.

Reference

https://about.gitea.com/security
https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md
https://forgejo.org/2023-11-release-v1-20-5-1/
https://github.com/gogs/gogs/security

CVSS

Base:	9.1
Impact:	5.2
Exploitability:	3.9

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
HIGH	HIGH	NONE

CVSS vektor

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Zadnje važnije ažuriranje

07-12-2023 - 14:52

Objavljeno

03-12-2023 - 19:15