Is CVE-2022-38183 being actively exploited?

It is not currently in CISA's KEV catalog. Its EPSS exploitation probability is 1%.

What products does CVE-2022-38183 affect?

Tracked products affected include Gitea. Check the version you run to see whether it is affected.

How do I fix CVE-2022-38183?

Apply the vendor fix in your normal patch cycle. Upgrade affected products to a fixed version.

CVE-2022-38183

Q: What is CVE-2022-38183?

CVE-2022-38183 is a medium-severity software vulnerability (Missing authorization) with a CVSS score of 6.5. In Gitea before 1.16.9, it was possible for users to add existing issues to projects. Due to improper access controls, an attacker could assign any issue to any project in Gitea (there was no permission check for fetching the issue). As a r

MEDIUM severity · CVSS 6.5 · Missing authorization

6.5CVSS MEDIUM

Summary

In Gitea before 1.16.9, it was possible for users to add existing issues to projects. Due to improper access controls, an attacker could assign any issue to any project in Gitea (there was no permission check for fetching the issue). As a result, the attacker would get access to private issue titles.

Impact & exploitability

Attack vectorNetwork

Attack complexityLow

Privileges requiredLow

User interactionNone

Confidentiality impactHigh

Integrity impactNone

Availability impactNone

Exploit probability (EPSS)1%

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Affected products we track (1)

Gitea

Recommendation

Apply the vendor fix in your normal patch cycle. Open any affected product above for its exact safe version.

Additional information

NVD record
https://blog.gitea.io/2022/07/gitea-1.16.9-is-released/Advisory
https://herolab.usd.de/security-advisories/usd-2022-0015/
https://security.gentoo.org/glsa/202210-14Advisory