| Severity | CVSS score | Advisory | Package | Affected versions |
|---|---|---|---|---|
| | | (entry truncated at page start; title not present) | | >= 0.9.99, < 1.12.6 |
| CRITICAL | 9.8 | CVE-2022-42968: Gitea vulnerable to Argument Injection | code.gitea.io/gitea | from 0, < 1.17.3 |
| CRITICAL | 9.8 | Reuse of one time passwords allowed in Gitea | code.gitea.io/gitea | from 0, < 1.5.0 |
| CRITICAL | 9.8 | Improper Privilege Management in Gitea | code.gitea.io/gitea | from 0, < 1.15.8 |
| CRITICAL | 9.8 | Capture-replay in Gitea | code.gitea.io/gitea | from 0, < 1.11.2 |
| CRITICAL | 9.1 | Gitea: Cross-Repository Authorization Bypass via Release Attachment Linking Leads to Private Attachment Disclosure | | from 0, < 1.25.4 |
| CRITICAL | 9.1 | Gitea Git LFS Lock Deletion Broken Access Control (Cross-Repo IDOR) | | from 0, < 1.25.4 |
| CRITICAL | 9.1 | Gitea Organization Projects Cross-Organization Authorization Bypass via Project ID (IDOR) | | from 0, < 1.25.4 |
| HIGH | 8.8 | Cross Site Request Forgery in Gitea | github.com/go-gitea/gitea | from 0, < 1.5.2 |
| HIGH | 8.2 | Gitea allows attackers to add attachments with forbidden file extensions | code.gitea.io/gitea | from 0, < 1.23.0 |
| HIGH | 7.5 | Gitea Web Attachment Deletion: Cross-Repository Unauthorized Deletion via Missing Repo Ownership Check | | from 0, < 1.25.4 |
| HIGH | 7.5 | Shell command injection in gitea | code.gitea.io/gitea | from 0, < 1.16.7 |
| HIGH | 7.5 | Arbitrary file deletion in gitea | code.gitea.io/gitea | >= 1.16.3, < 1.16.4 |
| HIGH | 7.5 | Denial of Service in Gitea | code.gitea.io/gitea | from 0, < 1.11.6 |
| HIGH | 7.2 | Arbitrary Code Execution in Gitea | | >= 1.1.0, < 1.12.6 |
| HIGH | 7.1 | Missing Authorization | go-gitea/gitea | from 0, < 1.16.4 |
| HIGH | 7.0 | Buffer Overflow in gitea | code.gitea.io/gitea | >= 1.9.0, < 1.13.2 |
| MEDIUM | 6.5 | Gitea: Broken access control in OpenID visibility toggle enables cross-user visibility changes | | from 0, < 1.25.4 |
| MEDIUM | 6.5 | Gitea Stopwatch API Missing Authorization Check Leads to Post-Revocation Information Disclosure | | from 0, < 1.25.4 |
| MEDIUM | 6.5 | Notification API Leaks Private Repository Issue Titles After Collaborator Permission Revocation | | from 0, < 1.25.4 |
| MEDIUM | 6.5 | Gitea erroneous repo clones | code.gitea.io/gitea | from 0, < 1.17.2 |
| MEDIUM | 6.5 | Gitea allowed assignment of private issues | code.gitea.io/gitea | from 0, < 1.16.9 |
| MEDIUM | 6.1 | Open Redirect on login | go-gitea/gitea | from 0, < 1.16.5 |
| MEDIUM | 6.1 | Cross-site Scripting in Gitea | github.com/go-gitea/gitea | from 0, < 1.5.1 |
| MEDIUM | 6.1 | Open redirect in Gitea | github.com/go-gitea/gitea | from 0, < 1.4.3 |
| MEDIUM | 5.8 | Gitea: anonymous user can visit private user's project | code.gitea.io/gitea | from 0, < 1.21.2 |
| MEDIUM | 5.4 | Gitea vulnerable to Cross-site Scripting | code.gitea.io/gitea | from 0, < 1.20.1 |
| MEDIUM | 5.4 | Gitea allows XSS because the search input box (for creating tags and branches) is v-html instead of v-text | code.gitea.io/gitea | from 0, < 1.22.2 |
| MEDIUM | 5.4 | Cross-site Scripting in Gitea | code.gitea.io/gitea | >= 1.12.0, < 1.12.7; >= 1.13.0, < 1.13.4 |
| MEDIUM | 5.3 | Gitea's /api/v1/user endpoint has different responses for failed authentication depending on whether a username exists | code.gitea.io/gitea | from 0, < 1.25.2 |
| MEDIUM | 5.3 | Gitea inadvertently discloses users' login times by allowing (for example) the lastlogintime explore/users sort order | code.gitea.io/gitea | from 0, < 1.21.8 |
| MEDIUM | 5.3 | Path Traversal in Gitea | code.gitea.io/gitea | from 0, < 1.13.6 |
| MEDIUM | 5.3 | Gitea displaying raw OpenID error in UI | github.com/go-gitea/gitea | from 0, < 1.7.0 |
| MEDIUM | 5.0 | Gitea sometimes mishandles propagation of token scope for access control within one of its own package registries | code.gitea.io/gitea | from 0, < 1.22.2 |
| MEDIUM | 4.9 | Gitea mishandles access to a private resource upon receiving an API token with scope limited to public resources | code.gitea.io/gitea | from 0, < 1.22.3 |
| MEDIUM | 4.4 | Cross-site Scripting (XSS) - Stored | go-gitea/gitea | from 0, < 1.16.9 |
| MEDIUM | 4.3 | Gitea Pull Requests Auto-Merge: Read-Only Users Can Cancel Scheduled Auto-Merge via Web Endpoint (Authorization Bypass) | | from 0, < 1.25.4 |
| MEDIUM | 4.3 | Gitea mishandles authorization for deletion of releases | code.gitea.io/gitea | from 0, < 1.25.2 |
| MEDIUM | 4.3 | Jenkins Gitea Plugin vulnerable to Cleartext Transmission of Sensitive Information | | from 0, < 1.4.5 |
| LOW | 3.5 | Gitea Release Email Notifications Leak Private Repository Release Details After Access Revocation | | from 0, < 1.25.4 |
| LOW | 3.1 | Gitea doesn't adequately enforce branch deletion permissions after merging a pull request | code.gitea.io/gitea | from 0, < 1.22.5 |
| LOW | 3.0 | Open Redirect | go-gitea/gitea | from 0, < 1.19.4 |