The vulnerability lies in the API endpoints responsible for editing attachments in Gitea. Specifically, the functions EditIssueAttachment, EditIssueCommentAttachment, and EditReleaseAttachment were vulnerable. These functions allowed users to change the name of an attachment. However, before the patch, these functions directly called the repo_model.UpdateAttachment function, which did not perform any validation on the new filename to ensure it complied with the configured file extension restrictions (setting.Attachment.AllowedTypes).
The patch addresses this by introducing a new function, attachment_service.UpdateAttachment. This new function acts as a wrapper around repo_model.UpdateAttachment. Before calling the database model function, it calls upload.Verify to check if the new filename has an allowed extension. The upload.Verify function itself was also updated to correctly handle cases where only the filename is provided, without the file content, which is the scenario when an attachment is renamed.
Therefore, any runtime profile during the exploitation of this vulnerability would show one of the vulnerable API handler functions (EditIssueAttachment, EditIssueCommentAttachment, or EditReleaseAttachment) in the stack trace, as they were the entry points for the malicious request.
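The check described above, reduced to its essentials as an added example (this is illustrative code, not Gitea's own implementation): a rename path that writes the new name straight to storage sits beside a wrapper that first validates the extension against a comma-separated allowlist, and the validation works when only the filename is known. The names verifyFilename, updateAttachment, updateAttachmentUnchecked and the Attachment type are assumptions, and the allowlist is treated as extensions only.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrFileTypeForbidden is returned when a filename's extension is not on the allowlist.
var ErrFileTypeForbidden = errors.New("file type is not allowed")

// Attachment is a minimal stand-in (assumption, not Gitea's model) for a stored upload.
type Attachment struct {
	ID   int64
	Name string
}

// verifyFilename checks the extension of name against allowedTypes (e.g. ".png,.zip").
// content may be nil: a rename supplies only the new name, so the check must not
// depend on having the file bytes. An empty allowlist means "no restriction".
func verifyFilename(content []byte, name string, allowedTypes string) error {
	allowed := strings.TrimSpace(allowedTypes)
	if allowed == "" {
		return nil
	}
	// Compare the last extension only, case-insensitively; "a.png.exe" is ".exe",
	// and a name with no extension never matches an explicit allowlist.
	ext := strings.ToLower(filepath.Ext(name))
	if ext == "" || ext == "." {
		return ErrFileTypeForbidden
	}
	for _, t := range strings.Split(allowed, ",") {
		if strings.ToLower(strings.TrimSpace(t)) == ext {
			return nil
		}
	}
	_ = content // content-based checks would go here when bytes are available
	return ErrFileTypeForbidden
}

// updateAttachmentUnchecked models the pre-patch behaviour: the new name is
// persisted without any validation.
func updateAttachmentUnchecked(store map[int64]*Attachment, id int64, newName string) error {
	a, ok := store[id]
	if !ok {
		return errors.New("attachment not found")
	}
	a.Name = newName
	return nil
}

// updateAttachment is the hardened wrapper: validate first, persist only on success.
func updateAttachment(store map[int64]*Attachment, id int64, newName, allowedTypes string) error {
	if err := verifyFilename(nil, newName, allowedTypes); err != nil {
		return fmt.Errorf("rename to %q rejected: %w", newName, err)
	}
	return updateAttachmentUnchecked(store, id, newName)
}

func main() {
	// Constructed sample state: one attachment, allowlist of two extensions.
	store := map[int64]*Attachment{1: {ID: 1, Name: "report.png"}}
	const allowed = ".png,.zip"

	fmt.Println("unchecked rename:", updateAttachmentUnchecked(store, 1, "report.exe"), "->", store[1].Name)
	store[1].Name = "report.png"
	fmt.Println("checked rename:  ", updateAttachment(store, 1, "report.exe", allowed), "->", store[1].Name)
	fmt.Println("checked rename:  ", updateAttachment(store, 1, "archive.ZIP", allowed), "->", store[1].Name)
}
```

The wrapper returns before touching storage, so a rejected rename leaves the record unchanged; that is the property worth asserting in a regression test for this class of bug.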
| Handler | File |
|---|---|
| EditIssueAttachment | routers/api/v1/repo/issue_attachment.go |
| EditIssueCommentAttachment | routers/api/v1/repo/issue_comment_attachment.go |
| EditReleaseAttachment | routers/api/v1/repo/release_attachment.go |
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| code.gitea.io/gitea | go | < 1.23.0 | |