-
CVSS Score
-Basic Information
Technical Details
Vulnerability Intelligence
Miggo AI
Miggo AIMiggo AI| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| code.gitea.io/gitea | go | < 1.21.2 | 1.21.2 |
Miggo AIRoot Cause AnalysisThe vulnerability allows an anonymous user to access a private user's projects and other information through both the web interface and the API. The root cause is a missing access control check when retrieving user information based on a username from the URL.
The analysis of the patches shows fixes in three main areas:
context.userAssignment: This function is responsible for fetching a user's profile and placing it in the request context. Commit c340e879165f32e91e2317d5dd1707b9f3b5ae0b shows that this function initially lacked any checks for the user's visibility settings (private or limited). It would provide a private user's data to any caller, including anonymous ones. This is a core information leak.web.registerRoutes: This function, which sets up the web UI routes, was missing a security middleware on routes like /{username}/-/projects. Commits 196fcc104e6e9fc78058f1d46e7f94cb45a91ffe and 53bb6ab92a3f0d51b7e870a05adab524914b6117 add this missing check. The vulnerability is this misconfiguration, which allows handlers like repo.Projects to be reached by unauthorized users.api.Routes: Similarly, the function that registers the API v1 routes was also missing the permission check for user-related endpoints. Commit 4e7df1d2bfadb2692d4f150c71c5401438f46907 adds the necessary middleware to secure these API endpoints.While the final implementation of the fix uses middleware at the routing layer, the initial, more direct patch to context.userAssignment clearly indicates it as a fundamental source of the vulnerability. Therefore, all three functions are identified as vulnerable components that, together, created the security flaw.
context.userAssignmentservices/context/user.go
web.registerRoutesrouters/web/web.go
api.Routesrouters/api/v1/api.go