Information disclosure in Gitea
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2018-1000803 |
| CWE-ID | CWE-200 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
Gitea Web applications / Modules and components for CMS |
| Vendor | The Gitea Authors |
Security Bulletin
This security bulletin contains one medium risk vulnerability.
1) Information disclosure
EUVDB-ID: #VU31190
Risk: Medium
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-1000803
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
Gitea version prior to version 1.5.1 contains a CWE-200 vulnerability that can result in Exposure of users private email addresses. This attack appear to be exploitable via Watch a repository to receive email notifications. Emails received contain the other recipients even if they have the email set as private. This vulnerability appears to have been fixed in 1.5.1.
MitigationInstall update from vendor's website.
Vulnerable software versionsGitea: 1.5.0
External linkshttp://github.com/go-gitea/gitea/pull/4664
http://github.com/go-gitea/gitea/pull/4664/files#diff-146e0c2b5bb1ea96c9fb73d509456e57
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
