#VU31190 Information disclosure in Gitea - CVE-2018-1000803 

 


Published: October 8, 2018 / Updated: July 17, 2020


Vulnerability identifier: #VU31190
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2018-1000803
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Gitea
Software vendor: The Gitea Authors

Description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

Gitea versions prior to 1.5.1 contain a CWE-200 vulnerability that can result in exposure of users' private email addresses. The attack appears to be exploitable by watching a repository to receive email notifications: the emails received list the other recipients, even those who have set their email address as private. This vulnerability appears to have been fixed in 1.5.1.
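
The exposure described above can be checked for in any notification mailer. The following Go sketch is an added example, not Gitea's code or its actual patch: `compose`, `leakedPrivate`, the per-recipient remedy and the sample addresses are all assumptions made for illustration. It contrasts a single shared message with one message per recipient and reports private addresses that other recipients can see.

```go
package main

import (
	"fmt"
	"net/mail"
	"strings"
)

// compose builds notification mail for rcpts. perRecipient=false is the flawed
// pattern (one message, everyone in To); true sends one message per address.
func compose(rcpts []string, perRecipient bool) []string {
	const tail = "\r\nSubject: [repo] new issue\r\n\r\nbody\r\n"
	if !perRecipient {
		return []string{"To: " + strings.Join(rcpts, ", ") + tail}
	}
	var msgs []string
	for _, r := range rcpts {
		msgs = append(msgs, "To: "+r+tail)
	}
	return msgs
}

// leakedPrivate returns private addresses found in To/Cc of multi-recipient mail.
func leakedPrivate(msgs []string, private map[string]bool) ([]string, error) {
	var leaked []string
	for _, raw := range msgs {
		m, err := mail.ReadMessage(strings.NewReader(raw))
		if err != nil {
			return nil, err // unparseable mail fails the check
		}
		to, _ := m.Header.AddressList("To") // on error (e.g. absent header) the list is nil
		cc, _ := m.Header.AddressList("Cc")
		all := append(to, cc...)
		for _, a := range all {
			if len(all) > 1 && private[a.Address] {
				leaked = append(leaked, a.Address)
			}
		}
	}
	return leaked, nil
}

func main() {
	rcpts := []string{"alice@example.com", "bob@example.com"} // constructed sample
	private := map[string]bool{"bob@example.com": true}
	for _, per := range []bool{false, true} {
		leaked, err := leakedPrivate(compose(rcpts, per), private)
		fmt.Println("perRecipient:", per, "leaked:", leaked, "err:", err)
	}
}
```

A check like `leakedPrivate` fits a mailer's regression tests, run against the messages it would hand to the SMTP layer.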


Remediation

Install update from vendor's website.
