CVE-2019-1000002: Gitea Arbitrary File Delete Vulnerability

May 13, 2022 (updated April 24, 2024)

Gitea version 1.6.2 and earlier contains a Incorrect Access Control vulnerability in Delete/Edit file functionallity that can result in the attacker deleting files outside the repository he/she has access to. This attack appears to be exploitable via the attacker must get write access to “any” repository including self-created ones. This vulnerability appears to have been fixed in 1.6.3, 1.7.0-rc2.

References

github.com/advisories/GHSA-j99q-rwp6-498g
github.com/go-gitea/gitea
github.com/go-gitea/gitea/pull/5631
nvd.nist.gov/vuln/detail/CVE-2019-1000002

Detect and mitigate CVE-2019-1000002 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →