x/vulndb: potential Go vuln in github.com/go-gitea/gitea: CVE-2019-1000002

[tatianab]

CVE-2019-1000002 references github.com/go-gitea/gitea, which may be a Go module.

Description:
Gitea version 1.6.2 and earlier contains a Incorrect Access Control vulnerability in Delete/Edit file functionallity that can result in the attacker deleting files outside the repository he/she has access to. This attack appears to be exploitable via the attacker must get write access to "any" repository including self-created ones.. This vulnerability appears to have been fixed in 1.6.3, 1.7.0-rc2.

References:

• NIST: https://nvd.nist.gov/vuln/detail/CVE-2019-1000002
• fix: SECURITY: prevent DeleteFilePost doing arbitrary deletion go-gitea/gitea#5631
• Imported by: https://pkg.go.dev/github.com/go-gitea/gitea?tab=importedby

Cross references:

• Module github.com/go-gitea/gitea appears in issue x/vulndb: potential Go vuln in github.com/go-gitea/gitea: CVE-2021-45325 #308 EFFECTIVELY_PRIVATE
• Module github.com/go-gitea/gitea appears in issue x/vulndb: potential Go vuln in github.com/go-gitea/gitea: CVE-2021-45326 #309 EFFECTIVELY_PRIVATE
• Module github.com/go-gitea/gitea appears in issue x/vulndb: potential Go vuln in github.com/go-gitea/gitea: CVE-2021-45327 #310 EFFECTIVELY_PRIVATE
• Module github.com/go-gitea/gitea appears in issue x/vulndb: potential Go vuln in github.com/go-gitea/gitea: CVE-2021-45329 #314 EFFECTIVELY_PRIVATE
• Module github.com/go-gitea/gitea appears in issue x/vulndb: potential Go vuln in github.com/go-gitea/gitea: CVE-2021-45331 #315 EFFECTIVELY_PRIVATE
• Module github.com/go-gitea/gitea appears in issue x/vulndb: potential Go vuln in github.com/go-gitea/gitea: CVE-2021-29134 #353 EFFECTIVELY_PRIVATE
• Module github.com/go-gitea/gitea appears in issue x/vulndb: potential Go vuln in github.com/go-gitea/gitea: CVE-2022-27313 #442 EFFECTIVELY_PRIVATE
• Module github.com/go-gitea/gitea appears in issue x/vulndb: potential Go vuln in github.com/go-gitea/gitea: CVE-2022-30781 #450 EFFECTIVELY_PRIVATE
• Module github.com/go-gitea/gitea appears in issue x/vulndb: potential Go vuln in github.com/go-gitea/gitea: GHSA-36h2-95gj-w488 #579 EFFECTIVELY_PRIVATE
• Module github.com/go-gitea/gitea appears in issue x/vulndb: potential Go vuln in github.com/go-gitea/gitea/models: GHSA-f5fj-7265-jxhj #823 NOT_IMPORTABLE
• Module github.com/go-gitea/gitea appears in issue x/vulndb: potential Go vuln in github.com/go-gitea/gitea: GHSA-g2qx-6ghw-67hm #830 NOT_IMPORTABLE
• Module github.com/go-gitea/gitea appears in issue x/vulndb: potential Go vuln in github.com/go-gitea/gitea/models: GHSA-hpmr-prr2-cqc4 #846 NOT_IMPORTABLE
• Module github.com/go-gitea/gitea appears in issue x/vulndb: potential Go vuln in github.com/go-gitea/gitea/models: GHSA-q47x-6mqq-4w92 #862 NOT_IMPORTABLE
• Module github.com/go-gitea/gitea appears in issue x/vulndb: potential Go vuln in github.com/go-gitea/gitea: CVE-2022-42968 #1065 EFFECTIVELY_PRIVATE
• Module github.com/go-gitea/gitea appears in issue x/vulndb: potential Go vuln in github.com/go-gitea/gitea: CVE-2022-38795 #1999 EFFECTIVELY_PRIVATE

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: github.com/go-gitea/gitea
      vulnerable_at: 1.20.5
      packages:
        - package: n/a
cves:
    - CVE-2019-1000002
references:
    - fix: https://github.com/go-gitea/gitea/pull/5631

[gopherbot]

Change https://go.dev/cl/540721 mentions this issue: data/excluded: batch add 135 excluded reports