CVE-2025-68944

EPSS 0.25%
Veröffentlicht 26.12.2025 03:37:28
Zuletzt bearbeitet 31.12.2025 22:30:32
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

Gitea before 1.22.2 sometimes mishandles the propagation of token scope for access control within one of its own package registries.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 6

NVD 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Gitea ≫ Gitea SwPlatform- Version < 1.22.2

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.25%	0.164

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
cve@mitre.org	5	3.1	1.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N

CWE-441 Unintended Proxy or Intermediary ('Confused Deputy')

The product receives a request, message, or directive from an upstream component, but the product does not sufficiently preserve the original source of the request before forwarding the request to an external actor that is outside of the product's control sphere. This causes the product to appear to be the source of the request, leading it to act as a proxy or other intermediary between the upstream component and the external actor.

https://blog.gitea.com/release-of-1.22.2/

Release Notes

https://github.com/go-gitea/gitea/releases/tag/v1.22.2

Release Notes

https://github.com/go-gitea/gitea/pull/31967

Issue Tracking

https://nvd.nist.gov/vuln/detail/CVE-2025-68944

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-68944

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-68944

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-68944