{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2025-68943", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "state": "PUBLISHED", "assignerShortName": "mitre", "dateReserved": "2025-12-26T03:19:44.968Z", "datePublished": "2025-12-26T03:19:45.242Z", "dateUpdated": "2025-12-26T19:28:57.206Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "packageURL": "pkg:golang/code.gitea.io/gitea", "product": "Gitea", "vendor": "Gitea", "versions": [{"lessThan": "1.21.8", "status": "affected", "version": "0", "versionType": "semver"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:gitea:gitea:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.21.8"}]}]}], "descriptions": [{"lang": "en", "value": "Gitea before 1.21.8 inadvertently discloses users' login times by allowing (for example) the lastlogintime explore/users sort order."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-497", "description": "CWE-497 Exposure of Sensitive System Information to an Unauthorized Control Sphere", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2025-12-26T18:58:55.452Z"}, "references": [{"url": "https://blog.gitea.com/release-of-1.21.8-and-1.21.9-and-1.21.10/"}, {"url": "https://github.com/go-gitea/gitea/releases/tag/v1.21.8"}, {"url": "https://github.com/go-gitea/gitea/pull/29430"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-26T19:28:50.288272Z", "id": "CVE-2025-68943", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-26T19:28:57.206Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-68943", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-26T19:28:50.288272Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-26T19:28:54.140Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Gitea", "product": "Gitea", "versions": [{"status": "affected", "version": "0", "lessThan": "1.21.8", "versionType": "semver"}], "packageURL": "pkg:golang/code.gitea.io/gitea", "defaultStatus": "unaffected"}], "references": [{"url": "https://blog.gitea.com/release-of-1.21.8-and-1.21.9-and-1.21.10/"}, {"url": "https://github.com/go-gitea/gitea/releases/tag/v1.21.8"}, {"url": "https://github.com/go-gitea/gitea/pull/29430"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}, "descriptions": [{"lang": "en", "value": "Gitea before 1.21.8 inadvertently discloses users' login times by allowing (for example) the lastlogintime explore/users sort order."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-497", "description": "CWE-497 Exposure of Sensitive System Information to an Unauthorized Control Sphere"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:gitea:gitea:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "1.21.8"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2025-12-26T18:58:55.452Z"}}}, "cveMetadata": {"cveId": "CVE-2025-68943", "state": "PUBLISHED", "dateUpdated": "2025-12-26T19:28:57.206Z", "dateReserved": "2025-12-26T03:19:44.968Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2025-12-26T03:19:45.242Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Gitea before 1.21.8 inadvertently discloses users' login times by allowing (for example) the lastlogintime explore/users sort order."}], "id": "CVE-2025-68943", "lastModified": "2025-12-26T04:15:41.217", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "[email protected]", "type": "Secondary"}]}, "published": "2025-12-26T04:15:41.217", "references": [{"source": "[email protected]", "url": "https://blog.gitea.com/release-of-1.21.8-and-1.21.9-and-1.21.10/"}, {"source": "[email protected]", "url": "https://github.com/go-gitea/gitea/pull/29430"}, {"source": "[email protected]", "url": "https://github.com/go-gitea/gitea/releases/tag/v1.21.8"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-497"}], "source": "[email protected]", "type": "Primary"}]}

{"bugzilla": {"description": "gitea: Gitea: Information disclosure of user login times via sort order", "id": "2425465", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2425465"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "status": "draft"}, "cwe": "CWE-497", "details": ["A flaw was found in Gitea. This vulnerability allows for the inadvertent disclosure of users' login times. A remote attacker can exploit this by utilizing the `lastlogintime` explore/users sort order, leading to the exposure of sensitive user activity information."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2025-68943", "package_state": [{"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Not affected", "package_name": "openshift-pipelines/pipelines-pipelines-as-code-cli-rhel8", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Not affected", "package_name": "openshift-pipelines/pipelines-pipelines-as-code-cli-rhel9", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Not affected", "package_name": "openshift-pipelines/pipelines-pipelines-as-code-controller-rhel8", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Not affected", "package_name": "openshift-pipelines/pipelines-pipelines-as-code-controller-rhel9", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Not affected", "package_name": "openshift-pipelines/pipelines-pipelines-as-code-watcher-rhel8", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Not affected", "package_name": "openshift-pipelines/pipelines-pipelines-as-code-watcher-rhel9", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Not affected", "package_name": "openshift-pipelines/pipelines-pipelines-as-code-webhook-rhel8", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Not affected", "package_name": "openshift-pipelines/pipelines-pipelines-as-code-webhook-rhel9", "product_name": "OpenShift Pipelines"}], "public_date": "2025-12-26T03:19:45Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-68943\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-68943\nhttps://blog.gitea.com/release-of-1.21.8-and-1.21.9-and-1.21.10/\nhttps://github.com/go-gitea/gitea/pull/29430\nhttps://github.com/go-gitea/gitea/releases/tag/v1.21.8"], "statement": "In the Red Hat context, in Red Hat OpenShift Pipelines components are not affected as the vulnerable code is not present.", "threat_severity": "Moderate"}