{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2025-68944", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "state": "PUBLISHED", "assignerShortName": "mitre", "dateReserved": "2025-12-26T03:37:28.412Z", "datePublished": "2025-12-26T03:37:28.693Z", "dateUpdated": "2025-12-26T19:28:23.900Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "packageURL": "pkg:golang/code.gitea.io/gitea", "product": "Gitea", "vendor": "Gitea", "versions": [{"lessThan": "1.22.2", "status": "affected", "version": "0", "versionType": "semver"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:gitea:gitea:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.22.2"}]}]}], "descriptions": [{"lang": "en", "value": "Gitea before 1.22.2 sometimes mishandles the propagation of token scope for access control within one of its own package registries."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-441", "description": "CWE-441 Unintended Proxy or Intermediary ('Confused Deputy')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2025-12-26T18:59:09.375Z"}, "references": [{"url": "https://blog.gitea.com/release-of-1.22.2/"}, {"url": "https://github.com/go-gitea/gitea/releases/tag/v1.22.2"}, {"url": "https://github.com/go-gitea/gitea/pull/31967"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-26T19:28:17.625511Z", "id": "CVE-2025-68944", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-26T19:28:23.900Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-68944", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-26T19:28:17.625511Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-26T19:28:21.087Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Gitea", "product": "Gitea", "versions": [{"status": "affected", "version": "0", "lessThan": "1.22.2", "versionType": "semver"}], "packageURL": "pkg:golang/code.gitea.io/gitea", "defaultStatus": "unaffected"}], "references": [{"url": "https://blog.gitea.com/release-of-1.22.2/"}, {"url": "https://github.com/go-gitea/gitea/releases/tag/v1.22.2"}, {"url": "https://github.com/go-gitea/gitea/pull/31967"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}, "descriptions": [{"lang": "en", "value": "Gitea before 1.22.2 sometimes mishandles the propagation of token scope for access control within one of its own package registries."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-441", "description": "CWE-441 Unintended Proxy or Intermediary ('Confused Deputy')"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:gitea:gitea:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "1.22.2"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2025-12-26T18:59:09.375Z"}}}, "cveMetadata": {"cveId": "CVE-2025-68944", "state": "PUBLISHED", "dateUpdated": "2025-12-26T19:28:23.900Z", "dateReserved": "2025-12-26T03:37:28.412Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2025-12-26T03:37:28.693Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Gitea before 1.22.2 sometimes mishandles the propagation of token scope for access control within one of its own package registries."}], "id": "CVE-2025-68944", "lastModified": "2025-12-26T04:15:41.357", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 1.4, "source": "[email protected]", "type": "Secondary"}]}, "published": "2025-12-26T04:15:41.357", "references": [{"source": "[email protected]", "url": "https://blog.gitea.com/release-of-1.22.2/"}, {"source": "[email protected]", "url": "https://github.com/go-gitea/gitea/pull/31967"}, {"source": "[email protected]", "url": "https://github.com/go-gitea/gitea/releases/tag/v1.22.2"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-441"}], "source": "[email protected]", "type": "Primary"}]}

{"bugzilla": {"description": "gitea: Gitea: Access control bypass in package registries", "id": "2425466", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2425466"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.0", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N", "status": "draft"}, "cwe": "CWE-441", "details": ["A flaw was found in Gitea, a self-hosted Git service. This vulnerability allows an authenticated user to bypass access controls within its package registries. This occurs because the system improperly handles the propagation of token scope, which defines what actions a token is allowed to perform. As a result, an attacker could potentially make unauthorized changes to data or resources in the package registries."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2025-68944", "package_state": [{"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Out of support scope", "package_name": "openshift-pipelines/pipelines-pipelines-as-code-cli-rhel8", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Not affected", "package_name": "openshift-pipelines/pipelines-pipelines-as-code-cli-rhel9", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Out of support scope", "package_name": "openshift-pipelines/pipelines-pipelines-as-code-controller-rhel8", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Not affected", "package_name": "openshift-pipelines/pipelines-pipelines-as-code-controller-rhel9", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Out of support scope", "package_name": "openshift-pipelines/pipelines-pipelines-as-code-watcher-rhel8", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Not affected", "package_name": "openshift-pipelines/pipelines-pipelines-as-code-watcher-rhel9", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Out of support scope", "package_name": "openshift-pipelines/pipelines-pipelines-as-code-webhook-rhel8", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Not affected", "package_name": "openshift-pipelines/pipelines-pipelines-as-code-webhook-rhel9", "product_name": "OpenShift Pipelines"}], "public_date": "2025-12-26T03:37:28Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-68944\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-68944\nhttps://blog.gitea.com/release-of-1.22.2/\nhttps://github.com/go-gitea/gitea/pull/31967\nhttps://github.com/go-gitea/gitea/releases/tag/v1.22.2"], "statement": "This vulnerability is rated Moderate for Red Hat. An authenticated user could bypass access controls within Gitea's package registries due to improper token scope propagation. This affects OpenShift Pipelines versions 1.16 and 1.17. OpenShift Pipelines versions 1.18, 1.19, and 1.20 are not affected as the vulnerable code is not present.", "threat_severity": "Moderate"}