CVE-2025-68945 - OpenCVE

In Gitea before 1.21.2, an anonymous user can visit a private user's project.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact partial

Vendors	Products
Gitea	Gitea

No data.

No data.

References

Link	Providers
https://blog.gitea.com/release-of-1.21.2/
https://github.com/go-gitea/gitea/pull/28423
https://github.com/go-gitea/gitea/releases/tag/v1.21.2
https://nvd.nist.gov/vuln/detail/CVE-2025-68945
https://www.cve.org/CVERecord?id=CVE-2025-68945

History

Sat, 27 Dec 2025 00:15:00 +0000

Type	Values Removed	Values Added
Title		gitea: Gitea: Information disclosure via anonymous access to private user projects
References		https://nvd.nist.gov/vuln/detail/CVE-2025-68945 https://www.cve.org/CVERecord?id=CVE-2025-68945
Metrics	threat_severity `None`	threat_severity `Moderate`

Fri, 26 Dec 2025 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 26 Dec 2025 04:15:00 +0000

Type	Values Removed	Values Added
Description		In Gitea before 1.21.2, an anonymous user can visit a private user's project.
First Time appeared		Gitea Gitea gitea
Weaknesses		CWE-359
CPEs		cpe:2.3:a:gitea:gitea::::::::
Vendors & Products		Gitea Gitea gitea
References		https://blog.gitea.com/release-of-1.21.2/ https://github.com/go-gitea/gitea/pull/28423 https://github.com/go-gitea/gitea/releases/tag/v1.21.2
Metrics		cvssV3_1 `{'score': 5.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N'}`

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2025-12-26T03:58:46.724Z

Updated: 2025-12-26T18:59:29.985Z

Reserved: 2025-12-26T03:58:46.374Z

Link: CVE-2025-68945

Vulnrichment

Updated: 2025-12-26T14:49:17.801Z

NVD

Status : Received

Published: 2025-12-26T04:15:41.507

Modified: 2025-12-26T04:15:41.507

Link: CVE-2025-68945

Redhat

Severity : Moderate

Publid Date: 2025-12-26T03:58:46Z

Links: CVE-2025-68945 - Bugzilla

{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2025-68945", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "state": "PUBLISHED", "assignerShortName": "mitre", "dateReserved": "2025-12-26T03:58:46.374Z", "datePublished": "2025-12-26T03:58:46.724Z", "dateUpdated": "2025-12-26T18:59:29.985Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "packageURL": "pkg:golang/code.gitea.io/gitea", "product": "Gitea", "vendor": "Gitea", "versions": [{"lessThan": "1.21.2", "status": "affected", "version": "0", "versionType": "semver"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:gitea:gitea:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.21.2"}]}]}], "descriptions": [{"lang": "en", "value": "In Gitea before 1.21.2, an anonymous user can visit a private user's project."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-359", "description": "CWE-359 Exposure of Private Personal Information to an Unauthorized Actor", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2025-12-26T18:59:29.985Z"}, "references": [{"url": "https://blog.gitea.com/release-of-1.21.2/"}, {"url": "https://github.com/go-gitea/gitea/releases/tag/v1.21.2"}, {"url": "https://github.com/go-gitea/gitea/pull/28423"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-26T14:49:16.693875Z", "id": "CVE-2025-68945", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-26T14:50:50.723Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-68945", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-26T14:49:16.693875Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-26T14:49:17.801Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Gitea", "product": "Gitea", "versions": [{"status": "affected", "version": "0", "lessThan": "1.21.2", "versionType": "semver"}], "packageURL": "pkg:golang/code.gitea.io/gitea", "defaultStatus": "unaffected"}], "references": [{"url": "https://blog.gitea.com/release-of-1.21.2/"}, {"url": "https://github.com/go-gitea/gitea/releases/tag/v1.21.2"}, {"url": "https://github.com/go-gitea/gitea/pull/28423"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}, "descriptions": [{"lang": "en", "value": "In Gitea before 1.21.2, an anonymous user can visit a private user's project."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-359", "description": "CWE-359 Exposure of Private Personal Information to an Unauthorized Actor"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:gitea:gitea:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "1.21.2"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2025-12-26T18:59:29.985Z"}}}, "cveMetadata": {"cveId": "CVE-2025-68945", "state": "PUBLISHED", "dateUpdated": "2025-12-26T18:59:29.985Z", "dateReserved": "2025-12-26T03:58:46.374Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2025-12-26T03:58:46.724Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"bugzilla": {"description": "gitea: Gitea: Information disclosure via anonymous access to private user projects", "id": "2425474", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2425474"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "status": "draft"}, "cwe": "CWE-359", "details": ["A flaw was found in Gitea. An anonymous user can exploit this vulnerability by visiting a private user's project, leading to unauthorized information disclosure. This allows an attacker to view details of projects that should remain private."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2025-68945", "package_state": [{"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Not affected", "package_name": "openshift-pipelines/pipelines-pipelines-as-code-cli-rhel8", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Not affected", "package_name": "openshift-pipelines/pipelines-pipelines-as-code-cli-rhel9", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Not affected", "package_name": "openshift-pipelines/pipelines-pipelines-as-code-controller-rhel8", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Not affected", "package_name": "openshift-pipelines/pipelines-pipelines-as-code-controller-rhel9", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Not affected", "package_name": "openshift-pipelines/pipelines-pipelines-as-code-watcher-rhel8", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Not affected", "package_name": "openshift-pipelines/pipelines-pipelines-as-code-watcher-rhel9", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Not affected", "package_name": "openshift-pipelines/pipelines-pipelines-as-code-webhook-rhel8", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Not affected", "package_name": "openshift-pipelines/pipelines-pipelines-as-code-webhook-rhel9", "product_name": "OpenShift Pipelines"}], "public_date": "2025-12-26T03:58:46Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-68945\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-68945\nhttps://blog.gitea.com/release-of-1.21.2/\nhttps://github.com/go-gitea/gitea/pull/28423\nhttps://github.com/go-gitea/gitea/releases/tag/v1.21.2"], "statement": "This vulnerability is rated Moderate. In the Red Hat context, impact is limited as the vulnerable code is not present in Red Hat OpenShift Pipelines components.", "threat_severity": "Moderate"}