{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2025-68941", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "state": "PUBLISHED", "assignerShortName": "mitre", "dateReserved": "2025-12-26T02:31:58.775Z", "datePublished": "2025-12-26T02:31:59.031Z", "dateUpdated": "2025-12-26T19:31:33.303Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "packageURL": "pkg:golang/code.gitea.io/gitea", "product": "Gitea", "vendor": "Gitea", "versions": [{"lessThan": "1.22.3", "status": "affected", "version": "0", "versionType": "semver"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:gitea:gitea:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.22.3"}]}]}], "descriptions": [{"lang": "en", "value": "Gitea before 1.22.3 mishandles access to a private resource upon receiving an API token with scope limited to public resources."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2025-12-26T18:58:12.663Z"}, "references": [{"url": "https://blog.gitea.com/release-of-1.22.3/"}, {"url": "https://github.com/go-gitea/gitea/releases/tag/v1.22.3"}, {"url": "https://github.com/go-gitea/gitea/pull/32218"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-26T19:31:26.862350Z", "id": "CVE-2025-68941", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-26T19:31:33.303Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-68941", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-26T19:31:26.862350Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-26T19:31:30.258Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 4.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Gitea", "product": "Gitea", "versions": [{"status": "affected", "version": "0", "lessThan": "1.22.3", "versionType": "semver"}], "packageURL": "pkg:golang/code.gitea.io/gitea", "defaultStatus": "unaffected"}], "references": [{"url": "https://blog.gitea.com/release-of-1.22.3/"}, {"url": "https://github.com/go-gitea/gitea/releases/tag/v1.22.3"}, {"url": "https://github.com/go-gitea/gitea/pull/32218"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}, "descriptions": [{"lang": "en", "value": "Gitea before 1.22.3 mishandles access to a private resource upon receiving an API token with scope limited to public resources."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:gitea:gitea:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "1.22.3"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2025-12-26T18:58:12.663Z"}}}, "cveMetadata": {"cveId": "CVE-2025-68941", "state": "PUBLISHED", "dateUpdated": "2025-12-26T19:31:33.303Z", "dateReserved": "2025-12-26T02:31:58.775Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2025-12-26T02:31:59.031Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gitea:gitea:*:*:*:*:*:-:*:*", "matchCriteriaId": "3F93D132-969F-47BD-A092-6FDA641369BA", "versionEndExcluding": "1.22.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Gitea before 1.22.3 mishandles access to a private resource upon receiving an API token with scope limited to public resources."}], "id": "CVE-2025-68941", "lastModified": "2026-01-02T19:33:13.143", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 2.7, "source": "cve@mitre.org", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-12-26T03:15:50.967", "references": [{"source": "cve@mitre.org", "tags": ["Release Notes"], "url": "https://blog.gitea.com/release-of-1.22.3/"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/go-gitea/gitea/pull/32218"}, {"source": "cve@mitre.org", "tags": ["Release Notes"], "url": "https://github.com/go-gitea/gitea/releases/tag/v1.22.3"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "cve@mitre.org", "type": "Secondary"}]}

{"bugzilla": {"description": "gitea: Gitea: Unauthorized access to private resources via public-scoped API tokens", "id": "2425457", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2425457"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.9", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N", "status": "draft"}, "cwe": "CWE-863", "details": ["A flaw was found in Gitea. An attacker with an API token intended for public resources could exploit this vulnerability to gain unauthorized access to private resources. This misconfiguration allows for a bypass of access controls, potentially leading to information disclosure from private repositories or other sensitive data."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2025-68941", "package_state": [{"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Out of support scope", "package_name": "openshift-pipelines/pipelines-pipelines-as-code-cli-rhel8", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Out of support scope", "package_name": "openshift-pipelines/pipelines-pipelines-as-code-cli-rhel9", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Out of support scope", "package_name": "openshift-pipelines/pipelines-pipelines-as-code-controller-rhel8", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Out of support scope", "package_name": "openshift-pipelines/pipelines-pipelines-as-code-controller-rhel9", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Out of support scope", "package_name": "openshift-pipelines/pipelines-pipelines-as-code-watcher-rhel8", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Out of support scope", "package_name": "openshift-pipelines/pipelines-pipelines-as-code-watcher-rhel9", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Out of support scope", "package_name": "openshift-pipelines/pipelines-pipelines-as-code-webhook-rhel8", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Out of support scope", "package_name": "openshift-pipelines/pipelines-pipelines-as-code-webhook-rhel9", "product_name": "OpenShift Pipelines"}], "public_date": "2025-12-26T02:31:59Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-68941\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-68941\nhttps://blog.gitea.com/release-of-1.22.3/\nhttps://github.com/go-gitea/gitea/pull/32218\nhttps://github.com/go-gitea/gitea/releases/tag/v1.22.3"], "statement": "This vulnerability is rated Moderate for Red Hat OpenShift Pipelines. An attacker with a public-scoped API token could gain unauthorized access to private resources due to a misconfiguration in Gitea. This affects OpenShift Pipelines in update streams 1.16, 1.17, and 1.18. OpenShift Pipelines in update streams 1.19 and 1.20 are not affected as the vulnerable code is not present.", "threat_severity": "Moderate"}

{}