Incorrect API access control #5764

Closed
ManassehZhou opened this issue Aug 1, 2019 · 3 comments
Labels: 💊 bug (Something isn't working), priority: critical (Oh damn, fix it now!), 🔒 security (Categorizes as related to security), status: assigned to maintainer (Welcome onboard)

Comments

ManassehZhou commented Aug 1, 2019

I discovered a misconfigured access control in the newest Gogs; I think it's some kind of bug.

I have already sent more details by email to u@gogs.io.

Best,
Manasseh Zhou

@unknwon unknwon added 💊 bug Something isn't working 🔒 security Categorizes as related to security priority: critical Oh damn, fix it now! status: assigned to maintainer Welcome onboard labels Aug 1, 2019
@unknwon unknwon self-assigned this Aug 1, 2019
@unknwon unknwon added this to the 0.12 milestone Aug 1, 2019
unknwon added a commit that referenced this issue Aug 2, 2019
Permission check not enforced for deploy keys, collaborators, and hooks.

Reported by @ManassehZhou #5764
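The class of bug the commit above describes, as an added illustration rather than code from Gogs or from this issue: a hypothetical Go HTTP service exposes /repos/{owner}/{repo}/keys, /collaborators and /hooks, first with authentication but no authorization check, then with the same handler wrapped in a requireRepoAdmin middleware. The route layout, the X-User header standing in for token authentication, the in-memory repository table and all user names are assumptions made for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Hypothetical in-memory model (not Gogs's data structures): who owns a
// repository and which users were granted admin rights on it.
type repo struct {
	owner  string
	admins map[string]bool
}

// Constructed sample data for the example.
var repos = map[string]*repo{
	"alice/secret": {owner: "alice", admins: map[string]bool{"bob": true}},
}

// userFromRequest stands in for token authentication: the caller's login is
// taken from a constructed X-User header. Authentication only identifies the
// caller; it says nothing about what they may do to a given repository.
func userFromRequest(r *http.Request) string {
	return r.Header.Get("X-User")
}

// canAdminRepo is the authorization decision: only the owner or an explicit
// admin collaborator may manage deploy keys, collaborators and hooks.
func canAdminRepo(user, repoName string) bool {
	rp, ok := repos[repoName]
	if !ok {
		return false
	}
	return user != "" && (user == rp.owner || rp.admins[user])
}

// manageHandler is the shared handler for the three management endpoints.
// On its own it trusts that some earlier layer checked permissions.
func manageHandler(w http.ResponseWriter, r *http.Request) {
	fmt.Fprintf(w, "managed %s on behalf of %q\n", r.URL.Path, userFromRequest(r))
}

// requireRepoAdmin is the missing check: it derives the repository from the
// path /repos/{owner}/{repo}/... and rejects callers without admin rights.
func requireRepoAdmin(next http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		parts := strings.Split(strings.TrimPrefix(r.URL.Path, "/repos/"), "/")
		if len(parts) < 3 {
			http.Error(w, "not found", http.StatusNotFound)
			return
		}
		repoName := parts[0] + "/" + parts[1]
		if !canAdminRepo(userFromRequest(r), repoName) {
			// 403, not 404: the caller is authenticated but not authorized.
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next(w, r)
	}
}

// newMux builds the router either without (the bug) or with the check.
func newMux(checked bool) *http.ServeMux {
	mux := http.NewServeMux()
	h := manageHandler
	if checked {
		h = requireRepoAdmin(h)
	}
	// The "/repos/" prefix serves /repos/{owner}/{repo}/keys, /collaborators and /hooks.
	mux.HandleFunc("/repos/", h)
	return mux
}

// statusFor issues a request as `user` against the chosen router and returns
// the HTTP status code, so the two configurations can be compared directly.
func statusFor(checked bool, user, path string) int {
	req := httptest.NewRequest(http.MethodGet, path, nil)
	req.Header.Set("X-User", user)
	rec := httptest.NewRecorder()
	newMux(checked).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	for _, user := range []string{"alice", "bob", "mallory", ""} {
		fmt.Printf("user=%-9q unchecked=%d checked=%d\n", user,
			statusFor(false, user, "/repos/alice/secret/hooks"),
			statusFor(true, user, "/repos/alice/secret/hooks"))
	}
}
```

Running main prints the status each caller gets from the unchecked and the checked route. The point is that identifying the caller is not the same as deciding what they may do to this particular repository, and that the decision has to be enforced on every management route of the API, not only in the web UI.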
@unknwon unknwon added the status: needs feedback Tell me more about it label Aug 2, 2019
unknwon (Member) commented Aug 2, 2019

Thank you again for the security report!

Patch has been pushed to the develop branch and https://try.gogs.io; would you mind taking the time to do another round of testing?

unknwon added a commit that referenced this issue Aug 2, 2019
@unknwon unknwon changed the title Incorrect access control Incorrect API access control Aug 2, 2019
ManassehZhou (Author) commented
LGTM

@unknwon unknwon removed the status: needs feedback Tell me more about it label Aug 2, 2019
@unknwon unknwon closed this as completed Aug 2, 2019
ManassehZhou (Author) commented
CVE-2019-14544

@unknwon unknwon modified the milestones: 0.13, 0.12 Nov 26, 2019