Gitea Authorization Vulnerability in Release Deletion

Vulnerability

Gitea versions prior to 1.25.2 do not correctly enforce permissions when a release is deleted. Because the deletion path did not verify that the requesting user held the required access to the repository, a user without that authorization could delete releases.

Impact

Exploitation allows a user who should not be able to modify a repository's releases to delete them, along with their associated tags where the deletion removes the tag as well. This is an integrity and availability problem rather than a disclosure: published releases and their attachments disappear, downstream consumers that pin to a release (CI pipelines, package fetchers, deployment scripts) break, and project versioning and release management are disrupted until the release is recreated.

Reproduction

The vulnerability is reproduced by having a user who lacks write access to the repository attempt to delete one of its releases, either through the release deletion endpoints of the API or through the web interface, depending on what the user's access rights expose. On an unpatched instance the deletion succeeds; on 1.25.2 or later it is refused. Because a successful attempt really does remove the release, any such test should be run only against a disposable repository.

Remediation

Users are advised to upgrade to Gitea version 1.25.2 or later, which addresses this vulnerability by enforcing the proper permission check before a release is deleted. Instructions for upgrading can be found in the Gitea documentation. After upgrading, confirm the running version and verify that a read-only user is now refused when attempting to delete a release in a test repository.
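The following script is an added example for this advisory, not code from the Gitea project: it reports whether an instance still runs a version older than 1.25.2 and offers a post-upgrade regression check that a read-only token is refused when deleting a release. It assumes Gitea's standard GET /api/v1/version endpoint, the DELETE /api/v1/repos/{owner}/{repo}/releases/{id} endpoint, and token authentication via the "Authorization: token ..." header; the instance URL, owner, repository, release id and token used below are placeholders. Only the version-parsing and status-classification logic runs offline; the network calls are invoked from the main block.

```python
"""Check a Gitea instance for the release-deletion authorization fix (1.25.2).

Added example for the advisory above; not Gitea project code. Assumed:
GET  {base}/api/v1/version                           -> {"version": "1.25.1"}
DELETE {base}/api/v1/repos/{owner}/{repo}/releases/{id}
Authorization header format: "token <api-token>"
All hostnames, repository names, ids and tokens here are placeholders.
"""
import json
import re
import sys
import urllib.error
import urllib.request

FIXED_VERSION = (1, 25, 2)  # first release with the permission check


def parse_version(version: str) -> tuple:
    """Reduce a Gitea version string to a comparable (major, minor, patch).

    Accepts forms such as '1.25.1', 'v1.25.2' or '1.25.2+dev-12-gabcdef'.
    Caveat: pre-release and dev suffixes are ignored, so a '1.25.2-rc1'
    build compares equal to 1.25.2 even though it may predate the fix.
    """
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised Gitea version string: {version!r}")
    return tuple(int(part) for part in m.groups())


def is_vulnerable(version: str) -> bool:
    """True when the reported version predates 1.25.2."""
    return parse_version(version) < FIXED_VERSION


def delete_denied(status: int) -> bool:
    """Interpret the HTTP status of a read-only user's DELETE attempt.

    A refusal (401/403, or 404 where Gitea hides the resource) means the
    permission check is in place; 200/204 means the release was actually
    deleted and the instance is still vulnerable.
    """
    return status in (401, 403, 404)


def fetch_version(base_url: str) -> str:
    """Ask the instance for its version (no authentication needed)."""
    url = f"{base_url.rstrip('/')}/api/v1/version"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)["version"]


def release_delete_denied(base_url: str, owner: str, repo: str,
                          release_id: int, readonly_token: str) -> bool:
    """Regression check: attempt the deletion with a token that has only
    read access and report whether the server refused it.

    WARNING: if the instance is unpatched the release is really deleted.
    Run this only against a throwaway repository and release.
    """
    url = (f"{base_url.rstrip('/')}/api/v1/repos/{owner}/{repo}"
           f"/releases/{release_id}")
    req = urllib.request.Request(
        url, method="DELETE",
        headers={"Authorization": f"token {readonly_token}"},
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return delete_denied(resp.status)
    except urllib.error.HTTPError as err:
        return delete_denied(err.code)


if __name__ == "__main__":
    # Placeholder instance URL; pass the real one as the first argument.
    base = sys.argv[1] if len(sys.argv) > 1 else "https://gitea.example.org"
    version = fetch_version(base)
    verdict = "VULNERABLE, upgrade to 1.25.2" if is_vulnerable(version) else "fixed"
    print(f"{base}: Gitea {version} -> {verdict}")
    # Optional destructive regression check; arguments are placeholders.
    if len(sys.argv) == 6:
        _, _, owner, repo, rel_id, token = sys.argv
        ok = release_delete_denied(base, owner, repo, int(rel_id), token)
        print("read-only delete refused" if ok else "read-only delete SUCCEEDED")
```

Run it with only the instance URL for a non-destructive version check; supply owner, repository, release id and a read-only token as well only when you have a disposable release to sacrifice, since on an unpatched server the regression check proves the bug by deleting it.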

Added: Dec 26, 2025, 2:17 AM
Updated: Dec 26, 2025, 2:17 AM

Vulnerability Rating

Custom Algorithm
spread: 7.6
impact: 0.6
exploitability: 6.4
remediation: 7.7
relevance: 1.7
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.