Gitea Repository Attachment Link Vulnerability Allowing Unauthorized Access

Vulnerability

A vulnerability exists in Gitea's handling of repository attachments linked to releases. The application fails to properly verify repository ownership, which can lead to unauthorized access. An attachment uploaded to a private repository might be incorrectly associated with a release in a public repository, making it available to unauthorized users. This issue affects Gitea versions 1.25.0 through 1.25.3.

Impact

Exploitation of this vulnerability could result in unauthorized access to private attachments, allowing them to be viewed or downloaded by users who should not have access.

Reproduction

To reproduce this vulnerability, upload an attachment to a private repository. Then, link that attachment to a release in a public repository. The attachment will be accessible to unauthorized users, demonstrating the lack of proper ownership validation.

Remediation

Users can upgrade to Gitea version 1.25.4, which addresses this vulnerability by ensuring that release attachments are correctly linked to the intended repository. Instructions for downloading Gitea 1.25.4 are available on the Gitea releases page.
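The missing check described above, shown as an added example rather than Gitea's own code: a simplified model (assumed types and field names, not Gitea's) in which an attachment is only bound to a release when it is still unbound and uploaded by the acting user, or already belongs to the release's repository, so an attachment from a private repository cannot be re-linked into a public one.

```go
package main

import (
	"errors"
	"fmt"
)

// Attachment and Release are simplified stand-ins (assumed, not Gitea's types).
type Attachment struct {
	UUID       string
	RepoID     int64 // assumed convention: 0 until bound to a repository
	UploaderID int64
	ReleaseID  int64
}

type Release struct {
	ID     int64
	RepoID int64
}

var ErrAttachmentNotOwned = errors.New("attachment does not belong to this repository")

// linkAttachmentsUnchecked models the flawed behaviour: every attachment is
// bound to the release without checking which repository it belongs to.
func linkAttachmentsUnchecked(rel Release, atts []*Attachment) {
	for _, a := range atts {
		a.ReleaseID = rel.ID
		a.RepoID = rel.RepoID
	}
}

// linkAttachmentsChecked validates ownership of every attachment first and
// rejects the whole batch before any write if one fails, so a private
// repository's attachment never becomes reachable through a public release.
func linkAttachmentsChecked(rel Release, actorID int64, atts []*Attachment) error {
	for _, a := range atts {
		switch {
		case a.RepoID == rel.RepoID: // already owned by this repository
		case a.RepoID == 0 && a.UploaderID == actorID: // fresh upload by the actor
		default:
			return fmt.Errorf("%w: %s (repo %d != %d)", ErrAttachmentNotOwned, a.UUID, a.RepoID, rel.RepoID)
		}
	}
	for _, a := range atts {
		a.ReleaseID = rel.ID
		a.RepoID = rel.RepoID
	}
	return nil
}
```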

Added: Jan 22, 2026, 10:19 PM
Updated: Jan 22, 2026, 10:19 PM

Vulnerability Rating

Custom Algorithm

Category        Score
spread          7.6
impact          1.3
exploitability  5.5
remediation     7.7
relevance       2.2
threat          1.6
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.