Description
Gitea versions up to and including 1.26.1 have insufficient permission checks for Composer package source links, which can expose private or internal package source information.
Problem types
Product status
Any version
Credits
DevNoScope
References
github.com/.../gitea/security/advisories/GHSA-8qw8-rq86-9pc2 (GitHub Security Advisory)
github.com/go-gitea/gitea/pull/37610 (GitHub Pull Request #37610)
github.com/go-gitea/gitea/releases/tag/v1.26.2 (Gitea v1.26.2 Release)
blog.gitea.com/release-of-1.26.2/ (Gitea v1.26.2 Release Blog Post)