Gitea < 1.26.2 allows unauthenticated remote attackers to pull private container images. The /v2/token endpoint grants anonymous "ghost" tokens (UserID: -1) with no scope restriction. The ReqContainerAccess middleware does not check the package owner's visibility, so ghost users can enumerate all container repositories via /_catalog and pull any private image layer.
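The missing check described above, as an added example in Go (Gitea's own language) that is not Gitea's code: the `Owner`, `Doer` and `Visibility` types, the `Members` map and both access functions are constructed for illustration, with the visibility levels modelled on Gitea's public/limited/private owner visibility and the ghost user ID taken from the advisory. `vulnerableAccessCheck` reproduces the behaviour the advisory describes (any token is accepted regardless of owner visibility); `hardenedAccessCheck` shows the rule the middleware should apply before serving a catalog listing or a layer.

```go
package main

import "fmt"

// Visibility levels, modelled on Gitea's public/limited/private user and
// organisation visibility. All types and functions in this file are constructed
// for the example and are not Gitea's own code.
type Visibility int

const (
	VisibilityPublic  Visibility = iota // visible to everyone, including anonymous
	VisibilityLimited                   // visible to any signed-in user
	VisibilityPrivate                   // visible only to the owner and its members
)

// Owner is the user or organisation whose container packages are requested.
type Owner struct {
	ID         int64
	Visibility Visibility
	Members    map[int64]bool // user IDs allowed to read a private owner's packages
}

// GhostUserID mirrors the UserID -1 that the advisory says anonymous
// /v2/token requests are issued for.
const GhostUserID int64 = -1

// Doer is the identity behind the registry token.
type Doer struct {
	ID int64
}

// IsAnonymous reports whether the token belongs to no real account.
func (d *Doer) IsAnonymous() bool {
	return d == nil || d.ID == GhostUserID
}

// vulnerableAccessCheck mirrors the flaw in the advisory: the middleware never
// consults the owner's visibility, so a ghost token can read private images.
func vulnerableAccessCheck(owner Owner, doer *Doer) bool {
	return true
}

// hardenedAccessCheck applies the visibility rule before any catalog listing
// or blob/manifest request for this owner's packages is served.
func hardenedAccessCheck(owner Owner, doer *Doer) bool {
	switch owner.Visibility {
	case VisibilityPublic:
		return true
	case VisibilityLimited:
		// Limited owners are readable by signed-in users only; a ghost is not one.
		return !doer.IsAnonymous()
	case VisibilityPrivate:
		if doer.IsAnonymous() {
			return false
		}
		return doer.ID == owner.ID || owner.Members[doer.ID]
	}
	// Unknown visibility value: fail closed.
	return false
}

func main() {
	// Constructed sample: a private organisation with one member.
	private := Owner{ID: 10, Visibility: VisibilityPrivate, Members: map[int64]bool{11: true}}
	ghost := &Doer{ID: GhostUserID}
	fmt.Println("vulnerable, ghost on private:", vulnerableAccessCheck(private, ghost))
	fmt.Println("hardened,   ghost on private:", hardenedAccessCheck(private, ghost))
	fmt.Println("hardened,   member on private:", hardenedAccessCheck(private, &Doer{ID: 11}))
}
```

The hardened variant fails closed on an unrecognised visibility value and treats a nil doer the same as a ghost token, so a token issued without any scope still cannot reach private or limited owners' packages.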