CVE-2022-30781
Published 2022-05-16
CVE-2022-30781: Gitea before 1.16.7 does not escape git fetch remote.
Priority P273 · high · 7.5 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EXPLOIT
EPSS: 87.68% (99.7th percentile)
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| code.gitea.io | gitea | >= 0 < 1.16.7 | 1.16.7 |
| gitea | gitea | < 1.16.7 | 1.16.7 |
Detection & IOCs (extracted from sources)
- Detect exploit fingerprinting: a GET /user/login request followed by extraction of the version string matching 'Gitea Version: <version>' from the response body; the attacker checks for vulnerable versions before 1.16.7.
- Monitor Gitea repository migration requests (POST to /repo/migrate) where the 'clone_addr' parameter points to an attacker-controlled external host, which is used to serve a malicious Gitea API impersonation.
- Detect injection of '--upload-pack=' in git fetch 'ref' fields in the pull request data of a repository migration; this is the core RCE injection vector, abusing the unescaped git fetch remote.
- An attacker-controlled server impersonates a Gitea instance by responding to the /api/v1/version, /api/v1/settings/api, /api/v1/repos/<path>, and /api/v1/repos/<path>/pulls endpoints; monitor outbound HTTP from Gitea to unexpected hosts on these API paths during migration.
- The exploit uses the default payload 'cmd/unix/reverse_bash' delivered via the --upload-pack argument; monitor for reverse shell processes spawned as the Gitea service user.
- The exploit sets WfsDelay to 30 seconds and HTTPDELAY to 12 seconds; anomalous long-lived HTTP connections from Gitea to external hosts during migration may indicate exploitation in progress.
- The vulnerability only affects Gitea versions before 1.16.7; instances already upgraded are not affected.
- Exploitation requires the attacker to have a valid authenticated account on the Gitea instance (USERNAME/PASSWORD options are mandatory), limiting exposure to authenticated users only.
- The Gitea [migrations] settings may block the exploit; the module handles this case and aborts if migration is rejected by server policy.
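
One way to apply the '--upload-pack=' ref check from the list above to pull-request data captured from a migration source, as an added example (not code from Gitea or from the sources quoted on this page). The sample body is constructed, and treating every string stored under a key named `ref` as a value that reaches `git fetch` is an assumption about the data layout.

```python
import json

# Constructed sample: a trimmed pull-request listing such as a migration source
# might return. The field layout is an assumption; only the key name "ref" is used.
SAMPLE_PULLS = json.dumps([
    {"number": 1, "head": {"ref": "feature/login"}, "base": {"ref": "main"}},
    {"number": 2, "head": {"ref": "--upload-pack=PLACEHOLDER"}, "base": {"ref": "main"}},
    {"number": 3, "head": {"ref": "-f"}, "base": {"ref": "refs/heads/dev"}},
])


def iter_refs(node, path="$"):
    """Yield (json_path, value) for every string stored under a key named 'ref'."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if key == "ref" and isinstance(value, str):
                yield child, value
            else:
                yield from iter_refs(value, child)
    elif isinstance(node, list):
        for index, item in enumerate(node):
            yield from iter_refs(item, f"{path}[{index}]")


def classify_ref(ref):
    """Return a reason if the ref is unsafe to pass to git as an argument, else None."""
    stripped = ref.strip()
    if "--upload-pack" in stripped:
        return "upload-pack option in ref"
    if stripped.startswith("-"):
        return "ref would be parsed as a git option"
    # Valid git ref names never contain whitespace or NUL bytes.
    if any(ch.isspace() or ch == "\x00" for ch in ref):
        return "whitespace or control character in ref"
    return None


def scan_pulls(body):
    """Return [(json_path, ref, reason)] for every suspicious ref in a JSON body."""
    findings = []
    for path, ref in iter_refs(json.loads(body)):
        reason = classify_ref(ref)
        if reason:
            findings.append((path, ref, reason))
    return findings
```

Run `scan_pulls()` over response bodies logged by an egress proxy during migrations; any finding means the source supplied a ref that no legitimate repository would carry.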
CVSS provenance
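| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N |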
OSV
Shell command injection in gitea in code.gitea.io/gitea
osv·2024-08-21
CVE-2022-30781 Shell command injection in gitea in code.gitea.io/gitea
OSV
Shell command injection in gitea
osv·2022-05-17
CVE-2022-30781 [HIGH] Shell command injection in gitea
Gitea before 1.16.7 does not escape the shell out for `git fetch remote` allowing for shell command injection
GHSA
Shell command injection in gitea
ghsa·2022-05-17
CVE-2022-30781 [HIGH] CWE-116 Shell command injection in gitea
Gitea before 1.16.7 does not escape the shell out for `git fetch remote` allowing for shell command injection
No detection rules found.
Exploit-DB
Gitea 1.16.6 - Remote Code Execution (RCE) (Metasploit)
exploitdb·2022-09-15·CVSS 7.5
CVE-2022-30781 [HIGH] Gitea 1.16.6 - Remote Code Execution (RCE) (Metasploit)
```ruby
# Exploit Title: Gitea Git Fetch Remote Code Execution
# Date: 09/14/2022
# Exploit Author: samguy
# Vendor Homepage: https://gitea.io
# Software Link: https://dl.gitea.io/gitea/1.16.6
# Version: 'Gitea Git Fetch Remote Code Execution',
'Description' => %q{
  This module exploits Git fetch command in Gitea repository migration
  process that leads to a remote command execution on the system.
  This vulnerability affect Gitea before 1.16.7 version.
},
'Author' => [
  'wuhan005 & li4n0', # Original PoC
  'krastanoel' # MSF Module
],
'References' => [
  ['CVE', '2022-30781'],
  ['URL', 'https://tttang.com/archive/1607/']
],
'DisclosureDate' => '2022-05-16',
'License' => MSF_LICENSE,
'Platform' => %w[unix win],
'Arch' => ARCH_CMD,
'Privileged' =>
```
Metasploit
Gitea Git Fetch Remote Code Execution
metasploit
This module exploits the Git fetch command in the Gitea repository migration process, which leads to remote command execution on the system. This vulnerability affects Gitea before version 1.16.7.
No writeups or analysis indexed.
- http://packetstormsecurity.com/files/168400/Gitea-1.16.6-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/169928/Gitea-Git-Fetch-Remote-Code-Execution.html
- https://blog.gitea.io/2022/05/gitea-1.16.7-is-released/
- https://github.com/go-gitea/gitea/pull/19487
- https://github.com/go-gitea/gitea/pull/19490