CVE-2022-30781
published 2022-05-16

CVE-2022-30781: Gitea before 1.16.7 does not escape git fetch remote.

Priority: P2 73
CVSS 3.1: 7.5 high (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
EXPLOIT
EPSS: 87.68% (99.7th percentile)

Affected

2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| code.gitea.io | gitea | >= 0 < 1.16.7 | 1.16.7 |
| gitea | gitea | < 1.16.7 | 1.16.7 |

Detection & IOCs (extracted from sources)

port: 3000
url: /repo/migrate
url: /api/v1/version
command: --upload-pack=<payload>
other: Gitea Version: 1.16.6
  • Detect exploit fingerprinting via GET /user/login followed by version string extraction matching 'Gitea Version: <version>' in the response body — attacker checks for vulnerable versions before 1.16.7.
  • Monitor Gitea repository migration requests (POST to /repo/migrate) where the 'clone_addr' parameter points to an attacker-controlled external host, which is used to serve a malicious Gitea API impersonation.
  • Detect injection of '--upload-pack=' in git fetch 'ref' fields during repository migration pull request data — this is the core RCE injection vector abusing unescaped git fetch remote.
  • An attacker-controlled server impersonates a Gitea instance by responding to /api/v1/version, /api/v1/settings/api, /api/v1/repos/<path>, and /api/v1/repos/<path>/pulls endpoints; monitor outbound HTTP from Gitea to unexpected hosts on these API paths during migration.
  • The exploit uses the default payload 'cmd/unix/reverse_bash' delivered via the --upload-pack argument; monitor for reverse shell processes spawned as the Gitea service user.
  • The exploit sets WfsDelay to 30 seconds and HTTPDELAY to 12 seconds; anomalous long-lived HTTP connections from Gitea to external hosts during migration may indicate exploitation in progress.
  • The vulnerability only affects Gitea versions before 1.16.7; instances already upgraded are not affected.
  • Exploitation requires the attacker to have a valid authenticated account on the Gitea instance (USERNAME/PASSWORD options are mandatory), limiting exposure to authenticated users only.
  • The Gitea [migrations] settings may block the exploit; the module handles this case and aborts if migration is rejected by server policy.
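
A defensive check for the '--upload-pack=' indicator above, as an added example that is not part of the original page or of Gitea's code: it walks the JSON a migration source returns for its pulls endpoint and flags any `ref` value that git would parse as an option instead of a ref name. The sample response, the function names and the nested `head`/`base` layout are assumptions made for illustration.

```python
import json

# Constructed sample of a /api/v1/repos/<path>/pulls response body.
# The field layout is an assumption; "<payload>" is the page's own placeholder.
SAMPLE_PULLS = json.dumps([
    {"number": 1,
     "head": {"ref": "feature/login", "sha": "0" * 40},
     "base": {"ref": "main", "sha": "1" * 40}},
    {"number": 2,
     "head": {"ref": "--upload-pack=<payload>", "sha": "2" * 40},
     "base": {"ref": "main", "sha": "3" * 40}},
])


def iter_refs(node, path="$"):
    """Yield (json_path, value) for every string field named 'ref'."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if key == "ref" and isinstance(value, str):
                yield child, value
            else:
                yield from iter_refs(value, child)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from iter_refs(item, f"{path}[{i}]")


def is_option_like(ref):
    """True if git would treat the value as an option rather than a ref name."""
    stripped = ref.strip()
    return stripped.startswith("-") or "--upload-pack=" in stripped


def audit_pulls(body):
    """Return [(json_path, ref)] for refs that must not reach git fetch."""
    return [(p, r) for p, r in iter_refs(json.loads(body)) if is_option_like(r)]


if __name__ == "__main__":
    for path, ref in audit_pulls(SAMPLE_PULLS):
        print(f"suspicious ref at {path}: {ref!r}")
```

The same check can run over pull-request data captured by an egress proxy during a migration, where the first bullet group says the impersonated API responses appear.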

CVSS provenance

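| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N |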