CVE-2022-42968
Published: 2022-10-16
CVE-2022-42968: Gitea before 1.17.3 does not sanitize and escape refs in the git backend. Arguments to git commands are mishandled.
Priority: P3 · 42 · critical · 9.8 (CVSS 3.1)
CVSS 3.1 vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 1.05% (60.0th percentile)
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| code.gitea.io | gitea | >= 0 < 1.17.3 | 1.17.3 |
| gitea | gitea | < 1.17.3 | 1.17.3 |
| github.com | go-gitea_gitea | >= 0 < 1.17.3 | 1.17.3 |
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| vendor_redhat | | 9.8 | CRITICAL | |
Red Hat
gitea: Sanitize and Escape refs in git backend
vendor_redhat · 2022-10-16 · CVSS 9.8 · CVE-2022-42968 [CRITICAL]
A flaw was found in Gitea. The self-hosted Git service does not sanitize and escape refs in the git backend. This issue could allow an attacker to craft arguments for the git commands, which will be mishandled.
Statement: The 'gitea' package is a transitive dependency in the Red Hat products and is not used directly in a codebase, which reduces the chances of successful exploitation. Hence, the impact is set as Moderate.
Package: openshift-logging/lokistack-gateway-rhel8 (Logging Subsystem for Red Hat OpenShift) - Not affected
Package: openshift-serverless-1/client-kn-rhel8 (OpenShift Serverless) - Not affected
Package: rha
OSV
Gitea vulnerable to Argument Injection in code.gitea.io/gitea
osv · 2024-08-21 · CVE-2022-42968
OSV
Gitea vulnerable to Argument Injection
osv · 2022-10-16 · CVE-2022-42968 [CRITICAL]
GHSA
Gitea vulnerable to Argument Injection
ghsa · 2022-10-16 · CVE-2022-42968 [CRITICAL] · CWE-88
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2022-10-16