
CVE-2022-27313: Arbitrary file deletion in gitea

CVSS Score (v3.1): 7.5

Basic Information

EPSS Score: 0.64987%
CWE: -
Published: 5/4/2022
Updated: 2/1/2023
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name: code.gitea.io/gitea
Ecosystem: go
Vulnerable Versions: < 1.16.4
First Patched Version: 1.16.4

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from improper path validation in LFS operations. Analysis of the fix in PR #19072 shows critical changes to: 1) the storage.Delete() function in local.go, which gained path containment checks, indicating that no such validation existed before; 2) the LFS router in lfs.go, which required additional security checks. The CVE description matches these code patterns: unvalidated user input in file deletion operations enabled arbitrary file deletion. The high confidence comes from the direct correlation between the vulnerability description, the CWE-22 path traversal class, and the specific path validation fixes implemented.
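An added illustration of the pattern the analysis describes (this is not Gitea's code and not from the PR cited above; the function names are hypothetical): a local-storage Delete that joins a caller-supplied name onto the base directory and removes whatever results, beside a hardened form that refuses any path that does not stay strictly inside the base.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideBase is returned when a requested path would leave the store root.
var ErrOutsideBase = errors.New("path escapes storage base directory")

// ContainedPath joins rel onto base and checks that the cleaned result is
// strictly inside base. filepath.Join collapses ".." first, so "../app.ini"
// resolves to the parent directory and fails the prefix test (hypothetical helper).
func ContainedPath(base, rel string) (string, error) {
	absBase, err := filepath.Abs(base)
	if err != nil {
		return "", err
	}
	full := filepath.Join(absBase, rel)
	if !strings.HasPrefix(full, absBase+string(filepath.Separator)) {
		return "", ErrOutsideBase
	}
	return full, nil
}

// UnsafeDelete is the weak pattern: the caller-controlled name is joined to
// the base and removed without checking where the joined path ends up.
func UnsafeDelete(base, rel string) error {
	return os.Remove(filepath.Join(base, rel))
}

// SafeDelete is the hardened form: refuse anything outside the base.
func SafeDelete(base, rel string) error {
	full, err := ContainedPath(base, rel)
	if err != nil {
		return fmt.Errorf("delete %q refused: %w", rel, err)
	}
	return os.Remove(full)
}

func main() {
	base, _ := os.MkdirTemp("", "lfs-store") // constructed sample store
	defer os.RemoveAll(base)
	_ = os.WriteFile(filepath.Join(base, "obj"), []byte("x"), 0o600)
	fmt.Println(SafeDelete(base, "obj"))        // <nil>: inside the store
	fmt.Println(SafeDelete(base, "../app.ini")) // refused: escapes the store
}
```

The check does not resolve symlinks placed inside the base, so a store that may contain untrusted symlinks needs an additional check after resolution.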

Vulnerable functions

Only Miggo users can see this section.

WAF Protection Rules

WAF Rule

An arbitrary file deletion vulnerability in Gitea before 1.16.4 allows attackers to cause a Denial of Service (DoS) via deleting the configuration file.
