CVE-2022-27313: Arbitrary file deletion in gitea
CVSS Score (v3.1): 7.5
Basic Information
CVE ID
GHSA ID
EPSS Score: 0.64987%
CWE: -
Published: 5/4/2022
Updated: 2/1/2023
KEV Status: No
Technology: Go
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version
---|---|---|---
code.gitea.io/gitea | go | < 1.16.4 | 1.16.4
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from improper path validation in LFS operations. Analysis of the fix in PR #19072 shows critical changes to: 1) the storage.Delete() function in local.go, which gained path containment checks, indicating the previous lack of validation; 2) the LFS router in lfs.go, which required additional security checks. The CVE description matches these code patterns: unvalidated user input in file deletion operations enabled arbitrary file deletion. The high confidence comes from the direct correlation between the vulnerability description, the CWE-22 path traversal class, and the specific path validation fixes implemented.
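The containment check the analysis describes, as an added illustration that is not gitea's code and not taken from PR #19072: a hypothetical local storage backend whose Delete() refuses any caller-supplied path that resolves outside the storage root. The type name LocalStorage, the helper buildLocalPath and the sentinel ErrInvalidPath are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrInvalidPath is returned when a requested path would escape the storage root.
// (Assumed name; not gitea's.)
var ErrInvalidPath = errors.New("invalid path: escapes storage root")

// LocalStorage is a hypothetical stand-in for a filesystem-backed storage
// rooted at Dir. It is not gitea's own type.
type LocalStorage struct {
	Dir string
}

// NewLocalStorage anchors the root at an absolute path so that the lexical
// containment check below compares like with like.
func NewLocalStorage(dir string) (*LocalStorage, error) {
	abs, err := filepath.Abs(dir)
	if err != nil {
		return nil, err
	}
	return &LocalStorage{Dir: abs}, nil
}

// buildLocalPath joins the caller-supplied relative path onto the root and
// rejects any result that does not stay strictly inside it. Join already runs
// filepath.Clean, so "objects/../../x" collapses before the check runs; the
// check is purely lexical (symlinks are not resolved).
func (l *LocalStorage) buildLocalPath(p string) (string, error) {
	full := filepath.Join(l.Dir, p)
	rel, err := filepath.Rel(l.Dir, full)
	if err != nil {
		return "", fmt.Errorf("%w: %q", ErrInvalidPath, p)
	}
	// "." would be the root itself; ".." or "../..." would be outside it.
	if rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %q", ErrInvalidPath, p)
	}
	return full, nil
}

// Delete removes an object only after the containment check has passed.
func (l *LocalStorage) Delete(p string) error {
	full, err := l.buildLocalPath(p)
	if err != nil {
		return err
	}
	return os.Remove(full)
}

func main() {
	dir, err := os.MkdirTemp("", "lfs-demo") // constructed scratch root
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)

	ls, err := NewLocalStorage(dir)
	if err != nil {
		panic(err)
	}
	for _, p := range []string{"objects/ab/cd", "objects/../../outside", "../outside", "."} {
		full, err := ls.buildLocalPath(p)
		fmt.Printf("%-26q -> path=%q err=%v\n", p, full, err)
	}
}
```

Without the check, the equivalent of os.Remove(filepath.Join(root, p)) deletes whatever the cleaned path points at, which is the pattern the analysis identifies as the root cause. Rel() is lexical only; where the storage root may contain symlinks, resolve with filepath.EvalSymlinks before comparing.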