
CVE-2022-30781: Shell command injection in gitea

CVSS Score (v3.1): 7.5

Basic Information

EPSS Score: 0.99346%
Published: 5/17/2022
Updated: 1/28/2023
KEV Status: No
Technology: Go

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Package Name: code.gitea.io/gitea
Ecosystem: go
Vulnerable Versions: < 1.16.7
First Patched Version: 1.16.7

Vulnerability Intelligence
Miggo AI Root Cause Analysis

  1. The CWE-116 indicates improper output escaping, matching command injection patterns
  2. The GitHub PR #19487 shows modifications to gitea_uploader.go adding --notags and command escaping
  3. The vulnerability specifically mentions git fetch remote as the injection vector
  4. The patch focuses on argument sanitization in migration handling code
  5. Packet Storm references confirm RCE through git fetch parameter manipulation
  6. The file path matches the component responsible for repository migration operations


WAF Protection Rules

WAF Rule

Gitea before 1.16.7 does not escape the shell out for `git fetch remote`, allowing for shell command injection
