
CVE-2022-31268: Path traversal in Gitblit

CVSS Score (v3.1): 7.5

Basic Information

EPSS Score: 0.99031%
Published: 5/22/2022
Updated: 1/27/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Package Name: com.gitblit:gitblit
Ecosystem: maven
Vulnerable Versions: <= 1.9.3
First Patched Version: (not listed)

Vulnerability Intelligence

Root Cause Analysis

The vulnerability manifests in resource handling via '/resources//../' patterns. In Java web applications, servlets typically map URL patterns to file system paths. The PoC shows traversal into the WEB-INF and META-INF directories, which the servlet specification protects from direct client access. The double slash followed by a '../' sequence suggests inadequate path normalization in the resource-serving logic. A ResourceServlet class (a common naming pattern in Java web apps) would logically handle '/resources/*' requests. The vulnerability stems from using the unsanitized, URL-derived path directly when opening files, without resolving the canonical path or checking that the result stays inside the intended directory. This matches CWE-22 (Improper Limitation of a Pathname to a Restricted Directory).
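As an added example (not Gitblit's own code), this is the check the analysis above describes as missing: a resolver for '/resources/*' requests that normalizes the URL-derived path with java.nio.file and refuses any result that leaves the resources directory. The web root path and the request strings are assumptions constructed for illustration.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

// Added example, not Gitblit's code: hardened resolution of a '/resources/*'
// request against a web root. Web root and request strings are constructed.
public final class SafeResourceResolver {

    private final Path resourcesRoot;

    public SafeResourceResolver(Path webRoot) {
        // Normalise the root once. On a real deployment prefer toRealPath()
        // on the existing directory so symlinks are resolved as well.
        this.resourcesRoot = webRoot.resolve("resources").toAbsolutePath().normalize();
    }

    // Returns the file to serve, or null when the request must be refused.
    public Path resolve(String pathInfo) {
        if (pathInfo == null || pathInfo.isEmpty() || pathInfo.indexOf('\0') >= 0) {
            return null;
        }
        // Drop leading slashes: Path.resolve() would otherwise treat an
        // absolute argument as replacing the root entirely.
        String relative = pathInfo.replaceFirst("^/+", "");
        if (relative.isEmpty() || Paths.get(relative).isAbsolute()) {
            return null;
        }
        // Lexical normalisation collapses '.', '..' and repeated separators,
        // so '//../WEB-INF/web.xml' becomes '<webRoot>/WEB-INF/web.xml'.
        Path candidate = resourcesRoot.resolve(relative).normalize();
        // The decisive check: the normalised path must still lie inside the
        // resources directory. startsWith compares whole path components,
        // so a sibling such as 'resources-old' does not pass.
        if (!candidate.startsWith(resourcesRoot)) {
            return null;
        }
        return candidate;
    }

    public static void main(String[] args) {
        SafeResourceResolver r = new SafeResourceResolver(Paths.get("/var/www/gitblit"));
        String[] requests = {
            "/css/site.css",                  // legitimate resource, served
            "//../WEB-INF/web.xml",           // the pattern from the advisory, refused
            "/img/../../META-INF/MANIFEST.MF" // nested escape, refused
        };
        for (String req : requests) {
            System.out.println(req + " -> " + r.resolve(req));
        }
    }
}
```

Note that the servlet container has already URL-decoded pathInfo by the time this runs, so the check operates on the decoded form; protected directories such as WEB-INF can only be reached if the normalized path escapes the resources root, which this resolver rejects.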


WAF Protection Rules

WAF Rule

A Path Traversal vulnerability in Gitblit 1.9.3 can lead to reading website files via /resources//../ (e.g., followed by a WEB-INF or META-INF pathname).
