VYPR
High severity · NVD Advisory · Published May 16, 2022 · Updated Aug 3, 2024

CVE-2022-30781

Description

Gitea before 1.16.7 does not escape git fetch remote.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Gitea before 1.16.7 does not escape git fetch remote, allowing remote code execution via crafted repository URLs.

Vulnerability

CVE-2022-30781 is a remote code execution vulnerability in Gitea, a self-hosted Git service. The bug resides in the handling of git fetch remote URLs; the software fails to escape or sanitize the remote parameter before passing it to the underlying Git command. This allows an attacker who can create or modify repository remotes to inject arbitrary Git arguments. The issue affects Gitea versions prior to 1.16.7 [1][3].

Exploitation

An attacker must have the ability to create or edit a repository, or to control a remote URL used in a fetch operation (for example, by configuring a malicious remote in a repository they have write access to). No user interaction is required beyond the fetch operation being triggered (e.g., by a repository mirror or manual fetch). The attacker crafts a remote URL containing special characters or Git command options. When Gitea executes git fetch with this unescaped remote, the injected options are interpreted by Git, enabling arbitrary command execution [1][3].

Impact

Successful exploitation allows the attacker to achieve remote code execution (RCE) on the Gitea server, with the privileges of the Gitea process. This can lead to full compromise of the Git data, sensitive information disclosure, and potentially lateral movement within the hosting environment [1][4].

Mitigation

The vulnerability is fixed in Gitea version 1.16.7, released on 2022-05-16 [1][3][4]. The fix escapes the remote parameter before passing it to the Git fetch command. Users running Gitea versions prior to 1.16.7 should upgrade immediately. There is no known workaround for unpatched installations. CVE-2022-30781 is not currently listed in CISA's Known Exploited Vulnerabilities catalog.
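As an added illustration of the class of fix described above (example code, not Gitea's own patch), the Go helper below builds the argument vector for git fetch so that the remote is always a positional operand: it rejects values beginning with "-", inserts git's "--" end-of-options marker, and invokes git with an explicit argv rather than a shell. The names FetchArgs and RunFetch and the sample remotes are this example's own.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"strings"
)

// ErrUnsafeRemote is returned for a remote or refspec that git could read as an option.
var ErrUnsafeRemote = errors.New("remote/refspec must not start with '-'")

// FetchArgs builds the argv for `git fetch <remote> [refspec...]` so that
// caller-supplied values are always operands, never options.
// Illustrative hardening only; this is not Gitea's actual patch.
func FetchArgs(remote string, refspecs ...string) ([]string, error) {
	if remote == "" || strings.HasPrefix(remote, "-") {
		return nil, ErrUnsafeRemote
	}
	for _, r := range refspecs {
		if strings.HasPrefix(r, "-") {
			return nil, ErrUnsafeRemote
		}
	}
	// "--" is git's end-of-options marker: even a value that slipped past
	// the prefix check above cannot be parsed as an option after it.
	args := []string{"fetch", "--", remote}
	return append(args, refspecs...), nil
}

// RunFetch executes git with an explicit argv and no shell, so shell
// metacharacters in the remote are passed through literally as well.
func RunFetch(repoDir, remote string, refspecs ...string) error {
	args, err := FetchArgs(remote, refspecs...)
	if err != nil {
		return err
	}
	cmd := exec.Command("git", args...)
	cmd.Dir = repoDir
	if out, err := cmd.CombinedOutput(); err != nil {
		return fmt.Errorf("git %s: %w: %s", strings.Join(args, " "), err, out)
	}
	return nil
}

func main() {
	// Constructed sample remotes: one ordinary, one that git would parse as an option.
	for _, remote := range []string{"origin", "--bogus-option"} {
		args, err := FetchArgs(remote, "+refs/heads/*:refs/remotes/origin/*")
		fmt.Printf("%q -> %q (err: %v)\n", remote, args, err)
	}
}
```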

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                    Affected versions    Patched versions
code.gitea.io/gitea (Go)   < 1.16.7             1.16.7

Affected products: 3

Patches: 0 (No patches discovered yet.)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 8

News mentions: 0 (No linked articles in our index yet.)