VYPR
Moderate severity · NVD Advisory · Published Aug 7, 2023 · Updated Oct 17, 2024

CVE-2022-38795

Description

In Gitea through 1.17.1, repo cloning can occur in the migration function.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Gitea before 1.17.2 allowed unauthorized repository cloning via the migration function due to insufficient URL validation.

Vulnerability

CVE-2022-38795 describes a vulnerability in Gitea through version 1.17.1 where repository cloning can be triggered through the migration function [1]. The root cause is that the migration downloaders could rewrite CloneURLs to point to unallowed URLs without sufficient re-validation [3]. This allowed an attacker to bypass intended access controls and clone repositories that should not have been accessible.

Exploitation

An attacker could exploit this by crafting a migration request that specifies a repository whose clone URL, after being rewritten by the migration downloader, points to a location the attacker should not have access to [3]. No special privileges are required beyond being able to initiate a migration operation on the target Gitea instance.

Impact

Successful exploitation allows unauthorized cloning of repositories, potentially exposing sensitive source code, configuration files, or other private data stored in version control [1][3]. This could lead to information disclosure and further compromise of related systems.

Mitigation

The vulnerability was fixed in Gitea version 1.17.2, released on September 6, 2022 [4]. The fix adds a double-check on the CloneURL after migration downloaders rewrite it, ensuring only allowed URLs are accepted [3]. Users are strongly advised to update to version 1.17.2 or later to protect their instances.
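The defect and its fix follow a common pattern: a value is validated, then replaced by a component that the check never sees. The following Go sketch is an added illustration, not Gitea's code; the allowlist, the rewrite function and the URLs are all constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// allowedHosts is a constructed allowlist standing in for an instance's
// migration policy (hypothetical, not Gitea's configuration).
var allowedHosts = map[string]bool{"github.com": true, "gitlab.com": true}

// validateCloneURL is the policy check that must hold for the address
// that is finally cloned, not only for the address the user typed.
func validateCloneURL(raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if u.Scheme != "https" {
		return errors.New("scheme not allowed: " + u.Scheme)
	}
	host := strings.ToLower(u.Hostname())
	if !allowedHosts[host] {
		return fmt.Errorf("host not allowed: %q", host)
	}
	return nil
}

// rewriteCloneURL models a downloader that derives its own clone address
// (e.g. from remote metadata). The constructed result leaves the allowlist.
func rewriteCloneURL(userURL string) string {
	_ = userURL
	return "http://internal.example/private.git"
}

// migrateVulnerable checks the user-supplied address once and then clones
// whatever the downloader produced (the pre-1.17.2 behaviour).
func migrateVulnerable(userURL string) (string, error) {
	if err := validateCloneURL(userURL); err != nil {
		return "", err
	}
	return rewriteCloneURL(userURL), nil // rewritten address never re-checked
}

// migrateFixed re-runs the same check on the rewritten address (the double-check).
func migrateFixed(userURL string) (string, error) {
	if err := validateCloneURL(userURL); err != nil {
		return "", err
	}
	final := rewriteCloneURL(userURL)
	if err := validateCloneURL(final); err != nil {
		return "", fmt.Errorf("rewritten clone URL rejected: %w", err)
	}
	return final, nil
}

func main() {
	_, err1 := migrateVulnerable("https://github.com/org/repo.git")
	_, err2 := migrateFixed("https://github.com/org/repo.git")
	fmt.Println("vulnerable:", err1, "| fixed:", err2)
}
```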

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                       Ecosystem   Affected versions   Patched versions
code.gitea.io/gitea           Go          < 1.17.2            1.17.2

Affected products: 3

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 6

News mentions: 0

No linked articles in our index yet.