VYPR
Critical severity · NVD Advisory · Published Oct 16, 2022 · Updated May 14, 2025

CVE-2022-42968


Description

Gitea before 1.17.3 does not sanitize and escape refs in the git backend. Arguments to git commands are mishandled.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Gitea before 1.17.3 fails to sanitize git refs, allowing command injection via mishandled arguments to git commands.

Vulnerability

Overview

CVE-2022-42968 is a command injection vulnerability in Gitea, a self-hosted Git service, affecting versions before 1.17.3. The root cause is that the git backend does not properly sanitize and escape refs (references such as branch or tag names) when constructing arguments to git commands. This oversight allows an attacker to inject arbitrary arguments by crafting malicious ref names.

Exploitation

Prerequisites

To exploit this vulnerability, an attacker must be able to create or control a Git ref that will be processed by the vulnerable Gitea instance. This could be achieved through repository operations that create branches or tags with specially crafted names. The attack does not require authentication beyond having permissions to create or push refs in a repository on the instance [1][3].

Impact

Successful exploitation could allow an attacker to execute arbitrary commands on the server running Gitea, potentially leading to full compromise of the application and its data. The severity is underscored by the CVSS score and the security nature of the fix [4].

Mitigation

The vulnerability is fixed in Gitea version 1.17.3, released on October 16, 2022. The fix, implemented in pull request #21463, ensures that refs are sanitized and escaped before being passed to git commands [3][4]. Users are strongly advised to upgrade to this version or later. No workarounds are documented.
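The overview above describes the root cause (unvalidated ref names reaching a git argument vector) and the mitigation describes the fix only as "sanitized and escaped". As an added illustration of the defensive pattern, not Gitea's own code from pull request #21463, the following hypothetical Go helper applies the documented rules of `git check-ref-format`, additionally rejects any name beginning with `-` so a ref can never be parsed as an option, and places the ref after git's `--end-of-options` marker (available since git 2.24) when building the argument list. The function names `IsSafeRefName` and `GitArgs` and the sample ref names are assumptions constructed for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// IsSafeRefName reports whether name may be handed to a git subcommand as a
// ref. It mirrors the rules documented for `git check-ref-format` and, on top
// of those, refuses any name that begins with '-' so that a ref can never be
// mistaken for a command-line option. Hypothetical validator, not Gitea's code.
func IsSafeRefName(name string) bool {
	if name == "" || name == "@" {
		return false
	}
	// Option-looking names ("-x", "--foo") must never reach argv.
	if strings.HasPrefix(name, "-") {
		return false
	}
	// No leading/trailing slash, no trailing dot.
	if strings.HasPrefix(name, "/") || strings.HasSuffix(name, "/") || strings.HasSuffix(name, ".") {
		return false
	}
	// No "..", no empty path components, no reflog syntax "@{".
	if strings.Contains(name, "..") || strings.Contains(name, "//") || strings.Contains(name, "@{") {
		return false
	}
	for _, r := range name {
		switch {
		case r < 0x20, r == 0x7f: // ASCII control characters and DEL
			return false
		case r == ' ', r == '~', r == '^', r == ':', r == '?', r == '*', r == '[', r == '\\':
			return false
		}
	}
	// Per-component rules: no component may start with '.' or end with ".lock".
	for _, comp := range strings.Split(name, "/") {
		if strings.HasPrefix(comp, ".") || strings.HasSuffix(comp, ".lock") {
			return false
		}
	}
	return true
}

// GitArgs builds the argument vector for a git subcommand. The ref is validated
// first and then placed after "--end-of-options", so git treats it as an
// operand even if it somehow resembled a flag. Note that "--" is NOT a
// substitute here: for rev-list/log it separates revisions from pathspecs, so a
// ref placed after "--" would be read as a path. Hypothetical helper.
func GitArgs(subcmd string, ref string, extra ...string) ([]string, error) {
	if !IsSafeRefName(ref) {
		return nil, fmt.Errorf("refusing unsafe ref name %q", ref)
	}
	args := append([]string{subcmd}, extra...)
	args = append(args, "--end-of-options", ref)
	return args, nil
}

func main() {
	// Constructed sample ref names: two legitimate, three that must be rejected.
	samples := []string{"refs/heads/main", "release/v1.17.3", "--not-a-ref", "feature..hotfix", "a/.hidden"}
	for _, ref := range samples {
		args, err := GitArgs("rev-list", ref, "--max-count=1")
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Println("git", strings.Join(args, " "))
	}
}
```

The validator is deliberately a whitelist of structure rather than a blacklist of known-bad flags: the rejection of a leading `-` is what closes the argument-injection class, and `--end-of-options` is defence in depth for the case where a ref reaches the command builder by another path.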

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: github.com/go-gitea/gitea (Go)
Affected versions: < 1.17.3
Patched versions: 1.17.3
