CVE-2022-30781
CVE-2022-30781
Vexday Risk Score
62High priority
SSVC decision (CISA)
Attend
PoC available → attend closely
Exploit maturity
Functional exploit
Popular PoC on GitHub (85 stars) — exploitation code widely available.
CVSS —EPSS 87.7%KEV nãoPoC públicaNuclei —Metasploit simPatch —
Lifecycle
16 May 2022Metasploit module available
16 May 2022Published on NVD
22 May 2022Public PoC
Weaponization speed
6 daysto first PoC
same dayto Metasploit module
Weaponized quickly — attackers prioritized this vulnerability. Patch urgently.
Recommendation: Plan a near-term fix — a public PoC already exists.
Gitea before 1.16.7 does not escape git fetch remote.
Affected products
n/a · n/apublic PoCs found — 4
githubgithub.com/wuhan005/CVE-2022-30781★ 85exploitdbwww.exploit-db.com/exploits/51009unverifiedcve_referencepacketstormsecurity.com/files/168400/Gitea-1.16.6-Remote-Code-Execution.htmlunverifiedcve_referencepacketstormsecurity.com/files/169928/Gitea-Git-Fetch-Remote-Code-Execution.htmlunverified⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
References
http://packetstormsecurity.com/files/168400/Gitea-1.16.6-Remote-Code-Execution.htmlhttp://packetstormsecurity.com/files/169928/Gitea-Git-Fetch-Remote-Code-Execution.htmlhttps://blog.gitea.io/2022/05/gitea-1.16.7-is-released/https://github.com/go-gitea/gitea/pull/19487https://github.com/go-gitea/gitea/pull/19490