CVE-2022-31268
Published: 21 May 2022
Summary
CVE-2022-31268 is a high-severity Path Traversal (CWE-22) vulnerability in Gitblit. Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top 0.4% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
CVE-2022-31268 is a path traversal vulnerability, tracked under CWE-22, that affects Gitblit version 1.9.3. It permits reading arbitrary website files when an attacker supplies a request containing the sequence /resources//../ followed by pathnames such as WEB-INF or META-INF. The flaw carries a CVSS 3.1 base score of 7.5, reflecting network attack vector, low complexity, and no required privileges or user interaction, with a high impact on confidentiality.
An unauthenticated remote attacker can exploit the issue by sending crafted HTTP requests to the affected Gitblit instance, enabling direct retrieval of sensitive files that would otherwise be inaccessible. The provided references consist of a detailed technical write-up and proof-of-concept demonstrating the traversal technique but contain no information on official patches or mitigation steps. The associated EPSS score stands at 0.9004 with an identical peak value, indicating sustained exploitation interest without evidence of a material rise from a low baseline.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-1958
Vulnerability details
A Path Traversal vulnerability in Gitblit 1.9.3 can lead to reading website files via /resources//../ (e.g., followed by a WEB-INF or META-INF pathname).
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls (AI-derived)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validates pathnames and filenames to prevent traversal outside intended directories.
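The following is an added example, not Gitblit's code and not part of this advisory. It shows the control described above applied to the request shape described in the deeper analysis: a path validator that canonicalizes a request path (collapsing the empty segment in `//` and resolving `..`) before checking that it still lies under the resource root, plus a log scanner that flags requests whose path escapes that root. The resource root `/resources`, the combined-format log lines and the IP addresses are constructed for the example.

```python
import posixpath
import re
from urllib.parse import unquote

# Assumed layout for this example: static assets are served from /resources,
# and nothing outside that prefix should be reachable through it.
RESOURCE_ROOT = "/resources"

# Combined log format request field, e.g. "GET /resources/x HTTP/1.1"
REQUEST_RE = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/')


def resolve_resource_path(request_path: str):
    """Return the canonical path if it stays under RESOURCE_ROOT, else None.

    The order matters: decode first, then normalize, then compare. Checking the
    raw string for "../" would miss "%2e%2e/", and checking before normalization
    would miss "/resources//../WEB-INF", where the empty segment created by "//"
    is what lets a naive prefix check pass.
    """
    # Decode exactly once; decoding twice would turn "%252e" into "." and
    # reopen the hole for double-encoded input.
    decoded = unquote(request_path)
    # Null bytes and backslashes never belong in a resource path.
    if "\x00" in decoded or "\\" in decoded:
        return None
    # normpath collapses "//" and "." and resolves "..":
    # "/resources//../WEB-INF/web.xml" -> "/WEB-INF/web.xml"
    # Note: normpath keeps a leading "//" as-is, so "//resources/x" fails the
    # prefix check below and is rejected, which is the safe outcome.
    normalized = posixpath.normpath(decoded)
    if not normalized.startswith(RESOURCE_ROOT + "/"):
        return None
    return normalized


def flag_traversal_requests(log_lines):
    """Return (line_number, decoded_path) for requests under /resources that
    fail to resolve inside the resource root (detection view of the same check)."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        path = match.group(1).split("?", 1)[0]  # drop any query string
        if path.startswith(RESOURCE_ROOT + "/") and resolve_resource_path(path) is None:
            hits.append((number, unquote(path)))
    return hits


# Constructed sample access log; addresses and timestamps are made up.
SAMPLE_LOG = [
    '10.0.0.5 - - [21/May/2022:10:00:01 +0000] "GET /resources/css/style.css HTTP/1.1" 200 1200',
    '10.0.0.9 - - [21/May/2022:10:00:02 +0000] "GET /resources//../WEB-INF/web.xml HTTP/1.1" 200 3500',
    '10.0.0.9 - - [21/May/2022:10:00:03 +0000] "GET /resources/%2e%2e/META-INF/MANIFEST.MF HTTP/1.1" 200 110',
    '10.0.0.7 - - [21/May/2022:10:00:04 +0000] "GET /summary/repo.git HTTP/1.1" 200 8000',
]

if __name__ == "__main__":
    for number, path in flag_traversal_requests(SAMPLE_LOG):
        print(f"line {number}: traversal out of {RESOURCE_ROOT}: {path}")
```

The validator is the mitigation (deny before touching the filesystem); the scanner reuses it so that detection and prevention agree on what counts as an escape. A 200 status on a flagged line is the signal that the server actually served the file, which is the condition to hunt for in historical logs.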