Cyber Resilience

CVE-2022-31268

Severity: High · Public PoC

Published: 21 May 2022
Modified: 21 November 2024
KEV Added: not listed
Patch: none referenced
CVSS Score (v3.1): 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.9004 (99.6th percentile)
Risk Priority: 69 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-31268 is a high-severity Path Traversal (CWE-22) vulnerability in Gitblit (vendor: Gitblit). Its CVSS 3.1 base score is 7.5 (High).

Operationally, it ranks in the top 0.4% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

CVE-2022-31268 is a path traversal vulnerability, tracked under CWE-22, that affects Gitblit version 1.9.3. It permits reading arbitrary website files when a request contains the sequence /resources//../ followed by a pathname such as WEB-INF or META-INF. The flaw carries a CVSS 3.1 base score of 7.5, reflecting a network attack vector, low attack complexity, and no required privileges or user interaction, with a high impact on confidentiality and none on integrity or availability.

An unauthenticated remote attacker can exploit the issue by sending crafted HTTP requests to the affected Gitblit instance, enabling direct retrieval of sensitive files that would otherwise be inaccessible. The provided references consist of a detailed technical write-up and proof-of-concept demonstrating the traversal technique; they contain no information on official patches or mitigation steps. The associated EPSS score stands at 0.9004, equal to its peak value, indicating sustained exploitation interest rather than a recent rise from a low baseline.

EU & UK References

Vulnerability details

A Path Traversal vulnerability in Gitblit 1.9.3 can lead to reading website files via /resources//../ (e.g., followed by a WEB-INF or META-INF pathname).

CWE(s)

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: gitblit
Product: gitblit
Version: 1.9.3

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses: CWE-22

Validates pathnames and filenames to prevent traversal outside intended directories.
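As an added, defender-side illustration of this control (example code, not Gitblit's own): the check canonicalizes a request path the way a lenient static-file resolver would, collapsing the empty segment produced by `//` before resolving `..`, then rejects anything whose canonical form leaves `/resources/` or reaches `WEB-INF`/`META-INF`. The same check is run over a few constructed access-log lines to flag requests that an unpatched 1.9.3 instance would have served. The `/resources/` prefix, the Common Log Format layout, the sample lines and the assumption that the downstream resolver collapses repeated slashes the way `posixpath.normpath` does are all assumptions of this example.

```python
"""Path-canonicalization check and access-log triage for the traversal
pattern in the advisory (/resources//../ followed by WEB-INF or META-INF).
Added example, not Gitblit code. Assumptions: static resources live under
/resources/, and some downstream component collapses empty path segments
before resolving '..', so the check must normalize at least as leniently."""
import posixpath
import re
from urllib.parse import unquote, urlsplit

RESOURCE_PREFIX = "/resources/"          # assumed protected static prefix
# Servlet-container directories that must never be served as static files.
FORBIDDEN_DIRS = ("WEB-INF", "META-INF")

# Common Log Format; assumed layout for the constructed sample below.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)


def canonical_path(raw_path: str) -> str:
    """Return the path a lenient resolver would actually open.

    Drops the query string, percent-decodes once, then collapses repeated
    slashes and resolves '.' / '..'. A naive prefix check on the raw string
    passes '/resources//../WEB-INF/web.xml'; normalizing first exposes that
    the request really targets /WEB-INF/web.xml.
    """
    path = unquote(urlsplit(raw_path).path)
    # lstrip keeps normpath from preserving a POSIX-special leading '//'.
    return posixpath.normpath("/" + path.lstrip("/"))


def is_safe_resource_request(raw_path: str) -> bool:
    """True only if the canonical path stays under the prefix and touches
    no container-internal directory (compared case-insensitively)."""
    canon = canonical_path(raw_path)
    if not canon.startswith(RESOURCE_PREFIX):
        return False
    return not any(seg.upper() in FORBIDDEN_DIRS for seg in canon.split("/"))


def triage_access_log(lines):
    """Return (ip, raw_path, canonical_path, status) for resource requests
    that fail the check, i.e. ones a vulnerable instance would resolve
    outside /resources/ or into WEB-INF / META-INF."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        raw = m.group("path")
        if raw.startswith(RESOURCE_PREFIX.rstrip("/")) and not is_safe_resource_request(raw):
            findings.append((m.group("ip"), raw, canonical_path(raw), int(m.group("status"))))
    return findings


# Constructed sample log: two benign requests (the second resolves '..' but
# stays inside the prefix) and two that match the advisory's pattern.
SAMPLE_LOG = [
    '198.51.100.7 - - [21/May/2022:10:02:11 +0000] "GET /resources/gitblit.css HTTP/1.1" 200 5120',
    '198.51.100.7 - - [21/May/2022:10:02:12 +0000] "GET /resources/css/../gitblit.css HTTP/1.1" 200 5120',
    '203.0.113.9 - - [21/May/2022:10:05:40 +0000] "GET /resources//../WEB-INF/web.xml HTTP/1.1" 200 2210',
    '203.0.113.9 - - [21/May/2022:10:05:41 +0000] "GET /resources//../META-INF/MANIFEST.MF HTTP/1.1" 200 311',
]

if __name__ == "__main__":
    for ip, raw, canon, status in triage_access_log(SAMPLE_LOG):
        # A 200 on one of these means the file was actually disclosed.
        print(f"{ip} requested {raw!r} -> resolves to {canon!r} (HTTP {status})")
```

Applied inline (for example in a reverse proxy or a servlet filter in front of the resource handler), `is_safe_resource_request` turns the request away before any file is opened; applied to historical logs, `triage_access_log` gives the list of source addresses and the exact files an exposed instance would have returned, which is the starting point for a disclosure assessment.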

References