{
  "threat_severity" : "Moderate",
  "public_date" : "2022-10-16T00:00:00Z",
  "bugzilla" : {
    "description" : "gitea: Sanitize and Escape refs in git backend",
    "id" : "2135739",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2135739"
  },
  "cvss3" : {
    "cvss3_base_score" : "9.8",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
    "status" : "draft"
  },
  "details" : [ "Gitea before 1.17.3 does not sanitize and escape refs in the git backend. Arguments to git commands are mishandled.", "A flaw was found in Gitea. The self-hosted Git service does not sanitize and escape refs in the git backend. This issue could allow an attacker to craft arguments for the git commands, which will be mishandled." ],
  "statement" : "The 'gitea' package is a transitive dependency in the Red Hat products and is not used directly in a codebase, which reduces the chances of successful exploitation. Hence, the impact is set as Moderate.",
  "package_state" : [ {
    "product_name" : "Logging Subsystem for Red Hat OpenShift",
    "fix_state" : "Not affected",
    "package_name" : "openshift-logging/lokistack-gateway-rhel8",
    "cpe" : "cpe:/a:redhat:logging:5"
  }, {
    "product_name" : "OpenShift Serverless",
    "fix_state" : "Not affected",
    "package_name" : "openshift-serverless-1/client-kn-rhel8",
    "cpe" : "cpe:/a:redhat:serverless:1"
  }, {
    "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2",
    "fix_state" : "Not affected",
    "package_name" : "rhacm2/acm-search-v2-rhel9",
    "cpe" : "cpe:/a:redhat:acm:2"
  }, {
    "product_name" : "Red Hat Advanced Cluster Security 3",
    "fix_state" : "Not affected",
    "package_name" : "advanced-cluster-security/rhacs-main-rhel8",
    "cpe" : "cpe:/a:redhat:advanced_cluster_security:3"
  }, {
    "product_name" : "Red Hat Advanced Cluster Security 3",
    "fix_state" : "Not affected",
    "package_name" : "advanced-cluster-security/rhacs-scanner-rhel8",
    "cpe" : "cpe:/a:redhat:advanced_cluster_security:3"
  }, {
    "product_name" : "Red Hat OpenShift GitOps",
    "fix_state" : "Not affected",
    "package_name" : "openshift-gitops-1/kam-delivery-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_gitops:1"
  }, {
    "product_name" : "Red Hat OpenShift GitOps",
    "fix_state" : "Not affected",
    "package_name" : "openshift-gitops-kam",
    "cpe" : "cpe:/a:redhat:openshift_gitops:1"
  }, {
    "product_name" : "Red Hat Quay 3",
    "fix_state" : "Not affected",
    "package_name" : "quay/quay-builder-rhel8",
    "cpe" : "cpe:/a:redhat:quay:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-42968\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-42968\nhttps://github.com/advisories/GHSA-w8xw-7crf-h23x" ],
  "name" : "CVE-2022-42968",
  "csaw" : false
}