CVE-2021-22218 — Improper Certificate Validation in Gitlab

CWE-295 — Improper Certificate Validation4 documents4 sources

Severity

2.6LOWNVD

EPSS

0.1%

top 68.35%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gitlab Debian Gitlab Gitlab CE

Timeline

PublishedJun 8

Latest updateMay 24

Description

All versions of GitLab CE/EE starting from 12.8 before 13.10.5, all versions starting from 13.11 before 13.11.5, and all versions starting from 13.12 before 13.12.2 were affected by an issue in the handling of x509 certificates that could be used to spoof author of signed commits.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:NExploitability: 1.2 | Impact: 1.4

Affected Packages5 packages

▶NVDgitlab/gitlab12.8.0 — 13.10.5+2

▶debiandebian/gitlab< gitlab 15.10.8+ds1-2 (sid)

▶CVEListV5gitlab/gitlab>=12.8, <13.10.5, >=13.11, <13.11.5, >=13.12, <13.12.2+2

▶gitlabgitlab/gitlab

▶gitlabgitlab/gitlab_ce

🔴Vulnerability Details

GHSA

GHSA-6qcx-wmcg-gqpq: All versions of GitLab CE/EE starting with 12↗2022-05-24

▶

📋Vendor Advisories

GitLab

CVE-2021-22218: All versions of GitLab CE/EE starting from 12.8 before 13.10.5, all versions starting from 13.11 before 13.11.5, and all versions starting from 13.12↗2021-06-08

▶

Debian

CVE-2021-22218: gitlab - All versions of GitLab CE/EE starting from 12.8 before 13.10.5, all versions sta...↗2021

▶