CVE-2022-0123 — Improper Certificate Validation in Gitlab

CWE-295 — Improper Certificate Validation6 documents6 sources

Severity

6.8MEDIUMNVD

EPSS

0.1%

top 75.81%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gitlab Debian Gitlab

Timeline

PublishedMar 28

Latest updateMar 29

Description

An issue has been discovered affecting GitLab versions prior to 14.4.5, between 14.5.0 and 14.5.3, and between 14.6.0 and 14.6.1. GitLab does not validate SSL certificates for some of external CI services which makes it possible to perform MitM attacks on connections to these external services.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:NExploitability: 1.6 | Impact: 5.2

Affected Packages4 packages

▶NVDgitlab/gitlab14.5.0 — 14.5.3+2

▶debiandebian/gitlab< gitlab 15.10.8+ds1-2 (sid)

▶CVEListV5gitlab/gitlab<14.4.5, >=14.5.0, <14.5.3, >=14.6.0, <14.6.1+2

▶gitlabgitlab/gitlab

🔴Vulnerability Details

GHSA

GHSA-h2r9-r9v2-fvwp: An issue has been discovered affecting GitLab versions prior to 14↗2022-03-29

▶

OSV

CVE-2022-0123: An issue has been discovered affecting GitLab versions prior to 14↗2022-03-28

▶

💥Exploits & PoCs

Nuclei

WordPress FeedWordPress < 2022.0123 - Authenticated Cross-Site Scripting

▶

📋Vendor Advisories

GitLab

CVE-2022-0123: An issue has been discovered affecting GitLab versions prior to 14.4.5, between 14.5.0 and 14.5.3, and between 14.6.0 and 14.6.1. GitLab does not vali↗2022-03-28

▶

Debian

CVE-2022-0123: gitlab - An issue has been discovered affecting GitLab versions prior to 14.4.5, between ...↗2022

▶