CVE-2022-0125Missing Authorization in Gitlab

CWE-862Missing AuthorizationCWE-269Improper Privilege ManagementCWE-20Improper Input Validation6 documents6 sources
Severity
4.3MEDIUMNVD
CISA9.8
EPSS
0.3%
top 48.48%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
GitlabDebian Gitlab
Timeline
PublishedJan 18
Latest updateMar 25

Description

An issue has been discovered in GitLab affecting all versions starting from 12.0 before 14.4.5, all versions starting from 14.5.0 before 14.5.3, all versions starting from 14.6.0 before 14.6.2. GitLab was not verifying that a maintainer of a project had the right access to import members from a target project.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages4 packages

NVDgitlab/gitlab12.014.4.5+2
debiandebian/gitlab< gitlab 15.10.8+ds1-2 (sid)
CVEListV5gitlab/gitlab>=12.0, <14.4.5, >=14.5.0, <14.5.3, >=14.6.0, <14.6.2+2
gitlabgitlab/gitlab

🔴Vulnerability Details

2
GHSA
GHSA-75xf-j8f2-9vxq: An issue has been discovered in GitLab affecting all versions starting from 122022-01-19
OSV
CVE-2022-0125: An issue has been discovered in GitLab affecting all versions starting from 122022-01-18

📋Vendor Advisories

3
CISA
Cisco VPN Routers Remote Code Execution Vulnerability2022-03-25
GitLab
CVE-2022-0125: An issue has been discovered in GitLab affecting all versions starting from 12.0 before 14.4.5, all versions starting from 14.5.0 before 14.5.3, all v2022-01-18
Debian
CVE-2022-0125: gitlab - An issue has been discovered in GitLab affecting all versions starting from 12.0...2022