CVE-2022-0154 — Cross-Site Request Forgery in Gitlab

CWE-352 — Cross-Site Request Forgery CWE-3996 documents6 sources

Severity

8.0HIGHNVD

CISA7.5

EPSS

0.1%

top 66.98%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gitlab Debian Gitlab

Timeline

PublishedJan 18

Latest updateMar 3

Description

An issue has been discovered in GitLab affecting all versions starting from 7.7 before 14.4.5, all versions starting from 14.5.0 before 14.5.3, all versions starting from 14.6.0 before 14.6.2. GitLab was vulnerable to a Cross-Site Request Forgery attack that allows a malicious user to have their GitHub project imported on another GitLab user account.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:HExploitability: 2.1 | Impact: 5.9

Affected Packages4 packages

▶NVDgitlab/gitlab7.7 — 14.4.5+2

▶debiandebian/gitlab< gitlab 15.10.8+ds1-2 (sid)

▶CVEListV5gitlab/gitlab>=14.5.0, <14.5.3, >=14.6.0, <14.6.2, >=7.7, <14.4.5+2

▶gitlabgitlab/gitlab

🔴Vulnerability Details

GHSA

GHSA-c8m7-c9rp-w2g3: An issue has been discovered in GitLab affecting all versions starting from 7↗2022-01-19

▶

OSV

CVE-2022-0154: An issue has been discovered in GitLab affecting all versions starting from 7↗2022-01-18

▶

📋Vendor Advisories

CISA

Cisco IOS Software Integrated Services Module for VPN Denial-of-Service Vulnerability↗2022-03-03

▶

GitLab

CVE-2022-0154: An issue has been discovered in GitLab affecting all versions starting from 7.7 before 14.4.5, all versions starting from 14.5.0 before 14.5.3, all ve↗2022-01-18

▶

Debian

CVE-2022-0154: gitlab - An issue has been discovered in GitLab affecting all versions starting from 7.7 ...↗2022

▶