CVE-2022-0172 — Incorrect Authorization in Gitlab

CWE-863 — Incorrect Authorization CWE-20 — Improper Input Validation6 documents6 sources

Severity

6.5MEDIUMNVD

CISA8.6

EPSS

0.1%

top 75.73%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gitlab Debian Gitlab Gitlab CE

Timeline

PublishedJan 18

Latest updateMar 3

Description

An issue has been discovered in GitLab CE/EE affecting all versions starting with 12.3. Under certain conditions it was possible to bypass the IP restriction for public projects through GraphQL allowing unauthorised users to read titles of issues, merge requests and milestones.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:NExploitability: 3.9 | Impact: 2.5

Affected Packages5 packages

▶NVDgitlab/gitlab13.2 — 14.4.5+2

▶debiandebian/gitlab< gitlab 15.10.8+ds1-2 (sid)

▶CVEListV5gitlab/gitlab>=13.2, <14.4.5, >=14.5, <14.5.3, >=14.6, <14.6.2+2

▶gitlabgitlab/gitlab

▶gitlabgitlab/gitlab_ce

🔴Vulnerability Details

GHSA

GHSA-jm36-4mv9-x2pw: An issue has been discovered in GitLab CE/EE affecting all versions starting with 12↗2022-01-19

▶

OSV

CVE-2022-0172: An issue has been discovered in GitLab CE/EE affecting all versions starting with 12↗2022-01-18

▶

📋Vendor Advisories

CISA

Cisco IOS and IOS XE Software Improper Input Validation Vulnerability↗2022-03-03

▶

GitLab

CVE-2022-0172: An issue has been discovered in GitLab CE/EE affecting all versions starting with 12.3. Under certain conditions it was possible to bypass the IP rest↗2022-01-18

▶

Debian

CVE-2022-0172: gitlab - An issue has been discovered in GitLab CE/EE affecting all versions starting wit...↗2022

▶