CVE-2022-0477Cross-site Scripting in Gitlab

CWE-79Cross-site Scripting6 documents6 sources
Severity
4.9MEDIUMNVD
EPSS
0.2%
top 59.48%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
GitlabDebian Gitlab
Timeline
PublishedApr 25
Latest updateApr 26

Description

An issue has been discovered in GitLab affecting all versions starting from 11.9 before 14.5.4, all versions starting from 14.6.0 before 14.6.4, all versions starting from 14.7.0 before 14.7.1. GitLab was not correctly handling bulk requests to delete existing packages from the package registries which could result in a Denial of Service under specific conditions.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:HExploitability: 1.2 | Impact: 3.6

Affected Packages4 packages

NVDgitlab/gitlab11.914.5.4+2
debiandebian/gitlab< gitlab 15.10.8+ds1-2 (sid)
CVEListV5gitlab/gitlab>=11.9, <14.5.4, >=14.6.0, <14.6.4, >=14.7.0, <14.7.1+2
gitlabgitlab/gitlab

🔴Vulnerability Details

1
GHSA
GHSA-3hmc-2fvj-7wmx: An issue has been discovered in GitLab affecting all versions starting from 112022-04-26

📋Vendor Advisories

3
GitLab
CVE-2022-0477: An issue has been discovered in GitLab affecting all versions starting from 11.9 before 14.5.4, all versions starting from 14.6.0 before 14.6.4, all v2022-04-25
Debian
CVE-2022-0477: gitlab - An issue has been discovered in GitLab affecting all versions starting from 11.9...2022
Red Hat
Mozilla: Potential XSS through ISO-2022-KR/ISO-2022-CN decoding issues (MFSA 2012-29)2012-04-24

💬Community

1
Bugzilla
CVE-2012-0477 Mozilla: Potential XSS through ISO-2022-KR/ISO-2022-CN decoding issues (MFSA 2012-29)2012-04-22