Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2022-0735: Incorrect Authorization in GitLab

Severity: 9.8 CRITICAL (NVD)
EPSS: 57.4% (top 1.84%)
CISA KEV: Not in KEV
Exploit: PoC available (public exploit / PoC exists)
Timeline: Published Mar 28; latest update Mar 29

Description

An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.10 before 14.6.5, all versions starting from 14.7 before 14.7.4, all versions starting from 14.8 before 14.8.2. An unauthorised user was able to steal runner registration tokens through an information disclosure vulnerability using quick actions commands.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages (5 packages)

Source    | Package       | Affected versions
NVD       | gitlab/gitlab | 12.0 to 14.6.5 (+2 more)
debian    | debian/gitlab | < gitlab 15.10.8+ds1-2 (sid)
CVEListV5 | gitlab/gitlab | >=12.10, <14.6.5; >=14.7, <14.7.4; >=14.8, <14.8.2 (+2 more)
gitlab    | gitlab/gitlab |

🔴 Vulnerability Details (2)

GHSA: GHSA-fpgr-mg9w-x2hm: An issue has been discovered in GitLab CE/EE affecting all versions starting from 12... (2022-03-29)
OSV: CVE-2022-0735: An issue has been discovered in GitLab CE/EE affecting all versions starting from 12... (2022-03-28)

💥 Exploits & PoCs (1)

Nuclei: GitLab CE/EE - Information Disclosure

📋 Vendor Advisories (2)

GitLab: CVE-2022-0735: An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.10 before 14.6.5, all versions starting from 14.7 before 14.7.4, ... (2022-03-28)
Debian: CVE-2022-0735: gitlab - An issue has been discovered in GitLab CE/EE affecting all versions starting fro... (2022)