CVE-2022-0738 — Insufficiently Protected Credentials in Gitlab

CWE-522 — Insufficiently Protected Credentials CWE-2646 documents6 sources

Severity

7.5HIGHNVD

CISA5.3

EPSS

0.2%

top 59.55%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gitlab Debian Gitlab

Timeline

PublishedMar 28

Latest updateMay 25

Description

An issue has been discovered in GitLab affecting all versions starting from 14.6 before 14.6.5, all versions starting from 14.7 before 14.7.4, all versions starting from 14.8 before 14.8.2. GitLab was leaking user passwords when adding mirrors with SSH credentials under specific conditions.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

▶NVDgitlab/gitlab10.0 — 14.6.5+2

▶CVEListV5gitlab/gitlab>=14.6, <14.6.5, >=14.7.0, <14.7.4, >=14.8.0, <14.8.2+2

▶debiandebian/gitlab

▶gitlabgitlab/gitlab

🔴Vulnerability Details

GHSA

GHSA-3g66-9x43-7v6m: An issue has been discovered in GitLab affecting all versions starting from 14↗2022-03-29

▶

OSV

CVE-2022-0738: An issue has been discovered in GitLab affecting all versions starting from 14↗2022-03-28

▶

📋Vendor Advisories

CISA

Red Hat JBoss Authentication Bypass Vulnerability↗2022-05-25

▶

GitLab

CVE-2022-0738: An issue has been discovered in GitLab affecting all versions starting from 14.6 before 14.6.5, all versions starting from 14.7 before 14.7.4, all ver↗2022-03-28

▶

Debian

CVE-2022-0738: gitlab - An issue has been discovered in GitLab affecting all versions starting from 14.6...↗2022

▶