CVE-2022-0740
published 2022-04-04
CVE-2022-0740: Incorrect authorization in the Asana integration's branch restriction feature in all versions of GitLab CE/EE starting from version 7.8.0 before 14.7.7, all…
Priority: P4 · 22 · medium · 4.3 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
EPSS: 0.97% (57.5th percentile)
Incorrect authorization in the Asana integration's branch restriction feature in all versions of GitLab CE/EE starting from version 7.8.0 before 14.7.7, all versions starting from 14.8 before 14.8.5, all versions starting from 14.9 before 14.9.2 makes it possible to close Asana tasks from unrestricted branches.
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | gitlab | < gitlab 15.10.8+ds1-2 (sid) | gitlab 15.10.8+ds1-2 (sid) |
| gitlab | gitlab | — | — |
| gitlab | gitlab | — | — |
| gitlab | gitlab | — | — |
| gitlab | gitlab | — | — |
| gitlab | gitlab | >= 14.8.0 < 14.8.5 | 14.8.5 |
| gitlab | gitlab | >= 14.9.0 < 14.9.2 | 14.9.2 |
| gitlab | gitlab | >= 7.8.0 < 14.7.7 | 14.7.7 |
| gitlab | gitlab_ce | — | — |
CVSS provenance
nvd · v3.1 · 4.3 · MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
nvd · v2.0 · 4.0 · MEDIUM · AV:N/AC:L/Au:S/C:N/I:P/A:N
osv · 4.3 · MEDIUM
vendor_debian · 3.1 · LOW
GitLab
vendor_gitlab·2022-04-04·CVSS 3.1
CVE-2022-0740 [LOW] CWE-863 CVE-2022-0740: Incorrect authorization in the Asana integration's branch restriction feature in all versions of GitLab CE/EE starting from version 7.8.0 before 14.7.
CVE-2022-0740: Incorrect authorization in the Asana integration's branch restriction feature in all versions of GitLab CE/EE starting from version 7.8.0 before 14.7.7, all versions starting from 14.8 before 14.8.5, all versions starting from 14.9 before 14.9.2 makes it possible to close Asana tasks from unrestricted branches.
Debian
vendor_debian·2022·CVSS 3.1
CVE-2022-0740 [LOW] CVE-2022-0740: gitlab - Incorrect authorization in the Asana integration's branch restriction feature in...
Incorrect authorization in the Asana integration's branch restriction feature in all versions of GitLab CE/EE starting from version 7.8.0 before 14.7.7, all versions starting from 14.8 before 14.8.5, all versions starting from 14.9 before 14.9.2 makes it possible to close Asana tasks from unrestricted branches.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
GHSA
ghsa_unreviewed·2022-04-05
CVE-2022-0740 [MEDIUM] CWE-863 GHSA-rq9r-r987-7r36: Incorrect authorization in the Asana integration's branch restriction feature in all versions of GitLab CE/EE starting from version 7
Incorrect authorization in the Asana integration's branch restriction feature in all versions of GitLab CE/EE starting from version 7.8.0 before 14.7.7, all versions starting from 14.8 before 14.8.5, all versions starting from 14.9 before 14.9.2 makes it possible to close Asana tasks from unrestricted branches.
OSV
osv·2022-04-04·CVSS 4.3
CVE-2022-0740 [MEDIUM] CVE-2022-0740: Incorrect authorization in the Asana integration's branch restriction feature in all versions of GitLab CE/EE starting from version 7
Incorrect authorization in the Asana integration's branch restriction feature in all versions of GitLab CE/EE starting from version 7.8.0 before 14.7.7, all versions starting from 14.8 before 14.8.5, all versions starting from 14.9 before 14.9.2 makes it possible to close Asana tasks from unrestricted branches.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-0740.json
https://gitlab.com/gitlab-org/gitlab/-/issues/349359
https://hackerone.com/reports/1411216
Published: 2022-04-04