CVE-2022-1111
Published 2022-04-04
CVE-2022-1111: A business logic error in Project Import in GitLab CE/EE versions 14.9 prior to 14.9.2, 14.8 prior to 14.8.5, and 14.0 prior to 14.7.7 under certain conditions…
Priority: P4 · 10 · low
CVSS 3.1: 2.7 (AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N)
EPSS: 0.61% (44.8th percentile)
A business logic error in Project Import in GitLab CE/EE versions 14.9 prior to 14.9.2, 14.8 prior to 14.8.5, and 14.0 prior to 14.7.7 under certain conditions caused imported projects to show an incorrect user in the 'Access Granted' column in the project membership pages.
Affected: 9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | gitlab | < gitlab 15.10.8+ds1-2 (sid) | gitlab 15.10.8+ds1-2 (sid) |
| gitlab | gitlab | — | — |
| gitlab | gitlab | — | — |
| gitlab | gitlab | — | — |
| gitlab | gitlab | — | — |
| gitlab | gitlab | >= 14.0.0 < 14.7.7 | 14.7.7 |
| gitlab | gitlab | >= 14.8.0 < 14.8.5 | 14.8.5 |
| gitlab | gitlab | >= 14.9.0 < 14.9.2 | 14.9.2 |
| gitlab | gitlab_ce | — | — |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 2.7 | LOW | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N |
| nvd | 2.0 | 3.5 | LOW | AV:N/AC:M/Au:S/C:N/I:P/A:N |
| osv | — | 2.7 | LOW | — |
| vendor_redhat | — | 5.4 | MEDIUM | — |
| vendor_debian | — | 2.4 | LOW | — |
GHSA · 2022-04-13
CVE-2022-29036 [MEDIUM] CWE-79: Cross-site Scripting in Jenkins Credentials Plugin
Jenkins Credentials Plugin 1111.v35a_307992395 and earlier, except 1087.1089.v2f1b_9a_b_040e4, 1074.1076.v39c30cecb_0e2, and 2.6.1.1, does not escape the name and description of Credentials parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
GHSA (unreviewed) · 2022-04-05
CVE-2022-1111 [LOW] CWE-668 GHSA-2834-55v8-f2v4: A business logic error in Project Import in GitLab CE/EE versions 14.9 prior to 14.9.2, 14.8 prior to 14.8.5, and 14.0 prior to 14.7.7 under certain conditions caused imported projects to show an incorrect user in the 'Access Granted' column in the project membership pages.
OSV · 2022-04-04 · CVSS 2.7
CVE-2022-1111 [LOW]: A business logic error in Project Import in GitLab CE/EE versions 14.9 prior to 14.9.2, 14.8 prior to 14.8.5, and 14.0 prior to 14.7.7 under certain conditions caused imported projects to show an incorrect user in the 'Access Granted' column in the project membership pages.
Red Hat · 2022-04-12 · CVSS 5.4
CVE-2022-29036 [MEDIUM] CWE-79: credentials: Stored XSS vulnerabilities in jenkins plugin
A flaw was found in the Jenkins credentials plugin. The Jenkins credentials plugin does not escape the name and description of Credentials parameters on views displaying parameters. This issue results in a stored Cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
GitLab · 2022-04-04 · CVSS 2.4
CVE-2022-1111 [LOW]: A business logic error in Project Import in GitLab CE/EE versions 14.9 prior to 14.9.2, 14.8 prior to 14.8.5, and 14.0 prior to 14.7.7 under certain conditions caused imported projects to show an incorrect user in the 'Access Granted' column in the project membership pages.
Debian · 2022 · CVSS 2.4
CVE-2022-1111 [LOW]: gitlab - A business logic error in Project Import in GitLab CE/EE versions 14.9 prior to 14.9.2, 14.8 prior to 14.8.5, and 14.0 prior to 14.7.7 under certain conditions caused imported projects to show an incorrect user in the 'Access Granted' column in the project membership pages.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.