CVE-2022-1188 — Server-Side Request Forgery in Gitlab

CWE-918 — Server-Side Request Forgery CWE-1188 — Initialization of a Resource with an Insecure Default CWE-416 — Use After Free CWE-306 — Missing Authentication for Critical Function14 documents9 sources

Severity

5.3MEDIUMNVD

CISA9.8

EPSS

0.3%

top 44.46%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gitlab Debian Gitlab Gitlab CE +6 more

Timeline

PublishedApr 4

Latest updateFeb 26

Description

An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.1 before 14.7.7, all versions starting from 14.8 before 14.8.5, all versions starting from 14.9 before 14.9.2 where a blind SSRF attack through the repository mirroring feature was possible.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages11 packages

▶NVDgitlab/gitlab12.1.0 — 14.7.7+2

▶debiandebian/gitlab< gitlab 15.10.8+ds1-2 (sid)

▶CVEListV5gitlab/gitlab>=12.1, <14.7.7, >=14.8, <14.8.5, >=14.9, <14.9.2+2

▶gitlabgitlab/gitlab

▶gitlabgitlab/gitlab_ce

🔴Vulnerability Details

GHSA

Apache Isis webconsole module may directly query the database in prototype mode↗2022-10-19

▶

GHSA

WildFly vulnerable to Insecure Default Initialization of Resource↗2022-09-14

▶

GHSA

GHSA-9hcx-gvx4-r4rp: An issue has been discovered in GitLab CE/EE affecting all versions starting from 12↗2022-04-05

▶

OSV

CVE-2022-1188: An issue has been discovered in GitLab CE/EE affecting all versions starting from 12↗2022-04-04

▶

📋Vendor Advisories

Red Hat

kernel: Drivers: hv: vmbus: Fix initialization of device object in vmbus_device_register()↗2025-02-26

▶

Microsoft

Speculative execution attacks in KVM VMX↗2023-01-10

▶

Red Hat

kernel: KVM: nVMX: missing IBPB when exiting from nested guest can lead to Spectre v2 attacks↗2022-09-28

▶

CISA

Apache CouchDB Insecure Default Initialization of Resource Vulnerability↗2022-08-25

▶

Red Hat

WildFly: possible information disclosure↗2022-04-08

▶