CVE-2022-1416
Published 2022-05-19
Priority: P4 · 26 · Severity: medium · CVSS 3.1 base score: 5.4
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.71% (48.9th percentile)
Missing sanitization of data in Pipeline error messages in GitLab CE/EE affecting all versions starting from 1.0.2 before 14.8.6, all versions from 14.9.0 before 14.9.4, and all versions from 14.10.0 before 14.10.1 allows for rendering of attacker controlled HTML tags and CSS styling
Affected (9 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | gitlab | < gitlab 15.10.8+ds1-2 (sid) | gitlab 15.10.8+ds1-2 (sid) |
| gitlab | gitlab | — | — |
| gitlab | gitlab | — | — |
| gitlab | gitlab | — | — |
| gitlab | gitlab | — | — |
| gitlab | gitlab | — | — |
| gitlab | gitlab | >= 1.0.2 < 14.8.6 | 14.8.6 |
| gitlab | gitlab | >= 14.9.0 < 14.9.4 | 14.9.4 |
| gitlab | gitlab_ce | — | — |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 5.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
| nvd | 2.0 | 3.5 | LOW | AV:N/AC:M/Au:S/C:N/I:P/A:N |
| vendor_debian | — | 4.3 | MEDIUM | — |
GHSA
GHSA-2h7w-85g4-9cx4 · ghsa_unreviewed · 2022-05-20 · MEDIUM · CWE-79
Missing sanitization of data in Pipeline error messages in GitLab CE/EE affecting all versions starting from 1.0.2 before 14.8.6, all versions from 14.9.0 before 14.9.4, and all versions from 14.10.0 before 14.10.1 allows for rendering of attacker controlled HTML tags and CSS styling

GitLab
CVE-2022-1416 · vendor_gitlab · 2022-05-19 · CVSS 4.3 · MEDIUM · CWE-79
Missing sanitization of data in Pipeline error messages in GitLab CE/EE affecting all versions starting from 1.0.2 before 14.8.6, all versions from 14.9.0 before 14.9.4, and all versions from 14.10.0 before 14.10.1 allows for rendering of attacker controlled HTML tags and CSS styling

Debian
CVE-2022-1416: gitlab · vendor_debian · 2022 · CVSS 4.3 · MEDIUM
Missing sanitization of data in Pipeline error messages in GitLab CE/EE affecting all versions starting from 1.0.2 before 14.8.6, all versions from 14.9.0 before 14.9.4, and all versions from 14.10.0 before 14.10.1 allows for rendering of attacker controlled HTML tags and CSS styling
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-1416.json
- https://gitlab.com/gitlab-org/gitlab/-/issues/342988
- https://hackerone.com/reports/1362405