CVE-2022-1417 — Incorrect Authorization in Gitlab

CWE-863 — Incorrect Authorization4 documents4 sources

Severity

4.3MEDIUMNVD

EPSS

0.3%

top 48.45%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gitlab Debian Gitlab Gitlab CE

Timeline

PublishedMay 10

Latest updateMay 11

Description

Improper access control in GitLab CE/EE affecting all versions starting from 8.12 before 14.8.6, all versions starting from 14.9 before 14.9.4, and all versions starting from 14.10 before 14.10.1 allows non-project members to access contents of Project Members-only Wikis via malicious CI jobs

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages5 packages

▶NVDgitlab/gitlab8.12.0 — 14.8.6+2

▶debiandebian/gitlab< gitlab 15.10.8+ds1-2 (sid)

▶CVEListV5gitlab/gitlab>=14.10, <14.10.1, >=14.9, <14.9.4, >=8.12, <14.8.6+2

▶gitlabgitlab/gitlab

▶gitlabgitlab/gitlab_ce

🔴Vulnerability Details

GHSA

GHSA-3352-m362-5wfx: Improper access control in GitLab CE/EE affecting all versions starting from 8↗2022-05-11

▶

📋Vendor Advisories

GitLab

CVE-2022-1417: Improper access control in GitLab CE/EE affecting all versions starting from 8.12 before 14.8.6, all versions starting from 14.9 before 14.9.4, and al↗2022-05-10

▶

Debian

CVE-2022-1417: gitlab - Improper access control in GitLab CE/EE affecting all versions starting from 8.1...↗2022

▶