CVE-2022-1423 — Missing Authorization in Gitlab

CWE-862 — Missing Authorization CWE-863 — Incorrect Authorization4 documents4 sources

Severity

8.8HIGHNVD

EPSS

0.1%

top 73.99%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gitlab Debian Gitlab Gitlab CE

Timeline

PublishedMay 19

Latest updateMay 20

Description

Improper access control in the CI/CD cache mechanism in GitLab CE/EE affecting all versions starting from 1.0.2 before 14.8.6, all versions from 14.9.0 before 14.9.4, and all versions from 14.10.0 before 14.10.1 allows a malicious actor with Developer privileges to perform cache poisoning leading to arbitrary code execution in protected branches

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages5 packages

▶NVDgitlab/gitlab1.0.2 — 14.8.6+2

▶debiandebian/gitlab< gitlab 15.10.8+ds1-2 (sid)

▶CVEListV5gitlab/gitlab>=1.0.2, <14.8.6, >=14.10.0, <14.10.1, >=14.9.0, <14.9.4+2

▶gitlabgitlab/gitlab

▶gitlabgitlab/gitlab_ce

🔴Vulnerability Details

GHSA

GHSA-2f58-3p8j-4mx4: Improper access control in the CI/CD cache mechanism in GitLab CE/EE affecting all versions starting from 1↗2022-05-20

▶

📋Vendor Advisories

GitLab

CVE-2022-1423: Improper access control in the CI/CD cache mechanism in GitLab CE/EE affecting all versions starting from 1.0.2 before 14.8.6, all versions from 14.9.↗2022-05-19

▶

Debian

CVE-2022-1423: gitlab - Improper access control in the CI/CD cache mechanism in GitLab CE/EE affecting a...↗2022

▶