CVE-2022-1460Incorrect Authorization in Gitlab

CWE-863Incorrect AuthorizationCWE-287Improper AuthenticationCWE-663Use of a Non-reentrant Function in a Concurrent Context5 documents5 sources
Severity
4.9MEDIUMNVD
EPSS
0.3%
top 50.53%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
GitlabDebian Gitlab
Timeline
PublishedMay 11
Latest updateFeb 26

Description

An issue has been discovered in GitLab affecting all versions starting from 9.2 before 14.8.6, all versions starting from 14.9 before 14.9.4, all versions starting from 14.10 before 14.10.1. GitLab was not performing correct authorizations on scheduled pipelines allowing a malicious user to run a pipeline in the context of another user.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:NExploitability: 1.2 | Impact: 3.6

Affected Packages4 packages

NVDgitlab/gitlab9.2.014.8.6+2
debiandebian/gitlab< gitlab 15.10.8+ds1-2 (sid)
CVEListV5gitlab/gitlab>=14.10, <14.10.1, >=14.9, <14.9.4, >=9.2, <14.8.6+2
gitlabgitlab/gitlab

🔴Vulnerability Details

1
GHSA
GHSA-q7pq-xhw5-p4xw: An issue has been discovered in GitLab affecting all versions starting from 92022-05-12

📋Vendor Advisories

3
Red Hat
kernel: PM: domains: Fix sleep-in-atomic bug caused by genpd_debug_remove()2025-02-26
GitLab
CVE-2022-1460: An issue has been discovered in GitLab affecting all versions starting from 9.2 before 14.8.6, all versions starting from 14.9 before 14.9.4, all vers2022-05-11
Debian
CVE-2022-1460: gitlab - An issue has been discovered in GitLab affecting all versions starting from 9.2 ...2022