CVE-2022-1460
Published: 2022-05-11
Priority P4 · 26 · medium · 4.9 CVSS 3.1
CVSS 3.1 vector: AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
EPSS: 1.09% (61.3rd percentile)
An issue has been discovered in GitLab affecting all versions starting from 9.2 before 14.8.6, all versions starting from 14.9 before 14.9.4, all versions starting from 14.10 before 14.10.1. GitLab was not performing correct authorizations on scheduled pipelines allowing a malicious user to run a pipeline in the context of another user.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | gitlab | < gitlab 15.10.8+ds1-2 (sid) | gitlab 15.10.8+ds1-2 (sid) |
| gitlab | gitlab | — | — |
| gitlab | gitlab | — | — |
| gitlab | gitlab | — | — |
| gitlab | gitlab | — | — |
| gitlab | gitlab | — | — |
| gitlab | gitlab | >= 14.9.0 < 14.9.4 | 14.9.4 |
| gitlab | gitlab | >= 9.2.0 < 14.8.6 | 14.8.6 |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 4.9 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N |
| nvd | v2.0 | 4.0 | MEDIUM | AV:N/AC:L/Au:S/C:N/I:P/A:N |
| vendor_debian | — | 6.1 | MEDIUM | — |
| vendor_redhat | — | 5.5 | MEDIUM | — |
Red Hat
kernel: PM: domains: Fix sleep-in-atomic bug caused by genpd_debug_remove()
vendor_redhat · 2025-02-26 · CVSS 5.5
CVE-2022-49265 [MEDIUM] CWE-663
In the Linux kernel, the following vulnerability has been resolved:
PM: domains: Fix sleep-in-atomic bug caused by genpd_debug_remove()
When a genpd with GENPD_FLAG_IRQ_SAFE gets removed, the following sleep-in-atomic bug will be seen, as genpd_debug_remove() will be called with a spinlock being held.
```text
[ 0.029183] BUG: sleeping function called from invalid context at kernel/locking/rwsem.c:1460
[ 0.029204] in_atomic(): 1, irqs_disabled(): 128, non_block: 0, pid: 1, name: swapper/0
[ 0.029219] preempt_count: 1, expected: 0
[ 0.029230] CPU: 1 PID: 1 Comm: swapper/0 Not tainted 5.17.0-rc4+ #489
[ 0.029245] Hardware name: Thundercomm TurboX CM2290 (DT)
[ 0.029256] Call trace:
[ 0.029265] dump_backtrace.part.0+0xbc/0xd0
```
GitLab
vendor_gitlab · 2022-05-11 · CVSS 6.1
CVE-2022-1460 [MEDIUM] CWE-863
Debian
vendor_debian · 2022 · CVSS 6.1
CVE-2022-1460 [MEDIUM]: gitlab
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
GHSA
GHSA-q7pq-xhw5-p4xw
ghsa_unreviewed · 2022-05-12
CVE-2022-1460 [MEDIUM] CWE-287
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References:
https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-1460.json
https://gitlab.com/gitlab-org/gitlab/-/issues/118782
https://hackerone.com/reports/755078