CVE-2022-1936 — Incorrect Authorization in Gitlab

CWE-863 — Incorrect Authorization4 documents4 sources

Severity

6.5MEDIUMNVD

EPSS

0.2%

top 62.04%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gitlab Debian Gitlab Gitlab EE

Timeline

PublishedJun 6

Latest updateJun 7

Description

Incorrect authorization in GitLab EE affecting all versions from 12.0 before 14.9.5, all versions starting from 14.10 before 14.10.4, all versions starting from 15.0 before 15.0.1 allowed an attacker already in possession of a valid Project Deploy Token to misuse it from any location even when IP address restrictions were configured

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages5 packages

▶NVDgitlab/gitlab12.0.0 — 14.9.5+2

▶debiandebian/gitlab< gitlab 15.10.8+ds1-2 (sid)

▶CVEListV5gitlab/gitlab>=12.0.0, <14.9.5, >=14.10.0, <14.10.4, >=15.0.0, <15.0.1+2

▶gitlabgitlab/gitlab

▶gitlabgitlab/gitlab_ee

Patches

Patch: gitlab.com ↗Patch: gitlab.com ↗

🔴Vulnerability Details

GHSA

GHSA-vrgc-533g-v7r4: Incorrect authorization in GitLab EE affecting all versions from 12↗2022-06-07

▶

📋Vendor Advisories

GitLab

CVE-2022-1936: Incorrect authorization in GitLab EE affecting all versions from 12.0 before 14.9.5, all versions starting from 14.10 before 14.10.4, all versions sta↗2022-06-06

▶

Debian

CVE-2022-1936: gitlab - Incorrect authorization in GitLab EE affecting all versions from 12.0 before 14....↗2022

▶