CVE-2022-1940 — Cross-site Scripting in Gitlab

CWE-79 — Cross-site Scripting4 documents4 sources

Severity

5.4MEDIUMNVD

EPSS

0.2%

top 61.08%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gitlab Debian Gitlab Gitlab EE

Timeline

PublishedJun 6

Latest updateJun 7

Description

A Stored Cross-Site Scripting vulnerability in Jira integration in GitLab EE affecting all versions from 13.11 prior to 14.9.5, 14.10 prior to 14.10.4, and 15.0 prior to 15.0.1 allows an attacker to execute arbitrary JavaScript code in GitLab on a victim's behalf via specially crafted Jira Issues

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages5 packages

▶NVDgitlab/gitlab13.11.0 — 14.9.5+2

▶CVEListV5gitlab/gitlab>=13.11, <14.9.5, >=14.10, <14.10.4, >=15.0, <15.0.1+2

▶debiandebian/gitlab

▶gitlabgitlab/gitlab

▶gitlabgitlab/gitlab_ee

Patches

Patch: gitlab.com ↗Patch: gitlab.com ↗

🔴Vulnerability Details

GHSA

GHSA-86mr-824x-hfxf: A Stored Cross-Site Scripting vulnerability in Jira integration in GitLab EE affecting all versions from 13↗2022-06-07

▶

📋Vendor Advisories

GitLab

CVE-2022-1940: A Stored Cross-Site Scripting vulnerability in Jira integration in GitLab EE affecting all versions from 13.11 prior to 14.9.5, 14.10 prior to 14.10.4↗2022-06-06

▶

Debian

CVE-2022-1940: gitlab - A Stored Cross-Site Scripting vulnerability in Jira integration in GitLab EE aff...↗2022

▶