cbcvebase.
CVE-2022-2185
published 2022-07-01


Priority: P2 · 79 · high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Exploit: known
EPSS: 76.88% (99.5th percentile)
A critical issue has been discovered in GitLab affecting all versions starting from 14.0 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1 where an authenticated user authorized to import projects could import a maliciously crafted project leading to remote code execution.

Affected

8 ranges

Vendor   Product   Version range                  Fixed in
debian   gitlab    < gitlab 15.10.8+ds1-2 (sid)   gitlab 15.10.8+ds1-2 (sid)
gitlab   gitlab    (not listed)                   (not listed)
gitlab   gitlab    (not listed)                   (not listed)
gitlab   gitlab    (not listed)                   (not listed)
gitlab   gitlab    (not listed)                   (not listed)
gitlab   gitlab    (not listed)                   (not listed)
gitlab   gitlab    >= 14.0.0 < 14.10.5            14.10.5
gitlab   gitlab    >= 15.0.0 < 15.0.4             15.0.4

Detection & IOCs (extracted from sources)

url: {{BaseURL}}/users/sign_in
yara regex: '(?:application-)(\S{64})(?:\.css)'
  • Shodan/FOFA/Google dork for exposed GitLab instances: Shodan queries 'http.title:"GitLab"' and 'cpe:"cpe:2.3:a:gitlab:gitlab"'; FOFA query 'title="gitlab"'; Google query 'intitle:"gitlab"'.
  • The vulnerability is triggered via the project import functionality by an authenticated user with import permissions; monitor GitLab project import events for anomalous or externally sourced project archives.
  • Exploitation requires an authenticated session with project-import privileges (CVSS PR:L). Unauthenticated detection is limited to version fingerprinting via the CSS asset hash.
  • Fixed versions are GitLab CE/EE 14.10.5, 15.0.4, and 15.1.1. Instances running these or later versions will not match the vulnerable CSS hash list.

CVSS provenance

nvd v3.1: 8.8 HIGH (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
nvd v2.0: 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)
vendor_debian: 9.9 CRITICAL
vendor_redhat: 5.5 MEDIUM