Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2022-2185OS Command Injection in Gitlab

CWE-78OS Command InjectionCWE-732Incorrect Permission AssignmentCWE-476NULL Pointer Dereference7 documents7 sources
Severity
8.8HIGHNVD
EPSS
90.1%
top 0.41%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
2
GitlabDebian Gitlab
Timeline
PublishedJul 1
Latest updateAug 25

Description

A critical issue has been discovered in GitLab affecting all versions starting from 14.0 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1 where an authenticated user authorized to import projects could import a maliciously crafted project leading to remote code execution.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages4 packages

NVDgitlab/gitlab14.0.014.10.5+2
debiandebian/gitlab< gitlab 15.10.8+ds1-2 (sid)
CVEListV5gitlab/gitlab>=14.0, <14.10.5, >=15.0, <15.0.4, >=15.1, <15.1.1+2
gitlabgitlab/gitlab

🔴Vulnerability Details

1
GHSA
GHSA-rqgw-47f7-cww6: A critical issue has been discovered in GitLab affecting all versions starting from 142022-07-02

💥Exploits & PoCs

1
Nuclei
GitLab CE/EE - Remote Code Execution

📋Vendor Advisories

2
GitLab
CVE-2022-2185: A critical issue has been discovered in GitLab affecting all versions starting from 14.0 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.2022-07-01
Debian
CVE-2022-2185: gitlab - A critical issue has been discovered in GitLab affecting all versions starting f...2022

💬Community

1
HackerOne
Unauthorized access2022-08-25