CVE-2022-2227 — Incorrect Permission Assignment in Gitlab

CWE-732 — Incorrect Permission Assignment5 documents5 sources

Severity

4.3MEDIUMNVD

EPSS

0.2%

top 63.19%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gitlab Debian Gitlab Gitlab CE

Timeline

PublishedJul 1

Latest updateJul 2

Description

Improper access control in the runner jobs API in GitLab CE/EE affecting all versions prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1 allows a previous maintainer of a project with a specific runner to access job and project meta data under certain conditions

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages5 packages

▶NVDgitlab/gitlab15.0.0 — 15.0.4+2

▶debiandebian/gitlab< gitlab 15.10.8+ds1-2 (sid)

▶CVEListV5gitlab/gitlab<14.10.5, >=15.0, <15.0.4, >=15.1, <15.1.1+2

▶gitlabgitlab/gitlab

▶gitlabgitlab/gitlab_ce

🔴Vulnerability Details

GHSA

GHSA-294h-9fqc-xfq7: Improper access control in the runner jobs API in GitLab CE/EE affecting all versions prior to 14↗2022-07-02

▶

OSV

CVE-2022-2227: Improper access control in the runner jobs API in GitLab CE/EE affecting all versions prior to 14↗2022-07-01

▶

📋Vendor Advisories

GitLab

CVE-2022-2227: Improper access control in the runner jobs API in GitLab CE/EE affecting all versions prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1↗2022-07-01

▶

Debian

CVE-2022-2227: gitlab - Improper access control in the runner jobs API in GitLab CE/EE affecting all ver...↗2022

▶