CVE-2022-2307
Published 2022-08-05
Priority: P4 (14) · Severity: low · CVSS 3.1 base score: 3.8
Vector: AV:N / AC:L / PR:H / UI:N / S:U / C:L / I:L / A:N
EPSS: 0.46% (36.5th percentile)
A lack of cascading deletes in GitLab CE/EE affecting all versions starting from 13.0 before 15.0.5, all versions starting from 15.1 before 15.1.4, all versions starting from 15.2 before 15.2.1 allows a malicious Group Owner to retain a usable Group Access Token even after the Group is deleted, though the APIs usable by that token are limited.
Affected (9 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | gitlab | < gitlab 15.10.8+ds1-2 (sid) | gitlab 15.10.8+ds1-2 (sid) |
| gitlab | gitlab | — | — |
| gitlab | gitlab | — | — |
| gitlab | gitlab | — | — |
| gitlab | gitlab | — | — |
| gitlab | gitlab | — | — |
| gitlab | gitlab | >= 13.0.0 < 15.0.5 | 15.0.5 |
| gitlab | gitlab | >= 15.1.0 < 15.1.4 | 15.1.4 |
| gitlab | gitlab_ce | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 3.8 | LOW | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N |
| osv | — | 3.8 | LOW | — |
| vendor_debian | — | 3.5 | LOW | — |
GitLab
vendor_gitlab · 2022-08-05 · CVSS 3.5 · LOW · CWE-459 · CVE-2022-2307
Debian
vendor_debian · 2022 · CVSS 3.5 · LOW · CVE-2022-2307 (package: gitlab)
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
GHSA
ghsa_unreviewed · 2022-08-06 · LOW · CWE-459 · GHSA-xpg3-c2hf-x9vf (CVE-2022-2307)
OSV
osv · 2022-08-05 · CVSS 3.8 · LOW · CVE-2022-2307
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.