CVE-2022-2428
Published 2022-10-17
CVE-2022-2428: A crafted tag in the Jupyter Notebook viewer in GitLab EE/CE affecting all versions before 15.1.6, 15.2 to 15.2.4, and 15.3 to 15.3.2 allows an attacker to…
Priority P3 · 41 · High · CVSS 3.1 base score 7.3
Vector: AV:N / AC:L / PR:L / UI:R / S:U / C:H / I:H / A:N
EPSS: 0.75% (50.5th percentile)
A crafted tag in the Jupyter Notebook viewer in GitLab EE/CE affecting all versions before 15.1.6, 15.2 to 15.2.4, and 15.3 to 15.3.2 allows an attacker to issue arbitrary HTTP requests
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | gitlab | < gitlab 15.10.8+ds1-2 (sid) | gitlab 15.10.8+ds1-2 (sid) |
| gitlab | gitlab | < 15.1.6 | 15.1.6 |
| gitlab | gitlab | — | — |
| gitlab | gitlab | — | — |
| gitlab | gitlab | — | — |
| gitlab | gitlab | — | — |
| gitlab | gitlab | >= 15.2 < 15.2.4 | 15.2.4 |
| gitlab | gitlab | >= 15.3 < 15.3.2 | 15.3.2 |
| gitlab | gitlab_ee | — | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.3 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N |
| osv | — | 7.3 | HIGH | — |
| vendor_debian | — | 6.4 | MEDIUM | — |
VulDB
GitLab Enterprise Edition Jupyter Notebook Viewer access control (Issue 36227 / EUVD-2022-34689)
vuldb · 2026-05-25 · CVSS 7.3 · HIGH
A vulnerability was found in GitLab Enterprise Edition. It has been rated as critical. This affects an unknown part of the component Jupyter Notebook Viewer. The manipulation leads to improper access controls.
This vulnerability is traded as CVE-2022-2428. It is possible to initiate the attack remotely. There is no exploit available.
Upgrading the affected component is advised.
GHSA
GHSA-xcw3-xf4g-cwjj: A crafted tag in the Jupyter Notebook viewer in GitLab EE/CE affecting all versions before 15
ghsa_unreviewed · 2022-10-17 · HIGH · CWE-79
A crafted tag in the Jupyter Notebook viewer in GitLab EE/CE affecting all versions before 15.1.6, 15.2 to 15.2.4, and 15.3 to 15.3.2 allows an attacker to issue arbitrary HTTP requests
OSV
CVE-2022-2428: A crafted tag in the Jupyter Notebook viewer in GitLab EE/CE affecting all versions before 15
osv · 2022-10-17 · CVSS 7.3 · HIGH
A crafted tag in the Jupyter Notebook viewer in GitLab EE/CE affecting all versions before 15.1.6, 15.2 to 15.2.4, and 15.3 to 15.3.2 allows an attacker to issue arbitrary HTTP requests
GitLab
CVE-2022-2428: A crafted tag in the Jupyter Notebook viewer in GitLab EE/CE affecting all versions before 15.1.6, 15.2 to 15.2.4, and 15.3 to 15.3.2 allows an attack
vendor_gitlab · 2022-10-17 · CVSS 6.4 · MEDIUM · CWE-79
CVE-2022-2428: A crafted tag in the Jupyter Notebook viewer in GitLab EE/CE affecting all versions before 15.1.6, 15.2 to 15.2.4, and 15.3 to 15.3.2 allows an attacker to issue arbitrary HTTP requests
Debian
CVE-2022-2428: gitlab - A crafted tag in the Jupyter Notebook viewer in GitLab EE/CE affecting all versi...
vendor_debian · 2022 · CVSS 6.4 · MEDIUM
A crafted tag in the Jupyter Notebook viewer in GitLab EE/CE affecting all versions before 15.1.6, 15.2 to 15.2.4, and 15.3 to 15.3.2 allows an attacker to issue arbitrary HTTP requests
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-2428.json
https://gitlab.com/gitlab-org/gitlab/-/issues/362272
https://hackerone.com/reports/1563379
Published 2022-10-17