CVE-2022-2428 — Cross-site Scripting in Gitlab

CWE-79 — Cross-site Scripting5 documents5 sources

Severity

7.3HIGHNVD

EPSS

0.4%

top 39.04%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gitlab Debian Gitlab Gitlab EE

Timeline

PublishedOct 17

Description

A crafted tag in the Jupyter Notebook viewer in GitLab EE/CE affecting all versions before 15.1.6, 15.2 to 15.2.4, and 15.3 to 15.3.2 allows an attacker to issue arbitrary HTTP requests

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:NExploitability: 2.1 | Impact: 5.2

Affected Packages5 packages

▶NVDgitlab/gitlab15.2 — 15.2.4+2

▶debiandebian/gitlab< gitlab 15.10.8+ds1-2 (sid)

▶CVEListV5gitlab/gitlab>=15.0, <15.1.6, >=15.2, <15.2.4, >=15.3, <15.3.2+2

▶gitlabgitlab/gitlab

▶gitlabgitlab/gitlab_ee

🔴Vulnerability Details

GHSA

GHSA-xcw3-xf4g-cwjj: A crafted tag in the Jupyter Notebook viewer in GitLab EE/CE affecting all versions before 15↗2022-10-17

▶

OSV

CVE-2022-2428: A crafted tag in the Jupyter Notebook viewer in GitLab EE/CE affecting all versions before 15↗2022-10-17

▶

📋Vendor Advisories

GitLab

CVE-2022-2428: A crafted tag in the Jupyter Notebook viewer in GitLab EE/CE affecting all versions before 15.1.6, 15.2 to 15.2.4, and 15.3 to 15.3.2 allows an attack↗2022-10-17

▶

Debian

CVE-2022-2428: gitlab - A crafted tag in the Jupyter Notebook viewer in GitLab EE/CE affecting all versi...↗2022

▶