CVE-2022-2455
Published 2022-10-17
CVE-2022-2455: A business logic issue in the handling of large repositories in all versions of GitLab CE/EE from 10.0 before 15.1.6, all versions starting from 15.2 before…
Priority: P4 · 33 · medium · 6.5 (CVSS 3.1)
Vector: AV:N / AC:L / PR:L / UI:N / S:U / C:N / I:N / A:H
EPSS: 1.00% (58.4th percentile)
A business logic issue in the handling of large repositories in all versions of GitLab CE/EE from 10.0 before 15.1.6, all versions starting from 15.2 before 15.2.4, all versions starting from 15.3 before 15.3.2 allowed an authenticated and authorized user to exhaust server resources by importing a malicious project.
Affected
14 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | gitlab | < gitlab 15.10.8+ds1-2 (sid) | gitlab 15.10.8+ds1-2 (sid) |
| gitlab | gitlab | — | — |
| gitlab | gitlab | — | — |
| gitlab | gitlab | — | — |
| gitlab | gitlab | — | — |
| gitlab | gitlab | >= 10.0.0 < 15.1.6 | 15.1.6 |
| gitlab | gitlab | >= 15.2 < 15.2.4 | 15.2.4 |
| gitlab | gitlab | >= 15.3 < 15.3.2 | 15.3.2 |
| gitlab | gitlab_ce | — | — |
| linux | linux_kernel | >= 2.6.16 < 5.4.229 | 5.4.229 |
| linux | linux_kernel | >= 5.11.0 < 5.15.86 | 5.15.86 |
| linux | linux_kernel | >= 5.16.0 < 6.0.16 | 6.0.16 |
| linux | linux_kernel | >= 5.5.0 < 5.10.163 | 5.10.163 |
| linux | linux_kernel | >= 6.1.0 < 6.1.2 | 6.1.2 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
| osv | — | 6.5 | MEDIUM | — |
| vendor_debian | — | 6.5 | MEDIUM | — |
| vendor_redhat | — | 5.5 | LOW | — |
VulDB
CVE-2022-2455 [MEDIUM] GitLab Community Edition/Enterprise Edition Large Repository resource consumption (Issue 35996 / EUVD-2022-34716)
vuldb · 2026-05-25 · CVSS 6.5
A vulnerability categorized as problematic has been discovered in GitLab Community Edition and Enterprise Edition. Affected by this vulnerability is an unknown functionality of the component Large Repository Handler. Executing a manipulation can lead to resource consumption.
This vulnerability is handled as CVE-2022-2455. The attack can be executed remotely. There is no exploit available.
It is advisable to upgrade the affected component.
OSV
CVE-2022-50751 configfs: fix possible memory leak in configfs_create_dir()
osv · 2025-12-24
In the Linux kernel, the following vulnerability has been resolved:
configfs: fix possible memory leak in configfs_create_dir()
kmemleak reported memory leaks in configfs_create_dir():
```
unreferenced object 0xffff888009f6af00 (size 192):
  comm "modprobe", pid 3777, jiffies 4295537735 (age 233.784s)
  backtrace:
    kmem_cache_alloc (mm/slub.c:3250 mm/slub.c:3256 mm/slub.c:3263 mm/slub.c:3273)
    new_fragment (./include/linux/slab.h:600 fs/configfs/dir.c:163)
    configfs_register_subsystem (fs/configfs/dir.c:1857)
    basic_write (drivers/hwtracing/stm/p_basic.c:14) stm_p_basic
    do_one_initcall (init/main.c:1296)
    do_init_module (kernel/module/main.c:2455)
    ...
unreferenced object 0xffff888003ba7180 (size 96):
  comm "modprobe", pid 3777, jiffies 429
```
GHSA
CVE-2022-2455 [MEDIUM] CWE-400 GHSA-fv9w-2hpj-4q5w: A business logic issue in the handling of large repositories in all versions of GitLab CE/EE from 10
ghsa_unreviewed · 2022-10-17
OSV
CVE-2022-2455 [MEDIUM] CVE-2022-2455: A business logic issue in the handling of large repositories in all versions of GitLab CE/EE from 10
osv · 2022-10-17 · CVSS 6.5
GitLab
CVE-2022-2455 [MEDIUM] CWE-400 CVE-2022-2455: A business logic issue in the handling of large repositories in all versions of GitLab CE/EE from 10.0 before 15.1.6, all versions starting from 15.2
vendor_gitlab · 2022-10-17 · CVSS 6.5
Debian
CVE-2022-2455 [MEDIUM] CVE-2022-2455: gitlab - A business logic issue in the handling of large repositories in all versions of ...
vendor_debian · 2022 · CVSS 6.5
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-2455.json
- https://gitlab.com/gitlab-org/gitlab/-/issues/359964
- https://hackerone.com/reports/1542230
Published: 2022-10-17