CVE-2022-2498 — Improper Privilege Management in Gitlab

CWE-269 — Improper Privilege Management5 documents5 sources

Severity

7.5HIGHNVD

EPSS

0.2%

top 57.93%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gitlab Debian Gitlab Gitlab EE

Timeline

PublishedAug 5

Latest updateAug 6

Description

An issue in pipeline subscriptions in GitLab EE affecting all versions from 12.8 prior to 15.0.5, 15.1 prior to 15.1.4, and 15.2 prior to 15.2.1 triggered new pipelines with the person who created the tag as the pipeline creator instead of the subscription's author.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages5 packages

▶NVDgitlab/gitlab12.8.0 — 15.0.5+2

▶debiandebian/gitlab< gitlab 15.10.8+ds1-2 (sid)

▶CVEListV5gitlab/gitlab>=12.8, <15.0.5, >=15.1, <15.1.4, >=15.2, <15.2.1+2

▶gitlabgitlab/gitlab

▶gitlabgitlab/gitlab_ee

🔴Vulnerability Details

GHSA

GHSA-f5vg-g8qw-8p89: An issue in pipeline subscriptions in GitLab EE affecting all versions from 12↗2022-08-06

▶

OSV

CVE-2022-2498: An issue in pipeline subscriptions in GitLab EE affecting all versions from 12↗2022-08-05

▶

📋Vendor Advisories

GitLab

CVE-2022-2498: An issue in pipeline subscriptions in GitLab EE affecting all versions from 12.8 prior to 15.0.5, 15.1 prior to 15.1.4, and 15.2 prior to 15.2.1 trigg↗2022-08-05

▶

Debian

CVE-2022-2498: gitlab - An issue in pipeline subscriptions in GitLab EE affecting all versions from 12.8...↗2022

▶