CVE-2022-2498
Published 2022-08-05
Priority: P3 (score 39) · high · CVSS 3.1 base score 7.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS: 0.69% (48.0th percentile)
An issue in pipeline subscriptions in GitLab EE affecting all versions from 12.8 prior to 15.0.5, 15.1 prior to 15.1.4, and 15.2 prior to 15.2.1 triggered new pipelines with the person who created the tag as the pipeline creator instead of the subscription's author. A pipeline subscription lets a downstream project run its own pipeline when a new tag's pipeline completes in an upstream project; because the pipeline creator is the identity the pipeline runs under, the downstream pipeline executed as the upstream tag creator rather than as the user who configured the subscription (CWE-269, improper privilege management). The fixed releases are 15.0.5, 15.1.4 and 15.2.1.
Affected
9 ranges (rows the aggregator lists without version data are collapsed below)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | gitlab | < 15.10.8+ds1-2 (sid) | 15.10.8+ds1-2 (sid) |
| gitlab | gitlab | >= 12.8.0 < 15.0.5 | 15.0.5 |
| gitlab | gitlab | >= 15.1.0 < 15.1.4 | 15.1.4 |
| gitlab | gitlab | — | — |
| gitlab | gitlab_ee | — | — |
The third range from the description, 15.2.0 prior to 15.2.1 (fixed in 15.2.1), is not broken out as a separate row in the aggregator data.
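As an added example (not code from GitLab or from any of the sources this page cites), the following offline check parses a GitLab version string and tests it against the three affected ranges stated in the description, returning the first fixed release when it matches. Assumptions are marked in the code: the "-ee" / "-ce" edition suffix convention on the version string, the JSON shape of GitLab's GET /api/v4/version response (a "version" and a "revision" field), the constructed sample response, and the choice to treat a version without an edition suffix as EE so that an ambiguous instance is flagged rather than waved through.

```python
"""Offline check of a GitLab version string against the CVE-2022-2498
affected ranges. Added example for this page, not GitLab's own code."""
import json
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Ranges from the advisory text: first affected (inclusive), fixed-in (exclusive).
AFFECTED_RANGES: Tuple[Tuple[Version, Version], ...] = (
    ((12, 8, 0), (15, 0, 5)),
    ((15, 1, 0), (15, 1, 4)),
    ((15, 2, 0), (15, 2, 1)),
)

# Assumption: GitLab reports its version as "MAJOR.MINOR.PATCH", optionally
# followed by "-ee" (Enterprise) or "-ce" (Community); anything after that
# (e.g. the ".0" in a package version such as "15.1.3-ee.0") is ignored.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(ee|ce))?")


def parse_version(text: str) -> Tuple[Version, Optional[str]]:
    """'15.1.3-ee' -> ((15, 1, 3), 'ee'); raises ValueError on junk."""
    m = _VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    ver = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    return ver, m.group(4)


def fixed_version_for(text: str) -> Optional[str]:
    """Return the first fixed release for an affected version, else None."""
    ver, edition = parse_version(text)
    if edition == "ce":
        # Pipeline subscriptions are an EE feature and the advisory names EE only.
        return None
    for lo, hi in AFFECTED_RANGES:
        if lo <= ver < hi:
            return ".".join(str(n) for n in hi)
    return None


def is_affected(text: str) -> bool:
    """True when the version is EE (or carries no edition suffix, which is
    treated as EE to stay conservative) and falls inside an affected range."""
    return fixed_version_for(text) is not None


def check_version_response(body: str) -> dict:
    """Evaluate the JSON body returned by GET /api/v4/version.
    Assumption: the body carries 'version' and 'revision' fields."""
    data = json.loads(body)
    version = data["version"]
    return {
        "version": version,
        "affected": is_affected(version),
        "fixed_in": fixed_version_for(version),
    }


# Constructed sample response; not captured from a real instance.
SAMPLE_RESPONSE = '{"version": "15.1.3-ee", "revision": "0123abcd"}'

if __name__ == "__main__":
    print(check_version_response(SAMPLE_RESPONSE))
```

Against a live instance, fetch GET /api/v4/version with an authenticated token and pass the response body to check_version_response. The boundary cases matter: 15.0.5, 15.1.4 and 15.2.1 are the first clean releases in each series, 15.1.0 and 15.2.0 are affected, and anything at 15.3 or later, or before 12.8, is outside the stated ranges.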
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
| osv | 7.5 | HIGH | — |
| vendor_debian | 6.4 | MEDIUM | — |
GHSA
GHSA-f5vg-g8qw-8p89 · ghsa_unreviewed · 2022-08-06 · HIGH · CWE-269
Unreviewed entry that mirrors the CVE description above.
OSV
CVE-2022-2498 · osv · 2022-08-05 · CVSS 7.5 HIGH
Mirrors the CVE description above.
GitLab
CVE-2022-2498 · vendor_gitlab · 2022-08-05 · CVSS 6.4 MEDIUM · CWE-269
Mirrors the CVE description above. The vendor scores this 6.4 MEDIUM against NVD's 7.5 HIGH; the vendor's vector is not reproduced on this page, so the two scores cannot be reconciled here.
Debian
CVE-2022-2498: gitlab · vendor_debian · 2022 · CVSS 6.4 MEDIUM
Mirrors the CVE description above.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-2498.json
- https://gitlab.com/gitlab-org/gitlab/-/issues/243703
- https://hackerone.com/reports/966824