CVE-2022-2501 — Incorrect Authorization in Gitlab

CWE-863 — Incorrect Authorization5 documents5 sources

Severity

7.5HIGHNVD

EPSS

0.1%

top 64.44%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gitlab Debian Gitlab Gitlab EE

Timeline

PublishedAug 5

Latest updateAug 6

Description

An improper access control issue in GitLab EE affecting all versions from 12.0 prior to 15.0.5, 15.1 prior to 15.1.4, and 15.2 prior to 15.2.1 allows an attacker to bypass IP allow-listing and download artifacts. This attack only bypasses IP allow-listing, proper permissions are still required.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages5 packages

▶NVDgitlab/gitlab12.0.0 — 15.0.5+2

▶CVEListV5gitlab/gitlab>=12.0, <15.0.5, >=15.1, <15.1.4, >=15.2, <15.2.1+2

▶debiandebian/gitlab

▶gitlabgitlab/gitlab

▶gitlabgitlab/gitlab_ee

🔴Vulnerability Details

GHSA

GHSA-5c73-fgcq-grvm: An improper access control issue in GitLab EE affecting all versions from 12↗2022-08-06

▶

OSV

CVE-2022-2501: An improper access control issue in GitLab EE affecting all versions from 12↗2022-08-05

▶

📋Vendor Advisories

GitLab

CVE-2022-2501: An improper access control issue in GitLab EE affecting all versions from 12.0 prior to 15.0.5, 15.1 prior to 15.1.4, and 15.2 prior to 15.2.1 allows↗2022-08-05

▶

Debian

CVE-2022-2501: gitlab - An improper access control issue in GitLab EE affecting all versions from 12.0 p...↗2022

▶