CVE-2022-2527
Published 2022-10-17. CVE-2022-2527: An issue in Incident Timelines has been discovered in GitLab CE/EE affecting all versions starting from 14.9 before 15.1.6, all versions starting from 15.2…
Priority: P3 (43) | Severity: high, 8 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
EPSS: 0.85% (53.5th percentile)
An issue in Incident Timelines has been discovered in GitLab CE/EE affecting all versions starting from 14.9 before 15.1.6, all versions starting from 15.2 before 15.2.4, all versions starting from 15.3 before 15.3.2, which allowed an authenticated attacker to inject arbitrary content. A victim interacting with this content could lead to arbitrary requests.
Affected (9 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | gitlab | < gitlab 15.10.8+ds1-2 (sid) | gitlab 15.10.8+ds1-2 (sid) |
| gitlab | gitlab | — | — |
| gitlab | gitlab | — | — |
| gitlab | gitlab | — | — |
| gitlab | gitlab | — | — |
| gitlab | gitlab | >= 14.9.0 < 15.1.6 | 15.1.6 |
| gitlab | gitlab | >= 15.2 < 15.2.4 | 15.2.4 |
| gitlab | gitlab | >= 15.3 < 15.3.2 | 15.3.2 |
| gitlab | gitlab_ce | — | — |
CVSS provenance

| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 8.0 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H |
| osv | 8.0 | HIGH | — |
| vendor_debian | 7.3 | HIGH | — |
VulDB
CVE-2022-2527 [HIGH] GitLab Community Edition/Enterprise Edition Incident Timeline injection (Issue 36867 / EUVD-2022-34782)
vuldb · 2026-05-26 · CVSS 8.0
A vulnerability identified as critical has been detected in GitLab Community Edition and Enterprise Edition. Affected by this issue is some unknown functionality of the component Incident Timeline Handler. The manipulation leads to injection.
This vulnerability is uniquely identified as CVE-2022-2527. The attack can be carried out remotely. No exploit exists.
You should upgrade the affected component.
OSV
CVE-2022-2527 [HIGH] An issue in Incident Timelines has been discovered in GitLab CE/EE affecting all versions starting from 14
osv · 2022-10-17 · CVSS 8.0
Description: same as the advisory text above.
GHSA
CVE-2022-2527 [HIGH] CWE-79 GHSA-x995-4q6w-crwj: An issue in Incident Timelines has been discovered in GitLab CE/EE affecting all versions starting from 14
ghsa_unreviewed · 2022-10-17
Description: same as the advisory text above.
GitLab
CVE-2022-2527 [HIGH] CWE-79 An issue in Incident Timelines has been discovered in GitLab CE/EE affecting all versions starting from 14.9 before 15.1.6, all versions starting from
vendor_gitlab · 2022-10-17 · CVSS 7.3
Description: same as the advisory text above.
Debian
CVE-2022-2527 [HIGH] gitlab - An issue in Incident Timelines has been discovered in GitLab CE/EE affecting all...
vendor_debian · 2022 · CVSS 7.3
Description: same as the advisory text above.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-2527.json
https://gitlab.com/gitlab-org/gitlab/-/issues/368676
https://hackerone.com/reports/1647446
Published: 2022-10-17