CVE-2022-2592 — Improper Validation of Specified Quantity in Input in Gitlab

CWE-1284 — Improper Validation of Specified Quantity in Input CWE-20 — Improper Input Validation5 documents5 sources

Severity

6.5MEDIUMNVD

EPSS

0.4%

top 39.90%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gitlab Debian Gitlab Gitlab CE

Timeline

PublishedOct 17

Description

A lack of length validation in Snippet descriptions in GitLab CE/EE affecting all versions prior to 15.1.6, 15.2 prior to 15.2.4 and 15.3 prior to 15.3.2 allows an authenticated attacker to create a maliciously large Snippet which when requested with or without authentication places excessive load on the server, potential leading to Denial of Service.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages5 packages

▶NVDgitlab/gitlab15.2 — 15.2.4+2

▶debiandebian/gitlab< gitlab 15.10.8+ds1-2 (sid)

▶CVEListV5gitlab/gitlab>=12.9.8, <15.1.6, >=15.2, <15.2.4, >=15.3, <15.3.2+2

▶gitlabgitlab/gitlab

▶gitlabgitlab/gitlab_ce

🔴Vulnerability Details

GHSA

GHSA-4x6r-28wm-339v: A lack of length validation in Snippet descriptions in GitLab CE/EE affecting all versions prior to 15↗2022-10-17

▶

OSV

CVE-2022-2592: A lack of length validation in Snippet descriptions in GitLab CE/EE affecting all versions prior to 15↗2022-10-17

▶

📋Vendor Advisories

GitLab

CVE-2022-2592: A lack of length validation in Snippet descriptions in GitLab CE/EE affecting all versions prior to 15.1.6, 15.2 prior to 15.2.4 and 15.3 prior to 15.↗2022-10-17

▶

Debian

CVE-2022-2592: gitlab - A lack of length validation in Snippet descriptions in GitLab CE/EE affecting al...↗2022

▶