CVE-2022-2761
published 2022-11-09
Priority P4 · 27 · medium · 5.3 CVSS 3.1
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS: 0.66% (47.2th percentile)
An information disclosure issue in GitLab CE/EE affecting all versions from 14.4 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allows an attacker to use GitLab Flavored Markdown (GFM) references in a Jira issue to disclose the names of resources they don't have access to.
Affected
10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | gitlab | < gitlab 15.10.8+ds1-2 (sid) | gitlab 15.10.8+ds1-2 (sid) |
| github.com | sylabs_sif_v2 | >= 0 < 2.8.1 | 2.8.1 |
| gitlab | gitlab | — | — |
| gitlab | gitlab | — | — |
| gitlab | gitlab | — | — |
| gitlab | gitlab | — | — |
| gitlab | gitlab | >= 13.9.0 < 15.3.5 | 15.3.5 |
| gitlab | gitlab | >= 15.4.0 < 15.4.4 | 15.4.4 |
| gitlab | gitlab | >= 15.5.0 < 15.5.2 | 15.5.2 |
| gitlab | gitlab_ce | — | — |
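CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| ghsa | — | 5.0 | MEDIUM | — |
| osv | — | 5.3 | MEDIUM | — |
| vendor_debian | — | 4.3 | MEDIUM | — |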
VulDB
vuldb·2026-05-27·CVSS 5.3
CVE-2022-2761 [MEDIUM] GitLab Community Edition/Enterprise Edition up to 15.3.4/15.4.3/15.5.1 GFM Reference information disclosure (Issue 370458 / EUVD-2022-35003)
A vulnerability categorized as problematic has been discovered in GitLab Community Edition and Enterprise Edition up to 15.3.4/15.4.3/15.5.1. This impacts an unknown function of the component GFM Reference Handler. The manipulation results in information disclosure.
This vulnerability is cataloged as CVE-2022-2761. The attack may be launched remotely. There is no exploit available.
It is advisable to upgrade the affected component.
GHSA
ghsa_unreviewed·2022-11-10
CVE-2022-2761 [MEDIUM] GHSA-c3wj-324v-hrrc: An information disclosure issue in GitLab CE/EE affecting all versions from 14
An information disclosure issue in GitLab CE/EE affecting all versions from 14.4 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allows an attacker to use GitLab Flavored Markdown (GFM) references in a Jira issue to disclose the names of resources they don't have access to.
OSV
osv·2022-11-09·CVSS 5.3
CVE-2022-2761 [MEDIUM] CVE-2022-2761: An information disclosure issue in GitLab CE/EE affecting all versions from 14
An information disclosure issue in GitLab CE/EE affecting all versions from 14.4 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allows an attacker to use GitLab Flavored Markdown (GFM) references in a Jira issue to disclose the names of resources they don't have access to.
GHSA
SIF's Digital Signature Hash Algorithms Not Validated
ghsa·2022-10-06·CVSS 5.0
CVE-2022-39237 [MEDIUM] CWE-327 SIF's Digital Signature Hash Algorithms Not Validated
### Impact
The `github.com/sylabs/sif/v2/pkg/integrity` package does not verify that the hash algorithm(s) used are cryptographically secure when verifying digital signatures.
### Patches
A patch is available in version >= v2.8.1 of the module. Users are encouraged to upgrade.
The patch is commit https://github.com/sylabs/sif/commit/07fb86029a12e3210f6131e065570124605daeaa
### Workarounds
Users may independently validate that the hash algorithm(s) used for metadata digest(s) and signature hash are cryptographically secure.
### References
* [CVE-2004-2761](https://nvd.nist.gov/vuln/detail/cve-2004-2761)
* [CVE-2005-4900](https://nvd.nist.gov/vuln/detail/cve-2005-4900)
### For more information
If you have any questions or comme
GitLab
vendor_gitlab·2022-11-09·CVSS 4.3
CVE-2022-2761 [MEDIUM] CVE-2022-2761: An information disclosure issue in GitLab CE/EE affecting all versions from 14.4 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allow
CVE-2022-2761: An information disclosure issue in GitLab CE/EE affecting all versions from 14.4 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allows an attacker to use GitLab Flavored Markdown (GFM) references in a Jira issue to disclose the names of resources they don't have access to.
Debian
vendor_debian·2022·CVSS 4.3
CVE-2022-2761 [MEDIUM] CVE-2022-2761: gitlab - An information disclosure issue in GitLab CE/EE affecting all versions from 14.4...
An information disclosure issue in GitLab CE/EE affecting all versions from 14.4 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allows an attacker to use GitLab Flavored Markdown (GFM) references in a Jira issue to disclose the names of resources they don't have access to.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-2761.json
https://gitlab.com/gitlab-org/gitlab/-/issues/370458
https://hackerone.com/reports/1653149
Published: 2022-11-09