CVE-2022-2884
published 2022-10-17


Priority: P1 (85, critical)
CVSS 3.1: 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
Exploit: yes
EPSS: 75.72% (99.5th percentile)
A vulnerability in GitLab CE/EE affecting all versions from 11.3.4 prior to 15.1.5, 15.2 to 15.2.3, and 15.3 to 15.3.1 allows an authenticated user to achieve remote code execution via the Import from GitHub API endpoint.

Affected (9 ranges)

Vendor    Product     Version range                   Fixed in
debian    gitlab      < gitlab 15.10.8+ds1-2 (sid)    gitlab 15.10.8+ds1-2 (sid)
gitlab    gitlab      -                               -
gitlab    gitlab      -                               -
gitlab    gitlab      -                               -
gitlab    gitlab      -                               -
gitlab    gitlab      >= 11.3.4 < 15.1.5              15.1.5
gitlab    gitlab      >= 15.2 < 15.2.3                15.2.3
gitlab    gitlab      >= 15.3 < 15.3.1                15.3.1
gitlab    gitlab_ce   -                               -

Detection & IOCs (extracted from sources)

  • url: /api/v3/repos///issues
  • url: /api/v3/repos//
  • url: /api/v3/users/
  • url: /repositories/
  • The exploit spins up a fake GitHub server (Flask app) on the attacker machine and supplies its address/port to GitLab's import API. Detect outbound connections from the GitLab server to non-GitHub IP addresses on unusual ports (default 1337) during import operations.
  • The fake GitHub server exposes routes mimicking GitHub API v3 paths (/api/v3/repos, /api/v3/users, /repositories). Detect GitLab making outbound HTTP requests to these paths on non-github.com hosts.
  • The exploit requires a valid GitLab private token (-pt/--private-token). Investigate any recently created or compromised GitLab personal access tokens used in conjunction with import API calls around the time of suspected exploitation.
  • Affected versions are GitLab CE/EE 11.3.4 through 15.1.4, 15.2.0–15.2.2, and 15.3.0. Identify unpatched instances in the environment as a priority for detection and patching.
  • Exploitation requires an authenticated GitLab user (valid credentials or private token). Unauthenticated attackers cannot directly exploit this vulnerability.
  • The exploit was tested specifically against the 'gitlab/gitlab-ce:15.3.0-ce.0' Docker container image; behavior may differ on other deployment types or versions.
  • The attacker machine must be network-reachable from the GitLab server to serve the fake GitHub API responses; air-gapped or strictly egress-filtered GitLab deployments may limit exploitability.
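The egress check described in the first two bullets, as an added detection example that is not part of this record or of GitLab: it flags outbound requests from the GitLab host whose path looks like a GitHub API v3 call but whose destination is not github.com, or whose port is unusual. The proxy log format, the expected-host list and the sample lines are constructed assumptions for this example.

```python
import re
from typing import Optional

# Hosts the GitHub importer is expected to reach (assumption: imports come only from
# github.com; add any GitHub Enterprise hosts you actually use).
EXPECTED_HOSTS = {"api.github.com", "github.com"}
EXPECTED_PORTS = {80, 443}
# GitHub API v3 path prefixes from the IOC list above.
GITHUB_V3_PATHS = re.compile(r"^/(api/v3/repos/|api/v3/users/|repositories/)")
# Constructed egress-proxy log format for this example (not a real product's format):
#   <timestamp> <gitlab_ip> <method> http(s)://<host>[:<port>]<path>
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) [A-Z]+ (?P<scheme>https?)://"
                     r"(?P<host>[^/:\s]+)(?::(?P<port>\d+))?(?P<path>/\S*)$")

def parse_line(line: str) -> Optional[dict]:
    """Parse one log line into a dict; None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["port"] = int(ev["port"]) if ev["port"] else (443 if ev["scheme"] == "https" else 80)
    return ev

def classify(ev: dict) -> Optional[str]:
    """Alert reason if the request matches the IOC pattern, else None."""
    if not GITHUB_V3_PATHS.match(ev["path"]):
        return None  # not a GitHub-importer style request
    if ev["host"] not in EXPECTED_HOSTS:
        return f"GitHub v3 API path {ev['path']} sent to non-GitHub host {ev['host']}:{ev['port']}"
    if ev["port"] not in EXPECTED_PORTS:
        return f"GitHub v3 API path {ev['path']} on unusual port {ev['port']}"
    return None

def find_alerts(lines):
    """Run the check over log lines; returns (timestamp, source_ip, reason) tuples."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is not None and (reason := classify(ev)):
            alerts.append((ev["ts"], ev["src"], reason))
    return alerts

# Constructed sample: a normal import, an import pointed at a fake GitHub server on
# port 1337 (the exploit's default), and unrelated egress that must not alert.
SAMPLE_LOG = """\
2022-08-22T10:00:01Z 10.0.0.5 GET https://api.github.com/repositories/123456
2022-08-22T10:05:10Z 10.0.0.5 GET http://203.0.113.7:1337/api/v3/users/octocat
2022-08-22T10:05:11Z 10.0.0.5 GET http://203.0.113.7:1337/api/v3/repos/x/y/issues
2022-08-22T10:06:00Z 10.0.0.5 GET https://registry.npmjs.org/lodash
"""
```

Running find_alerts over SAMPLE_LOG.splitlines() yields the two requests to 203.0.113.7:1337; pair the hits with the import API calls and the personal access token used at that time, per the third bullet.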

CVSS provenance

Source          Version  Score  Severity  Vector
nvd             v3.1     9.9    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
osv             -        9.9    CRITICAL  -
vendor_debian   -        9.9    CRITICAL  -
vendor_redhat   -        7.8    HIGH      -