CVE-2022-2992
Published: 2022-10-17
Priority: P1 · 86 · critical · 9.9 (CVSS 3.1: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
Exploit: public exploit available
EPSS: 86.19% (99.7th percentile)
A vulnerability in GitLab CE/EE affecting all versions from 11.10 prior to 15.1.6, 15.2 to 15.2.4, 15.3 to 15.3.2 allows an authenticated user to achieve remote code execution via the Import from GitHub API endpoint.
Affected (9 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | gitlab | < gitlab 15.10.8+ds1-2 (sid) | gitlab 15.10.8+ds1-2 (sid) |
| gitlab | gitlab | — | — |
| gitlab | gitlab | — | — |
| gitlab | gitlab | — | — |
| gitlab | gitlab | — | — |
| gitlab | gitlab | >= 11.10 < 15.1.6 | 15.1.6 |
| gitlab | gitlab | >= 15.2 < 15.2.4 | 15.2.4 |
| gitlab | gitlab | >= 15.3 < 15.3.2 | 15.3.2 |
| gitlab | gitlab_ce | — | — |
Detection & IOCs (extracted from sources)
- The attack targets the GitLab 'Import from GitHub' API endpoint; monitor for authenticated POST requests to this endpoint originating from unexpected or attacker-controlled GitHub server addresses.
- Look for Redis serialization protocol (RESP) payloads appearing in the `default_branch` field of GitHub API responses received by GitLab; this is the injection vector for the deserialization chain.
- A Metasploit module exists for this CVE (gitlab_github_import_rce_cve_2022_2992); signature-based detection of this module's traffic patterns (e.g., via IDS/WAF rules) should be considered.
- Exploitation requires an authenticated GitLab user; unauthenticated access alone is insufficient to trigger the vulnerability.
- Affected versions span a wide range (11.10 up to 15.3.2); ensure patching covers all three affected branches: prior to 15.1.6, 15.2 to 15.2.4, and 15.3 to 15.3.2.
- The deserialization occurs during session loading after the malicious Redis object is cached, meaning the RCE trigger is deferred and may not be immediately correlated with the import request.
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 9.9 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
| osv | 9.9 | CRITICAL | — |
| cisa | 7.8 | HIGH | — |
| vendor_debian | 9.9 | CRITICAL | — |
GHSA
GHSA-m7f3-552r-pf23 · ghsa_unreviewed · 2022-10-17 · CVE-2022-2992 [HIGH] · CWE-74
A vulnerability in GitLab CE/EE affecting all versions from 11.10 prior to 15.1.6, 15.2 to 15.2.4, 15.3 to 15.3.2 allows an authenticated user to achieve remote code execution via the Import from GitHub API endpoint.
OSV
CVE-2022-2992 · osv · 2022-10-17 · CVSS 9.9 [CRITICAL]
A vulnerability in GitLab CE/EE affecting all versions from 11.10 prior to 15.1.6, 15.2 to 15.2.4, 15.3 to 15.3.2 allows an authenticated user to achieve remote code execution via the Import from GitHub API endpoint.
GitLab
CVE-2022-2992 · vendor_gitlab · 2022-10-17 · CVSS 9.9 [CRITICAL] · CWE-74
A vulnerability in GitLab CE/EE affecting all versions from 11.10 prior to 15.1.6, 15.2 to 15.2.4, 15.3 to 15.3.2 allows an authenticated user to achieve remote code execution via the Import from GitHub API endpoint.
CISA (note: the KEV entry indexed here is CVE-2008-2992, an Adobe Reader and Acrobat issue, not CVE-2022-2992; the 7.8 HIGH score in the provenance table above comes from this entry)
CVE-2008-2992 · cisa · 2022-03-03 · CVSS 7.8 [HIGH] · CWE-119
Vulnerability: Adobe Reader and Acrobat Input Validation Vulnerability
Affected: Adobe Acrobat and Reader
Adobe Acrobat and Reader contain an input validation issue in a JavaScript method that could potentially lead to remote code execution.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2008-2992
Remediation Due Date: 2022-03-24
Debian
CVE-2022-2992 · vendor_debian · 2022 · CVSS 9.9 [CRITICAL] · package: gitlab
A vulnerability in GitLab CE/EE affecting all versions from 11.10 prior to 15.1.6, 15.2 to 15.2.4, 15.3 to 15.3.2 allows an authenticated user to achieve remote code execution via the Import from GitHub API endpoint.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
No detection rules found.
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/171008/GitLab-GitHub-Repo-Import-Deserialization-Remote-Code-Execution.html
- https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-2992.json
- https://gitlab.com/gitlab-org/gitlab/-/issues/371884
- https://hackerone.com/reports/1679624