cbcvebase.
CVE-2022-2992
published 2022-10-17


Priority: P186 (critical)
CVSS 3.1 base score: 9.9
Vector: AV:N / AC:L / PR:L / UI:N / S:C / C:H / I:H / A:H
Exploit: known public exploit
EPSS: 86.19% (99.7th percentile)
A vulnerability in GitLab CE/EE affecting all versions from 11.10 prior to 15.1.6, 15.2 to 15.2.4, 15.3 to 15.3.2 allows an authenticated user to achieve remote code execution via the Import from GitHub API endpoint.

Affected

9 ranges
Vendor   Product     Version range                    Fixed in
debian   gitlab      < gitlab 15.10.8+ds1-2 (sid)     gitlab 15.10.8+ds1-2 (sid)
gitlab   gitlab      (not given)                      (not given)
gitlab   gitlab      (not given)                      (not given)
gitlab   gitlab      (not given)                      (not given)
gitlab   gitlab      (not given)                      (not given)
gitlab   gitlab      >= 11.10 < 15.1.6                15.1.6
gitlab   gitlab      >= 15.2 < 15.2.4                 15.2.4
gitlab   gitlab      >= 15.3 < 15.3.2                 15.3.2
gitlab   gitlab_ce   (not given)                      (not given)

Detection & IOCs (extracted from sources)

  • The attack targets the GitLab 'Import from GitHub' API endpoint; monitor for authenticated POST requests to this endpoint that reference an unexpected or attacker-controlled GitHub server address.
  • Look for Redis serialization protocol (RESP) payloads appearing in the `default_branch` field of GitHub API responses received by GitLab; this is the injection vector for the deserialization chain.
  • A Metasploit module exists for this CVE (gitlab_github_import_rce_cve_2022_2992); signature-based detection of this module's traffic patterns (e.g., via IDS/WAF rules) should be considered.
  • Exploitation requires an authenticated GitLab user; unauthenticated access alone is insufficient to trigger the vulnerability.
  • Affected versions span a wide range (11.10 up to 15.3.2); ensure patching covers all three affected branches: prior to 15.1.6, 15.2 to 15.2.4, and 15.3 to 15.3.2.
  • The deserialization occurs during session loading after the malicious Redis object is cached, meaning the RCE trigger is deferred and may not be immediately correlated with the import request.
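The second IOC above, RESP framing smuggled into the `default_branch` field of a GitHub API response, turned into a concrete check a defender could run over captured responses (for example from a proxy in front of the import path). This is an added example, not code from the source record, GitLab or the Metasploit module; the JSON bodies are constructed, and the list of fields to inspect is an assumption (the advisory names only `default_branch`). The check generalizes slightly: it flags any CRLF-delimited RESP frame type, not just arrays, and also rejects values that are not valid git ref names, since a real branch name can never contain CR or LF.

```python
"""Detect RESP (Redis protocol) framing inside GitHub API JSON fields.

Added example for the IOC above; not part of the source record, GitLab or
Metasploit. Sample responses are constructed; field names mirror the GitHub
"get a repository" response, where ``default_branch`` is the field named in
the advisory text.
"""
import json
import re
from typing import Dict, List

# RESP v2 frame types: *array, $bulk, +simple, -error, :integer. A frame is
# the type byte, a decimal length/value and CRLF. Legitimate git ref names
# never contain CR or LF, so any CRLF-delimited frame inside a branch name
# is anomalous on its own.
_RESP_FRAME = re.compile(rb"[*$+\-:][^\r\n]*\r\n")
_RESP_ARRAY_HEADER = re.compile(rb"\*\d+\r\n")

# Characters git itself refuses in ref names (see git-check-ref-format):
# ASCII control bytes, DEL, space, ~ ^ : ? * [ and backslash.
_BAD_REF_CHARS = re.compile(r"[\x00-\x1f\x7f ~^:?*\[\\]")


def is_plausible_ref_name(name: str) -> bool:
    """Cheap approximation of git-check-ref-format for a branch name."""
    if not name or name.startswith("/") or name.endswith("/"):
        return False
    if name.endswith(".lock") or ".." in name or "@{" in name:
        return False
    return _BAD_REF_CHARS.search(name) is None


def resp_frames(value: str) -> List[bytes]:
    """Return every CRLF-terminated RESP-looking frame found in value."""
    data = value.encode("utf-8", "surrogatepass")
    return _RESP_FRAME.findall(data)


def inspect_repo_response(body: str,
                          fields=("default_branch",)) -> Dict[str, List[str]]:
    """Return {field: [reasons]} for fields that look like RESP injection.

    ``fields`` defaults to the one field the advisory names; extend it if you
    want to cover other string fields of the response (assumption, not from
    the advisory).
    """
    findings: Dict[str, List[str]] = {}
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return {"_body": ["response is not valid JSON"]}
    for field in fields:
        value = doc.get(field)
        if not isinstance(value, str):
            continue
        reasons = []
        if "\r\n" in value:
            reasons.append("contains CRLF")
        if not is_plausible_ref_name(value):
            reasons.append("not a valid git ref name")
        frames = resp_frames(value)
        if frames:
            reasons.append(f"{len(frames)} RESP-like frame(s)")
        if _RESP_ARRAY_HEADER.search(value.encode("utf-8", "surrogatepass")):
            reasons.append("RESP array header")
        if reasons:
            findings[field] = reasons
    return findings


# Constructed sample responses (not real captures). The suspicious one carries
# a harmless PING frame after the branch name purely to exercise the detector.
BENIGN_RESPONSE = json.dumps({"name": "demo", "default_branch": "main"})
SUSPICIOUS_RESPONSE = json.dumps({
    "name": "demo",
    "default_branch": "main\r\n*1\r\n$4\r\nPING\r\n",
})

if __name__ == "__main__":
    for label, body in (("benign", BENIGN_RESPONSE),
                        ("suspicious", SUSPICIOUS_RESPONSE)):
        print(label, inspect_repo_response(body) or "clean")
```

Run against stored responses from the import path; an empty dict means the inspected fields look like ordinary branch names, while any reason list is worth correlating with the import request and with later session-load activity, since the advisory notes the trigger is deferred.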

CVSS provenance

NVD (v3.1):       9.9 CRITICAL  CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
OSV:              9.9 CRITICAL
CISA:             7.8 HIGH
Vendor (Debian):  9.9 CRITICAL