CVE-2022-3288 — Modification of Assumed-Immutable Data in Gitlab

CWE-471 — Modification of Assumed-Immutable Data5 documents5 sources

Severity

4.3MEDIUMNVD

EPSS

0.2%

top 63.76%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gitlab Debian Gitlab Gitlab CE

Timeline

PublishedOct 17

Description

A branch/tag name confusion in GitLab CE/EE affecting all versions prior to 15.2.5, 15.3 prior to 15.3.4, and 15.4 prior to 15.4.1 allows an attacker to manipulate pages where the content of the default branch would be expected.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages5 packages

▶NVDgitlab/gitlab15.3 — 15.3.4+2

▶debiandebian/gitlab< gitlab 15.10.8+ds1-2 (sid)

▶CVEListV5gitlab/gitlab<15.2.5, >=15.3, <15.3.4, >=15.4, <15.4.1+2

▶gitlabgitlab/gitlab

▶gitlabgitlab/gitlab_ce

🔴Vulnerability Details

GHSA

GHSA-q9g6-jf2g-r26w: A branch/tag name confusion in GitLab CE/EE affecting all versions prior to 15↗2022-10-17

▶

OSV

CVE-2022-3288: A branch/tag name confusion in GitLab CE/EE affecting all versions prior to 15↗2022-10-17

▶

📋Vendor Advisories

GitLab

CVE-2022-3288: A branch/tag name confusion in GitLab CE/EE affecting all versions prior to 15.2.5, 15.3 prior to 15.3.4, and 15.4 prior to 15.4.1 allows an attacker↗2022-10-17

▶

Debian

CVE-2022-3288: gitlab - A branch/tag name confusion in GitLab CE/EE affecting all versions prior to 15.2...↗2022

▶