CVE-2022-3413
Published: 2022-11-10
Priority: P421 · Severity: medium (4.3, CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
EPSS: 0.46% (36.6th percentile)
Incorrect authorization during display of Audit Events in GitLab EE affecting all versions from 14.5 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2, allowed Developers to view the project's Audit Events and Developers or Maintainers to view the group's Audit Events. These should have been restricted to Project Maintainers, Group Owners, and above.
Affected (9 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | gitlab | < gitlab 15.10.8+ds1-2 (sid) | gitlab 15.10.8+ds1-2 (sid) |
| gitlab | gitlab | — | — |
| gitlab | gitlab | — | — |
| gitlab | gitlab | — | — |
| gitlab | gitlab | — | — |
| gitlab | gitlab | >= 14.5.0 < 15.3.5 | 15.3.5 |
| gitlab | gitlab | >= 15.4.0 < 15.4.4 | 15.4.4 |
| gitlab | gitlab | >= 15.5.0 < 15.5.2 | 15.5.2 |
| gitlab | gitlab_ee | — | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 4.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
| osv | — | 4.3 | MEDIUM | — |
| vendor_debian | — | 4.3 | MEDIUM | — |
OSV
osv · 2022-11-10 · CVSS 4.3 · MEDIUM
CVE-2022-3413 (description as above)
GHSA
GHSA-9672-4fh3-mcfg · ghsa_unreviewed · 2022-11-10 · MEDIUM · CWE-639
CVE-2022-3413 (description as above)
GitLab
vendor_gitlab · 2022-11-10 · CVSS 4.3 · MEDIUM · CWE-639
CVE-2022-3413 (description as above)
Debian
vendor_debian · 2022 · CVSS 4.3 · MEDIUM
CVE-2022-3413: gitlab (description as above)
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-3413.json
- https://gitlab.com/gitlab-org/gitlab/-/issues/374926