CVE-2022-3413 — Authorization Bypass Through User-Controlled Key in Gitlab

CWE-639 — Authorization Bypass Through User-Controlled Key CWE-863 — Incorrect Authorization5 documents5 sources

Severity

4.3MEDIUMNVD

EPSS

0.2%

top 60.43%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gitlab Debian Gitlab Gitlab EE

Timeline

PublishedNov 10

Description

Incorrect authorization during display of Audit Events in GitLab EE affecting all versions from 14.5 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2, allowed Developers to view the project's Audit Events and Developers or Maintainers to view the group's Audit Events. These should have been restricted to Project Maintainers, Group Owners, and above.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages5 packages

▶NVDgitlab/gitlab14.5.0 — 15.3.5+2

▶debiandebian/gitlab< gitlab 15.10.8+ds1-2 (sid)

▶CVEListV5gitlab/gitlab>=14.5, <15.3.5, >=15.4, <15.4.4, >=15.5, <15.5.2+2

▶gitlabgitlab/gitlab

▶gitlabgitlab/gitlab_ee

🔴Vulnerability Details

OSV

CVE-2022-3413: Incorrect authorization during display of Audit Events in GitLab EE affecting all versions from 14↗2022-11-10

▶

GHSA

GHSA-9672-4fh3-mcfg: Incorrect authorization during display of Audit Events in GitLab EE affecting all versions from 14↗2022-11-10

▶

📋Vendor Advisories

GitLab

CVE-2022-3413: Incorrect authorization during display of Audit Events in GitLab EE affecting all versions from 14.5 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 p↗2022-11-10

▶

Debian

CVE-2022-3413: gitlab - Incorrect authorization during display of Audit Events in GitLab EE affecting al...↗2022

▶