CVE-2022-3572 — Cross-site Scripting in Gitlab

CWE-79 — Cross-site Scripting7 documents6 sources

Severity

6.1MEDIUMNVD

EPSS

10.2%

top 6.84%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gitlab Debian Gitlab Gitlab CE

Timeline

PublishedJan 26

Description

A cross-site scripting issue has been discovered in GitLab CE/EE affecting all versions from 13.5 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2. It was possible to exploit a vulnerability in setting the Jira Connect integration which could lead to a reflected XSS that allowed attackers to perform arbitrary actions on behalf of victims.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages5 packages

▶NVDgitlab/gitlab13.5.0 — 15.4.6+2

▶debiandebian/gitlab< gitlab 15.10.8+ds1-2 (sid)

▶CVEListV5gitlab/gitlab>=13.5, <15.4.6, >=15.5, <15.5.5, >=15.6, <15.6.1+2

▶gitlabgitlab/gitlab

▶gitlabgitlab/gitlab_ce

🔴Vulnerability Details

GHSA

GHSA-6gf9-9hhg-h494: A cross-site scripting issue has been discovered in GitLab CE/EE affecting all versions from 13↗2023-01-26

▶

OSV

CVE-2022-3572: A cross-site scripting issue has been discovered in GitLab CE/EE affecting all versions from 13↗2023-01-26

▶

📋Vendor Advisories

GitLab

CVE-2022-3572: A cross-site scripting issue has been discovered in GitLab CE/EE affecting all versions from 13.5 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prio↗2023-01-26

▶

Oracle

Oracle Oracle Communications Risk Matrix: Policy (Package Installer for Python) — CVE-2021-3572↗2022-07-15

▶

Oracle

Oracle Oracle Communications Risk Matrix: OC-CNE (python-pip) — CVE-2021-3572↗2022-04-15

▶

Debian

CVE-2022-3572: gitlab - A cross-site scripting issue has been discovered in GitLab CE/EE affecting all v...↗2022

▶