CVE-2022-3706 — Gitlab vulnerability

5 documents5 sources

Severity

4.3MEDIUMNVD

EPSS

0.2%

top 62.85%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gitlab Debian Gitlab Gitlab CE

Timeline

PublishedNov 10

Description

Improper authorization in GitLab CE/EE affecting all versions from 7.14 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allows a user retrying a job in a downstream pipeline to take ownership of the retried jobs in the upstream pipeline even if the user doesn't have access to that project.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages5 packages

▶NVDgitlab/gitlab7.14.0 — 15.3.5+2

▶debiandebian/gitlab< gitlab 15.10.8+ds1-2 (sid)

▶CVEListV5gitlab/gitlab>=15.4, <15.4.4, >=15.5, <15.5.2, >=7.14, <15.3.5+2

▶gitlabgitlab/gitlab

▶gitlabgitlab/gitlab_ce

🔴Vulnerability Details

OSV

CVE-2022-3706: Improper authorization in GitLab CE/EE affecting all versions from 7↗2022-11-10

▶

GHSA

GHSA-q35c-75fc-6v95: Improper authorization in GitLab CE/EE affecting all versions from 7↗2022-11-10

▶

📋Vendor Advisories

GitLab

CVE-2022-3706: Improper authorization in GitLab CE/EE affecting all versions from 7.14 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allows a user↗2022-11-10

▶

Debian

CVE-2022-3706: gitlab - Improper authorization in GitLab CE/EE affecting all versions from 7.14 prior to...↗2022

▶