CVE-2022-3726 — Gitlab vulnerability

5 documents5 sources

Severity

9.0CRITICALNVD

EPSS

0.3%

top 43.79%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gitlab Debian Gitlab Gitlab CE

Timeline

PublishedNov 10

Description

Lack of sand-boxing of OpenAPI documents in GitLab CE/EE affecting all versions from 12.6 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allows an attacker to trick a user to click on the Swagger OpenAPI viewer and issue HTTP requests that affect the victim's account.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:HExploitability: 2.3 | Impact: 6.0

Affected Packages5 packages

▶NVDgitlab/gitlab12.6.0 — 15.3.5+2

▶debiandebian/gitlab< gitlab 15.10.8+ds1-2 (sid)

▶CVEListV5gitlab/gitlab>=12.6, <15.3.5, >=15.4, <15.4.4, >=15.5, <15.5.2+2

▶gitlabgitlab/gitlab

▶gitlabgitlab/gitlab_ce

🔴Vulnerability Details

GHSA

GHSA-75cm-h3qp-7jq4: Lack of sand-boxing of OpenAPI documents in GitLab CE/EE affecting all versions from 12↗2022-11-10

▶

OSV

CVE-2022-3726: Lack of sand-boxing of OpenAPI documents in GitLab CE/EE affecting all versions from 12↗2022-11-10

▶

📋Vendor Advisories

GitLab

CVE-2022-3726: Lack of sand-boxing of OpenAPI documents in GitLab CE/EE affecting all versions from 12.6 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.↗2022-11-10

▶

Debian

CVE-2022-3726: gitlab - Lack of sand-boxing of OpenAPI documents in GitLab CE/EE affecting all versions ...↗2022

▶