CVE-2022-3767

CWE-20 — Improper Input Validation CWE-8236 documents6 sources

Severity

6.5MEDIUM

EPSS

0.2%

top 55.97%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gitlab Dynamic Application Security Testing Analyzer Gitlab Dast

Timeline

PublishedMar 9

Latest updateMar 10

Description

Missing validation in DAST analyzer affecting all versions from 1.11.0 prior to 3.0.32, allows custom request headers to be sent with every request, regardless of the host.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:NExploitability: 3.1 | Impact: 4.0

Affected Packages2 packages

▶NVDgitlab/dynamic_application_security_testing_analyzer1.11.0 — 3.0.32

▶CVEListV5gitlab/dast>=1.11, <3.0.32

Patches

Patch: gitlab.com ↗Patch: gitlab.com ↗

🔴Vulnerability Details

GHSA

GHSA-5xvv-4r9w-mw22: Missing validation in DAST analyzer affecting all versions from 1↗2023-03-10

▶

CVEList

CVE-2022-3767: Missing validation in DAST analyzer affecting all versions from 1↗2023-03-09

▶

OSV

CVE-2022-3767: Missing validation in DAST analyzer affecting all versions from 1↗2023-03-09

▶

📋Vendor Advisories

Debian

CVE-2022-3767: gitlab - Missing validation in DAST analyzer affecting all versions from 1.11.0 prior to ...↗2022

▶