CVE-2022-4037 — Race Condition in Gitlab

CWE-362 — Race Condition5 documents5 sources

Severity

8.5HIGHNVD

EPSS

0.6%

top 31.03%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gitlab Debian Gitlab Gitlab CE

Timeline

PublishedJan 12

Description

An issue has been discovered in GitLab CE/EE affecting all versions before 15.5.7, all versions starting from 15.6 before 15.6.4, all versions starting from 15.7 before 15.7.2. A race condition can lead to verified email forgery and takeover of third-party accounts when using GitLab as an OAuth provider.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:HExploitability: 1.8 | Impact: 6.0

Affected Packages5 packages

▶NVDgitlab/gitlab15.6.0 — 15.6.4+2

▶debiandebian/gitlab< gitlab 15.10.8+ds1-2 (sid)

▶CVEListV5gitlab/gitlab>=0.0, <15.5.7, >=15.6, <15.6.4, >=15.7, <15.7.2+2

▶gitlabgitlab/gitlab

▶gitlabgitlab/gitlab_ce

🔴Vulnerability Details

GHSA

GHSA-8r38-jrwh-8grw: An issue has been discovered in GitLab CE/EE affecting all versions before 15↗2023-01-12

▶

OSV

CVE-2022-4037: An issue has been discovered in GitLab CE/EE affecting all versions before 15↗2023-01-12

▶

📋Vendor Advisories

GitLab

CVE-2022-4037: An issue has been discovered in GitLab CE/EE affecting all versions before 15.5.7, all versions starting from 15.6 before 15.6.4, all versions startin↗2023-01-12

▶

Debian

CVE-2022-4037: gitlab - An issue has been discovered in GitLab CE/EE affecting all versions before 15.5....↗2022

▶