CVE-2022-4143 — Time-of-check Time-of-use (TOCTOU) Race Condition in Gitlab

CWE-367 — Time-of-check Time-of-use (TOCTOU) Race Condition CWE-125 — Out-of-bounds Read6 documents6 sources

Severity

5.3MEDIUMNVD

EPSS

0.2%

top 56.42%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gitlab Debian Gitlab

Timeline

PublishedJun 28

Description

An issue has been discovered in GitLab affecting all versions starting from 15.7 before 15.8.5, from 15.9 before 15.9.4, and from 15.10 before 15.10.1 that allows for crafted, unapproved MRs to be introduced and merged without authorization

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:NExploitability: 1.6 | Impact: 3.6

Affected Packages4 packages

▶NVDgitlab/gitlab15.7.0 — 15.8.5+2

▶debiandebian/gitlab< gitlab 15.10.8+ds1-2 (sid)

▶CVEListV5gitlab/gitlab>=15.10, <15.10.1, >=15.7, <15.8.5, >=15.9, <15.9.4+2

▶gitlabgitlab/gitlab

🔴Vulnerability Details

OSV

CVE-2022-4143: An issue has been discovered in GitLab affecting all versions starting from 15↗2023-06-28

▶

GHSA

GHSA-9xhf-gx34-9q2g: An issue has been discovered in GitLab affecting all versions starting from 15↗2023-06-28

▶

📋Vendor Advisories

GitLab

CVE-2022-4143: An issue has been discovered in GitLab affecting all versions starting from 15.7 before 15.8.5, from 15.9 before 15.9.4, and from 15.10 before 15.10.1↗2023-06-28

▶

Red Hat

hw: Intel: Out-of-bounds read in firmware for Integrated Sensor Solution↗2023-02-14

▶

Debian

CVE-2022-4143: gitlab - An issue has been discovered in GitLab affecting all versions starting from 15.7...↗2022

▶