CVE-2022-4335 — Server-Side Request Forgery in Gitlab

CWE-918 — Server-Side Request Forgery4 documents4 sources

Severity

4.3MEDIUMNVD

EPSS

0.4%

top 41.24%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gitlab Debian Gitlab Gitlab EE

Timeline

PublishedJan 27

Description

A blind SSRF vulnerability was identified in all versions of GitLab EE prior to 15.4.6, 15.5 prior to 15.5.5, and 15.6 prior to 15.6.1 which allows an attacker to connect to a local host.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages5 packages

▶NVDgitlab/gitlab15.5.0 — 15.5.5+2

▶CVEListV5gitlab/gitlab<15.4.6, >=15.5, <15.5.5, >=15.6, <15.6.1+2

▶debiandebian/gitlab

▶gitlabgitlab/gitlab

▶gitlabgitlab/gitlab_ee

🔴Vulnerability Details

GHSA

GHSA-g3jp-2gfc-xjq6: A blind SSRF vulnerability was identified in all versions of GitLab EE prior to 15↗2023-01-27

▶

📋Vendor Advisories

GitLab

CVE-2022-4335: A blind SSRF vulnerability was identified in all versions of GitLab EE prior to 15.4.6, 15.5 prior to 15.5.5, and 15.6 prior to 15.6.1 which allows an↗2023-01-27

▶

Debian

CVE-2022-4335: gitlab - A blind SSRF vulnerability was identified in all versions of GitLab EE prior to ...↗2022

▶