CVE Vulnerability

CVE-2022-4054

An issue has been discovered in GitLab affecting all versions starting from 9.3 before 15.4.6, all versions starting from 15.5 before 15.5.5, all versions starting from 15.6 before 15.6.1. It was possible for a project maintainer to leak a webhook secret token by changing the webhook URL to an endpoint that allows them to capture request headers.

5.5 /10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.3 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References
Link Resource
https://hackerone.com/reports/1758126 Permissions Required Third Party Advisory
https://gitlab.com/gitlab-org/gitlab/-/issues/382260 Exploit Issue Tracking
https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-4054.json Vendor Advisory
Configurations

Configuration 1

cpe:2.3:a:gitlab:gitlab:15.6.0:*:*:*:community:*:*:*
cpe:2.3:a:gitlab:gitlab:15.6.0:*:*:*:enterprise:*:*:*
cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
Information

Published : 2023-01-26 09:18

Updated : 2023-02-01 05:22

NVD link : CVE-2022-4054

Mitre link : CVE-2022-4054

Products Affected
No products.
CWE
NVD-CWE-noinfo