CVE Vulnerability

CVE-2022-2992

A vulnerability in GitLab CE/EE affecting all versions from 11.10 prior to 15.1.6, 15.2 to 15.2.4, 15.3 to 15.3.2 allows an authenticated user to achieve remote code execution via the Import from GitHub API endpoint.

9.9 /10

CVSS v3.0 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.1 / Impact : 6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References
Link Resource
https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-2992.json Third Party Advisory
https://hackerone.com/reports/1679624 Permissions Required Third Party Advisory
https://gitlab.com/gitlab-org/gitlab/-/issues/371884 Broken Link Third Party Advisory
http://packetstormsecurity.com/files/171008/GitLab-GitHub-Repo-Import-Deserialization-Remote-Code-Execution.html
Configurations

Configuration 1

cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*
Information

Published : 2022-10-17 04:15

Updated : 2023-02-15 08:15

NVD link : CVE-2022-2992

Mitre link : CVE-2022-2992

Products Affected
No products.
CWE
CWE-77