Vulnerability-Lookup

CVE-2022-1175 (GCVE-0-2022-1175)

Vulnerability from cvelistv5 – Published: 2022-04-04 19:46 – Updated: 2024-08-02 23:55

Summary

Improper neutralization of user input in GitLab CE/EE versions 14.4 before 14.7.7, all versions starting from 14.8 before 14.8.5, all versions starting from 14.9 before 14.9.2 allowed an attacker to exploit XSS by injecting HTML in notes.

Severity

8.7 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

CWE

Improper neutralization of input during web page generation ('cross-site scripting') in GitLab

Assigner

GitLab

References

4 references

URL	Tags
https://gitlab.com/gitlab-org/gitlab/-/issues/353370	x_refsource_MISC
https://hackerone.com/reports/1481207	x_refsource_MISC
https://gitlab.com/gitlab-org/cves/-/blob/master/…	x_refsource_CONFIRM
http://packetstormsecurity.com/files/166829/Gitla…	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
GitLab	GitLab	Affected: >=14.4, <14.7.7 Affected: >=14.8, <14.8.5 Affected: >=14.9, <14.9.2

Credits

Thanks [joaxcar](https://hackerone.com/joaxcar) for reporting this vulnerability through our HackerOne bug bounty program

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T23:55:24.361Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/353370"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://hackerone.com/reports/1481207"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-1175.json"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/166829/Gitlab-14.9-Cross-Site-Scripting.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "GitLab",
          "vendor": "GitLab",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e=14.4, \u003c14.7.7"
            },
            {
              "status": "affected",
              "version": "\u003e=14.8, \u003c14.8.5"
            },
            {
              "status": "affected",
              "version": "\u003e=14.9, \u003c14.9.2"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Thanks [joaxcar](https://hackerone.com/joaxcar) for reporting this vulnerability through our HackerOne bug bounty program"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Improper neutralization of user input in GitLab CE/EE versions 14.4 before 14.7.7, all versions starting from 14.8 before 14.8.5, all versions starting from 14.9 before 14.9.2 allowed an attacker to exploit XSS by injecting HTML in notes."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Improper neutralization of input during web page generation (\u0027cross-site scripting\u0027) in GitLab",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-04-26T16:06:17.000Z",
        "orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
        "shortName": "GitLab"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/353370"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://hackerone.com/reports/1481207"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-1175.json"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://packetstormsecurity.com/files/166829/Gitlab-14.9-Cross-Site-Scripting.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@gitlab.com",
          "ID": "CVE-2022-1175",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "GitLab",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003e=14.4, \u003c14.7.7"
                          },
                          {
                            "version_value": "\u003e=14.8, \u003c14.8.5"
                          },
                          {
                            "version_value": "\u003e=14.9, \u003c14.9.2"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "GitLab"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Thanks [joaxcar](https://hackerone.com/joaxcar) for reporting this vulnerability through our HackerOne bug bounty program"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Improper neutralization of user input in GitLab CE/EE versions 14.4 before 14.7.7, all versions starting from 14.8 before 14.8.5, all versions starting from 14.9 before 14.9.2 allowed an attacker to exploit XSS by injecting HTML in notes."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Improper neutralization of input during web page generation (\u0027cross-site scripting\u0027) in GitLab"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://gitlab.com/gitlab-org/gitlab/-/issues/353370",
              "refsource": "MISC",
              "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/353370"
            },
            {
              "name": "https://hackerone.com/reports/1481207",
              "refsource": "MISC",
              "url": "https://hackerone.com/reports/1481207"
            },
            {
              "name": "https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-1175.json",
              "refsource": "CONFIRM",
              "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-1175.json"
            },
            {
              "name": "http://packetstormsecurity.com/files/166829/Gitlab-14.9-Cross-Site-Scripting.html",
              "refsource": "MISC",
              "url": "http://packetstormsecurity.com/files/166829/Gitlab-14.9-Cross-Site-Scripting.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
    "assignerShortName": "GitLab",
    "cveId": "CVE-2022-1175",
    "datePublished": "2022-04-04T19:46:15.000Z",
    "dateReserved": "2022-03-30T00:00:00.000Z",
    "dateUpdated": "2024-08-02T23:55:24.361Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2022-1175",
      "date": "2026-06-01",
      "epss": "0.10323",
      "percentile": "0.93312"
    },
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*\", \"versionStartIncluding\": \"14.4.0\", \"versionEndExcluding\": \"14.7.7\", \"matchCriteriaId\": \"4CA4FC26-1469-446B-8CC9-A4854B179F23\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*\", \"versionStartIncluding\": \"14.4.0\", \"versionEndExcluding\": \"14.7.7\", \"matchCriteriaId\": \"66B63514-0A14-4D94-8579-82D6EC061C6F\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*\", \"versionStartIncluding\": \"14.8.0\", \"versionEndExcluding\": \"14.8.5\", \"matchCriteriaId\": \"723E51BE-5A83-439E-8D37-EACDC4E5E6B2\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*\", \"versionStartIncluding\": \"14.8.0\", \"versionEndExcluding\": \"14.8.5\", \"matchCriteriaId\": \"B21DB80A-89B0-4821-AACD-A0DB4102C123\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*\", \"versionStartIncluding\": \"14.9.0\", \"versionEndExcluding\": \"14.9.2\", \"matchCriteriaId\": \"50473ACF-87F3-4919-A1C8-1C1D3AED7024\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*\", \"versionStartIncluding\": \"14.9.0\", \"versionEndExcluding\": \"14.9.2\", \"matchCriteriaId\": \"84DA7B4F-42A6-4940-98D5-3BF151FD3287\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Improper neutralization of user input in GitLab CE/EE versions 14.4 before 14.7.7, all versions starting from 14.8 before 14.8.5, all versions starting from 14.9 before 14.9.2 allowed an attacker to exploit XSS by injecting HTML in notes.\"}, {\"lang\": \"es\", \"value\": \"Una neutralizaci\\u00f3n inapropiada de la entrada del usuario en GitLab CE/EE versiones 14.4 anteriores a 14.7.7, todas las versiones a partir de 14.8 anteriores a 14.8.5, todas las versiones a partir de 14.9 anteriores a 14.9.2, permiti\\u00f3 a un atacante explotar un ataque de tipo XSS mediante una inyecci\\u00f3n de HTML en las notas\"}]",
      "id": "CVE-2022-1175",
      "lastModified": "2024-11-21T06:40:11.400",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"cve@gitlab.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N\", \"baseScore\": 8.7, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.3, \"impactScore\": 5.8}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\", \"baseScore\": 6.1, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 2.7}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:M/Au:N/C:N/I:P/A:N\", \"baseScore\": 4.3, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 8.6, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": true}]}",
      "published": "2022-04-04T20:15:10.040",
      "references": "[{\"url\": \"http://packetstormsecurity.com/files/166829/Gitlab-14.9-Cross-Site-Scripting.html\", \"source\": \"cve@gitlab.com\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-1175.json\", \"source\": \"cve@gitlab.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://gitlab.com/gitlab-org/gitlab/-/issues/353370\", \"source\": \"cve@gitlab.com\", \"tags\": [\"Broken Link\"]}, {\"url\": \"https://hackerone.com/reports/1481207\", \"source\": \"cve@gitlab.com\", \"tags\": [\"Permissions Required\", \"Third Party Advisory\"]}, {\"url\": \"http://packetstormsecurity.com/files/166829/Gitlab-14.9-Cross-Site-Scripting.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-1175.json\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://gitlab.com/gitlab-org/gitlab/-/issues/353370\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Broken Link\"]}, {\"url\": \"https://hackerone.com/reports/1481207\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Permissions Required\", \"Third Party Advisory\"]}]",
      "sourceIdentifier": "cve@gitlab.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-79\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-1175\",\"sourceIdentifier\":\"cve@gitlab.com\",\"published\":\"2022-04-04T20:15:10.040\",\"lastModified\":\"2024-11-21T06:40:11.400\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Improper neutralization of user input in GitLab CE/EE versions 14.4 before 14.7.7, all versions starting from 14.8 before 14.8.5, all versions starting from 14.9 before 14.9.2 allowed an attacker to exploit XSS by injecting HTML in notes.\"},{\"lang\":\"es\",\"value\":\"Una neutralizaci\u00f3n inapropiada de la entrada del usuario en GitLab CE/EE versiones 14.4 anteriores a 14.7.7, todas las versiones a partir de 14.8 anteriores a 14.8.5, todas las versiones a partir de 14.9 anteriores a 14.9.2, permiti\u00f3 a un atacante explotar un ataque de tipo XSS mediante una inyecci\u00f3n de HTML en las notas\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"cve@gitlab.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N\",\"baseScore\":8.7,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.3,\"impactScore\":5.8},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.7}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:N/I:P/A:N\",\"baseScore\":4.3,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*\",\"versionStartIncluding\":\"14.4.0\",\"versionEndExcluding\":\"14.7.7\",\"matchCriteriaId\":\"4CA4FC26-1469-446B-8CC9-A4854B179F23\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*\",\"versionStartIncluding\":\"14.4.0\",\"versionEndExcluding\":\"14.7.7\",\"matchCriteriaId\":\"66B63514-0A14-4D94-8579-82D6EC061C6F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*\",\"versionStartIncluding\":\"14.8.0\",\"versionEndExcluding\":\"14.8.5\",\"matchCriteriaId\":\"723E51BE-5A83-439E-8D37-EACDC4E5E6B2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*\",\"versionStartIncluding\":\"14.8.0\",\"versionEndExcluding\":\"14.8.5\",\"matchCriteriaId\":\"B21DB80A-89B0-4821-AACD-A0DB4102C123\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*\",\"versionStartIncluding\":\"14.9.0\",\"versionEndExcluding\":\"14.9.2\",\"matchCriteriaId\":\"50473ACF-87F3-4919-A1C8-1C1D3AED7024\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*\",\"versionStartIncluding\":\"14.9.0\",\"versionEndExcluding\":\"14.9.2\",\"matchCriteriaId\":\"84DA7B4F-42A6-4940-98D5-3BF151FD3287\"}]}]}],\"references\":[{\"url\":\"http://packetstormsecurity.com/files/166829/Gitlab-14.9-Cross-Site-Scripting.html\",\"source\":\"cve@gitlab.com\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-1175.json\",\"source\":\"cve@gitlab.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://gitlab.com/gitlab-org/gitlab/-/issues/353370\",\"source\":\"cve@gitlab.com\",\"tags\":[\"Broken Link\"]},{\"url\":\"https://hackerone.com/reports/1481207\",\"source\":\"cve@gitlab.com\",\"tags\":[\"Permissions Required\",\"Third Party Advisory\"]},{\"url\":\"http://packetstormsecurity.com/files/166829/Gitlab-14.9-Cross-Site-Scripting.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-1175.json\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://gitlab.com/gitlab-org/gitlab/-/issues/353370\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Broken Link\"]},{\"url\":\"https://hackerone.com/reports/1481207\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Permissions Required\",\"Third Party Advisory\"]}]}}"
  }
}

CERTFR-2022-AVI-304

Vulnerability from certfr_avis - Published: - Updated:

Une vulnérabilité a été découverte dans les produits GitLab. Elle permet à un attaquant de provoquer un contournement de la politique de sécurité, une atteinte à la confidentialité des données et une élévation de privilèges.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
GitLab	N/A	GitLab CE/EE versions 14.8.x antérieures à 14.8.5
GitLab	N/A	GitLab CE/EE versions 14.9.x antérieures à 14.9.2
GitLab	N/A	GitLab CE/EE versions 14.7.x antérieures à 14.7.7

References

Title

Publication Time

Tags

Bulletin de sécurité GitLab du 31 mars 2022

None

vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "GitLab CE/EE versions 14.8.x ant\u00e9rieures \u00e0 14.8.5",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "GitLab",
          "scada": false
        }
      }
    },
    {
      "description": "GitLab CE/EE versions 14.9.x ant\u00e9rieures \u00e0 14.9.2",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "GitLab",
          "scada": false
        }
      }
    },
    {
      "description": "GitLab CE/EE versions 14.7.x ant\u00e9rieures \u00e0 14.7.7",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "GitLab",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2022-1189",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-1189"
    },
    {
      "name": "CVE-2022-1148",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-1148"
    },
    {
      "name": "CVE-2022-1193",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-1193"
    },
    {
      "name": "CVE-2022-1185",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-1185"
    },
    {
      "name": "CVE-2022-0740",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-0740"
    },
    {
      "name": "CVE-2022-1111",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-1111"
    },
    {
      "name": "CVE-2022-1099",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-1099"
    },
    {
      "name": "CVE-2022-1121",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-1121"
    },
    {
      "name": "CVE-2022-1100",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-1100"
    },
    {
      "name": "CVE-2022-1162",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-1162"
    },
    {
      "name": "CVE-2022-1188",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-1188"
    },
    {
      "name": "CVE-2022-1174",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-1174"
    },
    {
      "name": "CVE-2022-1157",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-1157"
    },
    {
      "name": "CVE-2022-1175",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-1175"
    },
    {
      "name": "CVE-2022-1105",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-1105"
    },
    {
      "name": "CVE-2022-1120",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-1120"
    },
    {
      "name": "CVE-2022-1190",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-1190"
    }
  ],
  "links": [],
  "reference": "CERTFR-2022-AVI-304",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2022-04-01T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    },
    {
      "description": "\u00c9l\u00e9vation de privil\u00e8ges"
    }
  ],
  "summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans les produits GitLab. Elle permet\n\u00e0 un attaquant de provoquer un contournement de la politique de\ns\u00e9curit\u00e9, une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es et une \u00e9l\u00e9vation\nde privil\u00e8ges.\n",
  "title": "Vuln\u00e9rabilit\u00e9 dans les produits GitLab",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 GitLab du 31 mars 2022",
      "url": "https://about.gitlab.com/releases/2022/03/31/critical-security-release-gitlab-14-9-2-released/"
    }
  ]
}

CERTFR-2022-AVI-406

Vulnerability from certfr_avis - Published: - Updated:

De multiples vulnérabilités ont été découvertes dans les produits Gitlab. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service à distance et un contournement de la politique de sécurité.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
GitLab	N/A	GitLab Community Edition (CE) versions 14.10.x antérieures à 14.10.1
GitLab	N/A	GitLab Community Edition (CE) versions 14.9.x antérieures à 14.9.4
GitLab	N/A	GitLab Community Edition (CE) versions antérieures à 14.8.6
GitLab	N/A	GitLab Enterprise Edition (CE) versions 14.10.x antérieures à 14.10.1
GitLab	N/A	GitLab Enterprise Edition (CE) versions antérieures à 14.8.6
GitLab	N/A	GitLab Enterprise Edition (CE) versions 14.9.x antérieures à 14.9.4

References

Title

Publication Time

Tags

Bulletin de sécurité Gitlab security-release-gitlab-14-10-1-released du 02 mai 2022

None

vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "GitLab Community Edition (CE) versions 14.10.x ant\u00e9rieures \u00e0 14.10.1",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "GitLab",
          "scada": false
        }
      }
    },
    {
      "description": "GitLab Community Edition (CE) versions 14.9.x ant\u00e9rieures \u00e0 14.9.4",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "GitLab",
          "scada": false
        }
      }
    },
    {
      "description": "GitLab Community Edition (CE) versions ant\u00e9rieures \u00e0 14.8.6",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "GitLab",
          "scada": false
        }
      }
    },
    {
      "description": "GitLab Enterprise Edition (CE) versions 14.10.x ant\u00e9rieures \u00e0 14.10.1",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "GitLab",
          "scada": false
        }
      }
    },
    {
      "description": "GitLab Enterprise Edition (CE) versions ant\u00e9rieures \u00e0 14.8.6",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "GitLab",
          "scada": false
        }
      }
    },
    {
      "description": "GitLab Enterprise Edition (CE) versions 14.9.x ant\u00e9rieures \u00e0 14.9.4",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "GitLab",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2022-1413",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-1413"
    },
    {
      "name": "CVE-2022-1124",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-1124"
    },
    {
      "name": "CVE-2022-1428",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-1428"
    },
    {
      "name": "CVE-2022-1416",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-1416"
    },
    {
      "name": "CVE-2022-1433",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-1433"
    },
    {
      "name": "CVE-2022-1423",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-1423"
    },
    {
      "name": "CVE-2022-1352",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-1352"
    },
    {
      "name": "CVE-2022-1510",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-1510"
    },
    {
      "name": "CVE-2022-1406",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-1406"
    },
    {
      "name": "CVE-2022-1417",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-1417"
    },
    {
      "name": "CVE-2022-1460",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-1460"
    },
    {
      "name": "CVE-2022-1426",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-1426"
    },
    {
      "name": "CVE-2022-1175",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-1175"
    },
    {
      "name": "CVE-2022-1431",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-1431"
    }
  ],
  "links": [],
  "reference": "CERTFR-2022-AVI-406",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2022-05-03T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "D\u00e9ni de service \u00e0 distance"
    },
    {
      "description": "Injection de code indirecte \u00e0 distance (XSS)"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits\nGitlab. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer\nune ex\u00e9cution de code arbitraire \u00e0 distance, un d\u00e9ni de service \u00e0\ndistance et un contournement de la politique de s\u00e9curit\u00e9.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Gitlab",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Gitlab security-release-gitlab-14-10-1-released du 02 mai 2022",
      "url": "https://about.gitlab.com/releases/2022/05/02/security-release-gitlab-14-10-1-released/"
    }
  ]
}

CERTFR-2022-AVI-304

Vulnerability from certfr_avis - Published: - Updated:

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
GitLab	N/A	GitLab CE/EE versions 14.8.x antérieures à 14.8.5
GitLab	N/A	GitLab CE/EE versions 14.9.x antérieures à 14.9.2
GitLab	N/A	GitLab CE/EE versions 14.7.x antérieures à 14.7.7

References

Title

Publication Time

Tags

Bulletin de sécurité GitLab du 31 mars 2022

None

vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "GitLab CE/EE versions 14.8.x ant\u00e9rieures \u00e0 14.8.5",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "GitLab",
          "scada": false
        }
      }
    },
    {
      "description": "GitLab CE/EE versions 14.9.x ant\u00e9rieures \u00e0 14.9.2",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "GitLab",
          "scada": false
        }
      }
    },
    {
      "description": "GitLab CE/EE versions 14.7.x ant\u00e9rieures \u00e0 14.7.7",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "GitLab",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2022-1189",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-1189"
    },
    {
      "name": "CVE-2022-1148",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-1148"
    },
    {
      "name": "CVE-2022-1193",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-1193"
    },
    {
      "name": "CVE-2022-1185",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-1185"
    },
    {
      "name": "CVE-2022-0740",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-0740"
    },
    {
      "name": "CVE-2022-1111",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-1111"
    },
    {
      "name": "CVE-2022-1099",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-1099"
    },
    {
      "name": "CVE-2022-1121",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-1121"
    },
    {
      "name": "CVE-2022-1100",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-1100"
    },
    {
      "name": "CVE-2022-1162",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-1162"
    },
    {
      "name": "CVE-2022-1188",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-1188"
    },
    {
      "name": "CVE-2022-1174",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-1174"
    },
    {
      "name": "CVE-2022-1157",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-1157"
    },
    {
      "name": "CVE-2022-1175",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-1175"
    },
    {
      "name": "CVE-2022-1105",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-1105"
    },
    {
      "name": "CVE-2022-1120",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-1120"
    },
    {
      "name": "CVE-2022-1190",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-1190"
    }
  ],
  "links": [],
  "reference": "CERTFR-2022-AVI-304",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2022-04-01T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    },
    {
      "description": "\u00c9l\u00e9vation de privil\u00e8ges"
    }
  ],
  "summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans les produits GitLab. Elle permet\n\u00e0 un attaquant de provoquer un contournement de la politique de\ns\u00e9curit\u00e9, une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es et une \u00e9l\u00e9vation\nde privil\u00e8ges.\n",
  "title": "Vuln\u00e9rabilit\u00e9 dans les produits GitLab",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 GitLab du 31 mars 2022",
      "url": "https://about.gitlab.com/releases/2022/03/31/critical-security-release-gitlab-14-9-2-released/"
    }
  ]
}

CERTFR-2022-AVI-406

Vulnerability from certfr_avis - Published: - Updated:

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
GitLab	N/A	GitLab Community Edition (CE) versions 14.10.x antérieures à 14.10.1
GitLab	N/A	GitLab Community Edition (CE) versions 14.9.x antérieures à 14.9.4
GitLab	N/A	GitLab Community Edition (CE) versions antérieures à 14.8.6
GitLab	N/A	GitLab Enterprise Edition (CE) versions 14.10.x antérieures à 14.10.1
GitLab	N/A	GitLab Enterprise Edition (CE) versions antérieures à 14.8.6
GitLab	N/A	GitLab Enterprise Edition (CE) versions 14.9.x antérieures à 14.9.4

References

Title

Publication Time

Tags

Bulletin de sécurité Gitlab security-release-gitlab-14-10-1-released du 02 mai 2022

None

vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "GitLab Community Edition (CE) versions 14.10.x ant\u00e9rieures \u00e0 14.10.1",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "GitLab",
          "scada": false
        }
      }
    },
    {
      "description": "GitLab Community Edition (CE) versions 14.9.x ant\u00e9rieures \u00e0 14.9.4",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "GitLab",
          "scada": false
        }
      }
    },
    {
      "description": "GitLab Community Edition (CE) versions ant\u00e9rieures \u00e0 14.8.6",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "GitLab",
          "scada": false
        }
      }
    },
    {
      "description": "GitLab Enterprise Edition (CE) versions 14.10.x ant\u00e9rieures \u00e0 14.10.1",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "GitLab",
          "scada": false
        }
      }
    },
    {
      "description": "GitLab Enterprise Edition (CE) versions ant\u00e9rieures \u00e0 14.8.6",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "GitLab",
          "scada": false
        }
      }
    },
    {
      "description": "GitLab Enterprise Edition (CE) versions 14.9.x ant\u00e9rieures \u00e0 14.9.4",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "GitLab",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2022-1413",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-1413"
    },
    {
      "name": "CVE-2022-1124",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-1124"
    },
    {
      "name": "CVE-2022-1428",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-1428"
    },
    {
      "name": "CVE-2022-1416",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-1416"
    },
    {
      "name": "CVE-2022-1433",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-1433"
    },
    {
      "name": "CVE-2022-1423",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-1423"
    },
    {
      "name": "CVE-2022-1352",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-1352"
    },
    {
      "name": "CVE-2022-1510",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-1510"
    },
    {
      "name": "CVE-2022-1406",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-1406"
    },
    {
      "name": "CVE-2022-1417",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-1417"
    },
    {
      "name": "CVE-2022-1460",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-1460"
    },
    {
      "name": "CVE-2022-1426",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-1426"
    },
    {
      "name": "CVE-2022-1175",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-1175"
    },
    {
      "name": "CVE-2022-1431",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-1431"
    }
  ],
  "links": [],
  "reference": "CERTFR-2022-AVI-406",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2022-05-03T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "D\u00e9ni de service \u00e0 distance"
    },
    {
      "description": "Injection de code indirecte \u00e0 distance (XSS)"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits\nGitlab. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer\nune ex\u00e9cution de code arbitraire \u00e0 distance, un d\u00e9ni de service \u00e0\ndistance et un contournement de la politique de s\u00e9curit\u00e9.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Gitlab",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Gitlab security-release-gitlab-14-10-1-released du 02 mai 2022",
      "url": "https://about.gitlab.com/releases/2022/05/02/security-release-gitlab-14-10-1-released/"
    }
  ]
}

BDU:2022-02365

Vulnerability from fstec - Published: 31.03.2022

Title

Уязвимость программной платформы на базе git для совместной работы над кодом GitLab, связанная с непринятием мер по защите структуры веб-страницы, позволяющая нарушителю проводить межсайтовые сценарные атаки

Description

Уязвимость программной платформы на базе git для совместной работы над кодом GitLab связана с непринятием мер по защите структуры веб-страницы. Эксплуатация уязвимости может позволить нарушителю, действующему удаленно, проводить межсайтовые сценарные атаки

Severity


                    
                      AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Vendor

GitLab Inc.

Software Name

Gitlab

Software Version

от 14.8 до 14.8.5 (Gitlab), от 14.9 до 14.9.2 (Gitlab), от 14.4 до 14.7.7 (Gitlab)

Possible Mitigations

Использование рекомендаций: https://about.gitlab.com/releases/2022/03/31/critical-security-release-gitlab-14-9-2-released/

Reference

https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-1175.json https://hackerone.com/reports/1481207 https://nvd.nist.gov/vuln/detail/CVE-2022-1175 https://about.gitlab.com/releases/2022/03/31/critical-security-release-gitlab-14-9-2-released/

CWE

CWE-79

JSON

To clipboard

{
  "CVSS 2.0": "AV:N/AC:L/Au:S/C:C/I:C/A:N",
  "CVSS 3.0": "AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N",
  "CVSS 4.0": null,
  "remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": null,
  "remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": null,
  "\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "GitLab Inc.",
  "\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "\u043e\u0442 14.8 \u0434\u043e 14.8.5 (Gitlab), \u043e\u0442 14.9 \u0434\u043e 14.9.2 (Gitlab), \u043e\u0442 14.4 \u0434\u043e 14.7.7 (Gitlab)",
  "\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439:\nhttps://about.gitlab.com/releases/2022/03/31/critical-security-release-gitlab-14-9-2-released/",
  "\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "31.03.2022",
  "\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "18.04.2022",
  "\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "18.04.2022",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2022-02365",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2022-1175",
  "\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0430",
  "\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u0434\u0430",
  "\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "Gitlab",
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": null,
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b \u043d\u0430 \u0431\u0430\u0437\u0435 git \u0434\u043b\u044f \u0441\u043e\u0432\u043c\u0435\u0441\u0442\u043d\u043e\u0439 \u0440\u0430\u0431\u043e\u0442\u044b \u043d\u0430\u0434 \u043a\u043e\u0434\u043e\u043c GitLab, \u0441\u0432\u044f\u0437\u0430\u043d\u043d\u0430\u044f \u0441 \u043d\u0435\u043f\u0440\u0438\u043d\u044f\u0442\u0438\u0435\u043c \u043c\u0435\u0440 \u043f\u043e \u0437\u0430\u0449\u0438\u0442\u0435 \u0441\u0442\u0440\u0443\u043a\u0442\u0443\u0440\u044b \u0432\u0435\u0431-\u0441\u0442\u0440\u0430\u043d\u0438\u0446\u044b, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u043f\u0440\u043e\u0432\u043e\u0434\u0438\u0442\u044c \u043c\u0435\u0436\u0441\u0430\u0439\u0442\u043e\u0432\u044b\u0435 \u0441\u0446\u0435\u043d\u0430\u0440\u043d\u044b\u0435 \u0430\u0442\u0430\u043a\u0438",
  "\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u041d\u0435\u043f\u0440\u0438\u043d\u044f\u0442\u0438\u0435 \u043c\u0435\u0440 \u043f\u043e \u0437\u0430\u0449\u0438\u0442\u0435 \u0441\u0442\u0440\u0443\u043a\u0442\u0443\u0440\u044b \u0432\u0435\u0431-\u0441\u0442\u0440\u0430\u043d\u0438\u0446\u044b (\u0438\u043b\u0438 \\\u00ab\u041c\u0435\u0436\u0441\u0430\u0439\u0442\u043e\u0432\u0430\u044f \u0441\u0446\u0435\u043d\u0430\u0440\u043d\u0430\u044f \u0430\u0442\u0430\u043a\u0430\\\u00bb) (CWE-79)",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b \u043d\u0430 \u0431\u0430\u0437\u0435 git \u0434\u043b\u044f \u0441\u043e\u0432\u043c\u0435\u0441\u0442\u043d\u043e\u0439 \u0440\u0430\u0431\u043e\u0442\u044b \u043d\u0430\u0434 \u043a\u043e\u0434\u043e\u043c GitLab \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u043d\u0435\u043f\u0440\u0438\u043d\u044f\u0442\u0438\u0435\u043c \u043c\u0435\u0440 \u043f\u043e \u0437\u0430\u0449\u0438\u0442\u0435 \u0441\u0442\u0440\u0443\u043a\u0442\u0443\u0440\u044b \u0432\u0435\u0431-\u0441\u0442\u0440\u0430\u043d\u0438\u0446\u044b. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e, \u0434\u0435\u0439\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u043c\u0443 \u0443\u0434\u0430\u043b\u0435\u043d\u043d\u043e, \u043f\u0440\u043e\u0432\u043e\u0434\u0438\u0442\u044c \u043c\u0435\u0436\u0441\u0430\u0439\u0442\u043e\u0432\u044b\u0435 \u0441\u0446\u0435\u043d\u0430\u0440\u043d\u044b\u0435 \u0430\u0442\u0430\u043a\u0438",
  "\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
  "\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": null,
  "\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
  "\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u0418\u043d\u044a\u0435\u043a\u0446\u0438\u044f",
  "\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-1175.json\t\nhttps://hackerone.com/reports/1481207\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-1175\nhttps://about.gitlab.com/releases/2022/03/31/critical-security-release-gitlab-14-9-2-released/",
  "\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u0435\u043c",
  "\u0422\u0438\u043f \u041f\u041e": "\u0421\u0435\u0442\u0435\u0432\u043e\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0435 \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u043e",
  "\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-79",
  "\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0412\u044b\u0441\u043e\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 8,5)\n\u0412\u044b\u0441\u043e\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 3.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 8,7)"
}

bit-gitlab-2022-1175

Vulnerability from bitnami_vulndb

Published

2024-03-06 11:16

Modified

2025-04-03 14:40

Summary

Details

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Bitnami",
        "name": "gitlab",
        "purl": "pkg:bitnami/gitlab"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "14.4.0"
            },
            {
              "fixed": "14.7.7"
            },
            {
              "introduced": "14.8.0"
            },
            {
              "fixed": "14.8.5"
            },
            {
              "introduced": "14.9.0"
            },
            {
              "fixed": "14.9.2"
            }
          ],
          "type": "SEMVER"
        }
      ],
      "severity": [
        {
          "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "type": "CVSS_V3"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-1175"
  ],
  "database_specific": {
    "cpes": [
      "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*",
      "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*",
      "cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*"
    ],
    "severity": "Medium"
  },
  "details": "Improper neutralization of user input in GitLab CE/EE versions 14.4 before 14.7.7, all versions starting from 14.8 before 14.8.5, all versions starting from 14.9 before 14.9.2 allowed an attacker to exploit XSS by injecting HTML in notes.",
  "id": "BIT-gitlab-2022-1175",
  "modified": "2025-04-03T14:40:37.652Z",
  "published": "2024-03-06T11:16:18.710Z",
  "references": [
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/166829/Gitlab-14.9-Cross-Site-Scripting.html"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-1175.json"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/353370"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/1481207"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1175"
    }
  ],
  "schema_version": "1.5.0"
}

FKIE_CVE-2022-1175

Vulnerability from fkie_nvd - Published: 2022-04-04 20:15 - Updated: 2024-11-21 06:40

Severity

8.7 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Summary

References

URL	Tags
cve@gitlab.com	http://packetstormsecurity.com/files/166829/Gitlab-14.9-Cross-Site-Scripting.html	Third Party Advisory, VDB Entry
cve@gitlab.com	https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-1175.json	Vendor Advisory
cve@gitlab.com	https://gitlab.com/gitlab-org/gitlab/-/issues/353370	Broken Link
cve@gitlab.com	https://hackerone.com/reports/1481207	Permissions Required, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://packetstormsecurity.com/files/166829/Gitlab-14.9-Cross-Site-Scripting.html	Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-1175.json	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://gitlab.com/gitlab-org/gitlab/-/issues/353370	Broken Link
af854a3a-2127-422b-91ae-364da2661108	https://hackerone.com/reports/1481207	Permissions Required, Third Party Advisory

Impacted products

Vendor	Product	Version
gitlab	gitlab	*
gitlab	gitlab	*
gitlab	gitlab	*
gitlab	gitlab	*
gitlab	gitlab	*
gitlab	gitlab	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*",
              "matchCriteriaId": "4CA4FC26-1469-446B-8CC9-A4854B179F23",
              "versionEndExcluding": "14.7.7",
              "versionStartIncluding": "14.4.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "66B63514-0A14-4D94-8579-82D6EC061C6F",
              "versionEndExcluding": "14.7.7",
              "versionStartIncluding": "14.4.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*",
              "matchCriteriaId": "723E51BE-5A83-439E-8D37-EACDC4E5E6B2",
              "versionEndExcluding": "14.8.5",
              "versionStartIncluding": "14.8.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "B21DB80A-89B0-4821-AACD-A0DB4102C123",
              "versionEndExcluding": "14.8.5",
              "versionStartIncluding": "14.8.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*",
              "matchCriteriaId": "50473ACF-87F3-4919-A1C8-1C1D3AED7024",
              "versionEndExcluding": "14.9.2",
              "versionStartIncluding": "14.9.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "84DA7B4F-42A6-4940-98D5-3BF151FD3287",
              "versionEndExcluding": "14.9.2",
              "versionStartIncluding": "14.9.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Improper neutralization of user input in GitLab CE/EE versions 14.4 before 14.7.7, all versions starting from 14.8 before 14.8.5, all versions starting from 14.9 before 14.9.2 allowed an attacker to exploit XSS by injecting HTML in notes."
    },
    {
      "lang": "es",
      "value": "Una neutralizaci\u00f3n inapropiada de la entrada del usuario en GitLab CE/EE versiones 14.4 anteriores a 14.7.7, todas las versiones a partir de 14.8 anteriores a 14.8.5, todas las versiones a partir de 14.9 anteriores a 14.9.2, permiti\u00f3 a un atacante explotar un ataque de tipo XSS mediante una inyecci\u00f3n de HTML en las notas"
    }
  ],
  "id": "CVE-2022-1175",
  "lastModified": "2024-11-21T06:40:11.400",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 8.7,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 5.8,
        "source": "cve@gitlab.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-04-04T20:15:10.040",
  "references": [
    {
      "source": "cve@gitlab.com",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://packetstormsecurity.com/files/166829/Gitlab-14.9-Cross-Site-Scripting.html"
    },
    {
      "source": "cve@gitlab.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-1175.json"
    },
    {
      "source": "cve@gitlab.com",
      "tags": [
        "Broken Link"
      ],
      "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/353370"
    },
    {
      "source": "cve@gitlab.com",
      "tags": [
        "Permissions Required",
        "Third Party Advisory"
      ],
      "url": "https://hackerone.com/reports/1481207"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://packetstormsecurity.com/files/166829/Gitlab-14.9-Cross-Site-Scripting.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-1175.json"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Broken Link"
      ],
      "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/353370"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Permissions Required",
        "Third Party Advisory"
      ],
      "url": "https://hackerone.com/reports/1481207"
    }
  ],
  "sourceIdentifier": "cve@gitlab.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GHSA-9FWV-MVPV-QRH4

Vulnerability from github – Published: 2022-04-05 00:00 – Updated: 2022-04-12 00:00

Details

Severity

6.1 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2022-1175"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-04-04T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Improper neutralization of user input in GitLab CE/EE versions 14.4 before 14.7.7, all versions starting from 14.8 before 14.8.5, all versions starting from 14.9 before 14.9.2 allowed an attacker to exploit XSS by injecting HTML in notes.",
  "id": "GHSA-9fwv-mvpv-qrh4",
  "modified": "2022-04-12T00:00:50Z",
  "published": "2022-04-05T00:00:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1175"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/1481207"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-1175.json"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/353370"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/166829/Gitlab-14.9-Cross-Site-Scripting.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GSD-2022-1175

Vulnerability from gsd - Updated: 2023-12-13 01:19

Details

Aliases

CVE-2022-1175

Aliases

CVE-2022-1175

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2022-1175",
    "description": "Improper neutralization of user input in GitLab CE/EE versions 14.4 before 14.7.7, all versions starting from 14.8 before 14.8.5, all versions starting from 14.9 before 14.9.2 allowed an attacker to exploit XSS by injecting HTML in notes.",
    "id": "GSD-2022-1175",
    "references": [
      "https://packetstormsecurity.com/files/cve/CVE-2022-1175"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2022-1175"
      ],
      "details": "Improper neutralization of user input in GitLab CE/EE versions 14.4 before 14.7.7, all versions starting from 14.8 before 14.8.5, all versions starting from 14.9 before 14.9.2 allowed an attacker to exploit XSS by injecting HTML in notes.",
      "id": "GSD-2022-1175",
      "modified": "2023-12-13T01:19:28.178240Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@gitlab.com",
        "ID": "CVE-2022-1175",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "GitLab",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "\u003e=14.4, \u003c14.7.7"
                        },
                        {
                          "version_value": "\u003e=14.8, \u003c14.8.5"
                        },
                        {
                          "version_value": "\u003e=14.9, \u003c14.9.2"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "GitLab"
            }
          ]
        }
      },
      "credit": [
        {
          "lang": "eng",
          "value": "Thanks [joaxcar](https://hackerone.com/joaxcar) for reporting this vulnerability through our HackerOne bug bounty program"
        }
      ],
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Improper neutralization of user input in GitLab CE/EE versions 14.4 before 14.7.7, all versions starting from 14.8 before 14.8.5, all versions starting from 14.9 before 14.9.2 allowed an attacker to exploit XSS by injecting HTML in notes."
          }
        ]
      },
      "impact": {
        "cvss": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 8.7,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N",
          "version": "3.1"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "Improper neutralization of input during web page generation (\u0027cross-site scripting\u0027) in GitLab"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://gitlab.com/gitlab-org/gitlab/-/issues/353370",
            "refsource": "MISC",
            "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/353370"
          },
          {
            "name": "https://hackerone.com/reports/1481207",
            "refsource": "MISC",
            "url": "https://hackerone.com/reports/1481207"
          },
          {
            "name": "https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-1175.json",
            "refsource": "CONFIRM",
            "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-1175.json"
          },
          {
            "name": "http://packetstormsecurity.com/files/166829/Gitlab-14.9-Cross-Site-Scripting.html",
            "refsource": "MISC",
            "url": "http://packetstormsecurity.com/files/166829/Gitlab-14.9-Cross-Site-Scripting.html"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "14.9.2",
                "versionStartIncluding": "14.9.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "14.9.2",
                "versionStartIncluding": "14.9.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "14.8.5",
                "versionStartIncluding": "14.8.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "14.8.5",
                "versionStartIncluding": "14.8.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "14.7.7",
                "versionStartIncluding": "14.4.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "14.7.7",
                "versionStartIncluding": "14.4.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@gitlab.com",
          "ID": "CVE-2022-1175"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Improper neutralization of user input in GitLab CE/EE versions 14.4 before 14.7.7, all versions starting from 14.8 before 14.8.5, all versions starting from 14.9 before 14.9.2 allowed an attacker to exploit XSS by injecting HTML in notes."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-79"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-1175.json",
              "refsource": "CONFIRM",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-1175.json"
            },
            {
              "name": "https://gitlab.com/gitlab-org/gitlab/-/issues/353370",
              "refsource": "MISC",
              "tags": [
                "Broken Link"
              ],
              "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/353370"
            },
            {
              "name": "https://hackerone.com/reports/1481207",
              "refsource": "MISC",
              "tags": [
                "Permissions Required",
                "Third Party Advisory"
              ],
              "url": "https://hackerone.com/reports/1481207"
            },
            {
              "name": "http://packetstormsecurity.com/files/166829/Gitlab-14.9-Cross-Site-Scripting.html",
              "refsource": "MISC",
              "tags": [
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "http://packetstormsecurity.com/files/166829/Gitlab-14.9-Cross-Site-Scripting.html"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 8.6,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": true
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 2.7
        }
      },
      "lastModifiedDate": "2022-05-10T16:00Z",
      "publishedDate": "2022-04-04T20:15Z"
    }
  }
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2022-1175 (GCVE-0-2022-1175)

Solution

Solution

Solution

Solution

Vulnerability from bitnami_vulndb

Tags

Sightings

Nomenclature