CVE-2022-0123 (GCVE-0-2022-0123)
Vulnerability from cvelistv5 – Published: 2022-03-28 18:53 – Updated: 2024-08-02 23:18
VLAI?
Summary
An issue has been discovered affecting GitLab versions prior to 14.4.5, between 14.5.0 and 14.5.3, and between 14.6.0 and 14.6.1. GitLab does not validate SSL certificates for some of external CI services which makes it possible to perform MitM attacks on connections to these external services.
Severity ?
5.9 (Medium)
CWE
- Channel accessible by non-endpoint ('man-in-the-middle') in GitLab
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
Credits
This vulnerability has been discovered internally by the GitLab team
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:18:41.713Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/296632"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-0123.json"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "GitLab",
"vendor": "GitLab",
"versions": [
{
"status": "affected",
"version": "\u003c14.4.5"
},
{
"status": "affected",
"version": "\u003e=14.5.0, \u003c14.5.3"
},
{
"status": "affected",
"version": "\u003e=14.6.0, \u003c14.6.1"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "This vulnerability has been discovered internally by the GitLab team"
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue has been discovered affecting GitLab versions prior to 14.4.5, between 14.5.0 and 14.5.3, and between 14.6.0 and 14.6.1. GitLab does not validate SSL certificates for some of external CI services which makes it possible to perform MitM attacks on connections to these external services."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Channel accessible by non-endpoint (\u0027man-in-the-middle\u0027) in GitLab",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-03-28T18:53:06",
"orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
"shortName": "GitLab"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/296632"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-0123.json"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@gitlab.com",
"ID": "CVE-2022-0123",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "GitLab",
"version": {
"version_data": [
{
"version_value": "\u003c14.4.5"
},
{
"version_value": "\u003e=14.5.0, \u003c14.5.3"
},
{
"version_value": "\u003e=14.6.0, \u003c14.6.1"
}
]
}
}
]
},
"vendor_name": "GitLab"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "This vulnerability has been discovered internally by the GitLab team"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue has been discovered affecting GitLab versions prior to 14.4.5, between 14.5.0 and 14.5.3, and between 14.6.0 and 14.6.1. GitLab does not validate SSL certificates for some of external CI services which makes it possible to perform MitM attacks on connections to these external services."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Channel accessible by non-endpoint (\u0027man-in-the-middle\u0027) in GitLab"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://gitlab.com/gitlab-org/gitlab/-/issues/296632",
"refsource": "MISC",
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/296632"
},
{
"name": "https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-0123.json",
"refsource": "CONFIRM",
"url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-0123.json"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
"assignerShortName": "GitLab",
"cveId": "CVE-2022-0123",
"datePublished": "2022-03-28T18:53:06",
"dateReserved": "2022-01-05T00:00:00",
"dateUpdated": "2024-08-02T23:18:41.713Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"14.4.5\", \"matchCriteriaId\": \"4F63AB5F-A74D-4549-9D70-624BB8D14BF1\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"14.5.0\", \"versionEndExcluding\": \"14.5.3\", \"matchCriteriaId\": \"7E06B612-B21F-4464-AF54-27EB09594216\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"14.6.0\", \"versionEndExcluding\": \"14.6.1\", \"matchCriteriaId\": \"6705A81F-BEB2-4F46-B3B4-252DAA706755\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"An issue has been discovered affecting GitLab versions prior to 14.4.5, between 14.5.0 and 14.5.3, and between 14.6.0 and 14.6.1. GitLab does not validate SSL certificates for some of external CI services which makes it possible to perform MitM attacks on connections to these external services.\"}, {\"lang\": \"es\", \"value\": \"Se ha detectado un problema afectando las versiones de GitLab anteriores a 14.4.5, entre la 14.5.0 y la 14.5.3, y entre la 14.6.0 y la 14.6.1. GitLab no comprueba los certificados SSL para algunos de los servicios externos de CI, lo que hace posible llevar a cabo ataques MitM en las conexiones a estos servicios externos\"}]",
"id": "CVE-2022-0123",
"lastModified": "2024-11-21T06:37:57.237",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"cve@gitlab.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N\", \"baseScore\": 5.9, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"HIGH\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 0.7, \"impactScore\": 5.2}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N\", \"baseScore\": 6.8, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 1.6, \"impactScore\": 5.2}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:M/Au:S/C:P/I:P/A:N\", \"baseScore\": 4.9, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"SINGLE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 6.8, \"impactScore\": 4.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
"published": "2022-03-28T19:15:08.147",
"references": "[{\"url\": \"https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-0123.json\", \"source\": \"cve@gitlab.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://gitlab.com/gitlab-org/gitlab/-/issues/296632\", \"source\": \"cve@gitlab.com\", \"tags\": [\"Broken Link\"]}, {\"url\": \"https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-0123.json\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://gitlab.com/gitlab-org/gitlab/-/issues/296632\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Broken Link\"]}]",
"sourceIdentifier": "cve@gitlab.com",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-295\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2022-0123\",\"sourceIdentifier\":\"cve@gitlab.com\",\"published\":\"2022-03-28T19:15:08.147\",\"lastModified\":\"2024-11-21T06:37:57.237\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"An issue has been discovered affecting GitLab versions prior to 14.4.5, between 14.5.0 and 14.5.3, and between 14.6.0 and 14.6.1. GitLab does not validate SSL certificates for some of external CI services which makes it possible to perform MitM attacks on connections to these external services.\"},{\"lang\":\"es\",\"value\":\"Se ha detectado un problema afectando las versiones de GitLab anteriores a 14.4.5, entre la 14.5.0 y la 14.5.3, y entre la 14.6.0 y la 14.6.1. GitLab no comprueba los certificados SSL para algunos de los servicios externos de CI, lo que hace posible llevar a cabo ataques MitM en las conexiones a estos servicios externos\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"cve@gitlab.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N\",\"baseScore\":5.9,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":0.7,\"impactScore\":5.2},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N\",\"baseScore\":6.8,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.6,\"impactScore\":5.2}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:S/C:P/I:P/A:N\",\"baseScore\":4.9,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":6.8,\"impactScore\":4.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-295\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"14.4.5\",\"matchCriteriaId\":\"4F63AB5F-A74D-4549-9D70-624BB8D14BF1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"14.5.0\",\"versionEndExcluding\":\"14.5.3\",\"matchCriteriaId\":\"7E06B612-B21F-4464-AF54-27EB09594216\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"14.6.0\",\"versionEndExcluding\":\"14.6.1\",\"matchCriteriaId\":\"6705A81F-BEB2-4F46-B3B4-252DAA706755\"}]}]}],\"references\":[{\"url\":\"https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-0123.json\",\"source\":\"cve@gitlab.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://gitlab.com/gitlab-org/gitlab/-/issues/296632\",\"source\":\"cve@gitlab.com\",\"tags\":[\"Broken Link\"]},{\"url\":\"https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-0123.json\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://gitlab.com/gitlab-org/gitlab/-/issues/296632\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Broken Link\"]}]}}"
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…