cve-2022-0154
Vulnerability from cvelistv5
Published
2022-01-18 16:52
Modified
2024-08-02 23:18
Severity
Summary
An issue has been discovered in GitLab affecting all versions starting from 7.7 before 14.4.5, all versions starting from 14.5.0 before 14.5.3, all versions starting from 14.6.0 before 14.6.2. GitLab was vulnerable to a Cross-Site Request Forgery attack that allows a malicious user to have their GitHub project imported on another GitLab user account.
References
| Source | URL | Tags |
|---|---|---|
| cve@gitlab.com | https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-0154.json | Third Party Advisory |
| cve@gitlab.com | https://gitlab.com/gitlab-org/gitlab/-/issues/29580 | Broken Link |
| cve@gitlab.com | https://hackerone.com/reports/605576 | Permissions Required |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:18:41.740Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/29580"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/605576"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-0154.json"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "GitLab",
"vendor": "GitLab",
"versions": [
{
"status": "affected",
"version": "\u003e=7.7, \u003c14.4.5"
},
{
"status": "affected",
"version": "\u003e=14.5.0, \u003c14.5.3"
},
{
"status": "affected",
"version": "\u003e=14.6.0, \u003c14.6.2"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Thanks @aryan2808 for reporting this vulnerability through our HackerOne bug bounty program"
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue has been discovered in GitLab affecting all versions starting from 7.7 before 14.4.5, all versions starting from 14.5.0 before 14.5.3, all versions starting from 14.6.0 before 14.6.2. GitLab was vulnerable to a Cross-Site Request Forgery attack that allows a malicious user to have their GitHub project imported on another GitLab user account."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site request forgery (csrf) in GitLab",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-01-18T16:52:04",
"orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
"shortName": "GitLab"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/29580"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/605576"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-0154.json"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@gitlab.com",
"ID": "CVE-2022-0154",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "GitLab",
"version": {
"version_data": [
{
"version_value": "\u003e=7.7, \u003c14.4.5"
},
{
"version_value": "\u003e=14.5.0, \u003c14.5.3"
},
{
"version_value": "\u003e=14.6.0, \u003c14.6.2"
}
]
}
}
]
},
"vendor_name": "GitLab"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Thanks @aryan2808 for reporting this vulnerability through our HackerOne bug bounty program"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue has been discovered in GitLab affecting all versions starting from 7.7 before 14.4.5, all versions starting from 14.5.0 before 14.5.3, all versions starting from 14.6.0 before 14.6.2. GitLab was vulnerable to a Cross-Site Request Forgery attack that allows a malicious user to have their GitHub project imported on another GitLab user account."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-site request forgery (csrf) in GitLab"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://gitlab.com/gitlab-org/gitlab/-/issues/29580",
"refsource": "MISC",
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/29580"
},
{
"name": "https://hackerone.com/reports/605576",
"refsource": "MISC",
"url": "https://hackerone.com/reports/605576"
},
{
"name": "https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-0154.json",
"refsource": "CONFIRM",
"url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-0154.json"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
"assignerShortName": "GitLab",
"cveId": "CVE-2022-0154",
"datePublished": "2022-01-18T16:52:04",
"dateReserved": "2022-01-07T00:00:00",
"dateUpdated": "2024-08-02T23:18:41.740Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2022-0154\",\"sourceIdentifier\":\"cve@gitlab.com\",\"published\":\"2022-01-18T17:15:10.110\",\"lastModified\":\"2022-01-26T16:15:27.597\",\"vulnStatus\":\"Analyzed\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"An issue has been discovered in GitLab affecting all versions starting from 7.7 before 14.4.5, all versions starting from 14.5.0 before 14.5.3, all versions starting from 14.6.0 before 14.6.2. GitLab was vulnerable to a Cross-Site Request Forgery attack that allows a malicious user to have their GitHub project imported on another GitLab user account.\"},{\"lang\":\"es\",\"value\":\"Se ha detectado un problema en GitLab que afecta a todas las versiones a partir de la 7.7 anteriores a 14.4.5, a todas las versiones a partir de la 14.5.0 anteriores a 14.5.3, a todas las versiones a partir de la 14.6.0 anteriores a 14.6.2. GitLab era vulnerable a un ataque de tipo Cross-Site Request Forgery que permite a un usuario malicioso importar su proyecto de GitHub en otra cuenta de usuario de GitLab\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\",\"baseScore\":8.0,\"baseSeverity\":\"HIGH\"},\"exploitabilityScore\":2.1,\"impactScore\":5.9},{\"source\":\"cve@gitlab.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\"},\"exploitabilityScore\":1.6,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:S/C:P/I:P/A:P\",\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\",\"baseScore\":6.0},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":6.8,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-352\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*\",\"versionStartIncluding\":\"7.7\",\"versionEndExcluding\":\"14.4.5\",\"matchCriteriaId\":\"7B49BE59-FBD6-4D95-AEEE-DD84A3A710CE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*\",\"versionStartIncluding\":\"7.7\",\"versionEndExcluding\":\"14.4.5\",\"matchCriteriaId\":\"A76D8B85-1335-4970-8FED-5227375E9207\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*\",\"versionStartIncluding\":\"14.5.0\",\"versionEndExcluding\":\"14.5.3\",\"matchCriteriaId\":\"F4792D58-0D9A-43E6-879B-8DC10289BBED\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*\",\"versionStartIncluding\":\"14.5.0\",\"versionEndExcluding\":\"14.5.3\",\"matchCriteriaId\":\"2E89DBD2-9B16-4842-B103-B2B4096C046F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*\",\"versionStartIncluding\":\"14.6.0\",\"versionEndExcluding\":\"14.6.2\",\"matchCriteriaId\":\"3881FF6F-04B1-4780-A445-8FD3C5E70211\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*\",\"versionStartIncluding\":\"14.6.0\",\"versionEndExcluding\":\"14.6.2\",\"matchCriteriaId\":\"404671C6-4722-446A-B0B3-BA551FEAA4FC\"}]}]}],\"references\":[{\"url\":\"https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-0154.json\",\"source\":\"cve@gitlab.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://gitlab.com/gitlab-org/gitlab/-/issues/29580\",\"source\":\"cve@gitlab.com\",\"tags\":[\"Broken Link\"]},{\"url\":\"https://hackerone.com/reports/605576\",\"source\":\"cve@gitlab.com\",\"tags\":[\"Permissions Required\"]}]}}"
}
}
Loading...