cve-2022-2228
Vulnerability from cvelistv5
Published
2022-07-01 16:08
Modified
2024-08-03 00:32
Severity
5.3 (Medium) - cvssV3_1 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
Summary
Information exposure in GitLab EE affecting all versions from 12.0 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1 allows an attacker with the appropriate access tokens to obtain CI variables in a group with using IP-based access restrictions even if the GitLab Runner is calling from outside the allowed IP range
References
SourceURLTags
cve@gitlab.comhttps://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-2228.jsonVendor Advisory
cve@gitlab.comhttps://gitlab.com/gitlab-org/security/gitlab/-/issues/682Permissions Required, Vendor Advisory
Impacted products
VendorProduct
GitLabGitLab
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T00:32:09.424Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://gitlab.com/gitlab-org/security/gitlab/-/issues/682"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-2228.json"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "GitLab",
          "vendor": "GitLab",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e=12.0, \u003c14.10.5"
            },
            {
              "status": "affected",
              "version": "\u003e=15.0, \u003c15.0.4"
            },
            {
              "status": "affected",
              "version": "\u003e=15.1, \u003c15.1.1"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "This vulnerability has been discovered internally by the GitLab team"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Information exposure in GitLab EE affecting all versions from 12.0 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1 allows an attacker with the appropriate access tokens to obtain CI variables in a group with using IP-based access restrictions even if the GitLab Runner is calling from outside the allowed IP range"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Information exposure in GitLab",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-07-01T16:08:11",
        "orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
        "shortName": "GitLab"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://gitlab.com/gitlab-org/security/gitlab/-/issues/682"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-2228.json"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@gitlab.com",
          "ID": "CVE-2022-2228",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "GitLab",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003e=12.0, \u003c14.10.5"
                          },
                          {
                            "version_value": "\u003e=15.0, \u003c15.0.4"
                          },
                          {
                            "version_value": "\u003e=15.1, \u003c15.1.1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "GitLab"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "This vulnerability has been discovered internally by the GitLab team"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Information exposure in GitLab EE affecting all versions from 12.0 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1 allows an attacker with the appropriate access tokens to obtain CI variables in a group with using IP-based access restrictions even if the GitLab Runner is calling from outside the allowed IP range"
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.2,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Information exposure in GitLab"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://gitlab.com/gitlab-org/security/gitlab/-/issues/682",
              "refsource": "MISC",
              "url": "https://gitlab.com/gitlab-org/security/gitlab/-/issues/682"
            },
            {
              "name": "https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-2228.json",
              "refsource": "CONFIRM",
              "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-2228.json"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
    "assignerShortName": "GitLab",
    "cveId": "CVE-2022-2228",
    "datePublished": "2022-07-01T16:08:11",
    "dateReserved": "2022-06-27T00:00:00",
    "dateUpdated": "2024-08-03T00:32:09.424Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-2228\",\"sourceIdentifier\":\"cve@gitlab.com\",\"published\":\"2022-07-01T17:15:07.437\",\"lastModified\":\"2022-07-13T18:43:45.920\",\"vulnStatus\":\"Analyzed\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"Information exposure in GitLab EE affecting all versions from 12.0 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1 allows an attacker with the appropriate access tokens to obtain CI variables in a group with using IP-based access restrictions even if the GitLab Runner is calling from outside the allowed IP range\"},{\"lang\":\"es\",\"value\":\"Una exposici\u00f3n de informaci\u00f3n en GitLab EE afectando a todas las versiones desde la 12.0 anteriores a 14.10.5, la 15.0 anteriores a 15.0.4 y la 15.1 anteriores a 15.1.1 permite a un atacante con los tokens de acceso apropiados obtener variables de CI en un grupo con el uso de restricciones de acceso basadas en IP, incluso si el GitLab Runner est\u00e1 llamando desde fuera del rango de IP permitido\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6},{\"source\":\"cve@gitlab.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\"},\"exploitabilityScore\":1.6,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:S/C:P/I:N/A:N\",\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\",\"baseScore\":4.0},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*\",\"versionStartIncluding\":\"12.0.0\",\"versionEndExcluding\":\"14.10.5\",\"matchCriteriaId\":\"1BC6759B-67CB-457D-9E3A-87D9CFA1D370\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*\",\"versionStartIncluding\":\"15.0.0\",\"versionEndExcluding\":\"15.0.4\",\"matchCriteriaId\":\"18F6B2F9-8BDA-41C7-8152-70D61CCCC0B8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:gitlab:gitlab:15.1.0:*:*:*:enterprise:*:*:*\",\"matchCriteriaId\":\"E07D39FA-8428-4585-9A4C-55D2A1799F9E\"}]}]}],\"references\":[{\"url\":\"https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-2228.json\",\"source\":\"cve@gitlab.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://gitlab.com/gitlab-org/security/gitlab/-/issues/682\",\"source\":\"cve@gitlab.com\",\"tags\":[\"Permissions Required\",\"Vendor Advisory\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.