CVE-2022-2227

2022-07-0115:53:58

GitLab

www.cve.org

gitlab

access control

api

cve-2022-2227

security vulnerability

CVSS3

3.1

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

AI Score

4.9

Confidence

High

EPSS

0.001

Percentile

29.6%

JSON

Improper access control in the runner jobs API in GitLab CE/EE affecting all versions prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1 allows a previous maintainer of a project with a specific runner to access job and project meta data under certain conditions

CNA Affected

[
  {
    "product": "GitLab",
    "vendor": "GitLab",
    "versions": [
      {
        "status": "affected",
        "version": "<14.10.5"
      },
      {
        "status": "affected",
        "version": ">=15.0, <15.0.4"
      },
      {
        "status": "affected",
        "version": ">=15.1, <15.1.1"
      }
    ]
  }
]