nvd [email protected] NVD:CVE-2022-2326
History: Aug 05, 2022 - 4:15 p.m.

CVE-2022-2326

2022-08-05 16:15:11
CWE-863
web.nvd.nist.gov
3
gitlab
unauthorized access
private projects
email invite

CVSS3: 8.1

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

EPSS: 0.002
Percentile: 54.7%

An issue has been discovered in GitLab CE/EE affecting all versions before 15.0.5, all versions starting from 15.1 before 15.1.4, and all versions starting from 15.2 before 15.2.1. It may be possible to gain access to a private project through an email invite by using another user’s email address as an unverified secondary email.

Affected configurations

Nvd

Node
gitlab  gitlab  Range <15.0.5          enterprise
OR
gitlab  gitlab  Range 15.1.0 - 15.1.4  enterprise
OR
gitlab  gitlab  Match 15.2             enterprise

Node
gitlab  gitlab  Range <15.0.5          community
OR
gitlab  gitlab  Range 15.1.0 - 15.1.4  community
OR
gitlab  gitlab  Match 15.2             enterprise

Vendor  Product  Version  CPE
gitlab  gitlab   *        cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*
gitlab  gitlab   15.2     cpe:2.3:a:gitlab:gitlab:15.2:*:*:*:enterprise:*:*:*
gitlab  gitlab   *        cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
