CVE-2022-2417

2022-08-0516:15:11

Google

osv.dev

6.2 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:N/I:H/A:N

4.2 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

23.0%

JSON

Insufficient validation in GitLab CE/EE affecting all versions from 12.10 prior to 15.0.5, 15.1 prior to 15.1.4, and 15.2 prior to 15.2.1 allows an authenticated and authorised user to import a project that includes branch names which are 40 hexadecimal characters, which could be abused in supply chain attacks where a victim pinned to a specific Git commit of the project.

CPENameOperatorVersion
gitlabeq6.4.3
gitlabeq9.2.0.pre
gitlabeq6.8.0-ee
gitlabeq8.12.0-rc3
gitlabeq6.6.0
gitlabeq7.2.0.rc5
gitlabeq8.12.0-rc6
gitlabeq2.4.1
gitlabeq9.1.0.pre
gitlabeq8.11.0-ee

Name	Operator	Version
gitlab	eq	6.4.3
gitlab	eq	9.2.0.pre
gitlab	eq	6.8.0-ee
gitlab	eq	8.12.0-rc3
gitlab	eq	6.6.0
gitlab	eq	7.2.0.rc5
gitlab	eq	8.12.0-rc6
gitlab	eq	2.4.1
gitlab	eq	9.1.0.pre
gitlab	eq	8.11.0-ee