Lucene search

Veracode Vulnerability DatabaseVERACODE:41455

HistoryJul 22, 2023 - 5:00 a.m.

Authorization Bypass

2023-07-2205:00:09

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

gitlab vulnerability malicious maintainer exfiltrate github integration access token authenticated requests attacker controlled server

5.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N

0.001 Low

EPSS

Percentile

35.1%

JSON

gitlab is vulnerable to Authorization Bypasses. A malicious maintainer could exfiltrate a GitHub integration’s access token by modifying the integration URL such that authenticated requests are sent to an attacker controlled server.

CPENameOperatorVersion
gitlab:sideq13.4.7-2
gitlab:sideq13.3.9-1
gitlab:sideq13.4.7-2
gitlab:sideq13.3.9-1

Name	Operator	Version
gitlab:sid	eq	13.4.7-2
gitlab:sid	eq	13.3.9-1
gitlab:sid	eq	13.4.7-2
gitlab:sid	eq	13.3.9-1

References

gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-2882.json

gitlab.com/gitlab-org/gitlab/-/issues/371082

hackerone.com/reports/1656722

security-tracker.debian.org/tracker/CVE-2022-2882

5.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N

0.001 Low

EPSS

Percentile

35.1%

JSON

Related for VERACODE:41455