Authorization Bypass

Veracode Vulnerability Database, VERACODE:42361
Published: Aug 06, 2023, 19:01:38
Source: sca.analysiscenter.veracode.com
Tags: gitlab, authorization bypass, validation, branch names, malicious, arbitrary code, vulnerability, exploit, software
CVSS3: 6.2 Medium
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: HIGH
  User Interaction: REQUIRED
  Scope: CHANGED
  Confidentiality Impact: NONE
  Integrity Impact: HIGH
  Availability Impact: NONE
  Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:N/I:H/A:N

EPSS: 0.001 Low (percentile 23.0%)

GitLab is vulnerable to an authorization bypass. The vulnerability is caused by insufficient validation of branch names when importing a project. An authenticated and authorized user can exploit it by importing a project with a malicious branch name consisting of 40 hexadecimal characters, which can be used to execute arbitrary code on the GitLab server.
