CVE-2022-1406

EPSS 0.22%
Veröffentlicht 11.05.2022 15:15:08
Zuletzt bearbeitet 21.11.2024 06:40:40
Quelle cve@gitlab.com
CVE-Watchlists
Login
Unerledigt
Login

Improper input validation in GitLab CE/EE affecting all versions from 8.12 prior to 14.8.6, all versions from 14.9.0 prior to 14.9.4, and 14.10.0 allows a Developer to read protected Group or Project CI/CD variables by importing a malicious project

Betroffene Produkte Warnungen 0 Metriken 4 CWE 1 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Gitlab ≫ Gitlab SwEditioncommunity Version >= 8.12.0 < 14.8.6

Gitlab ≫ Gitlab SwEditionenterprise Version >= 8.12.0 < 14.8.6

Gitlab ≫ Gitlab SwEditioncommunity Version >= 14.9.0 < 14.9.4

Gitlab ≫ Gitlab SwEditionenterprise Version >= 14.9.0 < 14.9.4

Gitlab ≫ Gitlab Version14.10.0 SwEditioncommunity

Gitlab ≫ Gitlab Version14.10.0 SwEditionenterprise

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.22%	0.44

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.5	2.8	3.6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
nvd@nist.gov	4	8	2.9	AV:N/AC:L/Au:S/C:P/I:N/A:N
cve@gitlab.com	6.5	2.8	3.6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-1406.json

Vendor Advisory

https://gitlab.com/gitlab-org/gitlab/-/issues/353958

Broken Link

https://hackerone.com/reports/1485381

Third Party Advisory

Permissions Required

https://nvd.nist.gov/vuln/detail/CVE-2022-1406

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-1406

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-1406

EUVD