5.4

CVE-2022-1416

Exploit
Missing sanitization of data in Pipeline error messages in GitLab CE/EE affecting all versions starting from 1.0.2 before 14.8.6, all versions from 14.9.0 before 14.9.4, and all versions from 14.10.0 before 14.10.1 allows for rendering of attacker controlled HTML tags and CSS styling
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
GitlabGitlab SwEditioncommunity Version >= 1.0.2 < 14.8.6
GitlabGitlab SwEditionenterprise Version >= 1.0.2 < 14.8.6
GitlabGitlab SwEditioncommunity Version >= 14.9.0 < 14.9.4
GitlabGitlab SwEditionenterprise Version >= 14.9.0 < 14.9.4
GitlabGitlab Version14.10.0 SwEditioncommunity
GitlabGitlab Version14.10.0 SwEditionenterprise
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.23% 0.462
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 5.4 2.3 2.7
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
nvd@nist.gov 3.5 6.8 2.9
AV:N/AC:M/Au:S/C:N/I:P/A:N
cve@gitlab.com 4.3 2.8 1.4
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://gitlab.com/gitlab-org/gitlab/-/issues/342988
Third Party Advisory
Exploit
Issue Tracking
Technical Description
https://hackerone.com/reports/1362405
Third Party Advisory
Permissions Required