PT-2022-15828 · Gitlab · Gitlab Ce/Ee+1
The Jihu
·
Published
2022-08-05
·
Updated
2024-03-06
·
CVE-2022-2307
CVSS v3.1
3.8
Low
| Vector | AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
GitLab CE/EE versions 13.0 through 15.0.5
GitLab CE/EE versions 15.1 through 15.1.4
GitLab CE/EE versions 15.2 through 15.2.1
Description
The issue is related to a lack of cascading deletes, allowing a malicious Group Owner to retain a usable Group Access Token even after the Group is deleted. Although the APIs usable by that token are limited, this still poses a risk.
Recommendations
For GitLab CE/EE versions 13.0 through 15.0.5, update to version 15.0.5 or later.
For GitLab CE/EE versions 15.1 through 15.1.4, update to version 15.1.4 or later.
For GitLab CE/EE versions 15.2 through 15.2.1, update to version 15.2.1 or later.
Exploit
Fix
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Gitlab
Gitlab Ce/Ee