PT-2022-23775 · Gitlab · Gitlab Ce/Ee+1

Drew Stachon

Published

2022-11-09

Updated

2024-03-06

CVE-2022-3706

CVSS v3.1

3.1

Low

Vector

AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions GitLab CE/EE versions 7.14 through 15.3.4 GitLab CE/EE versions 15.4 through 15.4.3 GitLab CE/EE versions 15.5 through 15.5.1

Description The issue is related to improper authorization, allowing a user to take ownership of retried jobs in an upstream pipeline when retrying a job in a downstream pipeline, even without access to the project. This occurs when a user retries a job in a downstream pipeline.

Recommendations For GitLab CE/EE versions 7.14 through 15.3.4, update to version 15.3.5 or later. For GitLab CE/EE versions 15.4 through 15.4.3, update to version 15.4.4 or later. For GitLab CE/EE versions 15.5 through 15.5.1, update to version 15.5.2 or later.

Exploit

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Related Identifiers

BIT-GITLAB-2022-3706

CVE-2022-3706

Affected Products

Gitlab

Gitlab Ce/Ee

PT-2022-23775 · Gitlab · Gitlab Ce/Ee+1

CVE-2022-3706

Related Identifiers

Affected Products

References · 11