PT-2022-23901 · Gitlab · Gitlab Ce/Ee+1
Yvvdwfon
·
Published
2022-11-09
·
Updated
2024-03-06
·
CVE-2022-3726
CVSS v3.1
9.0
Critical
| Vector | AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
GitLab CE/EE versions 12.6 through 15.3.4
GitLab CE/EE versions 15.4 through 15.4.3
GitLab CE/EE versions 15.5 through 15.5.1
Description
The issue is related to the lack of sand-boxing of OpenAPI documents in GitLab CE/EE, which allows an attacker to trick a user into clicking on the Swagger OpenAPI viewer and issuing HTTP requests that affect the victim's account.
Recommendations
For GitLab CE/EE versions 12.6 through 15.3.4, update to version 15.3.5 or later.
For GitLab CE/EE versions 15.4 through 15.4.3, update to version 15.4.4 or later.
For GitLab CE/EE versions 15.5 through 15.5.1, update to version 15.5.2 or later.
Exploit
Fix
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Gitlab
Gitlab Ce/Ee