CVE Vulnerabilities

CVE-2022-0090

Improper Privilege Management

Published: Jan 18, 2022 | Modified: Nov 21, 2024
CVSS 3.x
6.5
MEDIUM
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
CVSS 2.x
5 MEDIUM
AV:N/AC:L/Au:N/C:N/I:P/A:N
RedHat/V2
RedHat/V3
Ubuntu
MEDIUM

An issue has been discovered affecting GitLab versions prior to 14.4.5, between 14.5.0 and 14.5.3, and between 14.6.0 and 14.6.1. GitLab is configured in a way that it doesnt ignore replacement references with git sub-commands, allowing a malicious user to spoof the contents of their commits in the UI.

Weakness

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

Affected Software

Name Vendor Start Version End Version
Gitlab Gitlab * 14.4.5 (excluding)
Gitlab Gitlab 14.5.0 (including) 14.5.3 (excluding)
Gitlab Gitlab 14.6.0 (including) 14.6.1 (excluding)
Gitlab Ubuntu esm-apps/xenial *
Gitlab Ubuntu trusty *
Gitlab Ubuntu xenial *

Potential Mitigations

References