CVE Vulnerabilities

CVE-2022-2307

Incomplete Cleanup

Published: Aug 05, 2022 | Modified: Aug 11, 2022
CVSS 3.x
3.8
LOW
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
CVSS 2.x
RedHat/V2
RedHat/V3
Ubuntu
MEDIUM

A lack of cascading deletes in GitLab CE/EE affecting all versions starting from 13.0 before 15.0.5, all versions starting from 15.1 before 15.1.4, all versions starting from 15.2 before 15.2.1 allows a malicious Group Owner to retain a usable Group Access Token even after the Group is deleted, though the APIs usable by that token are limited.

Weakness

The product does not properly “clean up” and remove temporary or supporting resources after they have been used.

Affected Software

Name Vendor Start Version End Version
Gitlab Gitlab 13.0.0 (including) 15.0.5 (excluding)
Gitlab Gitlab 15.1.0 (including) 15.1.4 (excluding)
Gitlab Gitlab 15.2 (including) 15.2 (including)
Gitlab Ubuntu esm-apps/xenial *
Gitlab Ubuntu xenial *

Potential Mitigations

References