CVE Vulnerabilities

CVE-2022-2992

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Published: Oct 17, 2022 | Modified: Aug 08, 2023
CVSS 3.x
9.9
CRITICAL
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CVSS 2.x
RedHat/V2
RedHat/V3
Ubuntu
MEDIUM

A vulnerability in GitLab CE/EE affecting all versions from 11.10 prior to 15.1.6, 15.2 to 15.2.4, 15.3 to 15.3.2 allows an authenticated user to achieve remote code execution via the Import from GitHub API endpoint.

Weakness

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

Affected Software

Name Vendor Start Version End Version
Gitlab Gitlab 11.10 (including) 15.1.6 (excluding)
Gitlab Gitlab 15.2 (including) 15.2.4 (excluding)
Gitlab Gitlab 15.3 (including) 15.3.2 (excluding)
Gitlab Ubuntu esm-apps/xenial *
Gitlab Ubuntu upstream *

Potential Mitigations

References