GitLab up to 14.8.5/14.9.3/14.10.0 Markdown Caching cross site scripting

A vulnerability was found in GitLab up to 14.8.5/14.9.3/14.10.0 (Bug Tracking Software). It has been classified as problematic. This affects an unknown functionality of the component Markdown Caching Handler. Upgrading to version 14.8.6, 14.9.4 or 14.10.1 eliminates this vulnerability.

Field05/12/2022 10:17 AM05/14/2022 10:34 AM
nameGitLabGitLab
version<=14.8.5/14.9.3/14.10.0<=14.8.5/14.9.3/14.10.0
componentMarkdown Caching HandlerMarkdown Caching Handler
cwe79 (cross site scripting)79 (cross site scripting)
risk11
cvss3_vuldb_avNN
cvss3_vuldb_acHH
cvss3_vuldb_prLL
cvss3_vuldb_uiRR
cvss3_vuldb_sUU
cvss3_vuldb_cNN
cvss3_vuldb_iLL
cvss3_vuldb_aNN
cvss3_vuldb_rlOO
cvss3_vuldb_rcCC
cvss3_cna_avNN
cvss3_cna_acHH
cvss3_cna_prLL
cvss3_cna_uiRR
cvss3_cna_sUU
cvss3_cna_cLL
cvss3_cna_iNN
cvss3_cna_aNN
identifier3579335793
urlhttps://gitlab.com/gitlab-org/gitlab/-/issues/357930https://gitlab.com/gitlab-org/gitlab/-/issues/357930
confirm_urlhttps://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-1433.jsonhttps://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-1433.json
nameUpgradeUpgrade
upgrade_version14.8.6/14.9.4/14.10.114.8.6/14.9.4/14.10.1
cveCVE-2022-1433CVE-2022-1433
cve_assigned16505784001650578400
cve_cnaGitLab Inc.GitLab Inc.
date1652306400 (05/12/2022)1652306400 (05/12/2022)
typeBug Tracking SoftwareBug Tracking Software
cvss2_vuldb_avNN
cvss2_vuldb_acHH
cvss2_vuldb_ciNN
cvss2_vuldb_iiPP
cvss2_vuldb_aiNN
cvss2_vuldb_rcCC
cvss2_vuldb_rlOFOF
cvss2_vuldb_auSS
cvss2_vuldb_eNDND
cvss3_vuldb_eXX
cvss3_cna_basescore2.62.6
cvss2_vuldb_basescore2.12.1
cvss2_vuldb_tempscore1.81.8
cvss3_vuldb_basescore2.62.6
cvss3_vuldb_tempscore2.52.5
cvss3_meta_basescore2.62.6
cvss3_meta_tempscore2.52.5
price_0day$0-$5k$0-$5k
cve_nvd_summaryAn issue has been discovered in GitLab affecting all versions starting from 14.4 before 14.8.6, all versions starting from 14.9 before 14.9.4, all versions starting from 14.10 before 14.10.1. Missing invalidation of Markdown caching causes potential payloads from a previously exploitable XSS vulnerability (CVE-2022-1175) to persist and execute.