VDB-199599 · CVE-2022-1433 · ID 35793

GitLab up to 14.8.5/14.9.3/14.10.0 Markdown Caching cross site scripting

A vulnerability was found in GitLab up to 14.8.5/14.9.3/14.10.0 (Bug Tracking Software). It has been classified as problematic. This affects an unknown functionality of the component Markdown Caching Handler. Upgrading to version 14.8.6, 14.9.4 or 14.10.1 eliminates this vulnerability.

Field	05/12/2022 10:17 AM	05/14/2022 10:34 AM
name	GitLab	GitLab
version	<=14.8.5/14.9.3/14.10.0	<=14.8.5/14.9.3/14.10.0
component	Markdown Caching Handler	Markdown Caching Handler
cwe	79 (cross site scripting)	79 (cross site scripting)
risk	1	1
cvss3_vuldb_av	N	N
cvss3_vuldb_ac	H	H
cvss3_vuldb_pr	L	L
cvss3_vuldb_ui	R	R
cvss3_vuldb_s	U	U
cvss3_vuldb_c	N	N
cvss3_vuldb_i	L	L
cvss3_vuldb_a	N	N
cvss3_vuldb_rl	O	O
cvss3_vuldb_rc	C	C
cvss3_cna_av	N	N
cvss3_cna_ac	H	H
cvss3_cna_pr	L	L
cvss3_cna_ui	R	R
cvss3_cna_s	U	U
cvss3_cna_c	L	L
cvss3_cna_i	N	N
cvss3_cna_a	N	N
identifier	35793	35793
url	https://gitlab.com/gitlab-org/gitlab/-/issues/357930	https://gitlab.com/gitlab-org/gitlab/-/issues/357930
confirm_url	https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-1433.json	https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-1433.json
name	Upgrade	Upgrade
upgrade_version	14.8.6/14.9.4/14.10.1	14.8.6/14.9.4/14.10.1
cve	CVE-2022-1433	CVE-2022-1433
cve_assigned	1650578400	1650578400
cve_cna	GitLab Inc.	GitLab Inc.
date	1652306400 (05/12/2022)	1652306400 (05/12/2022)
type	Bug Tracking Software	Bug Tracking Software
cvss2_vuldb_av	N	N
cvss2_vuldb_ac	H	H
cvss2_vuldb_ci	N	N
cvss2_vuldb_ii	P	P
cvss2_vuldb_ai	N	N
cvss2_vuldb_rc	C	C
cvss2_vuldb_rl	OF	OF
cvss2_vuldb_au	S	S
cvss2_vuldb_e	ND	ND
cvss3_vuldb_e	X	X
cvss3_cna_basescore	2.6	2.6
cvss2_vuldb_basescore	2.1	2.1
cvss2_vuldb_tempscore	1.8	1.8
cvss3_vuldb_basescore	2.6	2.6
cvss3_vuldb_tempscore	2.5	2.5
cvss3_meta_basescore	2.6	2.6
cvss3_meta_tempscore	2.5	2.5
price_0day	$0-$5k	$0-$5k
cve_nvd_summary		An issue has been discovered in GitLab affecting all versions starting from 14.4 before 14.8.6, all versions starting from 14.9 before 14.9.4, all versions starting from 14.10 before 14.10.1. Missing invalidation of Markdown caching causes potential payloads from a previously exploitable XSS vulnerability (CVE-2022-1175) to persist and execute.

◂ Previous Overview Next ▸