VDB-199603 · CVE-2022-1352 · ID 35069

GitLab Community Edition/Enterprise Edition up to 14.8.5/14.9.3/14.10.0 API Call resource injection

A vulnerability classified as critical was found in GitLab Community Edition and Enterprise Edition up to 14.8.5/14.9.3/14.10.0 (Bug Tracking Software). Affected by this vulnerability is an unknown code block of the component API Call Handler. Upgrading to version 14.8.6, 14.9.4 or 14.10.1 eliminates this vulnerability.

Field	05/12/2022 10:31 AM	05/14/2022 10:52 AM
vendor	GitLab	GitLab
name	Community Edition/Enterprise Edition	Community Edition/Enterprise Edition
version	<=14.8.5/14.9.3/14.10.0	<=14.8.5/14.9.3/14.10.0
component	API Call Handler	API Call Handler
cwe	99 (privilege escalation)	99 (privilege escalation)
risk	2	2
cvss3_vuldb_av	N	N
cvss3_vuldb_ac	L	L
cvss3_vuldb_pr	N	N
cvss3_vuldb_ui	N	N
cvss3_vuldb_s	U	U
cvss3_vuldb_c	L	L
cvss3_vuldb_i	N	N
cvss3_vuldb_a	N	N
cvss3_vuldb_rl	O	O
cvss3_vuldb_rc	C	C
cvss3_cna_av	N	N
cvss3_cna_ac	L	L
cvss3_cna_pr	N	N
cvss3_cna_ui	N	N
cvss3_cna_s	U	U
cvss3_cna_c	L	L
cvss3_cna_i	N	N
cvss3_cna_a	N	N
identifier	35069	35069
url	https://gitlab.com/gitlab-org/gitlab/-/issues/350691	https://gitlab.com/gitlab-org/gitlab/-/issues/350691
confirm_url	https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-1352.json	https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-1352.json
name	Upgrade	Upgrade
upgrade_version	14.8.6/14.9.4/14.10.1	14.8.6/14.9.4/14.10.1
cve	CVE-2022-1352	CVE-2022-1352
cve_assigned	1649887200	1649887200
cve_cna	GitLab Inc.	GitLab Inc.
date	1652306400 (05/12/2022)	1652306400 (05/12/2022)
type	Bug Tracking Software	Bug Tracking Software
cvss2_vuldb_av	N	N
cvss2_vuldb_ac	L	L
cvss2_vuldb_au	N	N
cvss2_vuldb_ci	P	P
cvss2_vuldb_ii	N	N
cvss2_vuldb_ai	N	N
cvss2_vuldb_rc	C	C
cvss2_vuldb_rl	OF	OF
cvss2_vuldb_e	ND	ND
cvss3_vuldb_e	X	X
cvss3_cna_basescore	5.3	5.3
cvss2_vuldb_basescore	5.0	5.0
cvss2_vuldb_tempscore	4.4	4.4
cvss3_vuldb_basescore	5.3	5.3
cvss3_vuldb_tempscore	5.1	5.1
cvss3_meta_basescore	5.3	5.3
cvss3_meta_tempscore	5.2	5.2
price_0day	$0-$5k	$0-$5k
cve_nvd_summary		Due to an insecure direct object reference vulnerability in Gitlab EE/CE affecting all versions from 11.0 prior to 14.8.6, 14.9 prior to 14.9.4, and 14.10 prior to 14.10.1, an endpoint may reveal the issue title to a user who crafted an API call with the ID of the issue from a public project that restricts access to issue only to project members.

◂ Previous Overview Next ▸

Want to stay up to date on a daily basis?

Enable the mail alert feature now!