GitLab Community Edition/Enterprise Edition up to 14.8.5/14.9.3/14.10.0 API Call resource injection

A vulnerability classified as critical was found in GitLab Community Edition and Enterprise Edition up to 14.8.5/14.9.3/14.10.0 (Bug Tracking Software). The vulnerability affects an unknown code block of the API Call Handler component. Upgrading to version 14.8.6, 14.9.4 or 14.10.1 eliminates this vulnerability.

Field                  | 05/12/2022 10:31 AM                                                           | 05/14/2022 10:52 AM
vendor                 | GitLab                                                                        | GitLab
name                   | Community Edition/Enterprise Edition                                          | Community Edition/Enterprise Edition
version                | <=14.8.5/14.9.3/14.10.0                                                       | <=14.8.5/14.9.3/14.10.0
component              | API Call Handler                                                              | API Call Handler
cwe                    | 99 (privilege escalation)                                                     | 99 (privilege escalation)
risk                   | 2                                                                             | 2
cvss3_vuldb_av         | N                                                                             | N
cvss3_vuldb_ac         | L                                                                             | L
cvss3_vuldb_pr         | N                                                                             | N
cvss3_vuldb_ui         | N                                                                             | N
cvss3_vuldb_s          | U                                                                             | U
cvss3_vuldb_c          | L                                                                             | L
cvss3_vuldb_i          | N                                                                             | N
cvss3_vuldb_a          | N                                                                             | N
cvss3_vuldb_rl         | O                                                                             | O
cvss3_vuldb_rc         | C                                                                             | C
cvss3_cna_av           | N                                                                             | N
cvss3_cna_ac           | L                                                                             | L
cvss3_cna_pr           | N                                                                             | N
cvss3_cna_ui           | N                                                                             | N
cvss3_cna_s            | U                                                                             | U
cvss3_cna_c            | L                                                                             | L
cvss3_cna_i            | N                                                                             | N
cvss3_cna_a            | N                                                                             | N
identifier             | 35069                                                                         | 35069
url                    | https://gitlab.com/gitlab-org/gitlab/-/issues/350691                          | https://gitlab.com/gitlab-org/gitlab/-/issues/350691
confirm_url            | https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-1352.json      | https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-1352.json
name (countermeasure)  | Upgrade                                                                       | Upgrade
upgrade_version        | 14.8.6/14.9.4/14.10.1                                                         | 14.8.6/14.9.4/14.10.1
cve                    | CVE-2022-1352                                                                 | CVE-2022-1352
cve_assigned           | 1649887200                                                                    | 1649887200
cve_cna                | GitLab Inc.                                                                   | GitLab Inc.
date                   | 1652306400 (05/12/2022)                                                       | 1652306400 (05/12/2022)
type                   | Bug Tracking Software                                                         | Bug Tracking Software
cvss2_vuldb_av         | N                                                                             | N
cvss2_vuldb_ac         | L                                                                             | L
cvss2_vuldb_au         | N                                                                             | N
cvss2_vuldb_ci         | P                                                                             | P
cvss2_vuldb_ii         | N                                                                             | N
cvss2_vuldb_ai         | N                                                                             | N
cvss2_vuldb_rc         | C                                                                             | C
cvss2_vuldb_rl         | OF                                                                            | OF
cvss2_vuldb_e          | ND                                                                            | ND
cvss3_vuldb_e          | X                                                                             | X
cvss3_cna_basescore    | 5.3                                                                           | 5.3
cvss2_vuldb_basescore  | 5.0                                                                           | 5.0
cvss2_vuldb_tempscore  | 4.4                                                                           | 4.4
cvss3_vuldb_basescore  | 5.3                                                                           | 5.3
cvss3_vuldb_tempscore  | 5.1                                                                           | 5.1
cvss3_meta_basescore   | 5.3                                                                           | 5.3
cvss3_meta_tempscore   | 5.2                                                                           | 5.2
price_0day             | $0-$5k                                                                        | $0-$5k

cve_nvd_summary: Due to an insecure direct object reference vulnerability in GitLab EE/CE affecting all versions from 11.0 prior to 14.8.6, 14.9 prior to 14.9.4, and 14.10 prior to 14.10.1, an endpoint may reveal the issue title to a user who crafted an API call with the ID of the issue from a public project that restricts access to issues to project members only.
