CVE-2022-3793

2022-11-0900:00:00

GitLab

www.cve.org

gitlab

ce/ee

authorization issue

unauthorized access

configuration variables

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

AI Score

5.5

Confidence

High

EPSS

0.001

Percentile

33.5%

JSON

An improper authorization issue in GitLab CE/EE affecting all versions from 14.4 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allows an attacker to read variables set directly in a GitLab CI/CD configuration file they don’t have access to.

CNA Affected

[
  {
    "vendor": "GitLab",
    "product": "GitLab",
    "versions": [
      {
        "version": ">=12.6, <15.3.5",
        "status": "affected"
      },
      {
        "version": ">=15.4, <15.4.4",
        "status": "affected"
      },
      {
        "version": ">=15.5, <15.5.2",
        "status": "affected"
      }
    ]
  }
]