8.7 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
6 Medium
AI Score
Confidence
High
0.002 Low
EPSS
Percentile
57.4%
The version of GitLab installed on the remote host is affected by a vulnerability, as follows:
An issue has been discovered in GitLab affecting all versions starting from 13.7 before 15.7.8, all versions starting from 15.8 before 15.8.4, all versions starting from 15.9 before 15.9.2. A specially crafted Kroki diagram could lead to a stored XSS on the client side which allows attackers to perform arbitrary actions on behalf of victims. (CVE-2023-0050)
An issue has been discovered in GitLab affecting all versions starting from 15.3 before 15.7.8, versions of 15.8 before 15.8.4, and version 15.9 before 15.9.2. Google IAP details in Prometheus integration were not hidden, could be leaked from instance, group, or project settings to other users. (CVE-2022-4289)
An issue has been discovered in GitLab EE affecting all versions starting from 15.1 before 15.7.8, all versions starting from 15.8 before 15.8.4, all versions starting from 15.9 before 15.9.2. If a group with SAML SSO enabled is transferred to a new namespace as a child group, it’s possible previously removed malicious maintainer or owner of the child group can still gain access to the group via SSO or a SCIM token to perform actions on the group. (CVE-2022-4331)
An issue has been discovered in GitLab affecting all versions starting from 12.1 before 15.7.8, all versions starting from 15.8 before 15.8.4, all versions starting from 15.9 before 15.9.2. It was possible for a project maintainer to extract a Datadog integration API key by modifying the site. (CVE-2023-0483)
A issue has been discovered in GitLab CE/EE affecting all versions from 15.3 prior to 15.7.8, version 15.8 prior to 15.8.4, and version 15.9 prior to 15.9.2 A cross-site scripting vulnerability was found in the title field of work items that allowed attackers to perform arbitrary actions on behalf of victims at client side. (CVE-2022-4007)
An issue has been discovered in GitLab affecting all versions starting from 15.5 before 15.7.8, all versions starting from 15.8 before 15.8.4, all versions starting from 15.9 before 15.9.2. Due to improper permissions checks an unauthorised user was able to read, add or edit a users private snippet.
(CVE-2022-3758)
An issue has been discovered in GitLab affecting all versions starting from 15.5 before 15.7.8, all versions starting from 15.8 before 15.8.4, all versions starting from 15.9 before 15.9.2. Non-project members could retrieve release descriptions via the API, even if the release visibility is restricted to project members only in the project settings. (CVE-2023-0223)
An issue has been discovered in GitLab affecting all versions starting from 12.8 before 15.7.8, all versions starting from 15.8 before 15.8.4, all versions starting from 15.9 before 15.9.2. This vulnerability could allow a user to unmask the Discord Webhook URL through viewing the raw API response.
(CVE-2022-4462)
An issue has been discovered in GitLab affecting all versions starting from 9.0 before 15.7.8, all versions starting from 15.8 before 15.8.4, all versions starting from 15.9 before 15.9.2. It was possible to trigger a resource depletion attack due to improper filtering for number of requests to read commits details. (CVE-2023-1072)
An issue has been discovered in GitLab affecting all versions starting from 10.0 to 15.7.8, 15.8 prior to 15.8.4 and 15.9 prior to 15.9.2. A crafted URL could be used to redirect users to arbitrary sites (CVE-2022-3381)
An issue has been discovered in GitLab CE/EE affecting all versions before 15.7.8, all versions starting from 15.8 before 15.8.4, all versions starting from 15.9 before 15.9.2. A malicious project Maintainer may create a Project Access Token with Owner level privileges using a crafted request. (CVE-2023-1084)
Note that Nessus has not tested for this issue but has instead relied only on the application’s self-reported version number.
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##
include('compat.inc');
if (description)
{
script_id(187524);
script_version("1.0");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/01/03");
script_cve_id(
"CVE-2022-3381",
"CVE-2022-3758",
"CVE-2022-4007",
"CVE-2022-4289",
"CVE-2022-4331",
"CVE-2022-4462",
"CVE-2023-0050",
"CVE-2023-0223",
"CVE-2023-0483",
"CVE-2023-1072",
"CVE-2023-1084"
);
script_name(english:"GitLab < 15.7.8 (SECURITY-RELEASE-GITLAB-15-9-2-RELEASED)");
script_set_attribute(attribute:"synopsis", value:
"The version of GitLab installed on the remote host is affected by a vulnerability.");
script_set_attribute(attribute:"description", value:
"The version of GitLab installed on the remote host is affected by a vulnerability, as follows:
- An issue has been discovered in GitLab affecting all versions starting from 13.7 before 15.7.8, all
versions starting from 15.8 before 15.8.4, all versions starting from 15.9 before 15.9.2. A specially
crafted Kroki diagram could lead to a stored XSS on the client side which allows attackers to perform
arbitrary actions on behalf of victims. (CVE-2023-0050)
- An issue has been discovered in GitLab affecting all versions starting from 15.3 before 15.7.8, versions
of 15.8 before 15.8.4, and version 15.9 before 15.9.2. Google IAP details in Prometheus integration were
not hidden, could be leaked from instance, group, or project settings to other users. (CVE-2022-4289)
- An issue has been discovered in GitLab EE affecting all versions starting from 15.1 before 15.7.8, all
versions starting from 15.8 before 15.8.4, all versions starting from 15.9 before 15.9.2. If a group with
SAML SSO enabled is transferred to a new namespace as a child group, it's possible previously removed
malicious maintainer or owner of the child group can still gain access to the group via SSO or a SCIM
token to perform actions on the group. (CVE-2022-4331)
- An issue has been discovered in GitLab affecting all versions starting from 12.1 before 15.7.8, all
versions starting from 15.8 before 15.8.4, all versions starting from 15.9 before 15.9.2. It was possible
for a project maintainer to extract a Datadog integration API key by modifying the site. (CVE-2023-0483)
- A issue has been discovered in GitLab CE/EE affecting all versions from 15.3 prior to 15.7.8, version 15.8
prior to 15.8.4, and version 15.9 prior to 15.9.2 A cross-site scripting vulnerability was found in the
title field of work items that allowed attackers to perform arbitrary actions on behalf of victims at
client side. (CVE-2022-4007)
- An issue has been discovered in GitLab affecting all versions starting from 15.5 before 15.7.8, all
versions starting from 15.8 before 15.8.4, all versions starting from 15.9 before 15.9.2. Due to improper
permissions checks an unauthorised user was able to read, add or edit a users private snippet.
(CVE-2022-3758)
- An issue has been discovered in GitLab affecting all versions starting from 15.5 before 15.7.8, all
versions starting from 15.8 before 15.8.4, all versions starting from 15.9 before 15.9.2. Non-project
members could retrieve release descriptions via the API, even if the release visibility is restricted to
project members only in the project settings. (CVE-2023-0223)
- An issue has been discovered in GitLab affecting all versions starting from 12.8 before 15.7.8, all
versions starting from 15.8 before 15.8.4, all versions starting from 15.9 before 15.9.2. This
vulnerability could allow a user to unmask the Discord Webhook URL through viewing the raw API response.
(CVE-2022-4462)
- An issue has been discovered in GitLab affecting all versions starting from 9.0 before 15.7.8, all
versions starting from 15.8 before 15.8.4, all versions starting from 15.9 before 15.9.2. It was possible
to trigger a resource depletion attack due to improper filtering for number of requests to read commits
details. (CVE-2023-1072)
- An issue has been discovered in GitLab affecting all versions starting from 10.0 to 15.7.8, 15.8 prior to
15.8.4 and 15.9 prior to 15.9.2. A crafted URL could be used to redirect users to arbitrary sites
(CVE-2022-3381)
- An issue has been discovered in GitLab CE/EE affecting all versions before 15.7.8, all versions starting
from 15.8 before 15.8.4, all versions starting from 15.9 before 15.9.2. A malicious project Maintainer may
create a Project Access Token with Owner level privileges using a crafted request. (CVE-2023-1084)
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
# https://about.gitlab.com/releases/2023/03/02/security-release-gitlab-15-9-2-released/
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?56ed9a15");
script_set_attribute(attribute:"solution", value:
"Upgrade to GitLab version 15.7.8 or later.");
script_set_attribute(attribute:"agent", value:"unix");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:N");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2022-4331");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"vuln_publication_date", value:"2023/03/02");
script_set_attribute(attribute:"patch_publication_date", value:"2023/03/02");
script_set_attribute(attribute:"plugin_publication_date", value:"2024/01/03");
script_set_attribute(attribute:"plugin_type", value:"combined");
script_set_attribute(attribute:"cpe", value:"cpe:/a:gitlab:gitlab");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_set_attribute(attribute:"thorough_tests", value:"true");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"CGI abuses");
script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("gitlab_webui_detect.nbin", "gitlab_nix_installed.nbin");
script_require_keys("installed_sw/GitLab");
exit(0);
}
include('vcf.inc');
var app = 'GitLab';
var app_info = vcf::combined_get_app_info(app:app);
if (report_paranoia < 2 && max_index(app_info.parsed_version[0]) < 3 && app_info.version =~ "^15\.(7)$")
if (!empty_or_null(app_info.port))
audit(AUDIT_POTENTIAL_VULN, app, app_info.version, app_info.port);
else
audit(AUDIT_POTENTIAL_VULN, app, app_info.version);
var constraints = [
{ 'fixed_version' : '15.7.8' }
];
vcf::check_version_and_report(
app_info:app_info,
constraints:constraints,
severity:SECURITY_HOLE,
flags:{'xss':TRUE}
);
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3381
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3758
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4007
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4289
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4331
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4462
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0050
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0223
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0483
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1072
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1084
www.nessus.org/u?56ed9a15
8.7 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
6 Medium
AI Score
Confidence
High
0.002 Low
EPSS
Percentile
57.4%