Lucene search

K

[email protected]NVD:CVE-2022-3706

HistoryNov 10, 2022 - 12:15 a.m.

CVE-2022-3706

2022-11-1000:15:22

[email protected]

web.nvd.nist.gov

5

gitlab

ce/ee

improper authorization

downstream pipeline

upstream pipeline

retried jobs

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

EPSS

0.001

Percentile

22.7%

Improper authorization in GitLab CE/EE affecting all versions from 7.14 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allows a user retrying a job in a downstream pipeline to take ownership of the retried jobs in the upstream pipeline even if the user doesn’t have access to that project.

Affected configurations

Nvd

Node

gitlabgitlabRange7.14.0–15.3.5community

OR

gitlabgitlabRange7.14.0–15.3.5enterprise

OR

gitlabgitlabRange15.4.0–15.4.4community

OR

gitlabgitlabRange15.4.0–15.4.4enterprise

OR

gitlabgitlabRange15.5.0–15.5.2community

OR

gitlabgitlabRange15.5.0–15.5.2enterprise

References

gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-3706.json

gitlab.com/gitlab-org/gitlab/-/issues/365532

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

EPSS

0.001

Percentile

22.7%

Related for NVD:CVE-2022-3706

osv2 cvelist1 prion1 ubuntucve1 openvas1 veracode1 nessus2 debiancve1 cve1 freebsd1