Lucene search

Veracode Vulnerability DatabaseVERACODE:41512

HistoryJul 23, 2023 - 3:44 a.m.

Insecure Direct Object Reference

2023-07-2303:44:05

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

gitlab

vulnerability

insecure direct object reference

reveals

issue title

api call

software

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

EPSS

0.001

Percentile

38.3%

JSON

gitlab is vulnerable to Insecure Direct Object Reference. The vulnerability allows an endpoint to reveal an issue title to the user if they craft an API call with the same issue ID.

References

gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-1352.json

gitlab.com/gitlab-org/gitlab/-/issues/350691

hackerone.com/reports/1450306

security-tracker.debian.org/tracker/CVE-2022-1352

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

EPSS

0.001

Percentile

38.3%

JSON

Related for VERACODE:41512