Main Vulnerability Database Vulnerabilities #VU65873

#VU65873 Improper access control in GitLab Enterprise Edition - CVE-2022-2498

Published: July 29, 2022

Vulnerability identifier: #VU65873

Vulnerability risk: Medium

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2022-2498

CWE-ID: CWE-284

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
GitLab Enterprise Edition

Software vendor:
GitLab, Inc

Description

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions in pipeline subscriptions. A remote user can trigger new pipelines with the person who created the tag as the pipeline creator instead of the subscription's author.

Remediation

Install updates from vendor's website.

External links

https://about.gitlab.com/releases/2022/07/28/security-release-gitlab-15-2-1-released/