CVE-2022-1352

Name
CVE-2022-1352
Description
Due to an insecure direct object reference vulnerability in GitLab EE/CE affecting all versions from 11.0 prior to 14.8.6, 14.9 prior to 14.9.4, and 14.10 prior to 14.10.1, an endpoint may reveal the issue title to a user who crafts an API call with the ID of an issue from a public project that restricts access to issues to project members only.
NVD Severity
medium
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
MISC https://hackerone.com/reports/1450306
MISC https://gitlab.com/gitlab-org/gitlab/-/issues/350691
CONFIRM https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-1352.json

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:gitlab:gitlab:14.10.0:*:*:*:enterprise:*:*:* gitlab == None == 14.10.0
cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:* gitlab >= 14.9.0 < 14.9.4
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:* gitlab >= 11.0.0 < 14.8.6

Vulnerable and fixed packages

Source package Branch Version Maintainer Status