CVE-2022-2095

Name
CVE-2022-2095
Description
An improper access control check in GitLab CE/EE affecting all versions starting from 13.7 before 15.0.5, all versions starting from 15.1 before 15.1.4, all versions starting from 15.2 before 15.2.1 allows a malicious authenticated user to view a public project's Deploy Key's public fingerprint and name when that key has write permission. Note that GitLab never asks for nor stores the private key.
NVD Severity
medium
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
CONFIRM https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-2095.json
MISC https://gitlab.com/gitlab-org/gitlab/-/issues/365415
MISC https://hackerone.com/reports/1600325

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:* gitlab >= 13.7.0 < 15.0.5
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:* gitlab >= 15.1.0 < 15.1.4
cpe:2.3:a:gitlab:gitlab:15.2:*:*:*:enterprise:*:*:* gitlab == None == 15.2

Vulnerable and fixed packages

Source package Branch Version Maintainer Status