CVE-2022-2497

Name

CVE-2022-2497

Description

An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.6 before 15.0.5, all versions starting from 15.1 before 15.1.4, all versions starting from 15.2 before 15.2.1. A malicious developer could exfiltrate an integration's access token by modifying the integration URL such that authenticated requests are sent to an attacker controlled server.

NVD Severity

medium

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
MISC	https://gitlab.com/gitlab-org/gitlab/-/issues/362671
CONFIRM	https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-2497.json
MISC	https://hackerone.com/reports/1557992

CPE URI	Source package	Min version	Max version
`cpe:2.3:a:gitlab:gitlab:::::enterprise:::*`	gitlab	>= 12.6.0	< 15.0.5
`cpe:2.3:a:gitlab:gitlab:::::enterprise:::*`	gitlab	>= 15.1.0	< 15.1.4
`cpe:2.3:a:gitlab:gitlab:15.2::::enterprise:::`	gitlab	== None	== 15.2

References

Match rules

Vulnerable and fixed packages