CVE-2022-2884

CRITICAL severity · CVSS 9.9 · OS command injection

9.9CVSS CRITICAL

Summary

A vulnerability in GitLab CE/EE affecting all versions from 11.3.4 prior to 15.1.5, 15.2 to 15.2.3, 15.3 to 15.3 to 15.3.1 allows an an authenticated user to achieve remote code execution via the Import from GitHub API endpoint

Impact & exploitability

Attack vectorNetwork

Attack complexityLow

Privileges requiredLow

User interactionNone

Confidentiality impactHigh

Integrity impactHigh

Availability impactHigh

Exploit probability (EPSS)30%

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Affected products we track (1)

GitLab

Recommendation

Apply the vendor fix promptly. Open any affected product above for its exact safe version.

Additional information

NVD record
http://packetstormsecurity.com/files/171628/GitLab-15.3-Remote-Code-Execution.html
https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-2884.jsonAdvisory
https://gitlab.com/gitlab-org/gitlab/-/issues/371098Advisory
https://hackerone.com/reports/1672388Advisory
http://packetstormsecurity.com/files/171628/GitLab-15.3-Remote-Code-Execution.html
https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-2884.jsonAdvisory
https://gitlab.com/gitlab-org/gitlab/-/issues/371098Advisory
https://hackerone.com/reports/1672388Advisory