CVE-2022-2992

CRITICAL severity · CVSS 9.9 · Injection

9.9CVSS CRITICAL

Summary

A vulnerability in GitLab CE/EE affecting all versions from 11.10 prior to 15.1.6, 15.2 to 15.2.4, 15.3 to 15.3.2 allows an authenticated user to achieve remote code execution via the Import from GitHub API endpoint.

Impact & exploitability

Attack vectorNetwork

Attack complexityLow

Privileges requiredLow

User interactionNone

Confidentiality impactHigh

Integrity impactHigh

Availability impactHigh

Exploit probability (EPSS)91%

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Affected products we track (1)

GitLab

Recommendation

Apply the vendor fix promptly. Open any affected product above for its exact safe version.

Additional information

NVD record
http://packetstormsecurity.com/files/171008/GitLab-GitHub-Repo-Import-Deserialization-Remote-Code-Execution.html
https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-2992.jsonAdvisory
https://gitlab.com/gitlab-org/gitlab/-/issues/371884Advisory
https://hackerone.com/reports/1679624Advisory
http://packetstormsecurity.com/files/171008/GitLab-GitHub-Repo-Import-Deserialization-Remote-Code-Execution.html
https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-2992.jsonAdvisory
https://gitlab.com/gitlab-org/gitlab/-/issues/371884Advisory
https://hackerone.com/reports/1679624Advisory