CVE-2022-2417

Publication date 5 August 2022

Last updated 24 July 2024


Ubuntu priority

Cvss 3 Severity Score

4.5 · Medium

Score breakdown

Insufficient validation in GitLab CE/EE affecting all versions from 12.10 prior to 15.0.5, 15.1 prior to 15.1.4, and 15.2 prior to 15.2.1 allows an authenticated and authorised user to import a project that includes branch names which are 40 hexadecimal characters, which could be abused in supply chain attacks where a victim pinned to a specific Git commit of the project.

Status

Package Ubuntu Release Status
gitlab 24.04 LTS noble Not in release
23.10 mantic Not in release
23.04 lunar Not in release
22.10 kinetic Not in release
22.04 LTS jammy Not in release
20.04 LTS focal Not in release
18.04 LTS bionic Not in release
16.04 LTS xenial Ignored not maintainable
14.04 LTS trusty Not in release

Severity score breakdown

Parameter Value
Base score 4.5 · Medium
Attack vector Network
Attack complexity Low
Privileges required High
User interaction Required
Scope Unchanged
Confidentiality None
Integrity impact High
Availability impact None
Vector CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:N