Request a Demo
Rewterz
Rewterz Threat Advisory – CVE-2022-22489 – IBM MQ external Vulnerability
August 21, 2022
Rewterz
Rewterz Threat Advisory – Multiple Cisco Small Business routers Vulnerabilities
August 21, 2022

Rewterz Threat Advisory – Multiple GitLab Vulnerabilities

Severity

Medium

Analysis Summary

CVE-2022-1963 CVSS:5.3
GitLab could allow a remote attacker to obtain sensitive information, caused by revealing two-factor authentication user account in the HTML source. A remote attacker could exploit this vulnerability to obtain a user account.

CVE-2022-2227 CVSS:3.1
GitLab could allow a remote attacker to bypass security restrictions, caused by improper access control in the runner jobs. By sending a specially crafted request, an attacker could exploit this vulnerability to bypass access restrictions to access job and project metadata under certain conditions.

CVE-2022-2185 CVSS:9.9
GitLab could allow a remote authenticated attacker to execute arbitrary commands on the system, caused by a command injection vulnerability. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary commands on the system.

CVE-2022-1999 CVSS:3.1
GitLab could allow a remote attacker to bypass security restrictions, caused by a error in REST API. By sending a specially crafted request, an attacker could exploit this vulnerability to bypass access restrictions to change labels description.

CVE-2022-1983 CVSS:6.5
GitLab could allow a remote authhenticated attacker to bypass security restrictions, caused by improper access control. By misusing a valid Deploy Key or a Deploy Token, an attacker could exploit this vulnerability to bypass access restrictions to access Container Registries even when IP address restrictions were configured.

CVE-2022-1981 CVSS:2.7
GitLab could allow a remote authenticated attacker to bypass security restrictions, caused by an error in the domain allow-list. By using the ‘Invite a group’ feature, an attacker could exploit this vulnerability to bypass access restrictions to invite a group that doesn’t comply with the domain allow-list.

Impact

  • Information Disclosure
  • Security Bypass
  • Code Execution

Indicators Of Compromise

CVE

  • CVE-2022-1963
  • CVE-2022-2227
  • CVE-2022-2185
  • CVE-2022-1999
  • CVE-2022-1983
  • CVE-2022-1981

Affected Vendors

  • GitLab

Affected Products

  • GitLab GitLab 15.1.0
  • GitLab GitLab 15.0.3
  • GitLab GitLab 14.10.4

Remediation

Refer to GitLab Website for patch, upgrade or suggested workaround information.
GitLab Web site