Severity
Medium
Analysis Summary
CVE-2022-3759 (CVSS score 4.3)
GitLab CE/EE is vulnerable to a denial of service, caused by a flaw in the Sidekiq background job that processes uploaded CI job artifacts. By uploading a crafted CI job artifact zip, a remote authenticated attacker could exploit this vulnerability to cause a denial of service.
CVE-2022-3411 (CVSS score 6.5)
GitLab CE/EE is vulnerable to a denial of service, caused by a lack of length validation on Issue descriptions submitted through the GraphQL API. By creating an Issue with a very large description via GraphQL, a remote authenticated attacker could exploit this vulnerability to cause a denial of service.
CVE-2022-4138 (CVSS score 6.4)
GitLab CE/EE is vulnerable to cross-site request forgery (CSRF), caused by improper validation of user-supplied input. By persuading an authenticated user to visit a malicious Web site, a remote attacker could cause that user's browser to send a crafted HTTP request to GitLab and thereby take over a repository.
CVE-2023-0518 (CVSS score 4.3)
GitLab CE/EE is vulnerable to a denial of service, caused by a flaw in the Sidekiq background job that processes uploaded Helm charts. By uploading a crafted Helm chart, a remote authenticated attacker could exploit this vulnerability to cause a denial of service.
CVE-2022-4255 (CVSS score 4.3)
GitLab could allow a remote attacker to obtain sensitive information, caused by an unspecified flaw in webhook handling. By using a specially crafted webhook payload, an attacker could exploit this vulnerability to obtain a user's email address.
CVE-2022-4335 (CVSS score 4.3)
GitLab is vulnerable to server-side request forgery (SSRF), caused by an unspecified flaw. By sending a specially crafted request, a remote authenticated attacker could exploit this vulnerability to conduct a blind SSRF attack, making the GitLab server connect to localhost and so reach services that are not exposed externally. The attacker does not see the response (hence "blind"), but can infer whether a connection succeeded.
Impact
Denial of Service
Information Disclosure
Unauthorized Access
Indicators Of Compromise
CVE
CVE-2022-3759
CVE-2022-3411
CVE-2022-4138
CVE-2023-0518
CVE-2022-4255
CVE-2022-4335
Affected Vendors
GitLab
Affected Products
GitLab Community Edition (CE) 15.7.5
GitLab Community Edition (CE) 15.6.6
GitLab Enterprise Edition (EE) 15.6.6
GitLab Enterprise Edition (EE) 15.7.5
GitLab Enterprise Edition (EE) 15.8.0
GitLab Community Edition (CE) 15.8.0
GitLab 15.4.5
GitLab 15.5.4
GitLab 15.6.0
Remediation
Upgrade GitLab CE/EE to the latest patched release, available from the GitLab Web site. After upgrading, confirm the running version is no longer one of the affected versions listed above (for example, in the Admin Area or with "sudo gitlab-rake gitlab:env:info" on Omnibus installations). Until the upgrade is applied, limit who can upload CI job artifacts and Helm charts, and restrict outbound webhook and local-network requests from the GitLab server where possible.
The post Rewterz Threat Advisory – Multiple GitLab Products Vulnerabilities first appeared on Rewterz.