Rewterz Threat Advisory
April 5, 2022
Severity
Medium
Analysis Summary
CVE-2022-1120 CVSS:4.8
GitLab Community Edition and GitLab Enterprise Edition could allow a remote authenticated attacker to obtain sensitive information, caused by missing filtering in an error message when an include directive fails in the CI/CD configuration. An attacker could exploit this vulnerability to obtain sensitive information and use this information to launch further attacks against the affected system.
CVE-2022-1121 CVSS:5.3
GitLab Community Edition and GitLab Enterprise Edition are vulnerable to a denial of service, caused by lack of appropriate timeouts in GitLab Pages. A remote attacker could exploit this vulnerability to cause unlimited resource consumption.
CVE-2022-1148 CVSS:5.3
GitLab Community Edition and GitLab Enterprise Edition could allow a remote attacker to obtain sensitive information, caused by improper authorization in GitLab Pages. An attacker could exploit this vulnerability to steal users’ access tokens on an attacker-controlled private GitLab Pages website and reuse them on victims’ other private websites.
CVE-2022-1157 CVSS:2.6
GitLab Community Edition and GitLab Enterprise Edition could allow a remote authenticated attacker to obtain sensitive information, caused by a lack of sanitization of logged exception messages. A remote authenticated attacker could exploit this vulnerability to cause sensitive values contained in invalid URLs to be written to the logs, and use this information to launch further attacks against the affected system.
CVE-2022-1174 CVSS:4.3
GitLab Community Edition and GitLab Enterprise Edition are vulnerable to a denial of service, caused by improper input validation in Issues, Merge requests, Milestones, Snippets, and Wiki pages. A remote authenticated attacker could exploit this vulnerability to cause high CPU usage.
CVE-2022-1175 CVSS:8.7
GitLab Community Edition and GitLab Enterprise Edition are vulnerable to cross-site scripting, caused by improper validation of user-supplied input in notes. A remote authenticated attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVE-2022-1185 CVSS:6.5
GitLab Community Edition and GitLab Enterprise Edition are vulnerable to a denial of service, caused by an error when rendering RDoc files. By using a specially-crafted RDoc file, a remote authenticated attacker could exploit this vulnerability to cause the application to crash.
CVE-2022-0740 CVSS:3.1
GitLab could allow a remote authenticated attacker to bypass security restrictions, caused by improper authorization in the Asana integration’s branch restriction feature. An attacker could exploit this vulnerability to close Asana tasks from unrestricted branches.
CVE-2022-1099 CVSS:4.3
GitLab Community Edition and GitLab Enterprise Edition are vulnerable to a denial of service. By adding a large number of tags to a runner, a remote authenticated attacker could exploit this vulnerability to cause a denial of service.
CVE-2022-1100 CVSS:4.3
GitLab Community Edition and GitLab Enterprise Edition are vulnerable to a denial of service, caused by a regex check in the API used to update an asset as a link from a release. A remote authenticated attacker could exploit this vulnerability to cause high CPU usage.
CVE-2022-1105 CVSS:4.3
GitLab Community Edition and GitLab Enterprise Edition could allow a remote authenticated attacker to obtain sensitive information, caused by improper access control. An attacker could exploit this vulnerability to access pipeline analytics even when public pipelines are disabled.
CVE-2022-1111 CVSS:2.4
GitLab Community Edition and GitLab Enterprise Edition could allow a remote authenticated attacker to gain unauthorized access to the system, caused by business logic errors in Project Import. An attacker could exploit this vulnerability to cause imported projects to show an incorrect user in the ‘Access Granted’ column in the project membership pages.
Impact
- Denial of Service
- Information Disclosure
- Cross-Site Scripting
- Unauthorized Access
Indicator Of Compromise
CVE
- CVE-2022-1120
- CVE-2022-1121
- CVE-2022-1148
- CVE-2022-1157
- CVE-2022-1174
- CVE-2022-1175
- CVE-2022-1185
- CVE-2022-0740
- CVE-2022-1099
- CVE-2022-1100
- CVE-2022-1105
- CVE-2022-1111
Affected Vendors
GitLab
Affected Products
- GitLab 6.2.3 Community
- GitLab 6.2.0 Enterprise
- GitLab 6.6.0 Enterprise
- GitLab 6.6.1 Enterprise
- GitLab 9.4.3 Enterprise
- GitLab 9.3.9 Enterprise
- GitLab 9.2.9 Enterprise
- GitLab 9.1.9 Enterprise
- GitLab 9.0.12 Enterprise
- GitLab 8.17.7 Enterprise
- GitLab 10.1.6 Community
- GitLab 10.1.5 Community
- GitLab 10.1.5 Enterprise
- GitLab 10.2.5 Enterprise
- GitLab 10.2.5 Community
- GitLab 10.3.3 Community
- GitLab 10.3.3 Enterprise
- GitLab 9.5.10 Community
- GitLab 9.5.10 Enterprise
- GitLab 10.7.1 Community
- GitLab 10.6.4 Community
- GitLab 10.5.7 Community
- GitLab 10.7.1 Enterprise
- GitLab 10.6.4 Enterprise
- GitLab 10.5.7 Enterprise
- GitLab 10.7.5 Community
- GitLab 10.7.5 Enterprise
- GitLab 10.8.4 Enterprise
- GitLab 10.8.4 Community
- GitLab 11.0.0 Community
- GitLab 11.0.0 Enterprise
- GitLab 11.7 Community
- GitLab 11.6 Enterprise
- GitLab 11.4.13 Community
- GitLab 11.5.6 Community
- GitLab 11.6.3 Community
- GitLab 11.4.13 Enterprise
- GitLab 11.5.6 Enterprise
- GitLab 11.6.3 Enterprise
- GitLab 12.1.1 Community
- GitLab 11.11.5 Community
- GitLab 11.11.5 Enterprise
- GitLab 12.1.1 Enterprise
- GitLab 12.0.3 Enterprise
- GitLab 12.0.3 Community
- GitLab 11.11.7 Enterprise
- GitLab 11.11.7 Community
- GitLab 12.0.4 Community
- GitLab 12.0.4 Enterprise
- GitLab 12.1.2 Enterprise
- GitLab 12.1.2 Community
- GitLab 12.9.2 Community
- GitLab 12.9.2 Enterprise
- GitLab 13.0.1 Community
- GitLab 13.0.1 Enterprise
- GitLab 13.4 Enterprise
- GitLab 13.5 Enterprise
- GitLab 13.3 Enterprise
- GitLab 12.6.6 Community
- GitLab 12.6.6 Enterprise
- GitLab 13.10.3 Community
- GitLab 9.5 Community
- GitLab 13.11 Community
- GitLab 13.12 Community
- GitLab 14.0 Community
- GitLab 13.10 Enterprise
- GitLab 13.11 Enterprise
- GitLab 13.12 Enterprise
- GitLab 14.0 Enterprise
- GitLab 14.7.6 Community
- GitLab 14.7.6 Enterprise
- GitLab 14.8.4 Community
- GitLab 14.8.4 Enterprise
- GitLab 14.9.1 Community
- GitLab 14.9.1 Enterprise
- GitLab 14.7 Community
- GitLab 14.7 Enterprise
- GitLab 14.8 Community
- GitLab 14.8 Enterprise
- GitLab 14.9 Community
- GitLab 14.9 Enterprise
Remediation
Upgrade to the latest version of GitLab Community Edition or GitLab Enterprise Edition, available from the GitLab Web site.