Rewterz Threat Advisory – Multiple GitLab Vulnerabilities

Severity

Medium

Analysis Summary

CVE-2022-4201 CVSS:3.5
GitLab is vulnerable to server-side request forgery, caused by a flaw in the Web Terminal advertise_address. By sending a specially-crafted request, a remote authenticated attacker could exploit this vulnerability to obtain sensitive data.

CVE-2022-3478 CVSS:4.3
GitLab is vulnerable to a denial of service. By uploading a malicious NuGet package, a remote authenticated attacker could exploit this vulnerability to cause a denial of service.

CVE-2022-3482 CVSS:5.3
GitLab could allow a remote attacker to obtain sensitive information, caused by an improper access control issue. By sending specially-crafted request, an attacker could exploit this vulnerability to obtain release names.

CVE-2022-3572 CVSS:5.4
GitLab is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the Jira Connect integration. A remote authenticated attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim’s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.

CVE-2022-4054 CVSS:5.5
GitLab could allow a remote authenticated attacker to obtain sensitive information, caused by a sensitive information leak issue. By changing the webhook URL, an attacker could exploit this vulnerability to obtain webhook secret token.

CVE-2022-3902 CVSS:5.5
GitLab could allow a remote authenticated attacker to obtain sensitive information, caused by a sensitive information leak issue. By reviewing the logs after testing webhooks, an attacker could exploit this vulnerability to unmask webhook secret tokens.

CVE-2022-4205 CVSS:6.3
GitLab could allow a remote authenticated attacker to bypass security restrictions, caused by improper access control. By using a branch with a hexadecimal name, an attacker could exploit this vulnerability to override an existing hash.

CVE-2022-3740 CVSS:6.5
GitLab could allow a remote authenticated attacker to bypass security restrictions, caused by improper access control. By using a branch with a hexadecimal name, an attacker could exploit this vulnerability to override an existing hash.GitLab could allow a remote authenticated attacker to bypass security restrictions, caused by improper access control. By using a branch with a hexadecimal name, an attacker could exploit this vulnerability to override an existing hash.

CVE-2022-3820 CVSS:6.5
GitLab could allow a remote authenticated attacker to bypass security restrictions, caused by improper authentication with some Package Registries when IP address restrictions were configured. By sending a specially-crafted request, an attacker in possession of a valid Deploy Token could exploit this vulnerability to misuse it from any location.

CVE-2022-4206 CVSS:7.7
GitLab could allow a remote authenticated attacker to obtain sensitive information, caused by a sensitive information leak issue in all versions of DAST API scanner. By sending specially-crafted request, an attacker could exploit this vulnerability to obtain Authorization header in the vulnerability report.

Impact

• Information Theft
• Denial of Service
• Information Disclosure
• Cross-Site Scripting

Indicators Of Compromise

CVE

CVE-2022-4201
CVE-2022-3478
CVE-2022-3482
CVE-2022-3572
CVE-2022-4054
CVE-2022-3902
CVE-2022-4205
CVE-2022-3740
CVE-2022-3820
CVE-2022-4206

Affected Vendors

GitLab

Affected Products

• GitLab Community Edition 15.6.0
• GitLab Community Edition 15.5.4
• GitLab Community Edition 15.4.5
• GitLab Enterprise Edition 15.6.0
• GitLab Enterprise Edition 15.5.4
• GitLab Enterprise Edition 15.4.5

Remediation

Refer to GitLab Website for patch, upgrade or suggested workaround information.

GitLab Website