CVE-2022-1545

It was possible to disclose details of confidential notes created via the API in Gitlab CE/EE affecting all versions from 13.2 prior to 14.8.6, 14.9 prior to 14.9.4, and 14.10 prior to 14.10.1 if an unauthorised project member was tagged in the note.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
4.3 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
GitLabCNA
4.3 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 39%
VendorProductVersion
gitlabgitlab
13.2.0 ≤
𝑥
< 14.8.6
gitlabgitlab
13.2.0 ≤
𝑥
< 14.8.6
gitlabgitlab
14.9.0 ≤
𝑥
< 14.9.4
gitlabgitlab
14.9.0 ≤
𝑥
< 14.9.4
gitlabgitlab
14.10.0
gitlabgitlab
14.10.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
gitlab
sid
16.8.4-1
fixed
References
https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-1545.json
https://gitlab.com/gitlab-org/gitlab/-/issues/351030
https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-1545.json
https://gitlab.com/gitlab-org/gitlab/-/issues/351030