CVE-2022-1783

An issue has been discovered in GitLab CE/EE affecting all versions starting from 14.3 before 14.9.5, all versions starting from 14.10 before 14.10.4, all versions starting from 15.0 before 15.0.1. It may be possible for malicious group maintainers to add new members to a project within their group, through the REST API, even after their group owner enabled a setting to prevent members from being added to projects within that group.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
2.7 LOW
NETWORK
LOW
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
GitLabCNA
2.7 LOW
NETWORK
LOW
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 41%
VendorProductVersion
gitlabgitlab
14.3.0 ≤
𝑥
< 14.9.5
gitlabgitlab
14.3.0 ≤
𝑥
< 14.9.5
gitlabgitlab
14.10.0 ≤
𝑥
< 14.10.4
gitlabgitlab
14.10.0 ≤
𝑥
< 14.10.4
gitlabgitlab
15.0.0
gitlabgitlab
15.0.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
gitlab
sid
16.8.4-1
fixed
References
https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-1783.json
https://gitlab.com/gitlab-org/gitlab/-/issues/353121
https://hackerone.com/reports/1472109
https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-1783.json
https://gitlab.com/gitlab-org/gitlab/-/issues/353121
https://hackerone.com/reports/1472109