CVE-2022-3331

An issue has been discovered in GitLab EE affecting all versions starting from 14.5 before 15.1.6, all versions starting from 15.2 before 15.2.4, all versions starting from 15.3 before 15.3.2. GitLab's Zentao integration has an insecure direct object reference vulnerability that may be exploited by an attacker to leak Zentao project issues.

CVSS v3 4.3 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-3331.json	Vendor Advisory
https://gitlab.com/gitlab-org/gitlab/-/issues/360372	Exploit Issue Tracking Vendor Advisory
https://hackerone.com/reports/1542834	Permissions Required Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:gitlab:gitlab:::::enterprise:::*
	cpe:2.3:a:gitlab:gitlab:::::enterprise:::*
	cpe:2.3:a:gitlab:gitlab:::::enterprise:::*

History

20 Oct 2022, 14:30

Type	Values Removed	Values Added
CWE		CWE-639
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 4.3
References	~~(CONFIRM) https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-3331.json -~~	(CONFIRM) https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-3331.json - Vendor Advisory
References	~~(MISC) https://hackerone.com/reports/1542834 -~~	(MISC) https://hackerone.com/reports/1542834 - Permissions Required, Third Party Advisory
References	~~(MISC) https://gitlab.com/gitlab-org/gitlab/-/issues/360372 -~~	(MISC) https://gitlab.com/gitlab-org/gitlab/-/issues/360372 - Exploit, Issue Tracking, Vendor Advisory
CPE		cpe:2.3:a:gitlab:gitlab:::::enterprise:::*

17 Oct 2022, 17:56

Type	Values Removed	Values Added
New CVE

Information

Published : 2022-10-17 16:15

Updated : 2024-02-04 22:51

NVD link : CVE-2022-3331

Mitre link : CVE-2022-3331

CVE.ORG link : CVE-2022-3331

JSON object : View

Products Affected

gitlab

gitlab

CWE

CWE-639

Authorization Bypass Through User-Controlled Key

{"id": "CVE-2022-3331", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "cve@gitlab.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 3.5, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 1.8}]}, "published": "2022-10-17T16:15:22.827", "references": [{"url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-3331.json", "tags": ["Vendor Advisory"], "source": "cve@gitlab.com"}, {"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/360372", "tags": ["Exploit", "Issue Tracking", "Vendor Advisory"], "source": "cve@gitlab.com"}, {"url": "https://hackerone.com/reports/1542834", "tags": ["Permissions Required", "Third Party Advisory"], "source": "cve@gitlab.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-639"}]}], "descriptions": [{"lang": "en", "value": "An issue has been discovered in GitLab EE affecting all versions starting from 14.5 before 15.1.6, all versions starting from 15.2 before 15.2.4, all versions starting from 15.3 before 15.3.2. GitLab's Zentao integration has an insecure direct object reference vulnerability that may be exploited by an attacker to leak Zentao project issues."}, {"lang": "es", "value": "Se ha detectado un problema en GitLab EE afectando a todas las versiones a partir de 14.5 anteriores a 15.1.6, todas las versiones a partir de 15.2 anteriores a 15.2.4, todas las versiones a partir de 15.3 anteriores a 15.3.2. La integraci\u00f3n con Zentao de GitLab presenta una vulnerabilidad de referencia directa a objetos no segura que puede ser explotada por un atacante para filtrar los problemas de los proyectos de Zentao"}], "lastModified": "2022-10-20T14:30:23.607", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "vulnerable": true, "matchCriteriaId": "7495D743-6CB7-4908-B247-2EF5170004C6", "versionEndExcluding": "15.1.6", "versionStartIncluding": "14.5"}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "vulnerable": true, "matchCriteriaId": "B81CEDFB-EDCD-4298-8AEF-80C16422AE12", "versionEndExcluding": "15.2.4", "versionStartIncluding": "15.2"}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "vulnerable": true, "matchCriteriaId": "7D17D848-4F93-4E17-98E7-10DC30A5CCFE", "versionEndExcluding": "15.3.2", "versionStartIncluding": "15.3"}], "operator": "OR"}]}], "sourceIdentifier": "cve@gitlab.com"}