CVSS: 7.3EPSS: 0%CPEs: 6EXPL: 0CVE-2022-2428
https://notcve.org/view.php?id=CVE-2022-2428
A crafted tag in the Jupyter Notebook viewer in GitLab EE/CE affecting all versions before 15.1.6, 15.2 to 15.2.4, and 15.3 to 15.3.2 allows an attacker to issue arbitrary HTTP requests Una etiqueta diseñada en Jupyter Notebook viewer in GitLab EE/CE que afectando a todas las versiones anteriores a 15.1.6, 15.2 a 15.2.4, y 15.3 a 15.3.2 permite a un atacante emitir peticiones HTTP arbitrarias • https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-2428.json https://gitlab.com/gitlab-org/gitlab/-/issues/362272 https://hackerone.com/reports/1563379 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.9EPSS: 0%CPEs: 6EXPL: 1CVE-2022-2884 – GitLab v15.3 - Remote Code Execution (RCE) (Authenticated)
https://notcve.org/view.php?id=CVE-2022-2884
A vulnerability in GitLab CE/EE affecting all versions from 11.3.4 prior to 15.1.5, 15.2 to 15.2.3, 15.3 to 15.3 to 15.3.1 allows an an authenticated user to achieve remote code execution via the Import from GitHub API endpoint Una vulnerabilidad en GitLab CE/EE afectando a todas las versiones desde la 11.3.4 anteriores a 15.1.5, desde la 15.2 a 15.2.3, desde la 15.3 a 15.3.1, permite a un usuario autenticado lograr una ejecución de código remota por medio del endpoint de la API Import from GitHub GitLab version 15.3 suffers from a remote code execution vulnerability. • https://www.exploit-db.com/exploits/51181 http://packetstormsecurity.com/files/171628/GitLab-15.3-Remote-Code-Execution.html https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-2884.json https://gitlab.com/gitlab-org/gitlab/-/issues/371098 https://hackerone.com/reports/1672388 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 4.3EPSS: 0%CPEs: 6EXPL: 0CVE-2022-3030
https://notcve.org/view.php?id=CVE-2022-3030
An improper access control issue in GitLab CE/EE affecting all versions starting before 15.1.6, all versions from 15.2 before 15.2.4, all versions from 15.3 before 15.3.2 allows disclosure of pipeline status to unauthorized users. Un problema de control de acceso inapropiado en GitLab CE/EE afectando a todas las versiones a partir de 15.1.6, a todas las versiones a partir de 15.2 anteriores a 15.2.4, a todas las versiones a partir de 15.3 anteriores a 15.3.2 permite revelar el estado de las tuberías a usuarios no autorizados • https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-3030.json https://gitlab.com/gitlab-org/gitlab/-/issues/37959 https://hackerone.com/reports/749882 •
CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 0CVE-2022-3351
https://notcve.org/view.php?id=CVE-2022-3351
An issue has been discovered in GitLab EE affecting all versions starting from 13.7 before 15.2.5, all versions starting from 15.3 before 15.3.4, all versions starting from 15.4 before 15.4.1. A user's primary email may be disclosed to an attacker through group member events webhooks. Se ha detectado un problema en GitLab EE afectando a todas las versiones a partir de 13.7 anteriores a 15.2.5, a todas las versiones a partir de 15.3 anteriores a 15.3.4, a todas las versiones a partir de 15.4 anteriores a 15.4.1. El correo electrónico principal de un usuario puede ser divulgado a un atacante mediante los webhooks de eventos de miembros del grupo • https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-3351.json https://gitlab.com/gitlab-org/gitlab/-/issues/364266 https://hackerone.com/reports/1446022 •
CVSS: 9.9EPSS: 2%CPEs: 6EXPL: 3CVE-2022-2992 – GitLab GitHub Repo Import Deserialization RCE
https://notcve.org/view.php?id=CVE-2022-2992
A vulnerability in GitLab CE/EE affecting all versions from 11.10 prior to 15.1.6, 15.2 to 15.2.4, 15.3 to 15.3.2 allows an authenticated user to achieve remote code execution via the Import from GitHub API endpoint. Una vulnerabilidad en GitLab CE/EE afectando a todas las versiones desde la 11.10 anteriores a 15.1.6, desde la 15.2 hasta la 15.2.4, desde la 15.3 hasta la 15.3.2 permite a un usuario autenticado lograr la ejecución de código remota por medio del endpoint de la API Import from GitHub An authenticated user can import a repository from GitHub into GitLab. If a user attempts to import a repo from an attacker-controlled server, the server will reply with a Redis serialization protocol object in the nested default_branch. GitLab will cache this object and then deserialize it when trying to load a user session, resulting in remote code execution. • https://github.com/CsEnox/CVE-2022-2992 https://github.com/Malwareman007/CVE-2022-2992 http://packetstormsecurity.com/files/171008/GitLab-GitHub-Repo-Import-Deserialization-Remote-Code-Execution.html https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-2992.json https://gitlab.com/gitlab-org/gitlab/-/issues/371884 https://hackerone.com/reports/1679624 https://github.com/redwaysecurity/CVEs/tree/main/CVE-2022-2992 https://raw.githubusercontent.com/rapid7/metasploit-framework/ma • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •