CVE-2022-3478

An issue has been discovered in GitLab affecting all versions starting from 12.8 before 15.4.6, all versions starting from 15.5 before 15.5.5, all versions starting from 15.6 before 15.6.1. It was possible to trigger a DoS attack by uploading a malicious nuget package.
References
Link Resource
https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-3478.json Vendor Advisory
https://gitlab.com/gitlab-org/gitlab/-/issues/377788 Exploit Issue Tracking Vendor Advisory
https://hackerone.com/reports/1716296 Permissions Required Third Party Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:gitlab:gitlab:15.6.0:*:*:*:community:*:*:*
cpe:2.3:a:gitlab:gitlab:15.6.0:*:*:*:enterprise:*:*:*

History

01 Feb 2023, 17:16

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 4.3
CWE CWE-434
First Time Gitlab gitlab
Gitlab
CPE cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
cpe:2.3:a:gitlab:gitlab:15.6.0:*:*:*:enterprise:*:*:*
cpe:2.3:a:gitlab:gitlab:15.6.0:*:*:*:community:*:*:*
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*
References (CONFIRM) https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-3478.json - (CONFIRM) https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-3478.json - Vendor Advisory
References (MISC) https://gitlab.com/gitlab-org/gitlab/-/issues/377788 - (MISC) https://gitlab.com/gitlab-org/gitlab/-/issues/377788 - Exploit, Issue Tracking, Vendor Advisory
References (MISC) https://hackerone.com/reports/1716296 - (MISC) https://hackerone.com/reports/1716296 - Permissions Required, Third Party Advisory

26 Jan 2023, 21:15

Type Values Removed Values Added
New CVE

Information

Published : 2023-01-26 21:15

Updated : 2023-12-10 14:48


NVD link : CVE-2022-3478

Mitre link : CVE-2022-3478

CVE.ORG link : CVE-2022-3478


JSON object : View

Products Affected

gitlab

  • gitlab
CWE
CWE-434

Unrestricted Upload of File with Dangerous Type