Description

An issue has been discovered in GitLab affecting all versions starting from 9.3 before 15.4.6, all versions starting from 15.5 before 15.5.5, all versions starting from 15.6 before 15.6.1. It was possible for a project maintainer to leak a webhook secret token by changing the webhook URL to an endpoint that allows them to capture request headers.

Related CPE's

a

gitlab

gitlab

6

References

https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-4054.json

Vendor Advisory

https://gitlab.com/gitlab-org/gitlab/-/issues/382260

ExploitIssue TrackingVendor Advisory

https://hackerone.com/reports/1758126

Permissions RequiredThird Party Advisory

Weaknesses

[email protected]

Primary
NVD-CWE-noinfo

CVSS impact metrics

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N

5.5 · Medium

  • CVSS V3.1

  • CVSS V3.0

  • CVSS V2.0

Information

Source identifier

[email protected]

Vulnerability status

Analyzed

Published

2023-01-26T21:18:06.253

1 year ago

Last modified

2023-02-01T17:22:19.103

1 year ago