Vulnerability Details : CVE-2022-1433
An issue has been discovered in GitLab affecting all versions starting from 14.4 before 14.8.6, all versions starting from 14.9 before 14.9.4, all versions starting from 14.10 before 14.10.1. Missing invalidation of Markdown caching causes potential payloads from a previously exploitable XSS vulnerability (CVE-2022-1175) to persist and execute.
Vulnerability category: Cross site scripting (XSS)
Exploit prediction scoring system (EPSS) score for CVE-2022-1433
Probability of exploitation activity in the next 30 days: 0.12%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 46 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2022-1433
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|
|
4.3
|
MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
8.6
|
2.9
|
nvd@nist.gov |
|
2.6
|
LOW | CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N |
1.2
|
1.4
|
cve@gitlab.com |
|
6.1
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
2.8
|
2.7
|
nvd@nist.gov |
CWE ids for CVE-2022-1433
-
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.Assigned by: nvd@nist.gov (Primary)
References for CVE-2022-1433
-
https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-1433.json
2022/CVE-2022-1433.json · master · GitLab.org / cves · GitLabVendor Advisory
-
https://gitlab.com/gitlab-org/gitlab/-/issues/357930
Not FoundBroken Link
-
https://hackerone.com/reports/1528829
Sign inPermissions Required;Third Party Advisory
Products affected by CVE-2022-1433
- cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*
- cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
- cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*
- cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
- cpe:2.3:a:gitlab:gitlab:14.10.0:*:*:*:enterprise:*:*:*
- cpe:2.3:a:gitlab:gitlab:14.10.0:*:*:*:community:*:*:*