Vulnerability Details : CVE-2022-2499
An issue has been discovered in GitLab EE affecting all versions starting from 13.10 before 15.0.5, all versions starting from 15.1 before 15.1.4, and all versions starting from 15.2 before 15.2.1. GitLab's Jira integration has an insecure direct object reference (IDOR) vulnerability that may be exploited by an attacker to leak Jira issues. Fixed in 15.0.5, 15.1.4 and 15.2.1.
Products affected by CVE-2022-2499
- cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*
- cpe:2.3:a:gitlab:gitlab:15.2:*:*:*:enterprise:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-2499
- EPSS score: 0.07% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~30% (proportion of vulnerabilities scored at or below this value)
CVSS scores for CVE-2022-2499
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
3.5 | LOW | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N | 1.8 | 1.4 | GitLab Inc. |
4.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N | 2.8 | 1.4 | NIST |

The two vectors agree on the impact (confidentiality only, low) and disagree on attack complexity (GitLab: AC:H, NIST: AC:L) and scope (GitLab: S:C, NIST: S:U); that difference alone moves the base score from LOW 3.5 to MEDIUM 4.3.
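To make the vendor/NIST difference in the table traceable to the metrics, here is an added CVSS v3.1 base-score calculator that recomputes both rows from their vector strings. This is example code written for this page, not code from GitLab, NIST or the CVE database; the metric weights and the Roundup routine are the ones published in the CVSS v3.1 specification.

```ruby
# Added example: CVSS v3.1 base score from a vector string (not the page's code).
# Metric weights per the CVSS v3.1 specification.
AV  = { "N" => 0.85, "A" => 0.62, "L" => 0.55, "P" => 0.2 }
AC  = { "L" => 0.77, "H" => 0.44 }
UI  = { "N" => 0.85, "R" => 0.62 }
CIA = { "H" => 0.56, "L" => 0.22, "N" => 0.0 }
# Privileges Required weight depends on Scope: [scope unchanged, scope changed]
PR  = { "N" => [0.85, 0.85], "L" => [0.62, 0.68], "H" => [0.27, 0.5] }

# Roundup exactly as defined in CVSS v3.1 (integer arithmetic avoids
# float artefacts that would otherwise produce e.g. 3.6 instead of 3.5).
def roundup(x)
  i = (x * 100_000).round
  return i / 100_000.0 if i % 10_000 == 0
  ((i / 10_000).floor + 1) / 10.0
end

# "CVSS:3.1/AV:N/AC:H/..." -> { "AV" => "N", "AC" => "H", ... }
def parse_vector(vector)
  parts = vector.split("/")
  raise ArgumentError, "not a CVSS 3.x vector: #{vector}" unless parts.shift =~ /\ACVSS:3\.[01]\z/
  parts.to_h { |p| p.split(":", 2) }
end

def severity(score)
  return "NONE" if score == 0
  return "LOW" if score < 4.0
  return "MEDIUM" if score < 7.0
  return "HIGH" if score < 9.0
  "CRITICAL"
end

# Returns { base:, severity:, exploitability:, impact: } for a base vector.
def cvss31_base(vector)
  m = parse_vector(vector)
  changed = m["S"] == "C"
  iss = 1 - (1 - CIA.fetch(m["C"])) * (1 - CIA.fetch(m["I"])) * (1 - CIA.fetch(m["A"]))
  impact = if changed
             7.52 * (iss - 0.029) - 3.25 * (iss - 0.02)**15
           else
             6.42 * iss
           end
  expl = 8.22 * AV.fetch(m["AV"]) * AC.fetch(m["AC"]) *
         PR.fetch(m["PR"])[changed ? 1 : 0] * UI.fetch(m["UI"])
  base = if impact <= 0
           0.0
         elsif changed
           roundup([1.08 * (impact + expl), 10].min)
         else
           roundup([impact + expl, 10].min)
         end
  { base: base, severity: severity(base), exploitability: expl.round(1), impact: impact.round(1) }
end

if __FILE__ == $0
  ["CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N",   # GitLab Inc. row
   "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"].each do |v|  # NIST row
    puts "#{v} => #{cvss31_base(v)}"
  end
end
```

Running it reproduces the table: the GitLab vector yields 3.5 LOW (exploitability 1.8, impact 1.4) and the NIST vector 4.3 MEDIUM (exploitability 2.8, impact 1.4). Note that the changed-scope branch both uses the larger PR:L weight (0.68 instead of 0.62) and multiplies the sum by 1.08, so AC:H is what pulls the vendor score below the NIST one despite the scope change.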
CWE ids for CVE-2022-2499
- The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. (Assigned by: nvd@nist.gov, Primary)
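The CWE text above describes the general pattern behind this CVE: the caller is authorized for one object, but a key in the request selects a different object and is used without being tied back to that authorization. The following is an added Ruby illustration of that pattern in a Jira-integration-like setting, written for this page; it is not GitLab's code and does not reproduce the actual GitLab bug. The data, the `Project` struct, the `jira_client_fetch` stub and the assumption that a project-level integration's stored credentials can read every Jira project the integration owner can see are all constructed for the example.

```ruby
# Added example (hypothetical, not GitLab's code): IDOR in an integration that
# proxies requests to an upstream service with stored, owner-scoped credentials.

# Constructed sample data: what the integration owner's Jira credentials can see.
JIRA_ISSUES = {
  "PUB"    => ["PUB-1 Public bug"],
  "SECRET" => ["SECRET-7 Confidential roadmap item"],
}.freeze

# A GitLab-style project: members plus the single Jira project key it is wired to.
Project = Struct.new(:id, :members, :jira_project_key)

PROJECTS = {
  1 => Project.new(1, %w[alice mallory], "PUB"),   # mallory is a member here only
  2 => Project.new(2, %w[alice], "SECRET"),        # alice's other project
}.freeze

class NotAuthorized < StandardError; end

def authorize_member!(user, project)
  raise NotAuthorized, "#{user} is not a member of project #{project.id}" \
    unless project.members.include?(user)
end

# Stands in for the Jira API call made with the integration's stored credentials;
# those credentials are the owner's, so they can read any key the owner can read.
def jira_client_fetch(jira_project_key)
  JIRA_ISSUES.fetch(jira_project_key, [])
end

# Vulnerable: membership is checked against project_id, but the Jira key that
# actually selects the data comes straight from the request (CWE pattern above).
def issues_vulnerable(user, project_id, requested_key)
  project = PROJECTS.fetch(project_id)
  authorize_member!(user, project)
  jira_client_fetch(requested_key)
end

# Fixed: the request may only touch the Jira project configured on the GitLab
# project the caller was authorized for. Any other key is rejected, and the
# upstream call uses the server-side value, never the client-supplied one.
def issues_fixed(user, project_id, requested_key)
  project = PROJECTS.fetch(project_id)
  authorize_member!(user, project)
  unless requested_key == project.jira_project_key
    raise NotAuthorized, "project #{project.id} is not linked to Jira project #{requested_key}"
  end
  jira_client_fetch(project.jira_project_key)
end
```

With this data, `issues_vulnerable("mallory", 1, "SECRET")` returns the confidential issue from alice's other project, while `issues_fixed` raises `NotAuthorized` for the same call and still serves `PUB` normally. The general rule the fix applies: every identifier that selects data must be derived from, or checked against, the object the caller was authorized for, not taken from the request and passed through to a backend whose credentials are broader than the caller's.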
References for CVE-2022-2499
- https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-2499.json (2022/CVE-2022-2499.json, GitLab.org / GitLab CVE assignments; Vendor Advisory)
- https://gitlab.com/gitlab-org/gitlab/-/issues/360800 (IDOR in project with Jira integration leaks project owner's other projects' Jira issues, GitLab issue #360800; Vendor Advisory, Broken Link)
- https://hackerone.com/reports/1538068 (HackerOne report 1538068; Third Party Advisory, Permissions Required)