A vulnerability in GitLab CE/EE affecting all versions from 11.10 prior to 15.1.6, 15.2 to 15.2.4, 15.3 to 15.3.2 allows an authenticated user to achieve remote code execution via the Import from GitHub API endpoint.
Published 2022-10-17 16:15:22
Updated 2023-02-15 20:15:11
Source GitLab Inc.
View at NVD,   CVE.org
Vulnerability category: Execute code

Products affected by CVE-2022-2992

  • Gitlab » Gitlab » Community Edition
    Versions from including (>=) 15.2 and before (<) 15.2.4
    cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
  • Gitlab » Gitlab » Community Edition
    Versions from including (>=) 15.3 and before (<) 15.3.2
    cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
  • Gitlab » Gitlab » Enterprise Edition
    Versions from including (>=) 15.3 and before (<) 15.3.2
    cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*
  • Gitlab » Gitlab » Community Edition
    Versions from including (>=) 11.10 and before (<) 15.1.6
    cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
  • Gitlab » Gitlab » Enterprise Edition
    Versions from including (>=) 15.2 and before (<) 15.2.4
    cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*
  • Gitlab » Gitlab » Enterprise Edition
    Versions from including (>=) 11.10 and before (<) 15.1.6
    cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*

Exploit prediction scoring system (EPSS) score for CVE-2022-2992

2.38%
Probability of exploitation activity in the next 30 days EPSS Score History
~ 90 %
Percentile, the proportion of vulnerabilities that are scored at or less

Metasploit modules for CVE-2022-2992

  • GitLab GitHub Repo Import Deserialization RCE
    Disclosure Date: 2022-10-06
    First seen: 2023-09-11
    exploit/multi/http/gitlab_github_import_rce_cve_2022_2992
    An authenticated user can import a repository from GitHub into GitLab. If a user attempts to import a repo from an attacker-controlled server, the server will reply with a Redis serialization protocol object in the nested `default_branch`. GitLab will cache t

CVSS scores for CVE-2022-2992

Base Score Base Severity CVSS Vector Exploitability Score Impact Score Score Source First Seen
9.9
CRITICAL CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
3.1
6.0
GitLab Inc.
9.9
CRITICAL CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
3.1
6.0
NIST

CWE ids for CVE-2022-2992

References for CVE-2022-2992

Jump to
This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!