CVE-2022-2185

high-risk
Published 2022-07-01

A critical issue has been discovered in GitLab affecting all versions starting from 14.0 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1 where an authenticated user authorized to import projects could import a maliciously crafted project leading to remote code execution.

Do I need to act?

!
90.1% chance of exploitation in next 30 days
EPSS score — higher than 10% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
+
Fix available
Upgrade to: af6735ad95ff7a4578c8548d37ce9e8247385d5e, 81f47cb467e3387cea11b909ea6b977e28b3b4d2, 61c8658b23e2cc1116acb740418d99c6d227e13f
9
CVSS 9.9/10 Critical
NETWORK / LOW complexity

Affected Products (4)

Affected Vendors

Gitlab

References (6)

Vendor Advisory https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-2185.json
Broken Link https://gitlab.com/gitlab-org/gitlab/-/issues/366088
Permissions Required https://hackerone.com/reports/1609965
Vendor Advisory https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-2185.json
Broken Link https://gitlab.com/gitlab-org/gitlab/-/issues/366088
Permissions Required https://hackerone.com/reports/1609965
63
/ 100
high-risk
Severity 33/34 · Critical
Exploitability 20/34 · Moderate
Exposure 10/34 · Low