CVE-2022-2228

low-risk

Published 2022-07-01

Information exposure in GitLab EE affecting all versions from 12.0 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1 allows an attacker with the appropriate access tokens to obtain CI variables in a group with using IP-based access restrictions even if the GitLab Runner is calling from outside the allowed IP range

Do I need to act?

0.15% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 5.3/10 Medium

NETWORK / HIGH complexity

Affected Products (2)

Gitlab

Affected Vendors

Gitlab

References (4)

Vendor Advisory https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-2228.json

Permissions Required https://gitlab.com/gitlab-org/security/gitlab/-/issues/682

Vendor Advisory https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-2228.json

Permissions Required https://gitlab.com/gitlab-org/security/gitlab/-/issues/682

/ 100

low-risk

Severity 17/34 · Moderate

Exploitability 1/34 · Minimal

Exposure 7/34 · Low