
CVE-2022-2498


An issue in pipeline subscriptions in GitLab EE affecting all versions from 12.8 prior to 15.0.5, 15.1 prior to 15.1.4, and 15.2 prior to 15.2.1 triggered new pipelines with the person who created the tag as the pipeline creator instead of the subscription's author.


Published: 2022-08-05T16:15:12.137

Last Modified: 2024-11-21T07:01:07.230

Status: Modified

Source: [email protected]

Severity: CVSSv3.1: 6.4 (MEDIUM)

Weaknesses
  • Type: Primary
    CWE-269

Affected Vendors & Products
Type         Vendor  Product  Version/Range  Vulnerable?
Application  gitlab  gitlab   < 15.0.5       Yes
Application  gitlab  gitlab   < 15.1.4       Yes
Application  gitlab  gitlab   15.2           Yes
