CVE-2021-22224

Published: Jul 7, 2021Modified: Nov 21, 2024

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Exploitability: 2.8 / Impact: 3.6

Source: NVD

Description

A cross-site request forgery vulnerability in the GraphQL API in GitLab since version 13.12 and before versions 13.12.6 and 14.0.2 allowed an attacker to call mutations as the victim

Affected (2)

Products: Gitlab: Gitlab

Gitlab

1 product

Gitlab

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Gitlab Gitlab	From 13.12.0 to 13.12.6
Gitlab Gitlab	From 14.0.0 to 14.0.2

Related CWEs

CWE-352

Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

References (6)

https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22224.json

Source: cve@gitlab.com

Third Party Advisory

https://gitlab.com/gitlab-org/gitlab/-/issues/324397

Source: cve@gitlab.com

Broken Link

https://hackerone.com/reports/1122408

Source: cve@gitlab.com

Permissions Required

https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22224.json

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://gitlab.com/gitlab-org/gitlab/-/issues/324397

Source: af854a3a-2127-422b-91ae-364da2661108

Broken Link

https://hackerone.com/reports/1122408

Source: af854a3a-2127-422b-91ae-364da2661108

Permissions Required

Timeline

No history available yet.