CVE-2022-3413

Published: Nov 10, 2022Modified: May 1, 2025

4.3

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Exploitability: 2.8 / Impact: 1.4

Source: NVD

Description

Incorrect authorization during display of Audit Events in GitLab EE affecting all versions from 14.5 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2, allowed Developers to view the project's Audit Events and Developers or Maintainers to view the group's Audit Events. These should have been restricted to Project Maintainers, Group Owners, and above.

Affected (3)

Products: Gitlab: Gitlab

1 product

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Gitlab Gitlab	From 14.5.0 to 15.3.5
Gitlab Gitlab	From 15.4.0 to 15.4.4
Gitlab Gitlab	From 15.5.0 to 15.5.2

Related CWEs

Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

References (5)

https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-3413.json

Source: cve@gitlab.com

Vendor Advisory

https://gitlab.com/gitlab-org/gitlab/-/issues/374926

Source: cve@gitlab.com

Broken LinkVendor Advisory

https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-3413.json

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://gitlab.com/gitlab-org/gitlab/-/issues/374926

Source: af854a3a-2127-422b-91ae-364da2661108

Broken LinkVendor Advisory

https://gitlab.com/gitlab-org/gitlab/-/issues/374926

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

Broken LinkVendor Advisory

Timeline

No history available yet.