CVE-2022-4331

Published: Mar 9, 2023Modified: Feb 28, 2025

7.3

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

Exploitability: 2.1 / Impact: 5.2

Source: NVD

Description

An issue has been discovered in GitLab EE affecting all versions starting from 15.1 before 15.7.8, all versions starting from 15.8 before 15.8.4, all versions starting from 15.9 before 15.9.2. If a group with SAML SSO enabled is transferred to a new namespace as a child group, it's possible previously removed malicious maintainer or owner of the child group can still gain access to the group via SSO or a SCIM token to perform actions on the group.

Affected (3)

Products: Gitlab: Gitlab

1 product

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Gitlab Gitlab	From 15.1 to 15.7.8
Gitlab Gitlab	From 15.8 to 15.8.4
Gitlab Gitlab	From 15.9 to 15.9.2

Related CWEs

Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

References (6)

https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-4331.json

Source: cve@gitlab.com

Vendor Advisory

https://gitlab.com/gitlab-org/gitlab/-/issues/385050

Source: cve@gitlab.com

Broken Link

https://hackerone.com/reports/1791518

Source: cve@gitlab.com

Permissions Required

https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-4331.json

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://gitlab.com/gitlab-org/gitlab/-/issues/385050

Source: af854a3a-2127-422b-91ae-364da2661108

Broken Link

https://hackerone.com/reports/1791518

Source: af854a3a-2127-422b-91ae-364da2661108

Permissions Required

Timeline

No history available yet.