CVE-2022-2884
CVSS 3.1 base score: 9.9 (CRITICAL)
EPSS: 30.0%
Description
A vulnerability in GitLab CE/EE affecting all versions from 11.3.4 prior to 15.1.5, 15.2 prior to 15.2.3, and 15.3 prior to 15.3.1 allows an authenticated user to achieve remote code execution via the Import from GitHub API endpoint.
How to fix CVE-2022-2884
To remediate CVE-2022-2884, upgrade the affected package to a fixed version below.
- Bitnami/gitlab: upgrade to 15.1.5 or later. Note that the 15.2 and 15.3 release lines are also affected; on those lines the fixed versions are 15.2.3 and 15.3.1 respectively (see the affected ranges below), so a 15.2.x or 15.3.x install is not safe merely because its version number is above 15.1.5.
Is CVE-2022-2884 being exploited?
Moderate — EPSS is 30.0%. Track this CVE but it's not at the top of the prioritisation list.
Affected packages (1)
- bitnami/gitlab: >= 11.3.4, < 15.1.5; >= 15.2.0, < 15.2.3; >= 15.3.0, < 15.3.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL (9.9) | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |