CVE-2022-3820

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2022-3820

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-3820.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2022-3820

Aliases

BIT-gitlab-2022-3820

Related

UBUNTU-CVE-2022-3820

Published

2023-01-26T21:15:58Z

Modified

2025-04-02T17:15:11.449336Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N CVSS Calculator

Summary

[none]

Details

An issue has been discovered in GitLab affecting all versions starting from 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2. GitLab was not performing correct authentication with some Package Registries when IP address restrictions were configured, allowing an attacker already in possession of a valid Deploy Token to misuse it from any location.

References

Affected packages

Git / gitlab.com/gitlab-org/gitlab

Affected ranges

Type: GIT
Repo: https://gitlab.com/gitlab-org/gitlab
Events: Introduced

abbda55531f0a9d630eee1dcf2305ca499c94116

Fixed

4fc991ae59a1eea8f776ef290e8da400331ba5b9

Affected versions

v15.*

v15.4.0-ee

v15.4.1-ee

v15.4.2-ee

v15.4.3-ee

v15.4.4-ee

v15.4.5-ee