CVE-2022-3291

Serialization of sensitive data in GitLab EE affecting all versions from 14.9 prior to 15.2.5, 15.3 prior to 15.3.4, and 15.4 prior to 15.4.1 can leak sensitive information via cache

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-3291.json	Vendor Advisory
https://gitlab.com/gitlab-org/gitlab/-/issues/354299	Broken Link Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:gitlab:gitlab:::::enterprise:::*
	cpe:2.3:a:gitlab:gitlab:::::enterprise:::*
	cpe:2.3:a:gitlab:gitlab:::::enterprise:::*

History

No history.

Information

Published : 2022-10-17 16:15

Updated : 2022-10-20 14:25

NVD link : CVE-2022-3291

Mitre link : CVE-2022-3291

CVE.ORG link : CVE-2022-3291

JSON object : View

Products Affected

gitlab

gitlab

CWE

CWE-502

Deserialization of Untrusted Data

{"id": "CVE-2022-3291", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "cve@gitlab.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2022-10-17T16:15:22.567", "references": [{"url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-3291.json", "tags": ["Vendor Advisory"], "source": "cve@gitlab.com"}, {"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/354299", "tags": ["Broken Link", "Vendor Advisory"], "source": "cve@gitlab.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-502"}]}], "descriptions": [{"lang": "en", "value": "Serialization of sensitive data in GitLab EE affecting all versions from 14.9 prior to 15.2.5, 15.3 prior to 15.3.4, and 15.4 prior to 15.4.1 can leak sensitive information via cache"}, {"lang": "es", "value": "Una serializaci\u00f3n de datos confidenciales en GitLab EE afectando a todas las versiones desde la 14.9 anteriores a 15.2.5, la 15.3 anteriores a 15.3.4 y la 15.4 anteriores a 15.4.1 puede filtrar informaci\u00f3n confidencial por medio de la cach\u00e9"}], "lastModified": "2022-10-20T14:25:23.387", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "vulnerable": true, "matchCriteriaId": "0E1D81D0-5DF4-4FB0-88F9-CCDBD1168CC4", "versionEndExcluding": "15.2.5", "versionStartIncluding": "14.9"}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "vulnerable": true, "matchCriteriaId": "3A4CDDAE-AEDA-40D8-9D36-11535172233D", "versionEndExcluding": "15.3.4", "versionStartIncluding": "15.3"}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "vulnerable": true, "matchCriteriaId": "1605D4DC-D7EA-42BC-B006-8A79C32781CE", "versionEndExcluding": "15.4.1", "versionStartIncluding": "15.4"}], "operator": "OR"}]}], "sourceIdentifier": "cve@gitlab.com"}