Possible actions that could be done by an unprivileged user:
- add new collaborators
- change group membership
- view group information
- view user information
- view project information
- add user as manager

Currently GitLab does not prevent unprivileged users from accessing the user management system and adding other users as collaborators. This issue was fixed in 14.5.2. If you are using a version before 14.5.2, you should upgrade as soon as possible.
CVE-2022-0550
Possible actions that could be done by unprivileged users:
- create new repositories
- view repository information
- view user information
- view project information

If you are using a version before 14.5.2, you should upgrade as soon as possible.
CVE-2022-0542
Possible actions that could be done by an unprivileged user:
- view project information
- add user as collaborator

Currently GitLab does not prevent unprivileged users from accessing the project management system and adding other users as collaborators. This issue was fixed in 14.5.2. If you are using a version before 14.5.2, you should upgrade as soon as possible.
CVE-2022-0547
Possible actions that could be done by an unprivileged user:
- view project information
- view project code information (gitlab-shell only)
- edit issue
- edit comment

Currently GitLab does not prevent unprivileged users from accessing the issue management system and viewing other issues. This issue was fixed in 14.5.2. If you are using a version before 14.5.2, you should upgrade as soon as possible.
GitLab is a web-based git repository with wiki, issue tracking, and continuous integration built in for software development projects with multiple stakeholders or developers on any platform, including Windows and Linux systems running on the Cloud Foundry PaaS service or your own cloud infrastructure.
How to check if you are affected?
Check the GitLab version using:
gitlab-rake gitlab:version
If you see 14.5.2 or later, you are good to go. If you see a version before 14.5.2, update as soon as possible!
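The comparison against 14.5.2 has to be done numerically per field, since a plain string comparison would rank 14.10.0 below 14.5.2. The script below is an added example, not GitLab's own tooling; the function names are hypothetical and it assumes you pass it the version string you read from the command above.

```sh
#!/bin/sh
# Added example: compare a GitLab version string with the fixed release
# named on this page. Function names are illustrative, not GitLab tooling.

FIXED_VERSION="14.5.2"

# Print MAJOR.MINOR.PATCH from strings such as "14.5.2", "v14.5.2" or
# "14.10.0-ee". Returns 1 (and prints nothing) if the input is malformed.
normalize_version() {
    v=$(printf '%s' "$1" |
        sed -n 's/^v\{0,1\}\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*$/\1/p')
    [ -n "$v" ] || return 1
    printf '%s\n' "$v"
}

# Return 0 if $1 >= $2, 1 if $1 < $2, 2 if either version cannot be parsed.
version_ge() {
    a=$(normalize_version "$1") || return 2
    b=$(normalize_version "$2") || return 2
    old_ifs=$IFS
    IFS=.
    set -- $a $b            # $1 $2 $3 = fields of a, $4 $5 $6 = fields of b
    IFS=$old_ifs
    [ "$1" -gt "$4" ] && return 0
    [ "$1" -lt "$4" ] && return 1
    [ "$2" -gt "$5" ] && return 0
    [ "$2" -lt "$5" ] && return 1
    [ "$3" -ge "$6" ]
}

# Print "patched", "vulnerable" or "unknown" for the given version string.
check_gitlab_version() {
    if version_ge "$1" "$FIXED_VERSION"; then
        echo "patched"
    else
        case $? in
            1) echo "vulnerable" ;;
            *) echo "unknown" ;;
        esac
    fi
}

# Constructed sample inputs, including the 14.10 vs 14.5 ordering case.
for sample in 14.5.1 14.5.2 14.10.0-ee 13.12.15 not-a-version; do
    printf '%-14s %s\n' "$sample" "$(check_gitlab_version "$sample")"
done
```

An "unknown" result means the string could not be parsed and the version should be checked by hand.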
Timeline
Published on: 03/28/2022 19:15:00 UTC
Last modified on: 04/04/2022 19:20:00 UTC