Possible actions that could be performed by an unprivileged user:
- add new collaborators
- change group membership
- view group information
- view user information
- view project information
- add a user as a manager

GitLab currently does not prevent unprivileged users from accessing the user management system and adding other users as collaborators. This issue was fixed in 14.5.2. If you are running a version earlier than 14.5.2, upgrade as soon as possible.

CVE-2022-0550

Possible actions that could be performed by an unprivileged user:
- create new repositories
- view repository information
- view user information
- view project information

If you are running a version earlier than 14.5.2, upgrade as soon as possible.

CVE-2022-0542

Possible actions that could be performed by an unprivileged user:
- view project information
- add a user as a collaborator

GitLab currently does not prevent unprivileged users from accessing the project management system and adding other users as collaborators. This issue was fixed in 14.5.2. If you are running a version earlier than 14.5.2, upgrade as soon as possible.

CVE-2022-0547

Possible actions that could be performed by an unprivileged user:
- view project information
- view project code information (gitlab-shell only)
- edit issues
- edit comments

GitLab currently does not prevent unprivileged users from accessing the issue management system and viewing other users' issues. This issue was fixed in 14.5.2. If you are running a version earlier than 14.5.2, upgrade as soon as possible.

GitLab is a web-based Git repository manager with a wiki, issue tracking, and continuous integration built in, intended for software development projects with multiple stakeholders or developers. It runs on any platform, including Windows and Linux systems hosted on the Cloud Foundry PaaS or on your own cloud infrastructure.

How to check if you are affected?

Check the GitLab version using:
gitlab-rake gitlab:version
Note that the reported version usually carries an edition suffix such as 14.5.2-ee or 14.5.2-ce; only the numeric part matters for this check. If the version shown is 14.5.2 or later, you are not affected by the issues described above. If it is earlier than 14.5.2, update as soon as possible!
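The comparison above is easy to get wrong by hand (14.10.0 is newer than 14.5.2 even though "14.10" sorts before "14.5" as text, and the -ee/-ce suffix has to be ignored). The following POSIX shell function, added here as an example and not part of GitLab's own tooling, normalizes a reported version string and compares it numerically against the fixed release named on this page. The version strings in the comments are constructed samples; the fixed version 14.5.2 is the one the page states.

```shell
#!/bin/sh
# Added example (not GitLab's own code): decide whether a GitLab version string
# is at or above the fixed release named on this page.
FIXED_VERSION="14.5.2"

# Strip a leading "v" and anything from the first non-numeric, non-dot
# character onward, so "v14.5.2-ee" and "14.5.2-ce" both become "14.5.2".
normalize_version() {
    printf '%s\n' "$1" | sed -e 's/^v//' -e 's/[^0-9.].*$//'
}

# Return 0 if dotted version $1 >= $2, comparing major, minor and patch as
# integers. Missing components (e.g. "14.5") are treated as 0.
version_ge() {
    a=$(normalize_version "$1")
    b=$(normalize_version "$2")
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s\n' "$a" | cut -d. -f"$i")
        y=$(printf '%s\n' "$b" | cut -d. -f"$i")
        x=${x:-0}
        y=${y:-0}
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# Return 0 (patched) if the given GitLab version is >= FIXED_VERSION.
# Sample inputs (constructed): "14.5.2-ee" -> patched, "14.5.1" -> not patched,
# "14.10.0-ce" -> patched, "14.5" -> not patched (treated as 14.5.0).
gitlab_is_patched() {
    version_ge "$1" "$FIXED_VERSION"
}

# Print a one-line verdict for a version string; exit status mirrors
# gitlab_is_patched so the function can be used in scripts.
report_version_status() {
    if gitlab_is_patched "$1"; then
        printf '%s: at or above %s, not affected\n' "$1" "$FIXED_VERSION"
        return 0
    fi
    printf '%s: earlier than %s, UPDATE NOW\n' "$1" "$FIXED_VERSION"
    return 1
}

# Typical usage on an Omnibus install (run manually; not executed here):
#   report_version_status "$(sudo cat /opt/gitlab/embedded/service/gitlab-rails/VERSION)"
# or, using the rake task mentioned above:
#   report_version_status "$(sudo gitlab-rake gitlab:env:info | awk '/^Version:/ {print $2; exit}')"
# or remotely, with a token that is allowed to read the version endpoint:
#   report_version_status "$(curl -s --header "PRIVATE-TOKEN: $TOKEN" "$GITLAB_URL/api/v4/version" | sed -n 's/.*"version":"\([^"]*\)".*/\1/p')"
```

The three usage lines are alternatives: the VERSION file and gitlab:env:info work locally on an Omnibus host, while /api/v4/version lets you audit a fleet of instances from one place without shell access.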

Timeline

Published on: 03/28/2022 19:15:00 UTC
Last modified on: 04/04/2022 19:20:00 UTC
