CVE-2022-1944: When the Interactive Web Terminal feature is configured, improper authorization in GitLab CE/EE, affecting all versions from 11.3 prior to 14.9.5, 14.10 prior to 14.10.4, and 15.0 prior to 15.0.1, allows users with the Developer role to open the Interactive Web Terminal on running CI jobs that belong to other users.

The Interactive Web Terminal lets a user open a shell inside a running CI job. Because the authorization check in that feature was incomplete, a user with the Developer role could open a terminal on a job started by another user. A terminal attached to someone else's job runs with that job's environment, so the attacker can execute commands in the job, modify the code it is building and potentially compromise any data the job can reach, including CI variables and credentials exposed to that job.

Both Community Edition and Enterprise Edition are affected, in all versions from 11.3 prior to 14.9.5, 14.10 prior to 14.10.4, and 15.0 prior to 15.0.1. The issue is only reachable when the feature is configured: the Interactive Web Terminal is enabled through the [session_server] section of the GitLab Runner config.toml, so an instance whose runners do not configure it is not exposed through this path. The fix shipped in GitLab 14.9.5, 14.10.4 and 15.0.1; upgrade to one of those releases or later, and until then disabling the session server on runners removes the attack surface.
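To decide whether an instance is in scope, a practitioner wants the version ranges as a check rather than as prose. The following Python is an added example, not code from CVE.news or from GitLab: it parses the version string reported by GitLab's /api/v4/version endpoint, tests it against the three affected ranges, and applies the "when the feature is configured" caveat by looking for a [session_server] section in a GitLab Runner config.toml, the section that enables the Interactive Web Terminal. The API response and runner config are constructed samples, the config check is a heuristic rather than a full TOML parse, and the function names (parse_version, is_affected, fixed_version_for, session_server_configured, assess) are this example's own.

```python
"""
Added example for CVE-2022-1944 (not CVE.news or GitLab code): classify a
GitLab version against the affected ranges and check whether the
Interactive Web Terminal is enabled on a runner.
"""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges published for CVE-2022-1944, as [first affected, first fixed)
# per release branch.
AFFECTED_RANGES = [
    ((11, 3, 0), (14, 9, 5)),
    ((14, 10, 0), (14, 10, 4)),
    ((15, 0, 0), (15, 0, 1)),
]


def parse_version(text: str) -> Version:
    """Turn a GitLab version string into a (major, minor, patch) tuple.

    GitLab's /api/v4/version reports strings such as "14.10.3-ee" or
    "15.0.0-pre"; the edition/pre-release suffix does not affect the range
    check, so it is ignored. A missing patch component is treated as 0.
    """
    match = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not match:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = match.group(1), match.group(2), match.group(3) or "0"
    return (int(major), int(minor), int(patch))


def is_affected(version: str) -> bool:
    """True if the version lies inside one of the affected ranges."""
    parsed = parse_version(version)
    return any(low <= parsed < high for low, high in AFFECTED_RANGES)


def fixed_version_for(version: str) -> Optional[str]:
    """Lowest patched release for the affected range containing `version`,
    or None when the version is not affected."""
    parsed = parse_version(version)
    for low, high in AFFECTED_RANGES:
        if low <= parsed < high:
            return ".".join(str(part) for part in high)
    return None


def session_server_configured(config_toml: str) -> bool:
    """Heuristic check of a GitLab Runner config.toml: the Interactive Web
    Terminal is only reachable when a [session_server] section with a
    listen_address is present. This is an assumption about the config
    layout and a regex scan, not a full TOML parse."""
    section = re.search(r"^\s*\[session_server\]\s*$(.*?)(?=^\s*\[|\Z)",
                        config_toml, re.MULTILINE | re.DOTALL)
    if not section:
        return False
    return re.search(r"^\s*listen_address\s*=", section.group(1), re.MULTILINE) is not None


def assess(api_version_payload: dict, runner_config_toml: str) -> dict:
    """Combine the two signals the way a vulnerability-management check would.
    `api_version_payload` is the JSON object returned by GET /api/v4/version
    (an authenticated request on a real instance)."""
    version = api_version_payload["version"]
    affected = is_affected(version)
    terminal = session_server_configured(runner_config_toml)
    return {
        "version": version,
        "affected_version": affected,
        "terminal_configured": terminal,
        "exposed": affected and terminal,
        "upgrade_to": fixed_version_for(version),
    }


# Constructed sample inputs (not real instance data).
SAMPLE_API_RESPONSE = {"version": "14.10.3-ee", "revision": "deadbeef"}
SAMPLE_RUNNER_CONFIG = """
concurrent = 4

[session_server]
  listen_address = "0.0.0.0:8093"
  advertise_address = "runner.example.internal:8093"
  session_timeout = 1800

[[runners]]
  name = "docker-runner"
  executor = "docker"
"""

if __name__ == "__main__":
    print(assess(SAMPLE_API_RESPONSE, SAMPLE_RUNNER_CONFIG))
```

The runner config has to be read from each runner host, not from the GitLab server; an instance is exposed if any runner that executes other users' jobs has the session server configured, so the check is worth running per runner rather than once.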

Summary

When the Interactive Web Terminal is configured, users with the Developer role can open terminal sessions on other users' running CI jobs in GitLab CE and EE, giving them command execution inside those jobs and access to the code, data and credentials the jobs handle. Affected: 11.3 prior to 14.9.5, 14.10 prior to 14.10.4, 15.0 prior to 15.0.1. Fixed in 14.9.5, 14.10.4 and 15.0.1.
