CVE-2022-2459 - OpenCVE

An issue has been discovered in GitLab EE affecting all versions before 15.0.5, all versions starting from 15.1 before 15.1.4, all versions starting from 15.2 before 15.2.1. It may be possible for email invited members to join a project even after the Group Owner has enabled the setting to prevent members from being added to projects in a group, if the invite was sent before the setting was enabled.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Gitlab	Gitlab

Configuration 1 [-]

OR	cpe:2.3:a:gitlab:gitlab:::::enterprise:::*
	cpe:2.3:a:gitlab:gitlab:::::enterprise:::*
	cpe:2.3:a:gitlab:gitlab:15.2::::enterprise:::

Configuration 2 [-]

OR	cpe:2.3:a:gitlab:gitlab:::::community:::*
	cpe:2.3:a:gitlab:gitlab:::::community:::*
	cpe:2.3:a:gitlab:gitlab:15.2::::community:::

No data.

References

Link	Providers
https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-2459.json
https://gitlab.com/gitlab-org/gitlab/-/issues/336169
https://hackerone.com/reports/1256967

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitLab

Published: 2022-08-05T15:12:45

Updated: 2024-08-03T00:39:07.815Z

Reserved: 2022-07-18T00:00:00

Link: CVE-2022-2459

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-08-05T16:15:11.993

Modified: 2023-08-08T14:22:24.967

Link: CVE-2022-2459

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "GitLab", "vendor": "GitLab", "versions": [{"status": "affected", "version": ">=15.2, <15.2.1"}, {"status": "affected", "version": ">=15.1, <15.1.4"}, {"status": "affected", "version": ">=0.0, <15.0.5"}]}], "credits": [{"lang": "en", "value": "Thanks [justas_b](https://hackerone.com/justas_b) for reporting this vulnerability through our HackerOne bug bounty program."}], "descriptions": [{"lang": "en", "value": "An issue has been discovered in GitLab EE affecting all versions before 15.0.5, all versions starting from 15.1 before 15.1.4, all versions starting from 15.2 before 15.2.1. It may be possible for email invited members to join a project even after the Group Owner has enabled the setting to prevent members from being added to projects in a group, if the invite was sent before the setting was enabled."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"description": "Improper access control in GitLab", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-08-05T15:12:45", "orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "shortName": "GitLab"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/336169"}, {"tags": ["x_refsource_MISC"], "url": "https://hackerone.com/reports/1256967"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-2459.json"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@gitlab.com", "ID": "CVE-2022-2459", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "GitLab", "version": {"version_data": [{"version_value": ">=15.2, <15.2.1"}, {"version_value": ">=15.1, <15.1.4"}, {"version_value": ">=0.0, <15.0.5"}]}}]}, "vendor_name": "GitLab"}]}}, "credit": [{"lang": "eng", "value": "Thanks [justas_b](https://hackerone.com/justas_b) for reporting this vulnerability through our HackerOne bug bounty program."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An issue has been discovered in GitLab EE affecting all versions before 15.0.5, all versions starting from 15.1 before 15.1.4, all versions starting from 15.2 before 15.2.1. It may be possible for email invited members to join a project even after the Group Owner has enabled the setting to prevent members from being added to projects in a group, if the invite was sent before the setting was enabled."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.6, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Improper access control in GitLab"}]}]}, "references": {"reference_data": [{"name": "https://gitlab.com/gitlab-org/gitlab/-/issues/336169", "refsource": "MISC", "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/336169"}, {"name": "https://hackerone.com/reports/1256967", "refsource": "MISC", "url": "https://hackerone.com/reports/1256967"}, {"name": "https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-2459.json", "refsource": "CONFIRM", "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-2459.json"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T00:39:07.815Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/336169"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://hackerone.com/reports/1256967"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-2459.json"}]}]}, "cveMetadata": {"assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "assignerShortName": "GitLab", "cveId": "CVE-2022-2459", "datePublished": "2022-08-05T15:12:45", "dateReserved": "2022-07-18T00:00:00", "dateUpdated": "2024-08-03T00:39:07.815Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "9C4B3F61-B368-4253-AAAF-61A11FD7EACA", "versionEndExcluding": "15.0.5", "vulnerable": true}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "B835154E-74C9-40CC-9CB1-D0644E8FB5AB", "versionEndExcluding": "15.1.4", "versionStartIncluding": "15.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:gitlab:gitlab:15.2:*:*:*:enterprise:*:*:*", "matchCriteriaId": "4ECA8C34-F6D0-4ED7-8278-041D709296BC", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*", "matchCriteriaId": "D6E61178-D0CC-4A09-8059-E25D6CD137B5", "versionEndExcluding": "15.0.5", "vulnerable": true}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*", "matchCriteriaId": "6EB37BE7-C89E-4366-9735-AFD4B5B63984", "versionEndExcluding": "15.1.4", "versionStartIncluding": "15.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:gitlab:gitlab:15.2:*:*:*:community:*:*:*", "matchCriteriaId": "B5EFE8DA-DD79-4CED-A75E-8240DAA9A143", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue has been discovered in GitLab EE affecting all versions before 15.0.5, all versions starting from 15.1 before 15.1.4, all versions starting from 15.2 before 15.2.1. It may be possible for email invited members to join a project even after the Group Owner has enabled the setting to prevent members from being added to projects in a group, if the invite was sent before the setting was enabled."}, {"lang": "es", "value": "Se ha detectado un problema en GitLab EE afectando a todas las versiones anteriores a la 15.0.5, a todas las versiones a partir de 15.1 anteriores a 15.1.4 y a todas las versiones a partir de 15.2 anteriores a 15.2.1. Es posible que miembros invitados por correo electr\u00f3nico sean unidas a un proyecto incluso despu\u00e9s de que el propietario del grupo haya habilitado la configuraci\u00f3n para evitar que los miembros sean a\u00f1adidas a proyectos de un grupo, si la invitaci\u00f3n es enviada antes de que sea habilitada la configuraci\u00f3n"}], "id": "CVE-2022-2459", "lastModified": "2023-08-08T14:22:24.967", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 1.4, "source": "cve@gitlab.com", "type": "Secondary"}]}, "published": "2022-08-05T16:15:11.993", "references": [{"source": "cve@gitlab.com", "tags": ["Vendor Advisory"], "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-2459.json"}, {"source": "cve@gitlab.com", "tags": ["Broken Link", "Vendor Advisory"], "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/336169"}, {"source": "cve@gitlab.com", "tags": ["Permissions Required", "Third Party Advisory"], "url": "https://hackerone.com/reports/1256967"}], "sourceIdentifier": "cve@gitlab.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "nvd@nist.gov", "type": "Primary"}]}