CVE-2022-2229

HIGH

GitLab CE/EE <14.10.5-15.0.4-15.1.1 - Info Disclosure

Title source: llm

Description

An improper authorization issue in GitLab CE/EE affecting all versions from 13.7 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1 allows an attacker to extract the value of an unprotected variable they know the name of in public projects or private projects they're a member of.

Exploits (1)

gitlab STUB

by hackerone_a0xnirudh · poc

https://gitlab.com/hackerone_a0xnirudh/cve-2022-2229-bypass-demo-deletion_scheduled-79807952

View Code ZIP pw:eip

References (3)

[Vendor Advisory] https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-2229.json

[Broken Link] https://gitlab.com/gitlab-org/gitlab/-/issues/355738

[Permissions Required, Third Party Advisory] https://hackerone.com/reports/1511133

Scores

CVSS v3 7.5

EPSS 0.0022

EPSS Percentile 44.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

Status published

Products (2)

gitlab/gitlab 15.1.0 (2 CPE variants)

gitlab/gitlab 13.7.0 - 14.10.5 (2 CPE variants)

Published Jul 01, 2022

Tracked Since Feb 18, 2026