CVE-2022-2307

LOW

GitLab CE/EE <15.0.5-15.2.1 - Info Disclosure

Title source: llm

Description

A lack of cascading deletes in GitLab CE/EE affecting all versions starting from 13.0 before 15.0.5, all versions starting from 15.1 before 15.1.4, all versions starting from 15.2 before 15.2.1 allows a malicious Group Owner to retain a usable Group Access Token even after the Group is deleted, though the APIs usable by that token are limited.

References (2)

[Broken Link, Vendor Advisory] https://gitlab.com/gitlab-org/gitlab/-/issues/360025

[Vendor Advisory] https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-2307.json

Scores

CVSS v3 3.5

EPSS 0.0008

EPSS Percentile 24.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N

Details

CWE

CWE-459

Status published

Products (2)

gitlab/gitlab 15.2 (2 CPE variants)

gitlab/gitlab 13.0.0 - 15.0.5 (2 CPE variants)

Published Aug 05, 2022

Tracked Since Feb 18, 2026