CVE-2022-2417
Severity: MEDIUM
GitLab 12.10-15.0.4, 15.1-15.1.3, 15.2-15.2.0 - Authenticated Supply Chain Attack via Branch Name Spoofing
Insufficient validation in GitLab CE/EE affecting all versions from 12.10 prior to 15.0.5, 15.1 prior to 15.1.4, and 15.2 prior to 15.2.1 allows an authenticated and authorised user to import a project that includes branch names that are exactly 40 hexadecimal characters long, the same form as a full Git commit ID. This could be abused in supply chain attacks against a victim that has pinned to a specific Git commit of the project, since a lookup by name may resolve the branch instead of the intended commit.
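As an added example (not code from the advisory or from GitLab), the following Python models the hazard and the import-time check a defender would want: ref names that are exactly 40 hexadecimal characters are flagged, and a constructed resolver shows how a name-first lookup hands back the branch's commit while an object-ID-first lookup returns the pinned commit and still reports the ambiguity. All commit IDs, ref names and the two resolution orders are constructed assumptions for illustration.

```python
import re

# A full Git SHA-1 object ID is exactly 40 hexadecimal characters.
FULL_SHA_RE = re.compile(r"[0-9a-fA-F]{40}")

# Constructed sample repository: two commits and two refs.
PINNED = "3f2a7c9e1b4d6a8f0c2e5b7d9a1c3e5f7b9d1a2c"      # commit the victim pinned
MALICIOUS = "e1d4b2c8a6f0e3d5c7b9a1f2e4d6c8b0a2f4e6d8"   # commit the spoofing branch points at
SAMPLE_COMMITS = {PINNED, MALICIOUS}
SAMPLE_REFS = {
    "main": MALICIOUS,
    PINNED: MALICIOUS,  # branch whose *name* equals the pinned commit ID
}


def sha_like_refs(ref_names):
    """Return ref names that are indistinguishable from a full commit ID.

    An import pipeline can run this over the refs of an incoming project and
    reject or rename any hit before the refs become resolvable by name."""
    return sorted(n for n in ref_names if FULL_SHA_RE.fullmatch(n))


def resolve_revision(rev, refs, commits, prefer_refs=True):
    """Resolve a revision string to a commit ID under one of two orderings.

    refs: {ref_name: commit_id}; commits: set of full commit IDs.
    prefer_refs=True models a resolver that tries ref names before object IDs,
    the ordering a SHA-like branch can abuse; prefer_refs=False tries object
    IDs first. Returns (commit_id, ambiguous) so callers can act on the clash."""
    in_refs = rev in refs
    in_commits = rev in commits
    ambiguous = in_refs and in_commits
    if prefer_refs and in_refs:
        return refs[rev], ambiguous
    if in_commits:
        return rev, ambiguous
    if in_refs:
        return refs[rev], ambiguous
    raise KeyError(f"unknown revision {rev!r}")


def audit_import(refs, commits):
    """Findings for an import: SHA-like ref names, and which of them already
    shadow a real commit in the repository (the exploitable case)."""
    return [(name, name in commits) for name in sha_like_refs(refs)]
```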
References (2)
- Vendor Advisory (x_refsource_misc; link reported broken): https://gitlab.com/gitlab-org/gitlab/-/issues/361179
- Vendor Advisory (x_refsource_confirm): https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-2417.json
Scores
CVSS v3: 6.2
EPSS: 0.0015
EPSS Percentile: 34.9%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:N/I:H/A:N
Details
CWE: CWE-20
Status: published
Products (2):
- gitlab/gitlab 15.2 (2 CPE variants)
- gitlab/gitlab 12.10.0 - 15.0.5 (2 CPE variants)
Published: Aug 05, 2022
Tracked Since: Feb 18, 2026