CVE-2022-2498
Severity: MEDIUM
GitLab 12.8-15.0.4, 15.1-15.1.3, 15.2 - Improper Privilege Management in Pipeline Subscriptions
Title source: llmDescription
An issue in pipeline subscriptions in GitLab EE affecting all versions from 12.8 prior to 15.0.5, 15.1 prior to 15.1.4, and 15.2 prior to 15.2.1 triggered new pipelines with the person who created the tag as the pipeline creator instead of the subscription's author.
References (3)
Core References
Broken Link, Vendor Advisory (x_refsource_misc): https://gitlab.com/gitlab-org/gitlab/-/issues/243703
Permissions Required, Third Party Advisory (x_refsource_misc): https://hackerone.com/reports/966824
Vendor Advisory (x_refsource_confirm): https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-2498.json
Scores
CVSS v3: 6.4
EPSS: 0.0020
EPSS Percentile: 41.8%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N
Details
CWE: CWE-269
Status: published
Products (2)
gitlab/gitlab 15.2
gitlab/gitlab 12.8.0 - 15.0.5
Published: Aug 05, 2022
Tracked Since: Feb 18, 2026