CVE-2022-3870

MEDIUM

GitLab CE/EE <15.5.7-15.6.4-15.7.2 - Info Disclosure

Title source: llm

Description

An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.0 before 15.5.7, all versions starting from 15.6 before 15.6.4, all versions starting from 15.7 before 15.7.2. GitLab allows unauthenticated users to download user avatars using the victim's user ID, on private instances that restrict public level visibility.

References (3)

Core 3

Core References

Vendor Advisory

https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-3870.json

Broken Link

https://gitlab.com/gitlab-org/gitlab/-/issues/381647

Permissions Required, Third Party Advisory

https://hackerone.com/reports/1753423

Scores

CVSS v3 5.3

EPSS 0.0123

EPSS Percentile 79.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-200

Status published

Products (1)

gitlab/gitlab 10.0.0 - 15.5.7 (2 CPE variants)

Published Jan 12, 2023

Tracked Since Feb 18, 2026