CVE-2022-1545
CVSS 3.1 score: 4.3 (MEDIUM)
EPSS 0.26%
Description
It was possible to disclose details of confidential notes created via the API in GitLab CE/EE, affecting all versions from 13.2 prior to 14.8.6, 14.9 prior to 14.9.4, and 14.10 prior to 14.10.1, if an unauthorised project member was tagged in the note.
How to fix CVE-2022-1545
To remediate CVE-2022-1545, upgrade the affected package to a fixed version below.
- Bitnami/gitlab: upgrade to 14.8.6 or later (for the 14.9 and 14.10 release branches, the fixed versions are 14.9.4 and 14.10.1 respectively)
Is CVE-2022-1545 being exploited?
Low: EPSS is 0.3%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- Bitnami/gitlab, in the following version ranges:
  - >= 13.2.0, < 14.8.6
  - >= 14.9.0, < 14.9.4
  - >= 14.10.0, < 14.10.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (4.3) | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |