CVE-2022-2992
9.9
CRITICAL
CVSS 3.1
EPSS 91.2%
Description
A vulnerability in GitLab CE/EE affecting all versions from 11.10 prior to 15.1.6, 15.2 to 15.2.4, 15.3 to 15.3.2 allows an authenticated user to achieve remote code execution via the Import from GitHub API endpoint.
How to fix CVE-2022-2992
To remediate CVE-2022-2992, upgrade the affected package to a fixed version below.
- Bitnami/gitlab—upgrade to 15.1.6 or later
Is CVE-2022-2992 being exploited?
Likely — EPSS is 91.2%, placing CVE-2022-2992 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.
Affected packages (1)
- Affected version ranges: >= 11.10.0 and < 15.1.6; >= 15.2.0 and < 15.2.4; >= 15.3.0 and < 15.3.2
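To check an installed GitLab version against the three affected ranges listed above, the following added example (not code from this advisory, GitLab or Bitnami) compares a version string with the first-affected and first-fixed boundaries of each release branch; it assumes versions are written as MAJOR.MINOR.PATCH with an optional `-ee`/`-ce` suffix.

```python
# Added example: checks a GitLab version against the CVE-2022-2992 ranges
# given on this page. The ranges are taken from the advisory; the version
# string format (MAJOR.MINOR.PATCH, optional -ee/-ce suffix) is an assumption.
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# (first affected, first fixed) per release branch, as listed on the page
AFFECTED_RANGES = [
    ((11, 10, 0), (15, 1, 6)),
    ((15, 2, 0), (15, 2, 4)),
    ((15, 3, 0), (15, 3, 2)),
]


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR.PATCH' (optionally '-ee'/'-ce' suffixed) into a tuple."""
    core = text.strip().split("-")[0]
    parts = core.split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def affected_range(text: str) -> Optional[Tuple[Version, Version]]:
    """Return the (first_affected, first_fixed) range containing the version, or None."""
    v = parse_version(text)
    for lo, fixed in AFFECTED_RANGES:
        if lo <= v < fixed:
            return lo, fixed
    return None


def is_affected(text: str) -> bool:
    """True when the version falls inside any affected range on this page."""
    return affected_range(text) is not None


def recommended_fix(text: str) -> Optional[str]:
    """Smallest fixed release on the same branch, or None when not affected."""
    rng = affected_range(text)
    if rng is None:
        return None
    return ".".join(str(n) for n in rng[1])


if __name__ == "__main__":
    for sample in ("15.0.2", "15.1.6", "15.2.3-ee", "15.3.2", "11.9.9"):
        state = "affected" if is_affected(sample) else "not affected"
        print(sample, state, recommended_fix(sample))
```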
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL (9.9) | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |