CVE-2022-1944 When the Interactive Web Terminal feature is configured, improper authorization in GitLab CE/EE affecting all versions from 11.3 prior to 14.9.5, 14.10 prior to 14.10.4, and 15.0 prior to 15.0.1 allows users with the Developer role to open the Interactive Web Terminal.

A Developer who opens the terminal can modify code and potentially compromise data. The same improper authorization also allows an attacker to create a new job or modify an existing one: a job created this way can run with an elevated permissions level and expose the credentials of other users, potentially giving the attacker access to other users' confidential data. Only instances on which the feature is configured are exposed. The issue is fixed in 14.9.5, 14.10.4 and 15.0.1.

Summary

When the Interactive Web Terminal feature is configured, affected GitLab CE/EE versions let users holding only the Developer role (a role commonly granted to every contributor on a project) open the terminal and create or modify jobs. A job running with elevated permissions may expose other users' credentials and confidential data. Upgrade to 14.9.5, 14.10.4 or 15.0.1, or leave the feature unconfigured until you can.
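The following is an added example, not code from the advisory or from GitLab, that turns the affected ranges stated above into a check a practitioner can run against an instance's version string (for example the value shown on the `/help` page, such as `14.10.3-ee`). The range table and the CE/EE suffix handling are assumptions drawn only from the ranges listed on this page; versions outside the three listed ranges are reported as not affected by this CVE.

```python
"""Check a GitLab version string against the CVE-2022-1944 affected ranges.

Added example; ranges are taken from the advisory text above:
  11.3  <= v < 14.9.5
  14.10 <= v < 14.10.4
  15.0  <= v < 15.0.1
"""
from typing import List, Tuple

Version = Tuple[int, int, int]

# (inclusive lower bound, exclusive upper bound) per affected branch.
# The upper bound of each range is the first fixed release on that branch.
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    ((11, 3, 0), (14, 9, 5)),
    ((14, 10, 0), (14, 10, 4)),
    ((15, 0, 0), (15, 0, 1)),
]

FIXED_VERSIONS = ["14.9.5", "14.10.4", "15.0.1"]


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR[.PATCH][-ee|-ce|-pre]' into a 3-tuple.

    Anything after the first '-' (the edition/pre-release tag GitLab appends,
    e.g. '14.10.3-ee') is ignored, and missing components default to 0.
    Raises ValueError on non-numeric components.
    """
    core = text.strip().split("-", 1)[0]
    parts = core.split(".")
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(p) for p in parts]
    while len(nums) < 3:
        nums.append(0)
    return (nums[0], nums[1], nums[2])


def is_affected(text: str) -> bool:
    """True if the version falls inside any range listed in the advisory."""
    v = parse_version(text)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def remediation(text: str) -> str:
    """Name the first fixed release on the same branch, or report 'not affected'.

    Versions between 14.9.5 and 14.10 (e.g. 14.9.6) already carry the fix and
    are reported as not affected, matching the ranges above.
    """
    v = parse_version(text)
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:
            return "upgrade to %d.%d.%d" % hi
    return "not affected"


if __name__ == "__main__":
    # Constructed sample inputs, one per branch plus the boundaries.
    for sample in ["11.2.9", "11.3.0", "13.12.15", "14.9.4", "14.9.5",
                   "14.10.3-ee", "14.10.4", "15.0.0", "15.0.1", "15.1.0"]:
        print(f"{sample:12s} affected={is_affected(sample)!s:5s} {remediation(sample)}")
```

The check only answers "is this version inside the published ranges"; it says nothing about whether the Interactive Web Terminal is actually configured on the instance, which is the precondition the advisory states, so an instance reported as affected still needs that configuration confirmed before it is treated as exposed.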

Timeline

Published on: 06/06/2022 17:15:00 UTC
Last modified on: 06/13/2022 18:37:00 UTC

References