CVE-2022-2498
First published: Fri Aug 05 2022(Updated: )
An issue in pipeline subscriptions in GitLab EE affecting all versions from 12.8 prior to 15.0.5, 15.1 prior to 15.1.4, and 15.2 prior to 15.2.1 triggered new pipelines with the person who created the tag as the pipeline creator instead of the subscription's author.
Credit: cve@gitlab.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| GitLab | >=12.8.0<15.0.5 | |
| GitLab | >=15.1.0<15.1.4 | |
| GitLab | =15.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2022-2498?
CVE-2022-2498 is considered a medium severity issue due to the potential for incorrect pipeline creator attribution.
How do I fix CVE-2022-2498?
To mitigate CVE-2022-2498, upgrade GitLab to version 15.0.5, 15.1.4, or 15.2.1 or later.
What versions of GitLab are affected by CVE-2022-2498?
CVE-2022-2498 affects all versions of GitLab from 12.8 prior to 15.0.5, 15.1 prior to 15.1.4, and 15.2 prior to 15.2.1.
What kind of issue is CVE-2022-2498?
CVE-2022-2498 is an issue related to pipeline subscriptions that affects the attribution of pipeline creators.
Who is most impacted by CVE-2022-2498?
Users of GitLab EE who utilize pipeline subscriptions may be impacted by CVE-2022-2498.
- agent/type
- agent/references
- agent/weakness
- agent/author
- agent/softwarecombine
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/last-modified-date
- agent/event
- agent/first-publish-date
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/gitlab
- canonical/gitlab
- version/gitlab/12.8.0
- version/gitlab/15.1.0
- version/gitlab/15.2