CVE-2022-2992: Command Injection
First published: Mon Oct 17 2022(Updated: )
A vulnerability in GitLab CE/EE affecting all versions from 11.10 prior to 15.1.6, 15.2 to 15.2.4, 15.3 to 15.3.2 allows an authenticated user to achieve remote code execution via the Import from GitHub API endpoint.
Credit: cve@gitlab.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| GitLab | >=11.10<15.1.6 | |
| GitLab | >=11.10<15.1.6 | |
| GitLab | >=15.2<15.2.4 | |
| GitLab | >=15.2<15.2.4 | |
| GitLab | >=15.3<15.3.2 | |
| GitLab | >=15.3<15.3.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2022-2992?
CVE-2022-2992 has a high severity rating as it allows authenticated users to achieve remote code execution.
How do I fix CVE-2022-2992?
To fix CVE-2022-2992, upgrade to GitLab versions 15.1.6, 15.2.4, or 15.3.2 or later.
Which versions of GitLab are affected by CVE-2022-2992?
CVE-2022-2992 affects all GitLab CE/EE versions from 11.10 prior to 15.1.6, 15.2 to 15.2.4, and 15.3 to 15.3.2.
Can CVE-2022-2992 be exploited remotely?
Yes, CVE-2022-2992 can be exploited remotely by authenticated users leveraging the Import from GitHub API endpoint.
What types of GitLab installations are impacted by CVE-2022-2992?
Both GitLab Community Edition (CE) and Enterprise Edition (EE) installations are impacted by CVE-2022-2992.
- agent/references
- agent/type
- agent/author
- agent/softwarecombine
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/last-modified-date
- agent/weakness
- agent/first-publish-date
- agent/event
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/gitlab
- canonical/gitlab
- version/gitlab/11.10
- version/gitlab/15.2
- version/gitlab/15.3