CVE-2022-3413
First published: Wed Nov 09 2022(Updated: )
Incorrect authorization during display of Audit Events in GitLab EE affecting all versions from 14.5 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2, allowed Developers to view the project's Audit Events and Developers or Maintainers to view the group's Audit Events. These should have been restricted to Project Maintainers, Group Owners, and above.
Credit: cve@gitlab.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| GitLab | >=14.5.0<15.3.5 | |
| GitLab | >=15.4.0<15.4.4 | |
| GitLab | >=15.5.0<15.5.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2022-3413?
CVE-2022-3413 has been rated as a high severity vulnerability due to incorrect authorization that allows unauthorized access to sensitive audit event data.
How do I fix CVE-2022-3413?
To fix CVE-2022-3413, upgrade GitLab EE to version 15.3.5 or higher, 15.4.4 or higher, or 15.5.2 or higher.
Who is affected by CVE-2022-3413?
CVE-2022-3413 affects users of GitLab EE versions from 14.5 up to 15.3.5, 15.4 up to 15.4.4, and 15.5 up to 15.5.2.
What type of data can be accessed due to CVE-2022-3413?
Due to CVE-2022-3413, developers may gain unauthorized access to project and group audit events.
Is CVE-2022-3413 present in GitLab CE?
CVE-2022-3413 specifically affects GitLab EE and does not apply to GitLab CE versions.
- agent/type
- agent/references
- agent/author
- agent/weakness
- agent/softwarecombine
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/severity
- agent/first-publish-date
- agent/event
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/gitlab
- canonical/gitlab
- version/gitlab/14.5.0
- version/gitlab/15.4.0
- version/gitlab/15.5.0