CVE-2022-3902
First published: Tue Jan 24 2023(Updated: )
An issue has been discovered in GitLab affecting all versions starting from 9.3 before 15.4.6, all versions starting from 15.5 before 15.5.5, all versions starting from 15.6 before 15.6.1. It was possible for a project maintainer to unmask webhook secret tokens by reviewing the logs after testing webhooks.
Credit: cve@gitlab.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| GitLab | >=9.3.0<15.4.6 | |
| GitLab | >=9.3.0<15.4.6 | |
| GitLab | >=15.5.0<15.5.5 | |
| GitLab | >=15.5.0<15.5.5 | |
| GitLab | =15.6.0 | |
| GitLab | =15.6.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2022-3902?
CVE-2022-3902 has a medium severity level as it allows project maintainers to view webhook secret tokens in logs.
How do I fix CVE-2022-3902?
To mitigate CVE-2022-3902, upgrade to GitLab version 15.4.6, 15.5.5, or 15.6.1 or later.
Who is affected by CVE-2022-3902?
CVE-2022-3902 affects all GitLab versions from 9.3 up to 15.4.6, between 15.5.0 and 15.5.5, and exactly 15.6.0.
What types of GitLab editions are impacted by CVE-2022-3902?
Both GitLab Community Edition and GitLab Enterprise Edition are impacted by CVE-2022-3902.
What kind of information can be exposed due to CVE-2022-3902?
CVE-2022-3902 can expose sensitive webhook secret tokens through log review.
- agent/type
- agent/references
- agent/author
- agent/softwarecombine
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/severity
- agent/event
- agent/first-publish-date
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/gitlab
- canonical/gitlab
- version/gitlab/9.3.0
- version/gitlab/15.5.0
- version/gitlab/15.6.0