First published: Tue Jan 24 2023
An issue has been discovered in GitLab affecting all versions starting from 9.3 before 15.4.6, all versions starting from 15.5 before 15.5.5, all versions starting from 15.6 before 15.6.1. It was possible for a project maintainer to leak a webhook secret token by changing the webhook URL to an endpoint that allows them to capture request headers.
Credit: cve@gitlab.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| GitLab | >=9.3.0, <15.4.6 | Upgrade to 15.4.6 or later |
| GitLab | >=15.5.0, <15.5.5 | Upgrade to 15.5.5 or later |
| GitLab | =15.6.0 | Upgrade to 15.6.1 or later |
CVE-2022-4054 is an issue discovered in GitLab that affects all versions starting from 9.3 before 15.4.6, all versions starting from 15.5 before 15.5.5, and all versions starting from 15.6 before 15.6.1.
The severity of CVE-2022-4054 is medium, with a score of 5.5.
CVE-2022-4054 allows a project maintainer to leak a webhook secret token by changing the webhook URL to an endpoint controlled by an attacker, where the request headers carrying the token can be captured.
To fix CVE-2022-4054 in GitLab, upgrade to version 15.4.6, 15.5.5, or 15.6.1 or later, depending on the release line in use.