CVE-2022-4167
First published: Thu Jan 12 2023(Updated: )
Incorrect Authorization check affecting all versions of GitLab EE from 13.11 prior to 15.5.7, 15.6 prior to 15.6.4, and 15.7 prior to 15.7.2 allows group access tokens to continue working even after the group owner loses the ability to revoke them.
Credit: cve@gitlab.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| GitLab | >=13.11.0<15.5.7 | |
| GitLab | >=15.6.0<15.6.4 | |
| GitLab | >=15.7.0<15.7.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2022-4167?
CVE-2022-4167 has a medium severity rating due to incorrect authorization checks that can lead to unintended access.
How do I fix CVE-2022-4167?
To fix CVE-2022-4167, upgrade your GitLab EE installation to version 15.5.7, 15.6.4, or 15.7.2 or later.
What versions of GitLab are affected by CVE-2022-4167?
CVE-2022-4167 affects all versions of GitLab EE from 13.11 up to but not including 15.5.7, 15.6 prior to 15.6.4, and 15.7 prior to 15.7.2.
What impact does CVE-2022-4167 have on GitLab users?
CVE-2022-4167 allows group access tokens to remain active even when the group owner should be able to revoke them, posing a security risk.
Is there a workaround for CVE-2022-4167?
There is no officially documented workaround for CVE-2022-4167; upgrading to a fixed version is recommended.
- agent/references
- agent/type
- agent/author
- agent/weakness
- agent/softwarecombine
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/severity
- agent/event
- agent/first-publish-date
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/gitlab
- canonical/gitlab
- version/gitlab/13.11.0
- version/gitlab/15.6.0
- version/gitlab/15.7.0