Vulnerability Description
An issue has been discovered affecting GitLab versions prior to 14.4.5, between 14.5.0 and 14.5.3, and between 14.6.0 and 14.6.1. GitLab is configured in a way that it doesn't ignore replacement references with git sub-commands, allowing a malicious user to spoof the contents of their commits in the UI.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Gitlab | Gitlab | < 14.4.5 |
Related Weaknesses (CWE)
References
- https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-0090.jsonThird Party Advisory
- https://gitlab.com/gitlab-org/gitaly/-/issues/3948Broken Link
- https://hackerone.com/reports/1415964Permissions Required
- https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-0090.jsonThird Party Advisory
- https://gitlab.com/gitlab-org/gitaly/-/issues/3948Broken Link
- https://hackerone.com/reports/1415964Permissions Required
FAQ
What is CVE-2022-0090?
CVE-2022-0090 is a vulnerability with a CVSS score of 6.5 (MEDIUM). An issue has been discovered affecting GitLab versions prior to 14.4.5, between 14.5.0 and 14.5.3, and between 14.6.0 and 14.6.1. GitLab is configured in a way that it doesn't ignore replacement refer...
How severe is CVE-2022-0090?
CVE-2022-0090 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-0090?
Check the references section above for vendor advisories and patch information. Affected products include: Gitlab Gitlab.