Vulnerability Description
An issue in pipeline subscriptions in GitLab EE affecting all versions from 12.8 prior to 15.0.5, 15.1 prior to 15.1.4, and 15.2 prior to 15.2.1 triggered new pipelines with the person who created the tag as the pipeline creator instead of the subscription's author.
CVSS Score
6.4 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Gitlab | Gitlab | >= 12.8.0, < 15.0.5 |
Related Weaknesses (CWE)
References
- https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-2498.json (Vendor Advisory)
- https://gitlab.com/gitlab-org/gitlab/-/issues/243703 (Vendor Advisory; Broken Link)
- https://hackerone.com/reports/966824 (Third Party Advisory; Permissions Required)
FAQ
What is CVE-2022-2498?
CVE-2022-2498 is a vulnerability with a CVSS score of 6.4 (MEDIUM). An issue in pipeline subscriptions in GitLab EE affecting all versions from 12.8 prior to 15.0.5, 15.1 prior to 15.1.4, and 15.2 prior to 15.2.1 triggered new pipelines with the person who created the tag as the pipeline creator instead of the subscription's author.
How severe is CVE-2022-2498?
CVE-2022-2498 has been rated MEDIUM with a CVSS base score of 6.4/10 (see the CVSS Score section above).
Is there a patch for CVE-2022-2498?
Check the References section above for vendor advisories and patch information. Affected product: GitLab EE (vendor GitLab; see the Affected Products table above).