Vulnerability Description
An improper access control issue in GitLab EE affecting all versions from 12.0 prior to 15.0.5, 15.1 prior to 15.1.4, and 15.2 prior to 15.2.1 allows an attacker to bypass IP allow-listing and download artifacts. This attack only bypasses IP allow-listing, proper permissions are still required.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Gitlab | Gitlab | >= 12.0.0, < 15.0.5 |
Related Weaknesses (CWE)
References
- https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-2501.jsonVendor Advisory
- https://gitlab.com/gitlab-org/gitlab/-/issues/364822Broken LinkVendor Advisory
- https://hackerone.com/reports/1591412Permissions RequiredThird Party Advisory
- https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-2501.jsonVendor Advisory
- https://gitlab.com/gitlab-org/gitlab/-/issues/364822Broken LinkVendor Advisory
- https://hackerone.com/reports/1591412Permissions RequiredThird Party Advisory
FAQ
What is CVE-2022-2501?
CVE-2022-2501 is a vulnerability with a CVSS score of 5.9 (MEDIUM). An improper access control issue in GitLab EE affecting all versions from 12.0 prior to 15.0.5, 15.1 prior to 15.1.4, and 15.2 prior to 15.2.1 allows an attacker to bypass IP allow-listing and downloa...
How severe is CVE-2022-2501?
CVE-2022-2501 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-2501?
Check the references section above for vendor advisories and patch information. Affected products include: Gitlab Gitlab.