An issue has been discovered in GitLab CE/EE affecting all versions before 15.1.6, all versions starting from 15.2 before 15.2.4, all versions starting from 15.3 before 15.3.2. It may be possible for an attacker to guess a user's password by brute force by sending crafted requests to a specific endpoint, even if the victim user has 2FA enabled on their account.
{
"cna_assigner": "GitLab",
"unresolved_ranges": [
{
"source": "AFFECTED_FIELD",
"extracted_events": [
{
"introduced": "15.3"
},
{
"fixed": "15.3.2"
},
{
"introduced": "15.2"
},
{
"fixed": "15.2.4"
},
{
"introduced": "0.0"
},
{
"fixed": "15.1.6"
}
]
},
{
"source": "DESCRIPTION",
"extracted_events": [
{
"fixed": "15.1.6"
},
{
"introduced": "15.2"
},
{
"fixed": "15.2.4"
},
{
"introduced": "15.3"
},
{
"fixed": "15.3.2"
}
]
}
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/3xxx/CVE-2022-3031.json"
}{
"source": "CPE_RANGE",
"extracted_events": [
{
"introduced": "0"
},
{
"fixed": "15.1.6"
},
{
"introduced": "15.2"
},
{
"fixed": "15.2.4"
},
{
"introduced": "15.3"
},
{
"fixed": "15.3.2"
}
],
"cpe": [
"cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*",
"cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*"
]
}