CVE-2022-4331

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2022-4331

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-4331.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2022-4331

Aliases

BIT-gitlab-2022-4331

Published

2023-03-09T22:15:51Z

Modified

2024-10-11T09:07:25Z

Severity

7.3 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N CVSS Calculator

Summary

[none]

Details

An issue has been discovered in GitLab EE affecting all versions starting from 15.1 before 15.7.8, all versions starting from 15.8 before 15.8.4, all versions starting from 15.9 before 15.9.2. If a group with SAML SSO enabled is transferred to a new namespace as a child group, it's possible previously removed malicious maintainer or owner of the child group can still gain access to the group via SSO or a SCIM token to perform actions on the group.

References

Affected packages

Git / gitlab.com/gitlab-org/gitlab

Affected ranges

Type: GIT
Repo: https://gitlab.com/gitlab-org/gitlab
Events: Introduced

31c24d2d8643ee22211ef544a4538c4420e96dc9

Fixed

d7f0ac7432bb9ab3f10b7025dc5f9d5b3fe8c76e