| Vulnerability Name: | CVE-2022-2303 (CCN-232981) | ||||||||||||
| Assigned: | 2022-08-03 | ||||||||||||
| Published: | 2022-08-03 | ||||||||||||
| Updated: | 2022-08-11 | ||||||||||||
| Summary: | An issue has been discovered in GitLab CE/EE affecting all versions before 15.0.5, all versions starting from 15.1 before 15.1.4, all versions starting from 15.2 before 15.2.1. It may be possible for group members to bypass 2FA enforcement enabled at the group level by using Resource Owner Password Credentials grant to obtain an access token without using 2FA. | ||||||||||||
| CVSS v3 Severity: | 4.3 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N) 3.8 Low (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C)
3.8 Low (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C)
| ||||||||||||
| CVSS v2 Severity: | 4.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:N/I:P/A:N)
| ||||||||||||
| Vulnerability Type: | CWE-863 | ||||||||||||
| Vulnerability Consequences: | Bypass Security | ||||||||||||
| References: | Source: MITRE Type: CNA CVE-2022-2303 Source: XF Type: UNKNOWN gitlab-cve20222303-sec-bypass(232981) Source: CCN Type: GitLab Web site CVE-2022-2303 Source: CONFIRM Type: Vendor Advisory https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-2303.json Source: MISC Type: Broken Link, Vendor Advisory https://gitlab.com/gitlab-org/gitlab/-/issues/355028 Source: MISC Type: Permissions Required, Third Party Advisory https://hackerone.com/reports/1498133 | ||||||||||||
| Vulnerable Configuration: | Configuration 1: Configuration 2: Configuration CCN 1:  Denotes that component is vulnerable | ||||||||||||
| BACK | |||||||||||||