CVE-2022-3870

Sažetak

An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.0 before 15.5.7, all versions starting from 15.6 before 15.6.4, all versions starting from 15.7 before 15.7.2. GitLab allows unauthenticated users to download user avatars using the victim's user ID, on private instances that restrict public level visibility.

Reference

https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-3870.json
https://gitlab.com/gitlab-org/gitlab/-/issues/381647
https://hackerone.com/reports/1753423
https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-3870.json
https://gitlab.com/gitlab-org/gitlab/-/issues/381647
https://hackerone.com/reports/1753423
https://gitlab.com/gitlab-org/gitlab/-/issues/381647

CVSS

Base:	5.3
Impact:	1.4
Exploitability:	3.9

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
LOW	NONE	NONE

CVSS vektor

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Zadnje važnije ažuriranje

09-04-2025 - 14:15

Objavljeno

12-01-2023 - 04:15