CVE-2022-3288

A branch/tag name confusion in GitLab CE/EE affecting all versions prior to 15.2.5, 15.3 prior to 15.3.4, and 15.4 prior to 15.4.1 allows an attacker to manipulate pages where the content of the default branch would be expected.

CVSS v3 3.5 LOW

3.5^/10

CVSS v3 : LOW

Vector :

Exploitability : 2.1 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-3288.json	Vendor Advisory
https://gitlab.com/gitlab-org/gitlab/-/issues/354948	Broken Link Vendor Advisory
https://hackerone.com/reports/1498354	Permissions Required Third Party Advisory
https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-3288.json	Vendor Advisory
https://gitlab.com/gitlab-org/gitlab/-/issues/354948	Broken Link Vendor Advisory
https://hackerone.com/reports/1498354	Permissions Required Third Party Advisory
https://gitlab.com/gitlab-org/gitlab/-/issues/354948	Broken Link Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:gitlab:gitlab:::::community:::*
	cpe:2.3:a:gitlab:gitlab:::::enterprise:::*
	cpe:2.3:a:gitlab:gitlab:::::community:::*
	cpe:2.3:a:gitlab:gitlab:::::enterprise:::*
	cpe:2.3:a:gitlab:gitlab:::::community:::*
	cpe:2.3:a:gitlab:gitlab:::::enterprise:::*

History

No history.

Information

Published : 2022-10-17 16:15

Updated : 2025-05-13 16:15

NVD link : CVE-2022-3288

Mitre link : CVE-2022-3288

CVE.ORG link : CVE-2022-3288

JSON object : View

Products Affected

gitlab

gitlab

CWE

NVD-CWE-noinfo CWE-471

Modification of Assumed-Immutable Data (MAID)

{"id": "CVE-2022-3288", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.5, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 2.1}, {"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 2.8}]}, "published": "2022-10-17T16:15:22.507", "references": [{"url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-3288.json", "tags": ["Vendor Advisory"], "source": "[email protected]"}, {"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/354948", "tags": ["Broken Link", "Vendor Advisory"], "source": "[email protected]"}, {"url": "https://hackerone.com/reports/1498354", "tags": ["Permissions Required", "Third Party Advisory"], "source": "[email protected]"}, {"url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-3288.json", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/354948", "tags": ["Broken Link", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://hackerone.com/reports/1498354", "tags": ["Permissions Required", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/354948", "tags": ["Broken Link", "Vendor Advisory"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-471"}]}], "descriptions": [{"lang": "en", "value": "A branch/tag name confusion in GitLab CE/EE affecting all versions prior to 15.2.5, 15.3 prior to 15.3.4, and 15.4 prior to 15.4.1 allows an attacker to manipulate pages where the content of the default branch would be expected."}, {"lang": "es", "value": "Una confusi\u00f3n de nombre de rama/etiqueta en GitLab CE/EE afectando a todas las versiones anteriores a 15.2.5, a la 15.3 anteriores a 15.3.4 y a la 15.4 anteriores a 15.4.1 permite a un atacante manipular p\u00e1ginas donde era esperado el contenido de la rama por defecto"}], "lastModified": "2025-05-13T16:15:21.647", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*", "vulnerable": true, "matchCriteriaId": "D5D2A977-BB2E-406A-8EF4-A21C271678F3", "versionEndExcluding": "15.2.5"}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "vulnerable": true, "matchCriteriaId": "C3662260-5645-41E0-AA03-7FD57F06C617", "versionEndExcluding": "15.2.5"}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*", "vulnerable": true, "matchCriteriaId": "FA378384-D683-47B4-9AB2-28C565A954CB", "versionEndExcluding": "15.3.4", "versionStartIncluding": "15.3"}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "vulnerable": true, "matchCriteriaId": "3A4CDDAE-AEDA-40D8-9D36-11535172233D", "versionEndExcluding": "15.3.4", "versionStartIncluding": "15.3"}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*", "vulnerable": true, "matchCriteriaId": "71CE99C3-F315-4071-A1B2-FEACE6A3F049", "versionEndExcluding": "15.4.1", "versionStartIncluding": "15.4"}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "vulnerable": true, "matchCriteriaId": "1605D4DC-D7EA-42BC-B006-8A79C32781CE", "versionEndExcluding": "15.4.1", "versionStartIncluding": "15.4"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}