CVE-2022-1175
Published: 04 April 2022
Summary
CVE-2022-1175 is a high-severity Cross-site Scripting (CWE-79) vulnerability in GitLab (GitLab CE/EE). Its CVSS base score is 8.7 (High).
Operationally, it ranks in the top 6.6% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.
Deeper analysis
CVE-2022-1175 is a cross-site scripting vulnerability arising from improper neutralization of user input, tracked as CWE-79. It affects GitLab Community Edition and Enterprise Edition in versions 14.4 prior to 14.7.7, all releases from 14.8 prior to 14.8.5, and all releases from 14.9 prior to 14.9.2. The flaw permits an attacker to inject HTML into notes, which is then rendered without adequate sanitization.
An authenticated user with permission to add notes can supply crafted HTML that executes in the browsers of other users who view the affected content. Because the CVSS vector includes a scope change and high impact on confidentiality and integrity, successful exploitation can lead to session hijacking, privilege escalation within the GitLab instance, or theft of sensitive project data.
Public advisories and the associated GitLab security tracker entries direct administrators to upgrade to the fixed releases listed above. The referenced HackerOne report and GitLab issue tracker entries confirm that the patches restore proper input handling for note content and that no additional configuration changes are required beyond applying the updates. The EPSS score has remained flat at its peak value with no material post-disclosure rise.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-24516
Vulnerability details
Improper neutralization of user input in GitLab CE/EE versions 14.4 before 14.7.7, all versions starting from 14.8 before 14.8.5, all versions starting from 14.9 before 14.9.2 allowed an attacker to exploit XSS by injecting HTML in notes.
- CWE(s): CWE-79 (Improper Neutralization of Input During Web Page Generation, "Cross-site Scripting")
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Penetration testing submits XSS payloads to web applications, detecting cross-site scripting flaws for subsequent remediation.
- Input validation rejects script-related content in web inputs that could produce XSS.
- Output validation against expected content can reject or sanitize script content in generated web pages, reducing XSS exploitability.
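The output-sanitization control above is the one that directly addresses the weakness described in the deeper analysis: note content must be rebuilt from an allowlist before it is rendered in another user's browser, rather than filtered for known-bad strings. The following is an added example of that approach, written for this page; it is not GitLab's code and makes no claim about how GitLab's own fix is implemented. The tag and attribute allowlists, the `SAFE_URL_PREFIXES` tuple, the `NoteSanitizer` class and the `sanitize_note` function are all assumptions chosen for the example, built on Python's standard-library `html.parser`.

```python
from html import escape
from html.parser import HTMLParser

# Allowlist for note markup. Anything not listed is dropped and only its text
# content survives, as escaped text. These sets are assumptions for this
# example, not GitLab's actual configuration.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "code", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
# URL scheme allowlist: javascript:, data:, vbscript: and every other scheme
# are rejected without having to enumerate them.
SAFE_URL_PREFIXES = ("http://", "https://", "mailto:")


class NoteSanitizer(HTMLParser):
    """Rebuilds note HTML from an allowlist; everything else becomes escaped text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []          # output fragments
        self.open_tags = []    # stack of allowed tags currently open

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # drops <script>, <img onerror=...>, <iframe>, <svg>, ...
        rendered = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops every on* handler, style, srcdoc, ...
            if name == "href":
                if value is None or not value.strip().lower().startswith(SAFE_URL_PREFIXES):
                    continue  # unsafe or unknown scheme: emit the link without href
            rendered.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(rendered)}>")
        self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag not in self.open_tags:
            return  # stray close tag, or close of a tag that was dropped
        # Close anything opened after this tag so the output stays well-formed.
        while self.open_tags:
            opened = self.open_tags.pop()
            self.out.append(f"</{opened}>")
            if opened == tag:
                break

    def handle_data(self, data):
        # Text is always escaped, so '<' and '&' in a note can never re-open markup.
        self.out.append(escape(data, quote=False))

    # Comments, doctypes and processing instructions are silently dropped:
    # the base-class handlers for them are no-ops and nothing is appended.

    def close(self):
        super().close()
        while self.open_tags:  # close tags the author left open
            self.out.append(f"</{self.open_tags.pop()}>")


def sanitize_note(note_html):
    """Return an HTML fragment rebuilt from the allowlist only."""
    parser = NoteSanitizer()
    parser.feed(note_html)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed samples for demonstration, not taken from the advisory.
    for sample in ('<b>looks fine</b>',
                   '<script>alert(1)</script>',
                   '<a href="javascript:alert(1)">click</a>',
                   '<img src=x onerror=alert(1)>'):
        print(repr(sample), "->", repr(sanitize_note(sample)))
```

The design point is that the sanitizer never tries to recognise dangerous input; it only emits markup it has positively approved, so an unforeseen tag, attribute or URL scheme degrades to plain text instead of executing. For a real deployment the allowlist would be tuned to the note features actually needed, and the sanitizer applied on the rendering path, not only at submission time, so that content stored before the fix is covered too.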