Cyber Resilience

CVE-2022-1175

Severity: High · Public PoC available

Published: 04 April 2022
Modified: 21 November 2024
KEV Added: not listed
Patch:
CVSS Score v3.1: 8.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N)
EPSS Score: 0.1032 (93.4th percentile)
Risk Priority: 24 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-1175 is a high-severity Cross-site Scripting (CWE-79) vulnerability in GitLab Community Edition and Enterprise Edition (vendor: GitLab). Its CVSS base score is 8.7 (High).

Operationally, it ranks in the top 6.6% of CVEs by exploit likelihood (EPSS 93.4th percentile); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

CVE-2022-1175 is a cross-site scripting vulnerability arising from improper neutralization of user input, tracked as CWE-79. It affects GitLab Community Edition and Enterprise Edition in versions 14.4 prior to 14.7.7, all releases from 14.8 prior to 14.8.5, and all releases from 14.9 prior to 14.9.2. The flaw permits an attacker to inject HTML into notes, which is then rendered without adequate sanitization.

An authenticated user with permission to add notes can supply crafted HTML that executes in the context of other users who view the affected content. Because the CVSS vector includes a scope change and high impact on confidentiality and integrity, successful exploitation can lead to session hijacking, privilege escalation within the GitLab instance, or theft of sensitive project data.

Public advisories and the associated GitLab security tracker entries direct administrators to upgrade to the fixed releases listed above. The referenced HackerOne report and GitLab issue tracker entries confirm that the patches restore proper input handling for note content and that no additional configuration changes are required beyond applying the updates. The EPSS score has remained flat at its peak value with no material post-disclosure rise.

Vulnerability details

Improper neutralization of user input in GitLab CE/EE versions 14.4 before 14.7.7, all versions starting from 14.8 before 14.8.5, all versions starting from 14.9 before 14.9.2 allowed an attacker to exploit XSS by injecting HTML in notes.

CWE(s)

CWE-79 (Cross-site Scripting, improper neutralization of input during web page generation)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: gitlab
Product: gitlab
Affected version ranges: 14.4.0 up to (not including) 14.7.7 · 14.8.0 up to (not including) 14.8.5

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Penetration testing submits XSS payloads to web applications, detecting cross-site scripting flaws for subsequent remediation. (addresses: CWE-79)

Input validation checks web inputs and rejects script-related content that could produce XSS. (addresses: CWE-79)

Output validation against expected content can reject or sanitize script content in generated web pages, reducing XSS exploitability. (addresses: CWE-79)
