CVE-2022-2884
Published: 17 October 2022
Summary
CVE-2022-2884 is a critical-severity OS Command Injection (CWE-78) vulnerability in GitLab CE/EE (vendor: GitLab). Its CVSS base score is 9.9 (Critical).
Operationally, it is ranked in the top 3.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
CVE-2022-2884 is an OS command injection vulnerability, tracked as CWE-78, that affects GitLab Community Edition and Enterprise Edition. It impacts all versions from 11.3.4 up to but not including 15.1.5, the 15.2.x series prior to 15.2.3, and the 15.3.x series prior to 15.3.1. The flaw resides in the Import from GitHub API endpoint and carries a CVSS 3.1 score of 9.9.
An authenticated user can send a crafted request to the affected endpoint and obtain remote code execution on the GitLab instance with the privileges of the application user. Because the attack requires only low-privileged authenticated access and no user interaction, it can be performed over the network with limited effort.
Public references, including the official GitLab CVE record and the associated security issue, indicate that the vulnerability is resolved by upgrading to the fixed releases 15.1.5, 15.2.3, or 15.3.1 and later. A working proof-of-concept exploit has been published on Packet Storm, and the issue was originally reported through HackerOne.
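The three affected ranges above are the check an administrator actually needs to run against an instance. The following is an added example, not code from this advisory or from GitLab: it parses a GitLab version string (as returned in the `version` field of the GitLab `GET /api/v4/version` API, optionally carrying a `-ee`/`-ce` suffix; the sample JSON responses are constructed) and reports whether that version falls inside any of the ranges stated in this record.

```python
import json
from typing import Dict, Tuple

Version = Tuple[int, int, int]

# Affected ranges exactly as stated in the advisory text:
#   11.3.4 <= v < 15.1.5, 15.2.0 <= v < 15.2.3, 15.3.0 <= v < 15.3.1
# Each entry is (inclusive lower bound, exclusive upper bound == fixed release).
AFFECTED_RANGES = (
    ((11, 3, 4), (15, 1, 5)),
    ((15, 2, 0), (15, 2, 3)),
    ((15, 3, 0), (15, 3, 1)),
)


def parse_version(raw: str) -> Version:
    """Turn '15.2.2-ee' or '14.10' into a comparable (major, minor, patch) tuple.

    Edition suffixes ('-ee', '-ce') are dropped; missing components are padded
    with 0 so that '14.10' compares as 14.10.0. Anything else is rejected rather
    than silently treated as 'not affected'.
    """
    core = raw.strip().split("-", 1)[0]
    parts = core.split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version string: {raw!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return (nums[0], nums[1], nums[2])


def is_affected(raw: str) -> bool:
    """True if the version lies in any affected range for CVE-2022-2884."""
    v = parse_version(raw)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def assess_version_response(body: str) -> Dict[str, object]:
    """Assess a JSON body shaped like the GitLab /api/v4/version response.

    Only the 'version' field is used; 'revision' is ignored.
    """
    data = json.loads(body)
    version = data["version"]
    return {
        "version": version,
        "affected": is_affected(version),
        "fixed_in": [".".join(map(str, hi)) for _, hi in AFFECTED_RANGES],
    }


if __name__ == "__main__":
    # Constructed sample responses, not captured from a real instance.
    samples = [
        '{"version":"15.2.2-ee","revision":"deadbeef"}',
        '{"version":"15.3.1","revision":"cafebabe"}',
        '{"version":"14.10-ce","revision":"00000000"}',
    ]
    for body in samples:
        result = assess_version_response(body)
        state = "AFFECTED" if result["affected"] else "not affected"
        print(f"{result['version']:>12}: {state}")
```

Note that a version such as 15.1.6, which sits between the first range's fixed release and the start of the 15.2 series, is correctly reported as not affected, and that malformed version strings raise rather than quietly passing as safe.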
EPSS for this CVE rose sharply from low values to a peak of 0.7478 on 2025-12-11 before receding to the current score of 0.3003, indicating a clear surge in exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-35116
Vulnerability details
A vulnerability in GitLab CE/EE affecting all versions from 11.3.4 prior to 15.1.5, 15.2 to 15.2.3, 15.3 to 15.3.1 allows an authenticated user to achieve remote code execution via the Import from GitHub API endpoint.
- CWE(s): CWE-78 (Improper Neutralization of Special Elements used in an OS Command)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.