Cyber Resilience

CVE-2022-2992

Critical · Public PoC

Published: 17 October 2022

Modified: 14 May 2025
KEV Added: not listed
Patch: fixed in 15.1.6, 15.2.4 and 15.3.2
CVSS v3.1 score: 9.9 (vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS score: 0.9119 (99.7th percentile)
Risk Priority: 75 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-2992 is a critical-severity injection (CWE-74) vulnerability in GitLab (vendor: GitLab). Its CVSS base score is 9.9 (Critical).

Operationally, it ranks in the top 0.3% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

A vulnerability tracked as CVE-2022-2992 affects GitLab Community Edition and Enterprise Edition in all versions from 11.10 up to but not including 15.1.6, as well as the 15.2.x and 15.3.x branches prior to 15.2.4 and 15.3.2 respectively. The flaw resides in the Import from GitHub API endpoint and permits an authenticated user to trigger remote code execution through unsafe deserialization, corresponding to CWE-74.

An attacker who already possesses a valid GitLab account can submit a crafted GitHub repository import request that results in arbitrary command execution on the server with the privileges of the GitLab application user, yielding full confidentiality, integrity, and availability impact across the instance.

Public advisories and the associated GitLab issue direct administrators to upgrade to one of the fixed releases (15.1.6, 15.2.4, or 15.3.2 or later) to eliminate the vulnerable code path; no other workarounds are documented in the references.

The CVE carries a CVSS score of 9.9 and an EPSS score that has reached a peak of 0.9381 with a current value of 0.9119, while public exploit code and a detailed HackerOne report have been released.


Vulnerability details

A vulnerability in GitLab CE/EE affecting all versions from 11.10 prior to 15.1.6, 15.2 to 15.2.4, 15.3 to 15.3.2 allows an authenticated user to achieve remote code execution via the Import from GitHub API endpoint.

CWE(s): CWE-74 (Injection)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: gitlab
Product: gitlab
Affected versions: 11.10 — 15.1.6 · 15.2 — 15.2.4 · 15.3 — 15.3.2

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Addresses CWE-74: Developer assessments and testing (including injection-focused techniques) identify improper neutralization of special elements, and verifiable flaw remediation corrects them before deployment.
- Addresses CWE-74: Anomaly and attack monitoring identifies indicators of injection attacks (command, SQL, LDAP, etc.).
