CVE-2022-3572
Published: 26 January 2023
Summary
CVE-2022-3572 is a critical-severity Cross-site Scripting (CWE-79) vulnerability in GitLab (vendor GitLab, product GitLab). Its CVSS base score is 9.3 (Critical).
Operationally, it ranks in the top 6.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
A reflected cross-site scripting vulnerability exists in GitLab CE/EE, affecting all versions from 13.5 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2. The flaw resides in the Jira Connect integration configuration and is tracked as CWE-79, enabling injection of arbitrary script that executes in the victim's browser context.
An unauthenticated attacker can supply a crafted payload when the integration settings are accessed, resulting in a reflected XSS that allows arbitrary actions on behalf of the victim. The CVSS 9.3 score reflects a network vector with low attack complexity, required user interaction, and changed scope that yields high confidentiality and integrity impact.
References from GitLab's CVE repository and issue tracker, along with the associated HackerOne report, indicate that the issue is resolved by upgrading to the fixed releases listed above. The EPSS score has remained near 0.10 with only minor fluctuation between its current value of 0.1021 and peak of 0.1125.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-42936
Vulnerability details
A cross-site scripting issue has been discovered in GitLab CE/EE affecting all versions from 13.5 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2. It was possible to exploit a vulnerability in setting the Jira Connect integration which could lead to a reflected XSS that allowed attackers to perform arbitrary actions on behalf of victims.
- CWE(s): CWE-79
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Penetration testing submits XSS payloads to web applications, detecting cross-site scripting flaws for subsequent remediation.
Input validation checks web inputs and rejects script-related content that could produce XSS.
Output encoding and validation against the expected content can reject or sanitize script content in generated web pages, reducing XSS exploitability.
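The output-encoding control above, shown as a worked example in Ruby. This is added illustration code, not GitLab's code and not the Jira Connect integration itself: the page template, the `site` parameter name and the sample inputs are all constructed for the example, and `ERB::Util.html_escape` from Ruby's standard library stands in for the framework's own escaping helper. The same reflected value is rendered once by string concatenation (the CWE-79 pattern) and once with context-appropriate encoding, and a small reviewer check reports any tag in the rendered fragment that the template itself did not emit.

```ruby
require "erb"

# Hypothetical settings page fragment that reflects a request parameter
# ("site", a constructed name) back into the response. Two renderers are
# shown: the unsafe concatenation that produces reflected XSS, and the
# hardened form that encodes the value for the HTML context it lands in.

# Vulnerable form: the raw value is spliced into the markup, so any "<",
# ">" or quote in the value is interpreted as page structure, not text.
def render_unsafe(site)
  "<p>Jira Connect configured for: #{site}</p>"
end

# Hardened form (element-content context): entity-encode before insertion.
# ERB::Util.html_escape rewrites & < > " and ' so the browser can only ever
# display the value as text.
def render_safe(site)
  "<p>Jira Connect configured for: #{ERB::Util.html_escape(site)}</p>"
end

# Hardened form (attribute-value context): the value must be both quoted
# and encoded. Encoding alone does not protect an unquoted attribute.
def render_safe_attr(site)
  %(<a href="/integrations/jira" data-site="#{ERB::Util.html_escape(site)}">Jira</a>)
end

# Reviewer / test-time check: which tags appear in the rendered fragment
# beyond the ones the template itself writes? A reflected value that adds
# a tag name here has escaped the text context and needs encoding.
TEMPLATE_TAGS = %w[p a].freeze

def unexpected_tags(html)
  found = html.scan(%r{</?([a-zA-Z][a-zA-Z0-9]*)}).flatten.map(&:downcase).uniq
  found - TEMPLATE_TAGS
end

# Constructed sample inputs: a benign site name and a value carrying markup.
SAMPLE_INPUTS = ["acme.example.net", "<script>x</script>"].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLE_INPUTS.each do |value|
    puts "input:  #{value.inspect}"
    puts "unsafe: #{render_unsafe(value)}  extra tags: #{unexpected_tags(render_unsafe(value)).inspect}"
    puts "safe:   #{render_safe(value)}  extra tags: #{unexpected_tags(render_safe(value)).inspect}"
  end
end
```

The check in `unexpected_tags` is deliberately narrow (it only flags tag names, not event-handler attributes), which is why the fix is the encoding in `render_safe` and `render_safe_attr`, not the check; the check exists to make a regression visible in a unit test.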