Missing Validation in DAST Analyzer Affects GitLab Products
CVE-2022-3767

7.7HIGH

Key Information:

Vendor: Gitlab
Status: Dast
Vendor: CVE Published:; 9 March 2023

Summary

A critical security flaw exists in the DAST analyzer in GitLab that allows for missing validation of custom request headers. This vulnerability affects all versions of the DAST analyzer starting from 1.11.0 up to, but not including, 3.0.32. Attackers can exploit this flaw by sending malicious request headers, potentially affecting the behavior of the application and impacting the security of the host.

Affected Version(s)

DAST >=1.11, <3.0.32

References

https://gitlab.com/gitlab-org/gitlab/-/issues/377473

https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE...

CVSS V3.1

Score:

7.7

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
Mar 9, 2023
Vulnerability Reserved
Oct 31, 2022

Collectors

NVD DatabaseMitre Database

Credit

This vulnerability has been discovered internally by the GitLab team