Attacker Value

High

(1 user assessed)

Exploitability

High

(1 user assessed)

User Interaction

CVE-2022-2992

Disclosure Date: October 17, 2022 •

CVE-2022-2992 CVSS v3 Base Score: 9.9

MITRE ATT&CK

Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Initial Access

Techniques

Validation

Exploit Public-Facing Application

Validated

Metasploit Module

exploit/multi/http/gitlab_github_import_rce_cve_2022_2992

Description

A vulnerability in GitLab CE/EE affecting all versions from 11.10 prior to 15.1.6, 15.2 to 15.2.4, 15.3 to 15.3.2 allows an authenticated user to achieve remote code execution via the Import from GitHub API endpoint.

Add Assessment

space-r7 (143)

December 14, 2022 3:12pm UTC (1 year ago)•Edited 1 year ago

Ratings

Attacker Value

High

Exploitability

High

Easy to weaponize Vulnerable in default configuration Authenticated

Technical Analysis

Rating this as a high-value vulnerability for attackers. This does require auth to exploit, either via user credentials or a personal access token. This could either be done with stolen credentials or by creating an account if that is permitted on the target instance. Exploitation appears to be straightforward; initiate a repository import which contains the payload / RESP message and get a shell. The only caveat here is that the repository needs to be publicly available to the Gitlab instance.

The Hackerone report goes into more detail on how the RESP message actually gets executed. This one is important to patch.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

9.9 Critical

Impact Score:

Exploitability Score:

3.1

Vector:

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Attack Vector (AV):

Network

Attack Complexity (AC):

Low

Privileges Required (PR):

Low

User Interaction (UI):

None

Scope (S):

Changed

Confidentiality (C):

High

Integrity (I):

High

Availability (A):

High

Vendors

gitlab

Products

gitlab

Metasploit Modules

exploit/multi/http/gitlab_github_import_rce_cve_2022_2992 (https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/gitlab_github_import_rce_cve_2022_2992.rb)

References

Canonical

CVE-2022-2992 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2992)

Advisory

https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-2992.json

Exploit

PoCs that have not been added by contributors directly have been sourced from: nomi-sec/PoC-in-GitHub.
A PoC added here by the AKB Worker must have at least 2 GitHub stars.

CVE-2022-2992 (https://github.com/Malwareman007/CVE-2022-2992) (Added by AKB Worker)

CVE-2022-2992 (https://github.com/CsEnox/CVE-2022-2992) (Added by AKB Worker)

Miscellaneous

https://gitlab.com/gitlab-org/gitlab/-/issues/371884

https://hackerone.com/reports/1679624

http://packetstormsecurity.com/files/171008/GitLab-GitHub-Repo-Import-Deserialization-Remote-Code-Execution.html

Write-Up (https://blog.redwaysecurity.com/2023/04/exploit-para-o-cve-2022-2992.html)

Rapid7

High

CVE-2022-2992

High

High

None

Low

Network

CVE-2022-2992

Description

Add Assessment

Ratings

Technical Analysis

CVSS V3 Severity and Metrics

General Information

Vendors

Products

Metasploit Modules

References

Canonical

Advisory

Exploit

Miscellaneous

Additional Info

Technical Analysis

High

CVE-2022-2992

High

High

None

Low

Network

CVE-2022-2992

Description

Add Assessment

Ratings

Technical Analysis

CVSS V3 Severity and Metrics

General Information

Vendors

Products

Metasploit Modules

References

Canonical

Advisory

Exploit

Miscellaneous

Additional Info

Technical Analysis

Quick Cookie Notification