CVE-2022-3291

Serialization of sensitive data in GitLab EE affecting all versions from 14.9 prior to 15.2.5, 15.3 prior to 15.3.4, and 15.4 prior to 15.4.1 can leak sensitive information via cache

CVSS v3.0 6.5 MEDIUM

6.5^/10

CVSS v3.0 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-3291.json	Vendor Advisory
https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-3291.json	Vendor Advisory
https://gitlab.com/gitlab-org/gitlab/-/issues/354299	Broken Link Vendor Advisory
https://gitlab.com/gitlab-org/gitlab/-/issues/354299	Broken Link Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:gitlab:gitlab:::::enterprise:::*
	cpe:2.3:a:gitlab:gitlab:::::enterprise:::*
	cpe:2.3:a:gitlab:gitlab:::::enterprise:::*

History

13 May 2025, 16:15

Type	Values Removed	Values Added
References	~~(CONFIRM) https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-3291.json - Vendor Advisory~~	() https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-3291.json - Vendor Advisory
References	~~(MISC) https://gitlab.com/gitlab-org/gitlab/-/issues/354299 - Broken Link, Vendor Advisory~~	() https://gitlab.com/gitlab-org/gitlab/-/issues/354299 - Broken Link, Vendor Advisory

Information

Published : 2022-10-17 16:15

Updated : 2025-05-13 16:15

NVD link : CVE-2022-3291

Mitre link : CVE-2022-3291

JSON object : View

Products Affected

gitlab

gitlab

CWE

CWE-502

Deserialization of Untrusted Data

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-3291.json", "name": "https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-3291.json", "tags": ["Vendor Advisory"], "refsource": ""}, {"url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-3291.json", "name": "https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-3291.json", "tags": ["Vendor Advisory"], "refsource": ""}, {"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/354299", "name": "https://gitlab.com/gitlab-org/gitlab/-/issues/354299", "tags": ["Broken Link", "Vendor Advisory"], "refsource": ""}, {"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/354299", "name": "https://gitlab.com/gitlab-org/gitlab/-/issues/354299", "tags": ["Broken Link", "Vendor Advisory"], "refsource": ""}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "Serialization of sensitive data in GitLab EE affecting all versions from 14.9 prior to 15.2.5, 15.3 prior to 15.3.4, and 15.4 prior to 15.4.1 can leak sensitive information via cache"}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-502"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2022-3291", "ASSIGNER": "cve@gitlab.com"}}, "impact": {"baseMetricV3": {"cvssV3": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}}, "publishedDate": "2022-10-17T16:15Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "15.4.1", "versionStartIncluding": "15.4"}, {"cpe23Uri": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "15.3.4", "versionStartIncluding": "15.3"}, {"cpe23Uri": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "15.2.5", "versionStartIncluding": "14.9"}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2025-05-13T16:15Z"}