CVE-2022-4167

Incorrect Authorization check affecting all versions of GitLab EE from 13.11 prior to 15.5.7, 15.6 prior to 15.6.4, and 15.7 prior to 15.7.2 allows group access tokens to continue working even after the group owner loses the ability to revoke them.

CVSS v3.0 7.5 HIGH

7.5^/10

CVSS v3.0 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-4167.json	Vendor Advisory
https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-4167.json	Vendor Advisory
https://gitlab.com/gitlab-org/gitlab/-/issues/367740	Broken Link
https://gitlab.com/gitlab-org/gitlab/-/issues/367740	Broken Link

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:gitlab:gitlab:::::enterprise:::*
	cpe:2.3:a:gitlab:gitlab:::::enterprise:::*
	cpe:2.3:a:gitlab:gitlab:::::enterprise:::*

History

08 Apr 2025, 17:15

Type	Values Removed	Values Added
References	~~(CONFIRM) https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-4167.json - Vendor Advisory~~	() https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-4167.json - Vendor Advisory
References	~~(MISC) https://gitlab.com/gitlab-org/gitlab/-/issues/367740 - Broken Link~~	() https://gitlab.com/gitlab-org/gitlab/-/issues/367740 - Broken Link

Information

Published : 2023-01-12 04:15

Updated : 2025-04-08 17:15

NVD link : CVE-2022-4167

Mitre link : CVE-2022-4167

JSON object : View

Products Affected

gitlab

gitlab

CWE

CWE-863

Incorrect Authorization

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-4167.json", "name": "https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-4167.json", "tags": ["Vendor Advisory"], "refsource": ""}, {"url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-4167.json", "name": "https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-4167.json", "tags": ["Vendor Advisory"], "refsource": ""}, {"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/367740", "name": "https://gitlab.com/gitlab-org/gitlab/-/issues/367740", "tags": ["Broken Link"], "refsource": ""}, {"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/367740", "name": "https://gitlab.com/gitlab-org/gitlab/-/issues/367740", "tags": ["Broken Link"], "refsource": ""}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "Incorrect Authorization check affecting all versions of GitLab EE from 13.11 prior to 15.5.7, 15.6 prior to 15.6.4, and 15.7 prior to 15.7.2 allows group access tokens to continue working even after the group owner loses the ability to revoke them."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-863"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2022-4167", "ASSIGNER": "cve@gitlab.com"}}, "impact": {"baseMetricV3": {"cvssV3": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}}, "publishedDate": "2023-01-12T04:15Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "15.7.2", "versionStartIncluding": "15.7.0"}, {"cpe23Uri": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "15.6.4", "versionStartIncluding": "15.6.0"}, {"cpe23Uri": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "15.5.7", "versionStartIncluding": "13.11.0"}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2025-04-08T17:15Z"}