Improper Authorization in GitLab CE/EE: Unauthorized Ownership Takeover in Downstream Pipelines

Improper Authorization in GitLab CE/EE: Unauthorized Ownership Takeover in Downstream Pipelines

CVE-2022-3706 · MEDIUM Severity

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Improper authorization in GitLab CE/EE affecting all versions from 7.14 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allows a user retrying a job in a downstream pipeline to take ownership of the retried jobs in the upstream pipeline even if the user doesn't have access to that project.

Learn more about our User Device Pen Test.