CVE-2022-3870

An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.0 before 15.5.7, all versions starting from 15.6 before 15.6.4, all versions starting from 15.7 before 15.7.2. GitLab allows unauthenticated users to download user avatars using the victim's user ID, on private instances that restrict public level visibility.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*

History

09 Apr 2025, 14:15

Type Values Removed Values Added
CWE CWE-200
References () https://gitlab.com/gitlab-org/gitlab/-/issues/381647 - Broken Link () https://gitlab.com/gitlab-org/gitlab/-/issues/381647 - Broken Link

21 Nov 2024, 07:20

Type Values Removed Values Added
Summary
  • (es) Se descubrió un problema en GitLab CE/EE que afecta a todas las versiones desde 10.0 anteriores a 15.5.7, todas las versiones desde 15.6 anteriores a 15.6.4, todas las versiones desde 15.7 anteriores a 15.7.2. GitLab permite a los usuarios no autenticados descargar avatares de usuario utilizando la identificación de usuario de la víctima, en instancias privadas que restringen la visibilidad a nivel público.
References () https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-3870.json - Vendor Advisory () https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-3870.json - Vendor Advisory
References () https://gitlab.com/gitlab-org/gitlab/-/issues/381647 - Broken Link () https://gitlab.com/gitlab-org/gitlab/-/issues/381647 - Broken Link
References () https://hackerone.com/reports/1753423 - Permissions Required, Third Party Advisory () https://hackerone.com/reports/1753423 - Permissions Required, Third Party Advisory

Information

Published : 2023-01-12 04:15

Updated : 2025-04-09 14:15


NVD link : CVE-2022-3870

Mitre link : CVE-2022-3870

CVE.ORG link : CVE-2022-3870


JSON object : View

Products Affected

gitlab

  • gitlab
CWE
NVD-CWE-noinfo CWE-200

Exposure of Sensitive Information to an Unauthorized Actor