What is CVE-2022-2992?

CVE-2022-2992 is a critical-severity vulnerability in Gitlab. CVSS score: 9.9/10. Published 2022-10-17.

How severe is CVE-2022-2992?

Critical severity. CVSS v3 base score is 9.9 out of 10.

Is CVE-2022-2992 known to be exploited?

25 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Vulnerability in Gitlab

CVE-2022-2992

A vulnerability in GitLab CE/EE affecting all versions from 11.10 prior to 15.1.6, 15.2 to 15.2.4, 15.3 to 15.3.2 allows an authenticated user to achieve remote code execution via the Import from GitHub API endpoint.

EPSS: 0.912 (99.7th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 9.9 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H.

Affected products

Gitlab — versions >=11.10, <15.1.6, >=15.2, <15.2.4, >=15.3, <15.3.2

Public proof-of-concept exploits

CsEnox/CVE-2022-2992
Malwareman007/CVE-2022-2992
rapid7/metasploit-framework
Awrrays/FrameVul
CVEDB/awesome-cve-repo
CVEDB/top
GhostTroops/TOP
NinVoido/nto2024-p7d-writeups
SYRTI/POC_
SnailDev/github-hot-hub

References

gitlab.com/gitlab-org/gitlab/-/issues/371884
hackerone.com/reports/1679624
gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-2992.json
packetstormsecurity.com/files/171008/GitLab-GitHub-Repo-Import-Deserialization-…

Frequently asked questions

What is CVE-2022-2992?: CVE-2022-2992 is a critical-severity vulnerability in Gitlab. CVSS score: 9.9/10. Published 2022-10-17.
How severe is CVE-2022-2992?: Critical severity. CVSS v3 base score is 9.9 out of 10.
Is CVE-2022-2992 known to be exploited?: 25 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.