Incorrect Authorization check affecting all versions of GitLab EE from 13.11 prior to 15.5.7, 15.6 prior to 15.6.4, and 15.7 prior to 15.7.2 allows group access tokens to continue working even after the group owner loses the ability to revoke them.

The version of GitLab installed on the remote host is affected by a vulnerability, as follows:

  - Incorrect Authorization check affecting all versions of GitLab EE from 13.11 prior to 15.5.7, 15.6 prior     to 15.6.4, and 15.7 prior to 15.7.2 allows group access tokens to continue working even after the group     owner loses the ability to revoke them. (CVE-2022-4167)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of GitLab installed on the remote host is prior to 15.5.7, 15.6.4, 15.7.2. It is, therefore, affected by an improper authorization vulnerability as referenced in the SECURITY-RELEASE-GITLAB-15-7-2-RELEASED advisory.

  - Incorrect Authorization check affecting all versions of GitLab EE from 13.11 prior to 15.5.7, 15.6 prior     to 15.6.4, and 15.7 prior to 15.7.2 allows group access tokens to continue working even after the group     owner loses the ability to revoke them. (CVE-2022-4167)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the 3a023570-91ab-11ed-8950-001b217b3468 advisory.

  - Incorrect Authorization check affecting all versions of GitLab EE from 13.11 prior to 15.5.7, 15.6 prior     to 15.6.4, and 15.7 prior to 15.7.2 allows group access tokens to continue working even after the group     owner loses the ability to revoke them. (CVE-2022-4167)

  - An issue has been discovered in GitLab CE/EE affecting all versions starting from 6.6 before 15.5.7, all     versions starting from 15.6 before 15.6.4, all versions starting from 15.7 before 15.7.2. An attacker may     cause Denial of Service on a GitLab instance by exploiting a regex issue in the submodule URL parser.
    (CVE-2022-3514)

  - An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.4 before 15.5.7, all     versions starting from 15.6 before 15.6.4, all versions starting from 15.7 before 15.7.2. Due to the     improper filtering of query parameters in the wiki changes page, an attacker can execute arbitrary     JavaScript on the self-hosted instances running without strict CSP. (CVE-2022-3573)

  - An issue has been discovered in GitLab CE/EE affecting all versions before 15.5.7, all versions starting     from 15.6 before 15.6.4, all versions starting from 15.7 before 15.7.2. A crafted Prometheus Server query     can cause high resource consumption and may lead to Denial of Service. (CVE-2022-3613)

  - An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.0 before 15.5.7, all     versions starting from 15.6 before 15.6.4, all versions starting from 15.7 before 15.7.2. GitLab allows     unauthenticated users to download user avatars using the victim's user ID, on private instances that     restrict public level visibility. (CVE-2022-3870)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Debian 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-3173 advisory.

  - A vulnerability was found in the fs/inode.c:inode_init_owner() function logic of the LInux kernel that     allows local users to create files for the XFS file-system with an unintended group ownership and with     group execution and SGID permission bits set, in a scenario where a directory is SGID and belongs to a     certain group and is writable by a user who is not a member of this group. This can lead to excessive     permissions granted in case when they should not. This vulnerability is similar to the previous     CVE-2018-13405 and adds the missed fix for the XFS. (CVE-2021-4037)

  - A flaw was found in the Linux kernel. The existing KVM SEV API has a vulnerability that allows a non-root     (host) user-level application to crash the host kernel by creating a confidential guest VM instance in AMD     CPU that supports Secure Encrypted Virtualization (SEV). (CVE-2022-0171)

  - A use-after-free flaw was found in fs/ext4/namei.c:dx_insert_block() in the Linux kernel's filesystem sub-     component. This flaw allows a local attacker with a user privilege to cause a denial of service.
    (CVE-2022-1184)

  - A use-after-free flaw was found in the Linux kernel's Atheros wireless adapter driver in the way a user     forces the ath9k_htc_wait_for_target function to fail with some input messages. This flaw allows a local     user to crash or potentially escalate their privileges on the system. (CVE-2022-1679)

  - In binder_inc_ref_for_node of binder.c, there is a possible way to corrupt memory due to a use after free.
    This could lead to local escalation of privilege with no additional execution privileges needed. User     interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID:
    A-239630375References: Upstream kernel (CVE-2022-20421)

  - In emulation_proc_handler of armv8_deprecated.c, there is a possible way to corrupt memory due to a race     condition. This could lead to local escalation of privilege with no additional execution privileges     needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid     ID: A-237540956References: Upstream kernel (CVE-2022-20422)

  - A flaw was found in the Linux kernel's KVM when attempting to set a SynIC IRQ. This issue makes it     possible for a misbehaving VMM to write to SYNIC/STIMER MSRs, causing a NULL pointer dereference. This     flaw allows an unprivileged local attacker on the host to issue specific ioctl calls, causing a kernel     oops condition that results in a denial of service. (CVE-2022-2153)

  - An issue was found in the Linux kernel in nf_conntrack_irc where the message handling can be confused and     incorrectly matches the message. A firewall may be able to be bypassed when users are using unencrypted     IRC with nf_conntrack_irc configured. (CVE-2022-2663)

  - An out-of-bounds memory read flaw was found in the Linux kernel's BPF subsystem in how a user calls the     bpf_tail_call function with a key larger than the max_entries of the map. This flaw allows a local user to     gain unauthorized access to data. (CVE-2022-2905)

  - A race condition was found in the Linux kernel's IP framework for transforming packets (XFRM subsystem)     when multiple calls to xfrm_probe_algs occurred simultaneously. This flaw could allow a local attacker to     potentially trigger an out-of-bounds write or leak kernel heap memory by performing an out-of-bounds read     and copying it into a socket. (CVE-2022-3028)

  - Found Linux Kernel flaw in the i740 driver. The Userspace program could pass any values to the driver     through ioctl() interface. The driver doesn't check the value of 'pixclock', so it may cause a divide by     zero error. (CVE-2022-3061)

  - There exists a use-after-free in io_uring in the Linux kernel. Signalfd_poll() and binder_poll() use a     waitqueue whose lifetime is the current task. It will send a POLLFREE notification to all waiters before     the queue is freed. Unfortunately, the io_uring poll doesn't handle POLLFREE. This allows a use-after-free     to occur if a signalfd or binder fd is polled with io_uring poll, and the waitqueue gets freed. We     recommend upgrading past commit fc78b2fc21f10c4c9c4d5d659a685710ffa63659 (CVE-2022-3176)

  - A race condition flaw was found in the Linux kernel sound subsystem due to improper locking. It could lead     to a NULL pointer dereference while handling the SNDCTL_DSP_SYNC ioctl. A privileged local user (root or     member of the audio group) could use this flaw to crash the system, resulting in a denial of service     condition (CVE-2022-3303)

  - A flaw was found in the Linux kernel's networking code. A use-after-free was found in the way the sch_sfb     enqueue function used the socket buffer (SKB) cb field after the same SKB had been enqueued (and freed)     into a child qdisc. This flaw allows a local, unprivileged user to crash the system, causing a denial of     service. (CVE-2022-3586)

  - A vulnerability was found in Linux Kernel. It has been classified as problematic. Affected is the function     nilfs_bmap_lookup_at_level of the file fs/nilfs2/inode.c of the component nilfs2. The manipulation leads     to null pointer dereference. It is possible to launch the attack remotely. It is recommended to apply a     patch to fix this issue. The identifier of this vulnerability is VDB-211920. (CVE-2022-3621)

  - A vulnerability was found in Linux Kernel. It has been classified as critical. This affects the function     devlink_param_set/devlink_param_get of the file net/core/devlink.c of the component IPsec. The     manipulation leads to use after free. It is recommended to apply a patch to fix this issue. The identifier     VDB-211929 was assigned to this vulnerability. (CVE-2022-3625)

  - A vulnerability was found in Linux Kernel. It has been declared as problematic. This vulnerability affects     the function vsock_connect of the file net/vmw_vsock/af_vsock.c of the component IPsec. The manipulation     leads to memory leak. It is recommended to apply a patch to fix this issue. VDB-211930 is the identifier     assigned to this vulnerability. (CVE-2022-3629)

  - A vulnerability classified as problematic has been found in Linux Kernel. Affected is the function     j1939_session_destroy of the file net/can/j1939/transport.c of the component IPsec. The manipulation leads     to memory leak. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability     is VDB-211932. (CVE-2022-3633)

  - A vulnerability, which was classified as critical, has been found in Linux Kernel. Affected by this issue     is the function tst_timer of the file drivers/atm/idt77252.c of the component IPsec. The manipulation     leads to use after free. It is recommended to apply a patch to fix this issue. VDB-211934 is the     identifier assigned to this vulnerability. (CVE-2022-3635)

  - A vulnerability, which was classified as problematic, has been found in Linux Kernel. This issue affects     the function nilfs_attach_log_writer of the file fs/nilfs2/segment.c of the component BPF. The     manipulation leads to memory leak. The attack may be initiated remotely. It is recommended to apply a     patch to fix this issue. The identifier VDB-211961 was assigned to this vulnerability. (CVE-2022-3646)

  - A vulnerability was found in Linux Kernel. It has been classified as problematic. Affected is the function     nilfs_new_inode of the file fs/nilfs2/inode.c of the component BPF. The manipulation leads to use after     free. It is possible to launch the attack remotely. It is recommended to apply a patch to fix this issue.
    The identifier of this vulnerability is VDB-211992. (CVE-2022-3649)

  - An issue was discovered in include/asm-generic/tlb.h in the Linux kernel before 5.19. Because of a race     condition (unmap_mapping_range versus munmap), a device driver can free a page while it still has stale     TLB entries. This only occurs in situations with VM_PFNMAP VMAs. (CVE-2022-39188)

  - An issue was discovered in net/netfilter/nf_tables_api.c in the Linux kernel before 5.19.6. A denial of     service can occur upon binding to an already bound chain. (CVE-2022-39190)

  - An issue was discovered in the Linux kernel before 5.19. In pxa3xx_gcu_write in     drivers/video/fbdev/pxa3xx-gcu.c, the count parameter has a type conflict of size_t versus int, causing an     integer overflow and bypassing the size check. After that, because it is used as the third argument to     copy_from_user(), a heap overflow may occur. (CVE-2022-39842)

  - An issue was discovered in the Linux kernel through 5.19.8. drivers/firmware/efi/capsule-loader.c has a     race condition with a resultant use-after-free. (CVE-2022-40307)

  - mm/mremap.c in the Linux kernel before 5.13.3 has a use-after-free via a stale TLB because an rmap lock is     not held during a PUD move. (CVE-2022-41222)

  - An issue was discovered in the Linux kernel before 5.19.16. Attackers able to inject WLAN frames could     cause a buffer overflow in the ieee80211_bss_info_update function in net/mac80211/scan.c. (CVE-2022-41674)

  - A use-after-free in the mac80211 stack when parsing a multi-BSSID element in the Linux kernel 5.2 through     5.19.x before 5.19.16 could be used by attackers (able to inject WLAN frames) to crash the kernel and     potentially execute code. (CVE-2022-42719)

  - Various refcounting bugs in the multi-BSS handling in the mac80211 stack in the Linux kernel 5.1 through     5.19.x before 5.19.16 could be used by local attackers (able to inject WLAN frames) to trigger use-after-     free conditions to potentially execute code. (CVE-2022-42720)

  - A list management bug in BSS handling in the mac80211 stack in the Linux kernel 5.1 through 5.19.x before     5.19.16 could be used by local attackers (able to inject WLAN frames) to corrupt a linked list and, in     turn, potentially execute code. (CVE-2022-42721)

  - In the Linux kernel 5.8 through 5.19.x before 5.19.16, local attackers able to inject WLAN frames into the     mac80211 stack could cause a NULL pointer dereference denial-of-service attack against the beacon     protection of P2P devices. (CVE-2022-42722)

  - drivers/usb/mon/mon_bin.c in usbmon in the Linux kernel before 5.19.15 and 6.x before 6.0.1 allows a user-     space client to corrupt the monitor's internal memory. (CVE-2022-43750)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
187610	GitLab 13.11 < 15.5.7 / 15.6 < 15.6.4 / 15.7 < 15.7.2 (CVE-2022-4167)	Nessus	CGI abuses	high
171164	GitLab < 15.5.7 / 15.6 < 15.6.4 / 15.7 < 15.7.2 (CVE-2022-4167)	Nessus	CGI abuses	high
169892	FreeBSD : Gitlab -- Multiple Vulnerabilities (3a023570-91ab-11ed-8950-001b217b3468)	Nessus	FreeBSD Local Security Checks	high
166822	Debian DLA-3173-1 : linux-5.10 - LTS security update	Nessus	Debian Local Security Checks	critical

Detections

Analytics

CVE-2022-4167

high

Tenable Plugins

high

high

high

critical