CVE-2022-4167

Description

Incorrect Authorization check affecting all versions of GitLab EE from 13.11 prior to 15.5.7, 15.6 prior to 15.6.4, and 15.7 prior to 15.7.2 allows group access tokens to continue working even after the group owner loses the ability to revoke them.

How to fix CVE-2022-4167

To remediate CVE-2022-4167, upgrade the affected package to a fixed version below.

Bitnami/gitlab—upgrade to 15.5.7 or later

Is CVE-2022-4167 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 13.11.0, < 15.5.7, >= 15.6.0, < 15.6.4, >= 15.7.0, < 15.7.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References (3)

WEBgitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-4167.json
WEBgitlab.com/gitlab-org/gitlab/-/issues/367740
WEBnvd.nist.gov/vuln/detail/CVE-2022-4167