CVE-2022-3767

Missing validation in DAST analyzer affecting all versions from 1.11.0 prior to 3.0.32, allows custom request headers to be sent with every request, regardless of the host.

CVSS v3 7.7 HIGH

7.7^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.1 / Impact : 4.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-3767.json	Vendor Advisory
https://gitlab.com/gitlab-org/gitlab/-/issues/377473	Exploit Issue Tracking Patch Vendor Advisory
https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-3767.json	Vendor Advisory
https://gitlab.com/gitlab-org/gitlab/-/issues/377473	Exploit Issue Tracking Patch Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:gitlab:dynamic_application_security_testing_analyzer:*:*:*:*:*:*:*:*

History

28 Feb 2025, 18:15

Type	Values Removed	Values Added
CWE		CWE-20

Information

Published : 2023-03-09 23:15

Updated : 2025-02-28 18:15

NVD link : CVE-2022-3767

Mitre link : CVE-2022-3767

CVE.ORG link : CVE-2022-3767

JSON object : View

Products Affected

gitlab

dynamic_application_security_testing_analyzer

CWE

NVD-CWE-noinfo CWE-20

Improper Input Validation

{"id": "CVE-2022-3767", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "cve@gitlab.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 4.0, "exploitabilityScore": 3.1}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2023-03-09T23:15:10.833", "references": [{"url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-3767.json", "tags": ["Vendor Advisory"], "source": "cve@gitlab.com"}, {"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/377473", "tags": ["Exploit", "Issue Tracking", "Patch", "Vendor Advisory"], "source": "cve@gitlab.com"}, {"url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-3767.json", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/377473", "tags": ["Exploit", "Issue Tracking", "Patch", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-20"}]}], "descriptions": [{"lang": "en", "value": "Missing validation in DAST analyzer affecting all versions from 1.11.0 prior to 3.0.32, allows custom request headers to be sent with every request, regardless of the host."}], "lastModified": "2025-02-28T18:15:25.663", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:gitlab:dynamic_application_security_testing_analyzer:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E20C5474-8A19-45AE-AF93-3628DCD74B63", "versionEndExcluding": "3.0.32", "versionStartIncluding": "1.11.0"}], "operator": "OR"}]}], "sourceIdentifier": "cve@gitlab.com"}