AVID-2026-R0959
Description
Vulnerability CVE-2022-2185
Details
A critical issue has been discovered in GitLab affecting all versions starting from 14.0 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1 where an authenticated user authorized to import projects could import a maliciously crafted project leading to remote code execution.
Reason for inclusion in AVID: CVE-2022-2185 describes a remote code execution vulnerability in GitLab triggered by importing a malicious project. GitLab is widely used to manage AI/ML pipelines (CI/CD, artifact management, deployment). Exploitation could compromise AI software supply chains by injecting or executing malicious code during builds/deployments, affecting the software stack used to build, train, or serve general-purpose AI systems. This is a software-supply-chain-relevant vulnerability with clear exploit behavior (RCE) and supporting CVE details.
References
- NVD entry
- https://gitlab.com/gitlab-org/gitlab/-/issues/366088
- https://hackerone.com/reports/1609965
- https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-2185.json
Affected or Relevant Artifacts
- Developer: GitLab
- Deployer: GitLab
- Artifact Details:
| Type | Name |
|---|---|
| System | GitLab |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
CVSS
| Metric | Value |
|---|---|
| Version | 3.1 |
| Vector String | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
| Base Score | 9.9 |
| Base Severity | 🔴 Critical |
| Attack Vector | NETWORK |
| Attack Complexity | 🟢 Low |
| Privileges Required | 🟢 Low |
| User Interaction | NONE |
| Scope | CHANGED |
| Confidentiality Impact | 🔴 High |
| Integrity Impact | 🔴 High |
| Availability Impact | 🔴 High |
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2022-07-01
- Version: 0.3.3
- AVID Entry