Unrated severityNVD Advisory· Published Jan 12, 2023· Updated Apr 8, 2025

CVE-2022-4037

Description

An issue has been discovered in GitLab CE/EE affecting all versions before 15.5.7, all versions starting from 15.6 before 15.6.4, all versions starting from 15.7 before 15.7.2. A race condition can lead to verified email forgery and takeover of third-party accounts when using GitLab as an OAuth provider.

Affected products

GitLab Inc./CE/EEllm-fuzzy
Range: <15.5.7, >=15.6 <15.6.4, >=15.7 <15.7.2
osv-coords
pkg:bitnami/gitlab
Range: < 15.5.7
GitLab Inc./GitLabv5
Range: >=0.0, <15.5.7

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-4037.jsonmitre
gitlab.com/gitlab-org/gitlab/-/issues/382957mitre
hackerone.com/reports/1772543mitre

News mentions

Smashing the state machine: the true potential of web race conditions
PortSwigger Research · Aug 9, 2023

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000