id: CVE-2022-2185

info:
  name: GitLab CE/EE - Import RCE
  author: GitLab Red Team
  severity: high
  description: A critical issue has been discovered in GitLab affecting all versions starting from 14.0 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1 where an authenticated user authorized to import projects could import a maliciously crafted project leading to remote code execution.
  reference:
    - https://gitlab.com/gitlab-com/gl-security/threatmanagement/redteam/redteam-public/cve-hash-harvester
    - https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-2185.json
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2185
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.8
    cve-id: CVE-2022-2185
    cwe-id: CWE-732
  metadata:
    shodan-query: http.title:"GitLab"
  tags: cve,cve2022,gitlab

requests:
  - method: GET
    path:
      - "{{BaseURL}}/users/sign_in"

    redirects: true
    max-redirects: 3
    matchers:
      - type: word
        words:
          - "003236d7e2c5f1f035dc8b67026d7583ee198b568932acd8faeac18cec673dfa"
          - "1062bbba2e9b04e360569154a8df8705a75d9e17de1a3a9acd5bd20f000fec8b"
          - "1832611738f1e31dd00a8293bbf90fce9811b3eea5b21798a63890dbc51769c8"
          - "1ae98447c220181b7bd2dfe88018cb6e1b1e4d12d7b8c224d651a48ed2d95dfe"
          - "1d765038b21c5c76ff8492561c29984f3fa5c4b8cfb3a6c7b216ac8ab18b78c7"
          - "1d840f0c4634c8813d3056f26cbab7a685d544050360a611a9df0b42371f4d98"
          - "2ea7e9be931f24ebc2a67091b0f0ff95ba18e386f3d312545bb5caaac6c1a8be"
          - "301b60d2c71a595adfb65b22edee9023961c5190e1807f6db7c597675b0a61f0"
          - "383b8952f0627703ada7774dd42f3b901ea2e499fd556fce3ae0c6d604ad72b7"
          - "4f233d907f30a050ca7e40fbd91742d444d28e50691c51b742714df8181bf4e7"
          - "50d9206410f00bb00cc8f95865ab291c718e7a026e7fdc1fc9db0480586c4bc9"
          - "515dc29796a763b500d37ec0c765957a136c9e1f1972bb52c3d7edcf4b6b8bbe"
          - "57e83f1a3cf7c0fe3cf2357802306688dab60cf6a30d00e14e67826070db92de"
          - "5cd37ee959b5338b5fb48eafc6c7290ca1fa60e653292304102cc19a16cc25e4"
          - "5df2cb13ec314995ea43d698e888ddb240dbc7ccb6e635434dc8919eced3e25f"
          - "6a58066d1bde4b6e661fbd5bde83d2dd90615ab409b8c8c36e04954fbd923424"
          - "6eb5eaa5726150b8135a4fd09118cfd6b29f128586b7fa5019a04f1c740e9193"
          - "6fa9fec63ba24ec06fcae0ec30d1369619c2c3323fe9ddc4849af86457d59eef"
          - "739a920f5840de93f944ec86c5a181d0205f1d9e679a4df1b9bf5b0882ab848a"
          - "775f130d36e9eb14cb67c6a63551511b87f78944cebcf6cdddb78292030341df"
          - "7d0792b17e1d2ccac7c6820dda1b54020b294006d7867b7d78a05060220a0213"
          - "8b78708916f28aa9e54dacf9c9c08d720837ce78d8260c36c0f828612567d353"
          - "90abf7746df5cb82bca9949de6f512de7cb10bec97d3f5103299a9ce38d5b159"
          - "95ae8966ec1e6021f2553c7d275217fcfecd5a7f0b206151c5fb701beb7baf1e"
          - "a4333a9de660b9fc4d227403f57d46ec275d6a6349a6f5bda0c9557001f87e5d"
          - "a6d68fb0380bece011b0180b2926142630414c1d7a3e268fb461c51523b63778"
          - "a743f974bacea01ccc609dcb79247598bd2896f64377ce4a9f9d0333ab7b274e"
          - "a8bf3d1210afa873d9b9af583e944bdbf5ac7c8a63f6eccc3d6795802bd380d2"
          - "ba74062de4171df6109c4c96da1ebe2b538bb6cc7cd55867cbdfba44777700e1"
          - "c91127b2698c0a2ae0103be3accffe01995b8531bf1027ae4f0a8ad099e7a209"
          - "cfa6748598b5e507db0e53906a7639e2c197a53cb57da58b0a20ed087cc0b9d5"
          - "e539e07c389f60596c92b06467c735073788196fa51331255d66ff7afde5dfee"
          - "f8ba2470fbf1e30f2ce64d34705b8e6615ac964ea84163c8a6adaaf8a91f9eac"
          - "ff058b10a8dce9956247adba2e410a7f80010a236b2269fb53e0df5cd091e61d"
        condition: or

    extractors:
      - type: regex
        group: 1
        regex:
          - '(?:application-)(\S{64})(?:\.css)'