CVE Database · CVE-2022-3767
CVSS v3.1
7.7
EPSS
0.75%
Published
Mar 9, 2023
Modified
Feb 28, 2025
Public PoC / Exploit
No public PoC or exploit code indexed for this CVE.
Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.
Description
Missing validation in the DAST analyzer, affecting all versions from 1.11.0 prior to 3.0.32, allows custom request headers to be sent with every request, regardless of the host.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Weaknesses (CWE)
Affected Products (1)
References (4)