Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 891253 (CVE-2022-2251) - dev-util/gitlab-runner: user jumping vulnerability
Summary: dev-util/gitlab-runner: user jumping vulnerability
Alias: CVE-2022-2251
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
Whiteboard: B4 [ebuild]
Depends on:
Reported: 2023-01-18 00:21 UTC by John Helmert III
Modified: 2023-01-18 00:21 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-01-18 00:21:44 UTC
CVE-2022-2251 (

Improper sanitization of branch names in GitLab Runner affecting all versions prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allows a user who creates a branch with a specially crafted name and gets another user to trigger a pipeline to execute commands in the runner as that other user.

I suppose we can only trust the CVE description here, so please bump to 15.4.4, 15.5.2.