CVE-2022-1940

7.7 HIGH

📋 TL;DR

This is a stored cross-site scripting (XSS) vulnerability in GitLab Enterprise Edition's Jira integration. It allows attackers to inject malicious JavaScript into Jira issues that gets executed when viewed in GitLab, potentially compromising user sessions and performing actions on behalf of victims. All GitLab EE instances with Jira integration enabled are affected.

💻 Affected Systems

Products:
  • GitLab Enterprise Edition
Versions: 13.11 to 14.9.4, 14.10 to 14.10.3, 15.0 to 15.0.0
Operating Systems: All
Default Config Vulnerable: ✅ No
Notes: Only affects GitLab EE instances with Jira integration configured and enabled. GitLab CE and instances without Jira integration are not vulnerable.

📦 What is this software?

Gitlab by Gitlab

GitLab is a complete DevOps platform providing source code management, CI/CD pipelines, security scanning, container registry, and collaboration tools used by millions of developers and thousands of enterprises worldwide. As both a cloud-hosted SaaS offering (GitLab.com) and self-managed software, G...

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could steal administrator credentials, hijack user sessions, perform unauthorized actions (like creating/deleting projects), and potentially pivot to other systems through compromised GitLab access.

🟠

Likely Case

Session hijacking, credential theft, and unauthorized actions within GitLab by authenticated users viewing malicious Jira issues.

🟢

If Mitigated

Limited to JavaScript execution in the victim's browser context, constrained by the same-origin policy, but still dangerous for authenticated users.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires the ability to create or modify Jira issues that sync with GitLab. The HackerOne report demonstrates a working exploit.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 14.9.5, 14.10.4, or 15.0.1

Vendor Advisory: https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-1940.json

Restart Required: Yes

Instructions:

1. Back up your GitLab instance.
2. Update to GitLab EE 14.9.5, 14.10.4, or 15.0.1, depending on your current release track.
3. Restart GitLab services.
4. Verify the update was successful.

🔧 Temporary Workarounds

Disable Jira Integration

Platform: linux

Temporarily disable Jira integration in GitLab to prevent exploitation:

gitlab-rails runner "ApplicationSetting.current.update(jira_integration_enabled: false)"

Restrict Jira Issue Creation

Platform: all

Limit who can create or modify Jira issues that sync with GitLab.

🧯 If You Can't Patch

  • Disable Jira integration in GitLab settings immediately
  • Implement strict Content Security Policy (CSP) headers to limit script execution

🔍 How to Verify

Check if Vulnerable:

Check the GitLab version and Jira integration status:

gitlab-rails runner "puts Gitlab::VERSION; puts ApplicationSetting.current.jira_integration_enabled?"

Check Version:

grep gitlab-rails /opt/gitlab/version-manifest.txt

Verify Fix Applied:

Verify that the version is 14.9.5+, 14.10.4+, or 15.0.1+, and test Jira issue rendering for XSS.
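Because the three affected ranges each have their own fixed release, a plain "newer than X" comparison is not enough. The following added example (not GitLab's or the advisory's own code) encodes the ranges listed on this page as half-open intervals and combines the result with the Jira integration state, as the Affected Systems notes describe; the version strings it parses are constructed samples, and the `assess` helper is a hypothetical name.

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges from this advisory, as [first affected, first fixed) per release track.
AFFECTED_RANGES = [
    ((13, 11, 0), (14, 9, 5)),    # 13.11 up to and including 14.9.4
    ((14, 10, 0), (14, 10, 4)),   # 14.10 up to and including 14.10.3
    ((15, 0, 0), (15, 0, 1)),     # 15.0.0 only
]

FIXED_VERSIONS = "14.9.5, 14.10.4 or 15.0.1"


def parse_version(text: str) -> Optional[Version]:
    """Extract MAJOR.MINOR[.PATCH] from strings such as '14.10.2-ee' or 'v15.0.1'.

    A missing patch component is treated as .0, so '15.0' parses as 15.0.0.
    Returns None when no version-like token is present.
    """
    match = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not match:
        return None
    major, minor, patch = match.group(1), match.group(2), match.group(3) or "0"
    return (int(major), int(minor), int(patch))


def is_affected_version(version: str) -> bool:
    """True when the version falls inside any of the advisory's affected ranges."""
    parsed = parse_version(version)
    if parsed is None:
        raise ValueError(f"unrecognised version string: {version!r}")
    return any(first <= parsed < fixed for first, fixed in AFFECTED_RANGES)


def assess(version: str, jira_integration_enabled: bool) -> str:
    """Combine the version check with the integration state the advisory's notes call out."""
    if not is_affected_version(version):
        return "not affected: version is outside the vulnerable ranges"
    if not jira_integration_enabled:
        return "affected version, but Jira integration is disabled: not exploitable until re-enabled"
    return f"VULNERABLE: upgrade to {FIXED_VERSIONS} or disable Jira integration"


if __name__ == "__main__":
    # Constructed sample inputs, not output captured from a real instance.
    for sample in ("14.9.4-ee", "14.9.5-ee", "14.10.3-ee", "15.0.0-ee", "15.0.1-ee", "14.11.0-ee"):
        print(sample, "->", assess(sample, jira_integration_enabled=True))
```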

📡 Detection & Monitoring

Log Indicators:

  • Unusual Jira issue creation/modification patterns
  • JavaScript errors or suspicious requests in GitLab logs

Network Indicators:

  • Unexpected outbound connections from GitLab to external domains

SIEM Query:

source="gitlab" AND ("jira" AND "issue") AND ("script" OR "javascript" OR "onerror" OR "onload")
