GitLab CE/EE Access Token Leakage Vulnerability (CVE-2022-2882)
The advisory details a GitLab CE/EE vulnerability (CVE-2022-2882) that allows authenticated attackers to modify integration URLs and steal GitHub integration access tokens, lists affected versions across community and enterprise editions, and recommends upgrading to specific patched releases.
GitLab CE/EE is an integrated software development platform based on Git. A sensitive information leakage vulnerability exists in certain versions, where an authenticated attacker (e.g., a maintainer) can modify the integration URL to send authenticated requests to a server under the attacker’s control, thereby obtaining the GitHub integration access token.
Vulnerability Name: GitLab Access Token Leakage Vulnerability
Vulnerability Type: Exposing resources to the wrong scope
Discovery Date: 2022-10-29
Impact Breadth: Wide
MPS Number: MPS-2022-55621
CVE Number: CVE-2022-2882
CNVD Number: -
The vulnerability affects all versions of GitLab. Specific affected ranges include:
GitLab Community: versions <15.4, ≥15.4.1
GitLab Community: versions ≥15.4 and <15.4.1
GitLab Community: versions ≥15.3 and <15.3.4
GitLab Community: versions ≥12.6 and <15.2.5
GitLab Enterprise: versions ≥15.3 and <15.3.4
GitLab Enterprise: versions ≥12.6 and <15.2.5
GitLab Enterprise: versions ≥15.4 and <15.4.1
Remediation steps are to upgrade the affected components to patched versions:
Upgrade GitLab Community to version 15.2.5 or later.
Upgrade GitLab Community to version 15.3.4 or later.
Upgrade GitLab Community to version 15.4.1 or later.
Upgrade GitLab Enterprise to version 15.2.5 or later.
Upgrade GitLab Enterprise to version 15.3.4 or later.
Upgrade GitLab Enterprise to version 15.4.1 or later.
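To apply the ranges above to an inventory of instances, the following check is an added example, not code from the advisory or from GitLab. It uses the three bounded ranges listed (identical for Community and Enterprise) and assumes version strings of the form "15.3.3-ee"; the hostnames and versions in the sample inventory are constructed.

```python
import re

# (first affected, first fixed) pairs from the advisory; CE and EE ranges are identical.
AFFECTED_RANGES = [
    ((12, 6, 0), (15, 2, 5)),
    ((15, 3, 0), (15, 3, 4)),
    ((15, 4, 0), (15, 4, 1)),
]

# Constructed sample inventory: hostnames and versions are illustrative only.
INVENTORY = {
    "gitlab-a.example.internal": "15.3.3-ee",
    "gitlab-b.example.internal": "15.4.1",
    "gitlab-c.example.internal": "14.10.5",
    "gitlab-d.example.internal": "15.2.5-ee",
    "gitlab-e.example.internal": "unknown",
}

def parse_version(raw):
    """Turn '15.3.3-ee', 'v15.4.0' or '15.3' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"\s*v?(\d+)\.(\d+)(?:\.(\d+))?", raw)
    if not m:
        raise ValueError(f"unrecognised version string: {raw!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)

def assess(raw):
    """Return (affected, minimum patched release for that range or None)."""
    version = parse_version(raw)
    for first_affected, first_fixed in AFFECTED_RANGES:
        if first_affected <= version < first_fixed:
            return True, ".".join(map(str, first_fixed))
    return False, None

def audit(inventory):
    """Classify every host; unparseable versions are flagged for manual review, not passed."""
    report = {}
    for host, raw in inventory.items():
        try:
            affected, target = assess(raw)
            report[host] = "UPGRADE to >= " + target if affected else "ok"
        except ValueError:
            report[host] = "REVIEW (version not parseable)"
    return report

if __name__ == "__main__":
    for host, status in audit(INVENTORY).items():
        print(f"{host:30} {INVENTORY[host]:12} {status}")
```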