or when their git user name matches the previous maintainer's name. This can expose sensitive data, such as the private keys of encrypted repository objects, to the public. Note that access to the metadata cannot be used to access project data or run jobs; it only allows viewing metadata. Access to the Runner Jobs API through improper means can lead to data being exposed or altered, which in turn can lead to a security incident. This can be mitigated by ensuring that access to the Runner Jobs API is restricted to users who have a legitimate reason to access this data. PR 18585

Impaired access control for the Runner Jobs API in GitLab EE/EE affecting all versions prior to 15.0.5, 15.1 prior to 15.1.2, and 16.0 prior to 16.0.1 allows a previous maintainer of a project with a specific runner to access job and project metadata under certain conditions.

What is the Runner Jobs API?

The Runner Jobs API provides a way for GitLab to manage jobs and projects on behalf of users. It provides an interface for running jobs as well as for viewing project metadata, such as information about the maintainer of a project. GitLab has implemented access control for the Runner Jobs API based on two separate criteria:
- The user accessing the job or project is a designated owner
- The user accessing the job or project matches the previous maintainer's name
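To make the difference between the two criteria concrete, here is a constructed toy model of the access decision, added for illustration; it is not GitLab's code, and the `Project` fields, role names and user names are assumptions. The weak check accepts a client-supplied git user name that matches a former maintainer, while the hardened check decides on current membership and role only.

```python
from dataclasses import dataclass, field


# Constructed model of the authorization decision; not GitLab's code.
@dataclass
class Project:
    owner: str
    members: dict = field(default_factory=dict)             # username -> current role (assumed)
    previous_maintainers: set = field(default_factory=set)  # names of removed maintainers


def weak_can_view_job_metadata(project: Project, username: str, git_name: str) -> bool:
    """Name-based check of the kind described above.

    The git user name is asserted by the client, so a removed maintainer,
    or anyone who sets the same name, still satisfies the second criterion.
    """
    if username == project.owner:
        return True
    return git_name in project.previous_maintainers


def hardened_can_view_job_metadata(project: Project, username: str) -> bool:
    """Decide on current membership and role only.

    Former membership and client-asserted names confer nothing: a removed
    maintainer is simply no longer present in `members`.
    """
    if username == project.owner:
        return True
    return project.members.get(username) in ("maintainer", "owner")


def demo() -> dict:
    """Constructed scenario: 'mallory' was a maintainer and was removed but
    keeps her old git user name; 'dave' sets the same git name; 'bob' is a
    current maintainer and 'carol' a current developer."""
    proj = Project(owner="alice",
                   members={"bob": "maintainer", "carol": "developer"},
                   previous_maintainers={"mallory"})
    return {
        "weak_removed_maintainer": weak_can_view_job_metadata(proj, "mallory", "mallory"),
        "weak_name_match": weak_can_view_job_metadata(proj, "dave", "mallory"),
        "hardened_removed_maintainer": hardened_can_view_job_metadata(proj, "mallory"),
        "hardened_current_maintainer": hardened_can_view_job_metadata(proj, "bob"),
        "hardened_developer": hardened_can_view_job_metadata(proj, "carol"),
        "hardened_owner": hardened_can_view_job_metadata(proj, "alice"),
    }
```

Only the two `hardened_*` members with a maintainer-or-higher role, plus the owner, are authorized; the name-based path lets both the removed maintainer and the impersonating name through.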

Fixed in versions 15.0.5, 15.1.2 and 16.0.1 (affected: all versions prior to 15.0.5, 15.1 prior to 15.1.2, and 16.0 prior to 16.0.1).

Timeline

Published on: 07/01/2022 16:15:00 UTC
Last modified on: 07/08/2022 17:38:00 UTC

References