This issue was fixed in GitLab starting from 15.2.4; installations of the affected versions are vulnerable. Users of affected versions are recommended to upgrade as soon as possible.
Now let’s see what exactly happened and how to fix it. When you create an application in GitLab, you need to specify a unique name and also a unique package name.

This package name is what is stored in the Package Registry as soon as you create an application. So when you deploy an application, GitLab checks if it has already been deployed. If it has, it won’t create a new one.

This is the root of the issue. When you restrict access to the Package Registry, GitLab won’t create new applications. As a result, restricted users won’t be able to deploy applications.

How do you fix this issue? You can restrict access to the Package Registry in GitLab by setting the following in the GitLab.com settings:

1. Go to the Admin section of your GitLab.com account
2. In the Admin section, select Settings > Applications
3. Next to Your applications, click + Add application
4. In the Application type field, select Restricted. Choose a unique name for your application and then write a unique package name that you want to use. Then click Save application

Now you can deploy an application without being blocked by the Package Registry in GitLab.

Learning path for GitLab.com

1. Go to the "Settings" menu
2. Scroll down to "Package Registry"
3. Set the access level to "View and Edit Packages Only"

Configure GitLab.com settings to restrict access to the Package Registry

In GitLab.com, go to Settings > General and then click on the Site access option.
On the Sites tab, you can change this setting.

Set up GitLab.com with HTTPS

We recommend that you use HTTPS for GitLab.com for a more secure connection to the GitLab application. Set up your server to use HTTPS.

Add the following line in gitlab.com file security: access-control: - package-registry

Timeline

Published on: 10/17/2022 16:15:00 UTC
Last modified on: 10/19/2022 16:51:00 UTC
