This issue has been fixed in GitLab 15.3.3. To upgrade your installation, follow these steps: In the main menu, click Upgrade. In the Upgrade Guide section, click upgrade from GitLab version to version.

Impact: Access to the Incidents timeline is possible for all users, even if those users do not have permission to view other team members’ timelines.

An improper access control issue in GitLab EE/EE+, affecting all versions starting from 15.2 before 15.2.4 and all versions starting from 15.3 before 15.3.2, allows disclosure of confidential information via the Incident details.

Impact: Access to the Incident details is possible for all users, even if those users do not have permission to view other team members’ details.

An improper access control issue in GitLab

GitLab Core Issue

A vulnerability in GitLab EE/EE+ before 15.2.4, and all versions from 15.3 before 15.3.2, could allow disclosure of confidential information via the Incident details by adding a user to, or removing a user from, a project whose visibility level is "Private".

Isolation of the issue has begun.

How to verify if you are affected

GitLab version and update history

GitLab EE/EE+ 15.2 introduced
GitLab EE/EE+ 15.3 introduced
GitLab 15.3 introduced
GitLab EE/EE+ 5.3 introduced
GitLab EE/EE+ 5.4 introduced
GitLab EE/EE+ 6.0 introduced

Timeline

Published on: 10/17/2022 16:15:00 UTC
Last modified on: 10/19/2022 18:00:00 UTC