CVE-2022-2761: An Information Disclosure Issue in GitLab CE/EE Affecting Versions 14.4 Prior to 15.3.5, 15.4 Prior to 15.4.4, and 15.5 Prior to 15.5.2

---
The Common Vulnerabilities and Exposures (CVE) has identified a new information disclosure issue, identified as CVE-2022-2761, in GitLab Community Edition (CE) and Enterprise Edition (EE). This vulnerability affects all versions of GitLab starting from 14.4, but it has been fixed in the latest versions 15.3.5, 15.4.4, and 15.5.2. We will discuss the details of this vulnerability, along with the code snippet that triggers it, and the links to original references.

Details

---
CVE-2022-2761 is an information disclosure vulnerability that exploits GitLab's integration with Jira, a popular project management and issue tracking software. In the vulnerable versions, an attacker can use GitLab Flavored Markdown (GFM) references in a Jira issue to disclose the names of resources they should not have access to, potentially gaining unauthorized access to sensitive information.

Code Snippet

---

Here's an example of a GFM reference that leads to the information disclosure

[Link to a private resource](gitlab-project-url/RESOURCE_NAME)

In this example, an attacker includes a GFM reference in a Jira issue, linking to the GitLab resource they don't have access to. When a user with the appropriate permissions views this Jira issue, their GitLab username and personal access token (PAT) may be used to make a request to display the resource. As a result, the resource's name is disclosed, even if the attacker does not have the necessary permissions to access it.

Exploit Details

---

To exploit this vulnerability, an attacker could

1. Insert a specially crafted GFM reference in a Jira issue comment, targeting the GitLab resource they don't have access to.
2. Wait for a user who has the necessary permissions to view the Jira issue and trigger the GitLab request.
3. Obtain the names of sensitive resources from the response, even if the attacker does not have the required permissions.

---
To learn more about this vulnerability and the fixes applied, you can read the following original references:

1. CVE-2022-2761 GitLab Advisory
2. GitLab 15.3.5 Release Notes
3. GitLab 15.4.4 Release Notes
4. GitLab 15.5.2 Release Notes

Conclusion

---
CVE-2022-2761 is a serious information disclosure issue that affects GitLab CE and EE versions from 14.4 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2. To protect your GitLab instances from this vulnerability, it is recommended to update them to the latest security release. Remember to follow best practices for application security and always stay up-to-date on the latest vulnerabilities and fixes.

Timeline

Published on: 11/09/2022 23:15:00 UTC
Last modified on: 11/11/2022 00:53:00 UTC