This issue has been fixed in 15.2.6, 15.3.5, and 15.4.0. Upgrading to one of these versions is strongly advised. It was possible for a user with the “Manage team members” permission to see other teams’ notes and be invited to them. This was fixed in GitLab 15.0 and later.

It was also possible for a user with the “Create issues” permission to create an issue targeting an inaccessible note in GitLab EE/EEA. This issue has been fixed in 15.3.4 and later. Upgrading to one of these versions is strongly advised.

General Information about CVE-2022-3330

CVE-2022-3330 is a vulnerability in GitLab EE/EEA that could allow an attacker to access private notes. A user with the “Manage team members” permission could see other teams’ notes and be invited to them; this was fixed in GitLab 15.0 and later. In GitLab EE/EEA it was also possible for a user with the “Create issues” permission to create an issue targeting an inaccessible note; this was fixed in 15.3.4 and later. Upgrading to one of these versions is strongly advised.

What to do if you are currently running an older version of Gitlab

If you are currently running a version of GitLab older than 15.2.7 and you have already received this warning, then it is likely that your company has already upgraded to the latest version of GitLab or will be automatically upgraded soon by our auto-update mechanism. If not, please upgrade as soon as possible and follow these instructions:

GitLab upgrade instructions

GitLab CI/CD: The Basics
GitLab Continuous Integration (CI) is the process of automatically testing and building your project’s code every time you push a change. With GitLab CI, you can run the tests for your project in parallel across multiple environments, increasing the reliability of your software. With GitLab Continuous Delivery (CD), you can automate deployments to any environment, from staging servers to production servers, including Docker containers.

Timeline

Published on: 10/17/2022 16:15:00 UTC
Last modified on: 10/20/2022 14:32:00 UTC