CVE-2021-22224: 
GitLab vulnerability analysis and mitigation

A cross-site request forgery (CSRF) vulnerability was identified in GitLab's GraphQL API (CVE-2021-22224). The vulnerability affects GitLab versions since 13.12 and before versions 13.12.6 and 14.0.2. This security issue was disclosed on July 7, 2021, allowing attackers to execute mutations as the victim through the GraphQL API (MITRE CVE, NVD).

The vulnerability stems from improper CSRF protection in GitLab's GraphQL API endpoint. Specifically, when sending GET requests, the backend did not enforce the X-CSRF-Token header verification, which is normally required for POST requests. This oversight in the security implementation allowed attackers to bypass the existing CSRF protection mechanisms. The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) by NIST and 7.1 (High) by GitLab Inc., with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N (NVD).

The vulnerability allows attackers to execute unauthorized mutations through the GraphQL API by bypassing CSRF protections. When exploited, attackers could perform actions on behalf of authenticated users, such as creating snippets or executing other GraphQL mutations without the victim's knowledge or consent (GitLab Issue).

The vulnerability has been fixed in GitLab versions 13.12.6 and 14.0.2. Users are advised to upgrade to these or later versions to protect against this CSRF vulnerability (MITRE CVE).