CVE-2021-22260: 
GitLab vulnerability analysis and mitigation

A stored Cross-Site Scripting (XSS) vulnerability was identified in GitLab's DataDog integration, tracked as CVE-2021-22260. The vulnerability affects all versions of GitLab CE/EE starting from 13.7 before 14.0.9, all versions starting from 14.1 before 14.1.4, and all versions starting from 14.2 before 14.2.2. This security flaw was discovered and reported through GitLab's bug bounty program on HackerOne (GitLab Issue, CVE Mitre).

The vulnerability exists in the DataDog integration's API key URL generation functionality. The apikeysurl method does not properly sanitize the datadog_site parameter before rendering it in the interface. This oversight allows for the injection of malicious JavaScript code through the Datadog site field in the integration settings (GitLab Issue).

When successfully exploited, this vulnerability allows an attacker to execute arbitrary JavaScript code in the context of the victim's browser session. The vulnerability specifically affects maintainers and owners of GitLab projects who have access to the DataDog Integration settings (GitLab Issue).

The vulnerability has been fixed in GitLab versions 14.0.9, 14.1.4, and 14.2.2. Users are advised to upgrade to these or newer versions to protect against this vulnerability. The fix involves proper sanitization of the datadog_site parameter in the DataDog integration (Debian Tracker).