CVE-2022-0154: 
GitLab vulnerability analysis and mitigation

GitLab was discovered to have a vulnerability (CVE-2022-0154) affecting all versions from 7.7 before 14.4.5, versions 14.5.0 before 14.5.3, and versions 14.6.0 before 14.6.2. The vulnerability was related to a Cross-Site Request Forgery (CSRF) attack that allowed malicious users to have their GitHub project imported on another GitLab user account. The issue was disclosed on January 11, 2022, and affected both GitLab Community Edition (CE) and Enterprise Edition (EE) (GitLab Release, CERT-EU).

The vulnerability was classified as a high severity issue with a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H. The core issue stemmed from the lack of a state parameter in the GitHub import project OAuth functionality, which made it susceptible to Cross-Site Request Forgery attacks. The vulnerability was categorized under CWE-352 (Cross-Site Request Forgery) (NVD).

The vulnerability allowed attackers to connect their GitHub account to a victim's GitLab import project function indefinitely. Once exploited, there was no option to disconnect the GitHub account from this function, potentially leading to unauthorized project imports and account manipulation (CERT-EU).

The vulnerability was patched in GitLab versions 14.6.2, 14.5.3, and 14.4.5. Users were strongly recommended to upgrade to these versions immediately. GitLab.com was already running the patched version at the time of disclosure (GitLab Release).

The vulnerability was initially reported through GitLab's HackerOne bug bounty program by researcher aryan2808. GitLab addressed this security issue as part of their regular security release cycle, demonstrating their commitment to maintaining strong security standards (GitLab Release).