CVE-2022-0167: 
GitLab vulnerability analysis and mitigation

An issue has been discovered in GitLab affecting all versions starting from 14.0 before 14.4.5, all versions starting from 14.5.0 before 14.5.3, all versions starting from 14.6.0 before 14.6.2. GitLab was not disabling the Autocomplete attribute of fields related to sensitive information making it possible to be retrieved under certain conditions (GitLab Security, CVE Mitre).

The vulnerability is classified as a low severity issue with a CVSS score of 3.1 (CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N). The issue relates to the autocomplete function implemented by browsers, which allows storing form field values for automatic population. This feature creates a security risk as sensitive user data such as usernames, passwords, and access tokens could be stored locally (GitLab Security).

Sensitive data such as usernames, passwords, and access tokens could be retrieved locally via the browser's history if the local user's system is compromised. This vulnerability affects multiple pages including password reset, sign-in, sign-up, and user confirmation pages (GitLab Issue).

The vulnerability has been fixed in GitLab versions 14.4.5, 14.5.3, and 14.6.2. The recommended mitigation is to upgrade to one of these patched versions immediately. For forms containing sensitive information, the autocomplete option should be disabled on both the form and the sensitive fields (GitLab Security).

The vulnerability was discovered internally by the GitLab team and was addressed in a scheduled security release. GitLab.com was promptly updated to run the patched version (GitLab Security).