CVE-2022-0244: 
GitLab vulnerability analysis and mitigation

An arbitrary file read vulnerability was discovered in GitLab CE/EE affecting all versions starting with 14.5. The vulnerability, identified as CVE-2022-0244, allowed unauthorized access to read arbitrary files through the group import feature due to incorrect file handling. The issue was discovered in January 2022 and was promptly addressed in GitLab's security release (GitLab Release).

The vulnerability existed in GitLab's bulk imports API, specifically in the UploadsPipeline component. The issue stemmed from the system's failure to remove symlinks when processing the uploads.tar.gz file during group imports. When extracting uploaded files, the untar_zxf function only changed permissions without properly handling symlinks, allowing them to remain in the extracted file paths. This oversight meant that symlinks would be followed and used as content for new files during the import process (GitLab Issue).

The vulnerability allowed attackers to read any file that the git user had read access to on the GitLab server. This included sensitive files such as secrets.yml and other configuration files containing critical system information. The issue received a CVSS score of 8.6 (Critical severity) with the vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N (GitLab Release).

The vulnerability was patched in GitLab versions 14.6.2, 14.5.3, and 14.4.5. GitLab strongly recommended that all installations running affected versions be upgraded to the latest version immediately. The fix involved proper handling of symlinks during the group import process (GitLab Release).

The vulnerability was initially reported through GitLab's HackerOne bug bounty program by security researcher 'vakzz'. GitLab responded promptly by releasing security patches and assigning it a critical severity rating, demonstrating their commitment to addressing security issues (GitLab Release).