CVE-2022-1111: 
GitLab vulnerability analysis and mitigation

A business logic error was identified in GitLab CE/EE's Project Import functionality, tracked as CVE-2022-1111. The vulnerability affects GitLab versions 14.9 prior to 14.9.2, 14.8 prior to 14.8.5, and 14.0 prior to 14.7.7. Under certain conditions, this vulnerability caused imported projects to display incorrect user information in the 'Access Granted' column within project membership pages (NVD, CVE Mitre).

The vulnerability has been assigned a CVSS v3.1 base score of 2.7 (Low) by NIST with a vector string of CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N. GitLab Inc. assessed it slightly lower at 2.4 (Low) with a vector string of CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N. The CVSS v2.0 base score is 3.5 (Low) with a vector string of (AV:N/AC:M/Au:S/C:N/I:P/A:N) (NVD).

The vulnerability's impact is limited to displaying incorrect user information in the 'Access Granted' column of project membership pages for imported projects. This represents a low-severity information integrity issue that could potentially lead to confusion regarding project access permissions (NVD).

The vulnerability has been addressed in GitLab versions 14.9.2, 14.8.5, and 14.7.7. Users are advised to upgrade to these or later versions to resolve the issue. The fix has been confirmed in Debian's security tracker, where version 17.3.5-3 includes the necessary patches (Debian Tracker).