CVE-2022-1406: 
GitLab vulnerability analysis and mitigation

CVE-2022-1406 is a security vulnerability discovered in GitLab CE/EE affecting all versions from 8.12 prior to 14.8.6, all versions from 14.9.0 prior to 14.9.4, and 14.10.0. The vulnerability was disclosed on May 2, 2022, and involves improper input validation that allows a Developer to read protected Group or Project CI/CD variables by importing a malicious project (GitLab Release).

The vulnerability is classified as an improper input validation issue (CWE-20). It has been assigned a CVSS v3.1 Base Score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, indicating network accessibility, low attack complexity, and high confidentiality impact (NVD).

The vulnerability allows a user with Developer privileges to read protected Group or Project CI/CD variables, which are typically meant to be restricted. This could lead to unauthorized access to sensitive configuration data and credentials (GitLab Release).

The vulnerability has been fixed in GitLab versions 14.8.6, 14.9.4, and 14.10.1. Organizations are strongly recommended to upgrade to one of these patched versions immediately. GitLab.com was already running the patched version at the time of disclosure (GitLab Release).