CVE-2022-1460: 
GitLab vulnerability analysis and mitigation

An authorization vulnerability was discovered in GitLab affecting all versions from 9.2 before 14.8.6, versions from 14.9 before 14.9.4, and versions from 14.10 before 14.10.1. The vulnerability was identified and tracked as CVE-2022-1460. The core issue stemmed from GitLab not performing correct authorizations on scheduled pipelines, which could allow a malicious user to run a pipeline in the context of another user (MITRE CVE, NVD).

The vulnerability has been assigned a CVSS v3.1 Base Score of 4.9 (MEDIUM) by NIST with the vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N, while GitLab Inc. assessed it with a score of 6.1 (MEDIUM) with the vector CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N. The vulnerability is classified under CWE-863 (Incorrect Authorization). The issue specifically affects both Community and Enterprise editions of GitLab (NVD).

The vulnerability allows a malicious user to execute scheduled pipelines using another maintainer's CI_JOB_TOKEN, potentially leading to unauthorized pipeline execution under the context of different users. Additionally, it enables Maintainer B to edit pipeline schedules created by Maintainer A without their knowledge or consent (GitLab Issue).

The vulnerability has been fixed in GitLab versions 14.8.6, 14.9.4, and 14.10.1. Users are advised to upgrade to these or later versions. The fix includes implementing mandatory ownership verification for pipeline schedule updates and disallowing updates to schedules owned by other users (GitLab Issue).