CVE-2022-1783: 
GitLab vulnerability analysis and mitigation

An issue has been discovered in GitLab CE/EE affecting all versions starting from 14.3 before 14.9.5, all versions starting from 14.10 before 14.10.4, and all versions starting from 15.0 before 15.0.1. The vulnerability allows malicious group maintainers to bypass group member lock settings and add new members to a project within their group through the REST API, even after their group owner enabled a setting to prevent members from being added to projects within that group (GitLab Release).

The vulnerability has been assigned a CVSS v3.1 base score of 2.7 (LOW) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N. This indicates that the vulnerability requires network access, low attack complexity, and high privileges to exploit, with no user interaction required. The scope is unchanged, and the impact is limited to integrity with no effect on confidentiality or availability (NVD Database).

The vulnerability allows attackers with group maintainer privileges to circumvent security controls by adding new members to projects within their group through the REST API, even when the group owner has explicitly disabled this capability through group settings (GitLab Release).

The vulnerability has been patched in GitLab versions 15.0.1, 14.10.4, and 14.9.5. Organizations are strongly recommended to upgrade to one of these versions immediately to mitigate the vulnerability. GitLab.com has already been updated with the patched version (GitLab Release).

The vulnerability was reported through GitLab's HackerOne bug bounty program by security researcher salh4ckr, demonstrating the effectiveness of GitLab's security response program (GitLab Release).