CVE-2022-2227: 
GitLab vulnerability analysis and mitigation

CVE-2022-2227 is a security vulnerability discovered in GitLab CE/EE affecting all versions prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1. The vulnerability involves improper access control in the runner jobs API that allows previous project maintainers to access job and project metadata under specific conditions. This vulnerability was disclosed on July 1, 2022 (NVD, GitLab Release).

The vulnerability stems from an improper access control implementation in GitLab's runner jobs API. The issue occurs when a user who was previously a maintainer of a project with a specific runner can continue to access job and project metadata through the /runners/:id/jobs endpoint, even after their access to the project has been revoked. The vulnerability has been assigned a CVSS v3.1 Base Score of 4.3 (MEDIUM) by NVD and 3.1 (LOW) by GitLab Inc., with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N (NVD).

The vulnerability allows unauthorized access to sensitive project information. Specifically, former project maintainers can continue to access job and project metadata through the runner jobs API even after their access has been revoked. This could lead to the exposure of confidential project information and metadata (GitLab Release).

The vulnerability has been fixed in GitLab versions 14.10.5, 15.0.4, and 15.1.1. Organizations are strongly recommended to upgrade to these or later versions to mitigate the vulnerability. The fix was released as part of GitLab's June 2022 critical security release (GitLab Release).