CVE-2022-2417: 
GitLab vulnerability analysis and mitigation

CVE-2022-2417 affects GitLab CE/EE versions from 12.10 prior to 15.0.5, 15.1 prior to 15.1.4, and 15.2 prior to 15.2.1. The vulnerability was discovered internally by the GitLab team and publicly disclosed on July 28, 2022 (GitLab Release).

The vulnerability stems from insufficient validation in GitLab's import functionality when using the git protocol. The issue allows an authenticated and authorized user to import a project that includes branch names which are 40 hexadecimal characters in length. The CVSS v3.1 base score is 6.2 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:N/I:H/A:N (NVD).

This vulnerability could be exploited in supply chain attacks where a victim has pinned to a specific Git commit of the project. The impact is particularly concerning as it bypasses GitLab's normal security checks that prevent the creation of potentially dangerous branch names (GitLab Release).

GitLab has addressed this vulnerability in versions 15.0.5, 15.1.4, and 15.2.1. Organizations should upgrade to these or later versions immediately. The fix involves implementing the same security checks for git protocol imports that are applied to normal push operations, including git fsck and prohibited branch checks (GitLab Release).