CVE-2022-2428: 
GitLab vulnerability analysis and mitigation

A vulnerability was discovered in GitLab's Jupyter Notebook viewer affecting GitLab Enterprise Edition (EE) and Community Edition (CE) versions before 15.1.6, 15.2 to 15.2.4, and 15.3 to 15.3.2. The vulnerability allows attackers to issue arbitrary HTTP requests through crafted tags in .ipynb notebook files (GitLab Release, NVD).

The vulnerability stems from insufficient sanitization of form tags in the Jupyter Notebook viewer. Attackers could introduce malicious form elements that enable sending arbitrary POST requests to the server. Additionally, PUT, DELETE, and PATH requests could be achieved by manipulating the _method field. The vulnerability was assigned a CVSS v3.1 score of 6.4 (Medium severity) with attack vector parameters AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N (GitLab Release).

The vulnerability could allow attackers to trick users into performing unintended actions, including elevating attacker privileges to admin level, adding attackers to private groups, or adding unauthorized SSH keys. The attack could be triggered when users click anywhere on a compromised notebook page (HackerOne Issue).

GitLab has addressed this vulnerability in versions 15.1.6, 15.2.4, and 15.3.2. Users are strongly recommended to upgrade to these or later versions immediately. The fix involves proper sanitization of form tags in the Jupyter Notebook viewer (GitLab Release).

The vulnerability was responsibly disclosed through GitLab's HackerOne bug bounty program by researcher yvvdwf. GitLab addressed the issue promptly and included it in their August 2022 security release (GitLab Release).