CVE-2022-2455: 
GitLab vulnerability analysis and mitigation

A business logic issue was identified in GitLab CE/EE (CVE-2022-2455) affecting all versions from 10.0 before 15.1.6, versions from 15.2 before 15.2.4, and versions from 15.3 before 15.3.2. The vulnerability was discovered and disclosed in August 2022, impacting the handling of large repositories in GitLab's platform (GitLab Release).

The vulnerability stems from a business logic flaw in how GitLab handles large repositories, specifically related to Gitaly.GetTreeEntries calls. The issue allows authenticated and authorized users to exhaust server resources through the importation of malicious projects. The vulnerability has been assigned a medium severity rating with a CVSS score of 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) (GitLab Release).

When exploited, this vulnerability could lead to denial of service conditions by allowing attackers to exhaust server resources. The impact is primarily focused on system availability, as authenticated users could potentially disrupt server operations through the manipulation of repository imports (GitLab Release).

GitLab has addressed this vulnerability in versions 15.1.6, 15.2.4, and 15.3.2. Organizations are strongly recommended to upgrade to these or later versions to mitigate the risk. The fix was released as part of a critical security update that addressed multiple vulnerabilities (GitLab Release).

The vulnerability was responsibly disclosed through GitLab's HackerOne bug bounty program by security researcher 0xn3va. GitLab acknowledged and addressed the issue promptly as part of their security release cycle (GitLab Release).