CVE-2022-2459: 
GitLab vulnerability analysis and mitigation

CVE-2022-2459 is a security vulnerability discovered in GitLab affecting all versions before 15.0.5, all versions starting from 15.1 before 15.1.4, and all versions starting from 15.2 before 15.2.1. The vulnerability was reported through GitLab's HackerOne bug bounty program by researcher justas_b and was disclosed on July 28, 2022 (GitLab Release).

The vulnerability allows email-invited members to join a project even after the Group Owner has enabled the setting to prevent members from being added to projects in a group, if the invite was sent before the setting was enabled. This is classified as a low severity issue with a CVSS score of 2.7 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N) (GitLab Release).

The impact of this vulnerability is that it bypasses the member lock security control, allowing unauthorized access to projects even after restrictions have been put in place. This could potentially lead to unauthorized project access when administrators believe access has been restricted (GitLab Release).

The vulnerability has been fixed in GitLab versions 15.0.5, 15.1.4, and 15.2.1. Organizations are strongly recommended to upgrade to one of these patched versions immediately. GitLab.com has already been updated with the patched version (GitLab Release).