CVE-2022-2533: 
GitLab vulnerability analysis and mitigation

An authentication bypass vulnerability (CVE-2022-2533) was discovered in GitLab affecting versions from 12.10 before 15.1.6, 15.2 before 15.2.4, and 15.3 before 15.3.2. The vulnerability stems from GitLab's failure to properly authenticate Package Registry access when IP address restrictions were configured (GitLab Release).

The vulnerability is classified as a medium severity issue with a CVSS v3.1 base score of 6.5 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N). The issue is categorized under CWE-287 (Improper Authentication). The vulnerability specifically affects GitLab's Package Registry authentication mechanism when IP address restrictions are in place (NVD).

The vulnerability allows an attacker who already possesses a valid Deploy Token to misuse it from any location, effectively bypassing configured IP address restrictions. This could lead to unauthorized access to package registry resources from unrestricted IP addresses (GitLab Release).

The vulnerability has been patched in GitLab versions 15.3.2, 15.2.4, and 15.1.6. Users are strongly recommended to upgrade to these versions or later to mitigate the vulnerability. GitLab.com was immediately updated with the patched version (GitLab Release).