
Cloud Vulnerability DB
A community-led vulnerabilities database
Improper control of a resource identifier in the Error Tracking functionality of GitLab CE/EE, affecting all versions from 12.7 before 15.2.5, 15.3 before 15.3.4, and 15.4 before 15.4.1, allows an authenticated attacker to generate content that causes a victim to make unintended arbitrary requests against the GitLab instance. The vulnerability was reported by @joaxcar through GitLab's HackerOne bug bounty program and was assigned CVE-2022-3060 (GitLab Security Release).
The root cause is insufficient validation of error IDs in the Error Tracking feature. When error tracking is enabled for a project, the error ID returned in the Sentry server's response is interpolated directly into the URLs behind the error page's action buttons, with no format check and no encoding. An attacker who can control that response (the page's error-tracking integration points at a configurable Sentry server) can supply an ID containing path-traversal sequences such as '../../../../api/v4/'; when the victim clicks an action button, the browser resolves the traversal and issues a PUT request to an attacker-chosen path on the same GitLab instance. The vulnerability has a CVSS v3.1 score of 7.3 (High) with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N (GitLab Security Release).
Because the forged PUT request is sent by GitLab's own frontend from the victim's session, it carries the victim's authentication, and its effect is bounded only by what the victim is allowed to do. Reported impacts include privilege escalation to administrator status, unauthorized membership changes in groups, and modification of project or group visibility settings (HackerOne Report). The most severe outcomes therefore require the attacker to lure a sufficiently privileged user, such as an instance administrator or a group owner, into clicking the crafted action button; the CVSS vector reflects this with UI:R.
The vulnerability is patched in GitLab versions 15.4.1, 15.3.4, and 15.2.5. Organizations running affected self-managed versions should upgrade to one of these releases as soon as possible; until then, disabling error tracking on projects whose Sentry configuration is not fully trusted limits exposure. GitLab.com has already been updated with the security fix (GitLab Security Release).
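The following is an added example, not GitLab's code, showing the class of bug described above: a resource identifier from an untrusted upstream response interpolated into a request path, beside a hardened builder that enforces the identifier's format, encodes it, and checks that the browser-resolved path still sits under the intended prefix. The route shape `<project>/-/error_tracking/<id>.json`, the origin, and the traversal target `/api/v4/projects/1` are assumptions chosen for illustration, not endpoints the advisory names.

```javascript
// Added example (not GitLab's code). Demonstrates how an unvalidated error ID
// turns a fixed action URL into an arbitrary same-origin PUT, and how to
// close that hole. Route shape, origin and target path are assumptions.

const ORIGIN = "https://gitlab.example.com"; // constructed, illustrative

// Vulnerable pattern: the ID taken from the upstream (Sentry) response is
// dropped straight into the path with no format check and no encoding.
function buildUpdateUrlVulnerable(projectPath, errorId) {
  return `/${projectPath}/-/error_tracking/${errorId}.json`;
}

// Resolve a path exactly as the browser will before the request is sent,
// so ".." segments are collapsed and we see the real destination.
function resolvedPath(path) {
  return new URL(path, ORIGIN).pathname;
}

// Hardened pattern:
//  1. the ID must match the identifier format we expect (digits only);
//  2. it is percent-encoded regardless, so "/" or ".." cannot form segments;
//  3. the browser-resolved path must still start with the intended prefix.
// Returns null (caller should refuse to render the button) on any failure.
function buildUpdateUrlSafe(projectPath, errorId) {
  if (typeof errorId !== "string" && typeof errorId !== "number") return null;
  const id = String(errorId);
  if (!/^\d{1,20}$/.test(id)) return null;
  const prefix = `/${projectPath}/-/error_tracking/`;
  const path = `${prefix}${encodeURIComponent(id)}.json`;
  if (!resolvedPath(path).startsWith(prefix)) return null;
  return path;
}

// Constructed IDs: a benign one and one carrying a traversal payload.
const BENIGN_ID = "12345";
const TRAVERSAL_ID = "../../../../api/v4/projects/1";

// Convenience for the reader: where would each builder send the PUT?
function demo() {
  return {
    vulnerableBenign: resolvedPath(buildUpdateUrlVulnerable("group/project", BENIGN_ID)),
    vulnerableTraversal: resolvedPath(buildUpdateUrlVulnerable("group/project", TRAVERSAL_ID)),
    safeBenign: buildUpdateUrlSafe("group/project", BENIGN_ID),
    safeTraversal: buildUpdateUrlSafe("group/project", TRAVERSAL_ID),
  };
}

console.log(demo());
```

Note that with the vulnerable builder, the traversal ID resolves to `/api/v4/projects/1.json`, a path outside the error-tracking route entirely; the trailing `.json` is whatever the template appends, and an attacker simply chooses an ID whose resolved path tolerates it. Both the format check and the prefix check are worth keeping: the regex is the primary control, and the post-resolution prefix check catches mistakes if the allowed ID format is ever loosened.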
Source: This report was generated using AI