CVE-2022-3279: 
GitLab vulnerability analysis and mitigation

An unhandled exception in job log parsing in GitLab CE/EE affecting all versions prior to 15.2.5, 15.3 prior to 15.3.4, and 15.4 prior to 15.4.1 allows an attacker to prevent access to job logs (GitLab Release, CVE Mitre).

The vulnerability stems from an unhandled exception in the job log parsing functionality. When processing custom collapsible sections in CI job traces, the system fails to properly handle out-of-bounds timestamps, leading to a service disruption. The issue has been assigned a CVSS v3.1 score of 2.7 (AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L), indicating low severity (NVD NIST).

The vulnerability allows attackers with Developer-role permissions or above to prevent their job trace from being reviewed or audited by other users. This could potentially be exploited to hide malicious activities within CI/CD jobs. Additionally, in the context of supply-chain attacks, this vulnerability could be used by attackers to remain undetected for longer periods by making job traces inaccessible (GitLab Issue).

The vulnerability has been fixed in GitLab versions 15.2.5, 15.3.4, and 15.4.1. The fix involves implementing a limit on the duration value before extracting time parts, clamping it to a maximum of 1 year (GitLab Release).