CVE-2022-3325: 
GitLab vulnerability analysis and mitigation

Improper access control vulnerability was discovered in GitLab CE/EE API affecting all versions from 12.8 before 15.2.5, all versions from 15.3 before 15.3.4, and all versions from 15.4 before 15.4.1. The vulnerability allowed unauthorized users to edit approval rules via the API (GitLab Advisory).

The vulnerability was assigned CVE-2022-3325 with a CVSS v3.1 base score of 4.3 (MEDIUM) according to NVD assessment (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N). GitLab's own assessment rated it lower at 2.7 (LOW) with vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N. The vulnerability specifically affected the instance-level setting 'Prevent editing approval rules in projects and merge requests' which failed to properly enforce API-level restrictions (NVD).

The vulnerability allowed maintainers to bypass approval rule restrictions by editing them through the API, even when the instance-level setting was configured to prevent such modifications. This could potentially compromise the integrity of the project's approval workflow (GitLab Issue).

The vulnerability was addressed in GitLab versions 15.2.5, 15.3.4, and 15.4.1. Users are advised to upgrade to these or later versions to receive the security fix (NVD).