CVE-2022-3331: 
GitLab vulnerability analysis and mitigation

An insecure direct object reference (IDOR) vulnerability was discovered in GitLab Enterprise Edition (EE) affecting all versions starting from 14.5 before 15.1.6, all versions starting from 15.2 before 15.2.4, and all versions starting from 15.3 before 15.3.2. The vulnerability exists in GitLab's Zentao integration feature, which could allow attackers to access project issues from other Zentao products that they shouldn't have access to (GitLab Release, CVE Mitre).

The vulnerability stems from GitLab's backend not properly validating the product ID when making requests to the Zentao API. When a user visits the Zentao integration issues page, GitLab makes API requests without verifying if the requested issue belongs to the configured product. This allows attackers to enumerate and access issues from any product by manipulating the issue IDs in the URL, as Zentao uses an incremental naming system for issues across all products (e.g., bug-1, bug-2, etc.). The vulnerability has been assigned a CVSS score of 3.5 (Low) with vector CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N (GitLab Release).

The vulnerability allows authenticated users to access Zentao project issues from other products that they should not have access to. If the GitLab project is public, the vulnerability can be exploited by unauthenticated users to view issues from any product connected to the Zentao instance (GitLab Issue).

The vulnerability has been patched in GitLab versions 15.1.6, 15.2.4, and 15.3.2. Users are strongly recommended to upgrade to these or later versions immediately. GitLab.com has already been updated with the patched version (GitLab Release).

The vulnerability was responsibly disclosed through GitLab's HackerOne bug bounty program by researcher joaxcar. GitLab addressed the issue in their August 2022 security release (GitLab Release).