CVE-2022-3486: 
GitLab vulnerability analysis and mitigation

An open redirect vulnerability was discovered in GitLab Enterprise Edition (EE) and Community Edition (CE) affecting all versions from 9.3 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2. The vulnerability was disclosed on November 2, 2022, and was assigned CVE-2022-3486 (GitLab Security Release, NVD).

The vulnerability allows an attacker to redirect users to an arbitrary location if they trust the URL. The issue has been assigned a CVSS v3.1 base score of 4.7 (Medium) with the following vector: AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N. The vulnerability is classified as CWE-601: URL Redirection to Untrusted Site ('Open Redirect') (NVD).

When exploited, this vulnerability could allow attackers to redirect users to malicious websites, potentially leading to phishing attacks or other social engineering attempts. The impact is particularly significant because it affects both Enterprise and Community editions of GitLab (GitLab Security Release).

The vulnerability has been fixed in GitLab versions 15.3.5, 15.4.4, and 15.5.2. Users are strongly recommended to upgrade to these or later versions immediately. GitLab.com has already been updated with the patched version (GitLab Security Release).

The vulnerability was reported through GitLab's HackerOne bug bounty program by security researcher ryotak. GitLab addressed this vulnerability as part of their regular security release cycle (GitLab Security Release).