CVE-2022-3870: 
GitLab vulnerability analysis and mitigation

GitLab CE/EE versions starting from 10.0 before 15.5.7, 15.6 before 15.6.4, and 15.7 before 15.7.2 were affected by a vulnerability that allowed unauthenticated users to download user avatars using victim's user ID on private instances that restrict public level visibility. The vulnerability was discovered through GitLab's HackerOne bug bounty program by researcher nocasis and was assigned CVE-2022-3870 (GitLab Security).

The vulnerability is an Insecure Direct Object Reference (IDOR) issue that allows unauthorized access to user avatars through a direct URL path. The vulnerable endpoint was '/uploads/-/system/user/avatar/{user_id}/avatar.png', which could be accessed without authentication. The severity was rated as medium with a CVSS score of 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) (GitLab Security).

The vulnerability allowed attackers to enumerate through user IDs and retrieve avatar images without authorization, even in private GitLab instances. This could lead to privacy violations, enabling attackers to gather information about employees through their leaked avatars and potentially determine the number of engineers in an organization (GitLab Issue).

The vulnerability was patched in GitLab versions 15.7.2, 15.6.4, and 15.5.7. Organizations running affected versions were strongly recommended to upgrade to these patched versions immediately. GitLab.com was already running the patched version at the time of disclosure (GitLab Security).