CVE-2022-3902: 
GitLab vulnerability analysis and mitigation

An issue was discovered in GitLab affecting all versions starting from 9.3 before 15.4.6, all versions starting from 15.5 before 15.5.5, and all versions starting from 15.6 before 15.6.1. The vulnerability allowed project maintainers to unmask webhook secret tokens by reviewing the logs after testing webhooks (GitLab Release, CVE Mitre).

The vulnerability is classified as a medium severity issue with a CVSS score of 5.5 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N). The issue stems from webhook logs exposing secret tokens in plain text when project maintainers review logs after testing webhooks. Despite UI improvements to hide secrets in input fields, the webhook logs at the same page still contained the secret in plain text, particularly in the X-Gitlab-Token HTTP header (GitLab Release).

The exposure of webhook secret tokens could allow unauthorized project maintainers to gain access to these secrets, potentially enabling them to spoof requests to the receiving server. This creates a security risk where maintainers who shouldn't have access to the receiving service could potentially manipulate or abuse the webhook functionality (GitLab Issue).

The vulnerability has been patched in GitLab versions 15.4.6, 15.5.5, and 15.6.1. Organizations running affected versions should upgrade to these patched versions or later to mitigate the risk. GitLab.com was promptly updated to run the patched version (GitLab Release).