
Cloud Vulnerability DB
A community-led vulnerabilities database
An issue has been discovered in GitLab affecting all versions starting from 15.3 before 15.7.8, all 15.8 versions before 15.8.4, and all 15.9 versions before 15.9.2. Google IAP details in the Prometheus integration were not hidden, which could leak account details from instance, group, or project settings to other users (GitLab Advisory).
The vulnerability has been assigned a CVSS v3.1 base score of 6.4 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N. The issue specifically relates to the Prometheus integration where Google IAP (Identity-Aware Proxy) credentials, including private tokens and other sensitive values, were left unmasked and accessible to unauthorized users (NVD).
When configured at the instance level by an administrator, the Google IAP credentials from the admin configuration become fully accessible to any other user in any project. The vulnerability allows unauthorized users to view and potentially exploit sensitive authentication information, including service account credentials (GitLab Advisory).
The vulnerability has been fixed in GitLab versions 15.7.8, 15.8.4, and 15.9.2. Organizations are strongly recommended to upgrade to one of these patched versions immediately. The fix ensures that sensitive integration information is properly masked, similar to how other credential fields are handled (GitLab Advisory).
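As an added check (not from the advisory or GitLab's own code), the following Ruby maps a GitLab version string, or the JSON body of GET /api/v4/version, onto the affected ranges listed above and reports the first fixed release to upgrade to; the sample API response body is constructed.

```ruby
require 'json'
require 'rubygems'

# Affected ranges from the advisory: [first affected (inclusive), first fixed (exclusive)].
AFFECTED_RANGES = [
  ['15.3.0', '15.7.8'],
  ['15.8.0', '15.8.4'],
  ['15.9.0', '15.9.2'],
].map { |lo, hi| [Gem::Version.new(lo), Gem::Version.new(hi)] }.freeze

# Normalises a GitLab version string to its numeric core. GitLab reports
# edition suffixes such as "15.8.3-ee"; Gem::Version would parse "-ee" as a
# prerelease tag and sort 15.8.4-ee below 15.8.4, mis-flagging a fixed
# instance, so the suffix is dropped before comparing.
def normalize_gitlab_version(version_string)
  core = version_string.to_s.strip[/\A\d+(?:\.\d+)*/]
  raise ArgumentError, "unrecognised GitLab version: #{version_string.inspect}" unless core
  Gem::Version.new(core)
end

# Returns the first fixed version to upgrade to if +version_string+ lies in an
# affected range, or nil if the instance is outside every affected range.
def fix_for_prometheus_iap_leak(version_string)
  v = normalize_gitlab_version(version_string)
  range = AFFECTED_RANGES.find { |lo, hi| v >= lo && v < hi }
  range && range[1].to_s
end

# Same check applied to the JSON body of GET /api/v4/version, which carries a
# "version" key alongside the revision.
def fix_for_api_version_body(json_body)
  fix_for_prometheus_iap_leak(JSON.parse(json_body).fetch('version'))
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample response, not captured from a real instance.
  sample = '{"version":"15.8.3-ee","revision":"0000000"}'
  fix = fix_for_api_version_body(sample)
  puts fix ? "affected: upgrade to #{fix}" : 'not in an affected range'
end
```

The check only covers the ranges named in this advisory; a version outside them may still be affected by other issues, so it complements rather than replaces a full upgrade review.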
Source: This report was generated using AI