CVE-2022-4462: 
GitLab vulnerability analysis and mitigation

An issue has been discovered in GitLab affecting all versions starting from 12.8 before 15.7.8, all versions starting from 15.8 before 15.8.4, and all versions starting from 15.9 before 15.9.2. The vulnerability allows users to unmask Discord Webhook URLs through viewing raw API responses (GitLab Release, CVE Mitre).

The vulnerability is classified as a medium severity issue with a CVSS score of 5.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N). The issue specifically relates to the exposure of sensitive integration settings at the group level, where project maintainers could access Discord Webhook URLs through the API despite these being hidden in the UI (GitLab Release).

When exploited, this vulnerability could allow project maintainers to gain unauthorized access to Discord Webhook URLs configured at the group level. These webhook URLs are sensitive as they allow direct access to Discord channels and the ability to send messages without additional authentication (GitLab Issue).

The vulnerability has been patched in GitLab versions 15.7.8, 15.8.4, and 15.9.2. Organizations running affected versions should upgrade to one of these patched versions immediately (GitLab Release).

The vulnerability was responsibly disclosed through GitLab's HackerOne bug bounty program by researcher vaib25vicky (GitLab Release).