CVE-2022-2882 in Community Editioninfo

Summary

by MITRE • 10/28/2022

An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.6 before 15.2.5, all versions starting from 15.3 before 15.3.4, all versions starting from 15.4 before 15.4.1. A malicious maintainer could exfiltrate a GitHub integration's access token by modifying the integration URL such that authenticated requests are sent to an attacker controlled server.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 05/28/2026

The vulnerability identified as CVE-2022-2882 represents a critical security flaw in GitLab Community Edition and Enterprise Edition platforms that affects multiple version ranges including all versions from 12.6 through 15.2.4, 15.3 through 15.3.3, and 15.4 through 15.4.0. This issue stems from inadequate input validation and authentication handling within GitLab's GitHub integration functionality, creating a pathway for privilege escalation attacks that could result in unauthorized access to sensitive credentials.

The technical implementation of this vulnerability allows a malicious user with maintainer-level privileges to exploit a design flaw in how GitLab handles GitHub integration URLs. When a maintainer modifies the integration URL configuration, the system fails to properly validate the target endpoint, enabling the attacker to redirect authenticated requests to a server they control. This flaw operates at the intersection of improper input validation and authentication bypass mechanisms, creating a vector where legitimate authentication tokens can be intercepted and exfiltrated from the targeted GitLab instance.

The operational impact of this vulnerability extends beyond simple credential theft, as it enables attackers to establish persistent access to integrated GitHub repositories and services. Once an attacker successfully exfiltrates a GitHub integration token, they can perform unauthorized operations including repository modifications, code commits, access to private repositories, and potentially escalate privileges within the integrated GitHub environment. This vulnerability directly aligns with CWE-20: Improper Input Validation and represents a significant concern for organizations that rely on GitLab for code management and CI/CD pipeline orchestration.

The exploitation of this vulnerability follows patterns consistent with attack techniques documented in the MITRE ATT&CK framework under the T1566: Phishing and T1078: Valid Accounts categories. Attackers can leverage this flaw to perform credential harvesting attacks where they manipulate integration settings to redirect traffic to malicious endpoints. The vulnerability's presence in multiple version streams indicates a systemic issue in GitLab's authentication handling mechanisms that required patching across several release branches to address the underlying security gap.

Organizations should implement immediate mitigation strategies including updating to the patched versions 15.2.5, 15.3.4, and 15.4.1 respectively, while also monitoring for unauthorized changes to GitHub integration configurations. Additional protective measures include implementing network-level restrictions on outbound connections from GitLab servers, conducting thorough audits of integration settings, and establishing monitoring for unusual authentication patterns that might indicate token exfiltration attempts. Security teams should also consider implementing principle of least privilege for maintainer roles and regularly review integration configurations to prevent unauthorized modifications that could enable this attack vector.

Responsible

GitLab Inc.

Reservation

08/17/2022

Disclosure

10/28/2022

Moderation

accepted

CPE

ready

EPSS

0.00670

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!