CVE-2022-0735: GitLab Information Disclosure Vulnerability

CVE-2022-0735 Overview

An information disclosure vulnerability has been discovered in GitLab CE/EE affecting all versions starting from 12.10 before 14.6.5, all versions starting from 14.7 before 14.7.4, and all versions starting from 14.8 before 14.8.2. This vulnerability allows an unauthorized user to steal runner registration tokens through an information disclosure vulnerability using quick actions commands.

Critical Impact
Attackers can steal GitLab Runner registration tokens without authentication, potentially allowing them to register malicious runners that could execute arbitrary code within CI/CD pipelines, access sensitive repository data, and compromise the entire software delivery chain.

Affected Products

GitLab Community Edition (CE) versions 12.10 to 14.6.4
GitLab Enterprise Edition (EE) versions 12.10 to 14.6.4
GitLab CE/EE versions 14.7.0 to 14.7.3
GitLab CE/EE versions 14.8.0 to 14.8.1

Discovery Timeline

2022-03-28 - CVE-2022-0735 published to NVD
2024-11-21 - Last updated in NVD database

Technical Details for CVE-2022-0735

Vulnerability Analysis

This vulnerability represents a significant information disclosure flaw in GitLab's quick actions feature. Quick actions are text-based shortcuts that allow users to perform common actions within GitLab issues, merge requests, and other components. The vulnerability enables unauthorized users to extract sensitive runner registration tokens through these quick action commands.

GitLab Runners are agents that execute CI/CD jobs defined in .gitlab-ci.yml files. Each runner requires a registration token to authenticate with the GitLab instance. When an attacker obtains this token, they can register their own malicious runners to the target GitLab instance without proper authorization.

The root cause stems from insufficient access control validation when processing quick action commands. The system fails to properly verify whether the requesting user has the necessary permissions to access runner registration tokens before exposing them through the quick actions interface.

Root Cause

The vulnerability exists due to improper authorization checks in the quick actions processing logic. When certain quick actions commands are executed, the system inadvertently exposes runner registration tokens to users who should not have access to this sensitive information. This represents a failure in the principle of least privilege, where sensitive credentials are accessible beyond their intended scope.

Attack Vector

The attack vector is network-based and requires no authentication, making it particularly dangerous for publicly accessible GitLab instances. An attacker can exploit this vulnerability remotely by:

Interacting with the GitLab instance through normal user interfaces
Crafting specific quick action commands that trigger the information disclosure
Extracting runner registration tokens from the response
Using the stolen tokens to register malicious runners

The vulnerability allows attackers to leverage the stolen registration tokens to register rogue runners. These malicious runners can then intercept CI/CD jobs, inject malicious code into build processes, exfiltrate secrets stored in CI/CD variables, and potentially compromise downstream systems and deployments.

For detailed technical information about this vulnerability, refer to the GitLab CVE-2022-0735 Data and the GitLab Issue Discussion #353529.

Detection Methods for CVE-2022-0735

Indicators of Compromise

Unexpected or unauthorized runner registrations appearing in GitLab admin interface
Anomalous API requests targeting runner registration endpoints
Unusual quick action command patterns in issue or merge request activity logs
New runners appearing from unknown IP addresses or geographic locations

Detection Strategies

Monitor GitLab audit logs for runner registration events and correlate with authorized change requests
Implement alerting for any new runner registrations, requiring manual approval for production instances
Review web server access logs for unusual patterns of requests to quick action endpoints
Deploy network intrusion detection signatures for known exploitation patterns

Monitoring Recommendations

Enable comprehensive audit logging in GitLab and forward logs to a SIEM solution
Configure alerts for any runner registration activities outside of approved maintenance windows
Regularly audit the list of registered runners against an approved inventory
Monitor for CI/CD job failures or unexpected behavior that may indicate malicious runner activity

How to Mitigate CVE-2022-0735

Immediate Actions Required

Upgrade GitLab CE/EE to version 14.6.5, 14.7.4, or 14.8.2 or later immediately
Rotate all existing runner registration tokens after patching
Audit current registered runners and remove any unauthorized entries
Review CI/CD job history for any suspicious activity during the exposure window

Patch Information

GitLab has released security patches addressing this vulnerability. Organizations should upgrade to the following fixed versions:

GitLab 14.6.5 for users on the 14.6.x branch
GitLab 14.7.4 for users on the 14.7.x branch
GitLab 14.8.2 for users on the 14.8.x branch

After applying the patch, it is critical to reset all runner registration tokens as existing tokens may have been compromised. Detailed patch information is available in the GitLab CVE-2022-0735 Data.

Workarounds

Restrict network access to GitLab instances using firewall rules until patches can be applied
Disable runner registration temporarily if CI/CD functionality is not immediately required
Implement additional authentication layers such as VPN access for GitLab administration
Enable IP allowlisting for runner registration endpoints if supported by your network infrastructure

bash

# Configuration example - Reset runner registration tokens after patching
# For project runners, navigate to Settings > CI/CD > Runners and reset token
# For group runners, navigate to Group Settings > CI/CD > Runners and reset token

# Verify GitLab version after upgrade
gitlab-rake gitlab:env:info | grep "GitLab"

# List all registered runners for audit
gitlab-rails runner "Ci::Runner.all.each { |r| puts \"#{r.id}: #{r.description} - #{r.ip_address}\" }"

# Review runner activity in logs
grep -i "runner" /var/log/gitlab/gitlab-rails/production.log

CVE-2022-0735 Overview

Critical Impact
Attackers can steal GitLab Runner registration tokens without authentication, potentially allowing them to register malicious runners that could execute arbitrary code within CI/CD pipelines, access sensitive repository data, and compromise the entire software delivery chain.

Affected Products

GitLab Community Edition (CE) versions 12.10 to 14.6.4
GitLab Enterprise Edition (EE) versions 12.10 to 14.6.4
GitLab CE/EE versions 14.7.0 to 14.7.3
GitLab CE/EE versions 14.8.0 to 14.8.1

Discovery Timeline

2022-03-28 - CVE-2022-0735 published to NVD
2024-11-21 - Last updated in NVD database

Technical Details for CVE-2022-0735

Vulnerability Analysis

Root Cause

Attack Vector

The attack vector is network-based and requires no authentication, making it particularly dangerous for publicly accessible GitLab instances. An attacker can exploit this vulnerability remotely by:

Interacting with the GitLab instance through normal user interfaces
Crafting specific quick action commands that trigger the information disclosure
Extracting runner registration tokens from the response
Using the stolen tokens to register malicious runners

For detailed technical information about this vulnerability, refer to the GitLab CVE-2022-0735 Data and the GitLab Issue Discussion #353529.

Detection Methods for CVE-2022-0735

Indicators of Compromise

Unexpected or unauthorized runner registrations appearing in GitLab admin interface
Anomalous API requests targeting runner registration endpoints
Unusual quick action command patterns in issue or merge request activity logs
New runners appearing from unknown IP addresses or geographic locations

Detection Strategies

Monitor GitLab audit logs for runner registration events and correlate with authorized change requests
Implement alerting for any new runner registrations, requiring manual approval for production instances
Review web server access logs for unusual patterns of requests to quick action endpoints
Deploy network intrusion detection signatures for known exploitation patterns

Monitoring Recommendations

Enable comprehensive audit logging in GitLab and forward logs to a SIEM solution
Configure alerts for any runner registration activities outside of approved maintenance windows
Regularly audit the list of registered runners against an approved inventory
Monitor for CI/CD job failures or unexpected behavior that may indicate malicious runner activity

How to Mitigate CVE-2022-0735

Immediate Actions Required

Upgrade GitLab CE/EE to version 14.6.5, 14.7.4, or 14.8.2 or later immediately
Rotate all existing runner registration tokens after patching
Audit current registered runners and remove any unauthorized entries
Review CI/CD job history for any suspicious activity during the exposure window

Patch Information

GitLab has released security patches addressing this vulnerability. Organizations should upgrade to the following fixed versions:

GitLab 14.6.5 for users on the 14.6.x branch
GitLab 14.7.4 for users on the 14.7.x branch
GitLab 14.8.2 for users on the 14.8.x branch

Workarounds

Restrict network access to GitLab instances using firewall rules until patches can be applied
Disable runner registration temporarily if CI/CD functionality is not immediately required
Implement additional authentication layers such as VPN access for GitLab administration
Enable IP allowlisting for runner registration endpoints if supported by your network infrastructure

bash

# Configuration example - Reset runner registration tokens after patching
# For project runners, navigate to Settings > CI/CD > Runners and reset token
# For group runners, navigate to Group Settings > CI/CD > Runners and reset token

# Verify GitLab version after upgrade
gitlab-rake gitlab:env:info | grep "GitLab"

# List all registered runners for audit
gitlab-rails runner "Ci::Runner.all.each { |r| puts \"#{r.id}: #{r.description} - #{r.ip_address}\" }"

# Review runner activity in logs
grep -i "runner" /var/log/gitlab/gitlab-rails/production.log

CVE-2022-0735: GitLab Information Disclosure Vulnerability

CVE-2022-0735 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2022-0735

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2022-0735

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2022-0735

Immediate Actions Required

Patch Information

Workarounds

Experience the World’s Most Advanced Cybersecurity Platform

CVE-2022-0735: GitLab Information Disclosure Vulnerability

CVE-2022-0735 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2022-0735

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2022-0735

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2022-0735

Immediate Actions Required

Patch Information

Workarounds

Experience the World’s Most Advanced Cybersecurity Platform