CVE-2022-0735 Overview
An information disclosure vulnerability has been discovered in GitLab CE/EE affecting all versions starting from 12.10 before 14.6.5, all versions starting from 14.7 before 14.7.4, and all versions starting from 14.8 before 14.8.2. This vulnerability allows an unauthorized user to steal runner registration tokens through an information disclosure vulnerability using quick actions commands.
Critical Impact
Attackers can steal GitLab Runner registration tokens without authentication, potentially allowing them to register malicious runners that could execute arbitrary code within CI/CD pipelines, access sensitive repository data, and compromise the entire software delivery chain.
Affected Products
- GitLab Community Edition (CE) versions 12.10 to 14.6.4
- GitLab Enterprise Edition (EE) versions 12.10 to 14.6.4
- GitLab CE/EE versions 14.7.0 to 14.7.3
- GitLab CE/EE versions 14.8.0 to 14.8.1
Discovery Timeline
- 2022-03-28 - CVE-2022-0735 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-0735
Vulnerability Analysis
This vulnerability represents a significant information disclosure flaw in GitLab's quick actions feature. Quick actions are text-based shortcuts that allow users to perform common actions within GitLab issues, merge requests, and other components. The vulnerability enables unauthorized users to extract sensitive runner registration tokens through these quick action commands.
GitLab Runners are agents that execute CI/CD jobs defined in .gitlab-ci.yml files. Each runner requires a registration token to authenticate with the GitLab instance. When an attacker obtains this token, they can register their own malicious runners to the target GitLab instance without proper authorization.
The root cause stems from insufficient access control validation when processing quick action commands. The system fails to properly verify whether the requesting user has the necessary permissions to access runner registration tokens before exposing them through the quick actions interface.
Root Cause
The vulnerability exists due to improper authorization checks in the quick actions processing logic. When certain quick actions commands are executed, the system inadvertently exposes runner registration tokens to users who should not have access to this sensitive information. This represents a failure in the principle of least privilege, where sensitive credentials are accessible beyond their intended scope.
Attack Vector
The attack vector is network-based and requires no authentication, making it particularly dangerous for publicly accessible GitLab instances. An attacker can exploit this vulnerability remotely by:
- Interacting with the GitLab instance through normal user interfaces
- Crafting specific quick action commands that trigger the information disclosure
- Extracting runner registration tokens from the response
- Using the stolen tokens to register malicious runners
The vulnerability allows attackers to leverage the stolen registration tokens to register rogue runners. These malicious runners can then intercept CI/CD jobs, inject malicious code into build processes, exfiltrate secrets stored in CI/CD variables, and potentially compromise downstream systems and deployments.
For detailed technical information about this vulnerability, refer to the GitLab CVE-2022-0735 Data and the GitLab Issue Discussion #353529.
Detection Methods for CVE-2022-0735
Indicators of Compromise
- Unexpected or unauthorized runner registrations appearing in GitLab admin interface
- Anomalous API requests targeting runner registration endpoints
- Unusual quick action command patterns in issue or merge request activity logs
- New runners appearing from unknown IP addresses or geographic locations
Detection Strategies
- Monitor GitLab audit logs for runner registration events and correlate with authorized change requests
- Implement alerting for any new runner registrations, requiring manual approval for production instances
- Review web server access logs for unusual patterns of requests to quick action endpoints
- Deploy network intrusion detection signatures for known exploitation patterns
Monitoring Recommendations
- Enable comprehensive audit logging in GitLab and forward logs to a SIEM solution
- Configure alerts for any runner registration activities outside of approved maintenance windows
- Regularly audit the list of registered runners against an approved inventory
- Monitor for CI/CD job failures or unexpected behavior that may indicate malicious runner activity
How to Mitigate CVE-2022-0735
Immediate Actions Required
- Upgrade GitLab CE/EE to version 14.6.5, 14.7.4, or 14.8.2 or later immediately
- Rotate all existing runner registration tokens after patching
- Audit current registered runners and remove any unauthorized entries
- Review CI/CD job history for any suspicious activity during the exposure window
Patch Information
GitLab has released security patches addressing this vulnerability. Organizations should upgrade to the following fixed versions:
- GitLab 14.6.5 for users on the 14.6.x branch
- GitLab 14.7.4 for users on the 14.7.x branch
- GitLab 14.8.2 for users on the 14.8.x branch
After applying the patch, it is critical to reset all runner registration tokens as existing tokens may have been compromised. Detailed patch information is available in the GitLab CVE-2022-0735 Data.
Workarounds
- Restrict network access to GitLab instances using firewall rules until patches can be applied
- Disable runner registration temporarily if CI/CD functionality is not immediately required
- Implement additional authentication layers such as VPN access for GitLab administration
- Enable IP allowlisting for runner registration endpoints if supported by your network infrastructure
# Configuration example - Reset runner registration tokens after patching
# For project runners, navigate to Settings > CI/CD > Runners and reset token
# For group runners, navigate to Group Settings > CI/CD > Runners and reset token
# Verify GitLab version after upgrade
gitlab-rake gitlab:env:info | grep "GitLab"
# List all registered runners for audit
gitlab-rails runner "Ci::Runner.all.each { |r| puts \"#{r.id}: #{r.description} - #{r.ip_address}\" }"
# Review runner activity in logs
grep -i "runner" /var/log/gitlab/gitlab-rails/production.log
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
