PT-2022-2255 · Gitlab · Gitlab Ce/Ee+1
Published: 2022-02-25 · Updated: 2026-05-26
CVE-2022-0735
CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
GitLab CE/EE versions 12.10 through 14.6.4
GitLab CE/EE versions 14.7 through 14.7.3
GitLab CE/EE versions 14.8 through 14.8.1
Description
An issue has been discovered in GitLab CE/EE that allows an unauthorized user to steal runner registration tokens through an information disclosure in Quick Actions commands. The vulnerability stems from deficiencies in the authorization mechanism: a remote attacker can use specially crafted Quick Actions commands to gain unauthorized access to protected information.
Recommendations
For GitLab CE/EE versions 12.10 through 14.6.4, update to version 14.6.5 or later.
For GitLab CE/EE versions 14.7 through 14.7.3, update to version 14.7.4 or later.
For GitLab CE/EE versions 14.8 through 14.8.1, update to version 14.8.2 or later.
As a temporary workaround, consider restricting access to Quick Actions commands until the fixed version can be installed.
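The three affected ranges and their fixed releases are easy to misread when checking a fleet of instances by hand. The following Python helper is an added example, not part of this advisory and not GitLab's own tooling; it encodes the ranges from the Recommendations above and reports, for a given version string, whether the instance is affected and which release closes the issue. It assumes GitLab version strings look like "14.6.3" or "14.6.3-ee" (edition suffix optional); the sample inputs at the bottom are constructed for illustration.

```python
"""Check a GitLab CE/EE version against the affected ranges of CVE-2022-0735.

Added example for the PT-2022-2255 advisory; the ranges below are copied from
the advisory's Recommendations section.
"""
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# (first affected, last affected, first fixed) for each range in the advisory.
AFFECTED_RANGES: List[Tuple[Version, Version, Version]] = [
    ((12, 10, 0), (14, 6, 4), (14, 6, 5)),
    ((14, 7, 0), (14, 7, 3), (14, 7, 4)),
    ((14, 8, 0), (14, 8, 1), (14, 8, 2)),
]


def parse_version(text: str) -> Version:
    """Turn "14.6.3-ee" or "14.6" into a comparable (major, minor, patch) tuple.

    Assumption: GitLab reports a dotted numeric core with an optional
    "-ee"/"-ce" style suffix; a missing patch component is treated as 0.
    """
    core = text.strip().split("-")[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def fixed_version_for(text: str) -> Optional[str]:
    """Return the first fixed release for an affected version, or None if not affected."""
    version = parse_version(text)
    for first, last, fixed in AFFECTED_RANGES:
        # Tuple comparison is lexicographic, so 13.12.0 correctly falls
        # inside the 12.10.0 .. 14.6.4 range.
        if first <= version <= last:
            return ".".join(str(n) for n in fixed)
    return None


def is_affected(text: str) -> bool:
    return fixed_version_for(text) is not None


if __name__ == "__main__":
    # Constructed sample inventory; not real hosts.
    sample_inventory = {
        "gitlab-a": "14.6.3-ee",
        "gitlab-b": "14.7.4",
        "gitlab-c": "13.12.0",
        "gitlab-d": "14.8.1-ce",
        "gitlab-e": "12.9.8",
    }
    for host, version in sample_inventory.items():
        fix = fixed_version_for(version)
        status = f"AFFECTED, upgrade to {fix} or later" if fix else "not affected"
        print(f"{host:10} {version:12} {status}")
```

Upgrading closes the disclosure but does not invalidate a registration token that may already have been read, so resetting runner registration tokens after patching is the natural follow-up to running this check.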
Exploit
Fix
Incorrect Authorization
Information Disclosure
Related Identifiers
Affected Products
Gitlab
Gitlab Ce/Ee