VYPR
Unrated severity · NVD Advisory · Published Aug 25, 2021 · Updated Aug 3, 2024

CVE-2021-22244

Description

Improper authorization in the vulnerability report feature in GitLab EE affecting all versions since 13.1 allowed a reporter to access vulnerability data.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An improper authorization flaw in GitLab EE since 13.1 allows a Reporter to access vulnerability data via the vulnerability report feature.

Vulnerability

An improper authorization vulnerability exists in the vulnerability report feature of GitLab EE, affecting all versions since 13.1. The backend did not enforce access controls for the vulnerability report, the security dashboard and the related API endpoints, so a user holding only the Reporter role could retrieve vulnerability data that should require Developer or higher. The affected endpoints include the Security Dashboard (project, group and instance level), the Vulnerability Report (group and project level), and the GraphQL/REST API endpoints that return vulnerability counts or exports [1].
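The bug class described above is easiest to see as a pair of controllers. The following Ruby is an added illustration, not GitLab's code: the integer access levels match GitLab's `Gitlab::Access` constants, but the controllers, the `Member` struct, the sample findings and the 404-style deny are simplified stand-ins. In the vulnerable shape the only check lives in the view layer (whether to render the report link), while the report action and the counts resolver hand data to any project member; in the hardened shape the same role check is enforced on every backend path that returns vulnerability data.

```ruby
# Added example (not GitLab's code): the shape of the bug behind CVE-2021-22244.
# Access levels match GitLab's Gitlab::Access integers; everything else is a
# simplified stand-in for the real controllers and resolvers.
module Access
  GUEST      = 10
  REPORTER   = 20
  DEVELOPER  = 30
  MAINTAINER = 40
  OWNER      = 50
end

Member = Struct.new(:name, :access_level)

# Constructed sample data standing in for a project's vulnerability findings.
FINDINGS = [
  { id: 101, severity: "critical", title: "Deserialization of untrusted data" },
  { id: 102, severity: "high",     title: "Outdated dependency" },
].freeze

# Vulnerable shape: the only gate is in the view layer. The link to the
# vulnerability report is hidden from Reporters, but the action and the
# GraphQL-style resolver behind it serve findings to any project member.
class VulnerableReportController
  def initialize(member)
    @member = member
  end

  # What the frontend consults to decide whether to render the report link.
  def show_report_link?
    @member.access_level >= Access::DEVELOPER
  end

  # GET /<group>/<project>/-/security/vulnerability_report
  # No authorization check: a Reporter who types the URL gets the data.
  def vulnerability_report
    { status: 200, findings: FINDINGS }
  end

  # Resolver in the style of GraphQL `vulnerabilitySeveritiesCount`; same omission.
  def severity_counts
    { status: 200, counts: FINDINGS.group_by { |f| f[:severity] }.transform_values(&:size) }
  end
end

# Hardened shape: the check the frontend already uses is enforced on every
# backend path that returns vulnerability data, so hiding the link becomes
# cosmetic rather than the control.
class HardenedReportController < VulnerableReportController
  def vulnerability_report
    return deny unless authorized?

    super
  end

  def severity_counts
    return deny unless authorized?

    super
  end

  private

  def authorized?
    @member.access_level >= Access::DEVELOPER
  end

  # 404 is used here so the response does not confirm the report exists;
  # a 403 would serve the fix equally well as long as no data is returned.
  def deny
    { status: 404, findings: [], counts: {} }
  end
end
```

The point to verify in a code review of a fix like this is that every data-returning path (HTML action, REST export, GraphQL field) goes through the same `authorized?` check as the UI, not only the one endpoint the report was filed against.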

Exploitation

An authenticated attacker with the Reporter role can exploit this by directly requesting the affected endpoints, such as the project's /-/security/vulnerability_report page or the GraphQL field that returns vulnerability counts, bypassing the UI that no longer shows a link to them. No privilege beyond a valid account with Reporter access to a project or group is needed. Because hiding a UI element does not stop direct requests, the fix required both a frontend change (hiding the report link from Reporters) and a backend change that enforces the authorization check on the originating requests [1].

Impact

Successful exploitation allows a Reporter to view vulnerability data and security dashboard information, including vulnerability counts and details, that are intended for higher-level roles (Developer, Maintainer, Owner). This constitutes unauthorized information disclosure, potentially exposing the security posture of projects and groups to users with lower privileges [1].

Mitigation

GitLab addressed this issue in GitLab EE 14.3. The fix is a server-side authorization check that denies vulnerability-data requests from roles below Developer, regardless of what the frontend shows. Administrators should upgrade GitLab EE to version 14.3 or later. There are no known workarounds for unpatched instances [1]; until the upgrade is applied, the exposure is limited to authenticated users who already hold Reporter access, so reviewing who holds that role on projects with security scan results bounds the population that could read the data.
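An administrator can confirm both halves of the Exploitation and Mitigation sections above against their own instance: compare the running version with the first fixed release, and send the GraphQL counts probe described above using a personal access token of a user who is only a Reporter on a project. The script below is an added example, not GitLab's code. It uses the real `/api/v4/version` and `/api/graphql` endpoints and the `vulnerabilitySeveritiesCount` project field from GitLab's GraphQL schema; `FIXED_VERSION` follows the advisory text (14.3) and the environment variable names are this example's own. GraphQL signals an authorization failure as a null field or an error rather than as an HTTP status, which is why the classifier treats only a 200 carrying real counts as exposure.

```ruby
require "net/http"
require "uri"
require "json"

# Added example (not GitLab's code): two checks an administrator can run
# against their own instance. FIXED_VERSION follows the advisory text above
# (14.3); adjust it if your vendor notice lists different patch releases.
FIXED_VERSION = "14.3.0"

# Turn "14.1.2-ee" or "14.3" into [14, 1, 2] / [14, 3, 0]; suffixes such as
# "-ee" or "-pre" are dropped and missing components are treated as 0.
def parse_version(str)
  parts = str.to_s.split("-").first.split(".").map(&:to_i)
  parts.fill(0, parts.size...3)
end

# True when the running version is older than the first fixed release.
def version_vulnerable?(running, fixed = FIXED_VERSION)
  (parse_version(running) <=> parse_version(fixed)) < 0
end

# Interpret the reply to a GraphQL probe sent with a Reporter's token.
# Only a 200 whose project.vulnerabilitySeveritiesCount holds actual counts
# means the Reporter can read vulnerability data; null or errors mean denied.
def classify_probe(status, body)
  return :denied unless status == 200

  data = JSON.parse(body)
  counts = data.dig("data", "project", "vulnerabilitySeveritiesCount")
  return :denied if counts.nil? || data.key?("errors")

  :exposed
end

PROBE_QUERY = <<~GRAPHQL
  query($path: ID!) {
    project(fullPath: $path) {
      vulnerabilitySeveritiesCount { critical high medium low }
    }
  }
GRAPHQL

# Live helpers, used only when GITLAB_URL, GITLAB_TOKEN (a personal access
# token of a user who is a Reporter on PROJECT) and PROJECT are set.
def fetch_version(base, token)
  uri = URI("#{base}/api/v4/version")
  req = Net::HTTP::Get.new(uri, "PRIVATE-TOKEN" => token)
  res = Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == "https") { |h| h.request(req) }
  JSON.parse(res.body)["version"]
end

def probe_graphql(base, token, project_path)
  uri = URI("#{base}/api/graphql")
  req = Net::HTTP::Post.new(uri, "Authorization" => "Bearer #{token}",
                                 "Content-Type" => "application/json")
  req.body = { query: PROBE_QUERY, variables: { path: project_path } }.to_json
  res = Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == "https") { |h| h.request(req) }
  classify_probe(res.code.to_i, res.body)
end

if $PROGRAM_NAME == __FILE__ && ENV["GITLAB_URL"] && ENV["GITLAB_TOKEN"] && ENV["PROJECT"]
  ver = fetch_version(ENV["GITLAB_URL"], ENV["GITLAB_TOKEN"])
  state = version_vulnerable?(ver) ? "below the fixed release" : "at or above the fixed release"
  puts "version #{ver}: #{state}"
  puts "reporter probe: #{probe_graphql(ENV['GITLAB_URL'], ENV['GITLAB_TOKEN'], ENV['PROJECT'])}"
end
```

Run the probe with a token that really is Reporter-only on the target project; a token from a Developer or Maintainer will return counts on a patched instance too and tells you nothing about this CVE. The version check is the authoritative one, the probe is a confirmation that the backend deny is actually in effect on the endpoints you expose.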

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 3

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: not generated. There is no source-code context for this CVE, and mechanics is only generated when the actual fix diff can be read; without it the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 3

News mentions: 0 (no linked articles in the index yet)