CVE-2022-2281
Description
An information disclosure vulnerability in GitLab EE affecting all versions from 12.5 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1, allows disclosure of release titles if group milestones are associated with any project releases.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
GitLab EE 12.5 through 15.1.0 leaks release titles from private projects when a public group milestone is associated with a release.
Vulnerability
GitLab EE versions 12.5 through 14.10.5, 15.0 through 15.0.4, and 15.1 through 15.1.0 allow information disclosure via the group milestones page. When a public group milestone is associated with a private project's release, the release title becomes visible to any authenticated user on the group milestones page, even though the user has no access to the private project. The bug originates from the feature implemented in issue #235391 and is tracked as GitLab issue #271172 [1].
Exploitation
An attacker merely needs a GitLab EE account (no special privileges) and must navigate to the public group's milestone page (/groups//-/milestones). No user interaction beyond browsing the page is required. The attacker can observe release titles that should be confined to private projects, provided those releases are linked to a public group milestone [1].
Impact
Successful exploitation results in the disclosure of release titles from private projects. This is a confidentiality breach, as the release title may reveal project names, version numbers, or other sensitive information intended to remain within the private project. The attacker gains no write or execute capabilities [1].
Mitigation
GitLab released fixes in versions 14.10.5, 15.0.4, and 15.1.1 [1]. Users should upgrade to these or later versions. No workaround is documented; disabling the association between public group milestones and private project releases is an implicit measure but may not be practical. The vulnerability is not listed on CISA's KEV at the time of writing.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
3- Range: >=12.5 <14.10.5, >=15.0 <15.0.4, >=15.1 <15.1.1
- Range: >=12.5, <14.10.5
Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing access control check on release titles when displayed on public group milestone pages."
Attack vector
An attacker can view release titles of private projects by visiting a public group's milestone page when that group milestone has been associated with a private project release. The attacker only needs a valid user account on the GitLab instance; no special privileges or membership in the private project are required [ref_id=1]. The association is made via the Releases API by setting the `milestones` field to a public group milestone name [ref_id=1].
Affected code
The advisory does not specify exact function or file paths. The issue was introduced by a prior change (referenced as `gitlab-org/gitlab/-/issues/235391`) that allowed group milestones to be associated with project releases without adding access checks on the release title when displayed on the public group milestone page [ref_id=1].
What the fix does
The advisory does not include a patch diff. The expected remediation is to enforce access control checks so that release titles are only displayed on the group milestone page when the requesting user has permission to view the associated project release [ref_id=1]. No published fix is included in the bundle.
Preconditions
- authAttacker must have a valid user account on the GitLab instance
- configA public group milestone must exist and be associated with a private project release
- inputAttacker accesses the public group milestone page
Reproduction
1. Create a public group with a gold tier subscription and create a milestone in that group. 2. Create a private project and a release within it. 3. Use the Releases API to associate the group milestone with the private project release: `curl --header 'Content-Type: application/json' --request PUT --data '{"name": "RELEASE FROM PROJECT", "milestones": ["GroupMilestone1"]}' --header "PRIVATE-TOKEN:
Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
3- gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-2281.jsonmitrex_refsource_CONFIRM
- gitlab.com/gitlab-org/gitlab/-/issues/271172mitrex_refsource_MISC
- hackerone.com/reports/1012659mitrex_refsource_MISC
News mentions
0No linked articles in our index yet.