CVE-2022-2630
Description
An improper access control issue in GitLab CE/EE affecting all versions starting from 15.2 before 15.2.4, and all versions from 15.3 before 15.3.2, allows disclosure of confidential information via the Incident timeline events.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
GitLab CE/EE 15.2 through 15.3.1 exposes confidential issue titles via Incident timeline GFM references due to missing redaction.
Vulnerability
An improper access control issue in GitLab CE/EE affects all versions starting from 15.2 before 15.2.4, and all versions from 15.3 before 15.3.2. The Incident timeline events feature uses the TimelineEventPipeline with reference filters that expand GitLab Flavored Markdown (GFM) references. When a timeline event description references private or confidential resources (e.g., issues or epics), the titles of those resources are rendered without redaction, leaking confidential information even to users without proper permissions [1].
Exploitation
An attacker needs to be a registered user of a GitLab instance and have write access to create an incident in a project (where they can add timeline events). The attacker creates a new incident, opens the Timeline tab, and creates a new timeline event. In the event description, they type the GFM reference of a private or confidential resource (e.g., victim/project-a#1 for a confidential issue). The system renders the resource's title in the timeline event description, exposing it to any user who can view the incident. No special privilege or additional user interaction is required [1].
Impact
On successful exploitation, the attacker gains unauthorized access to the title (and potentially other summary information) of a private or confidential GitLab resource (such as an issue, epic, or merge request). This disclosure can lead to information leakage of sensitive project details, violating the confidentiality of the resource. The privilege level is that of a user who can create incidents; they do not need direct access to the confidential resource itself [1].
Mitigation
GitLab released fixed versions 15.2.4 and 15.3.2 on 2022-10-17 ([1]). Users running GitLab CE/EE 15.2.0 through 15.2.3 or 15.3.0 through 15.3.1 should upgrade immediately to the patched versions. No workaround is available; upgrading is the only complete mitigation. The issue is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog at the time of writing.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: >=15.2, <15.2.4 and >=15.3, <15.3.2
- Range: >=15.2, <15.2.4
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing redaction of private/confidential GFM references in the Incident Timeline Event pipeline allows unauthorized disclosure of resource titles."
Attack vector
An attacker creates or uses an existing project, navigates to Monitor/Incidents, and creates an incident. On the Timeline tab, the attacker creates a new timeline event and enters a GFM reference to a private or confidential resource (e.g., `victim/project-a#1`) in the "Timeline text" field. Because the `TimelineEventPipeline` renders all GFM references without redacting private/confidential resources, the title of the referenced resource is displayed in the timeline event description, leaking information the attacker should not be able to see [ref_id=1].
Affected code
The vulnerability is in the `TimelineEventPipeline` pipeline (defined in `lib/banzai/pipeline/incident_management/timeline_event_pipeline.rb`). This pipeline includes `Banzai::Pipeline::GfmPipeline.reference_filters`, which expand GFM references (issues, merge requests, etc.) but does not apply the standard redaction logic that normally hides private or confidential resources from unauthorized users [ref_id=1].
What the fix does
The advisory does not include a patch diff, but the issue [ref_id=1] indicates that the `TimelineEventPipeline` must be modified to apply the standard redaction logic that GitLab uses elsewhere when rendering GFM references. The fix should ensure that when a timeline event description contains a reference to a private or confidential resource, the reference is redacted for users who lack permission to view that resource, matching the behavior of other GFM-rendering pipelines in GitLab.
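To make the missing redaction step concrete, the following is an added Ruby model of a reference-expanding renderer, shown in the vulnerable form the advisory describes and with a per-viewer redaction check; it is illustrative code, not GitLab's Banzai pipeline, and the issue data, member list, regex and function names are constructed for this example.

```ruby
# Constructed toy model of a GFM reference-expanding pipeline; illustrative
# code added here, not GitLab's Banzai implementation.

# Constructed sample data: one public project with a confidential issue (#1)
# and an ordinary issue (#2). Only project members may read confidential issues.
ISSUES = {
  'victim/project-a#1' => { project: 'victim/project-a', confidential: true,
                            title: 'Rotate leaked production deploy key' },
  'victim/project-a#2' => { project: 'victim/project-a', confidential: false,
                            title: 'Fix typo in README' },
}.freeze
PROJECT_MEMBERS = { 'victim/project-a' => %w[alice] }.freeze

# Matches short GFM issue references such as victim/project-a#1.
REFERENCE_RE = %r{(?<ref>[\w.-]+/[\w.-]+#\d+)}

def can_read_issue?(viewer, issue)
  return true unless issue[:confidential]
  PROJECT_MEMBERS.fetch(issue[:project], []).include?(viewer)
end

# Mirrors the flaw described above: every reference is expanded regardless of
# who is viewing, so the confidential title reaches anyone who can see the
# incident timeline.
def render_timeline_event_vulnerable(text)
  text.gsub(REFERENCE_RE) do
    ref = Regexp.last_match[:ref]
    issue = ISSUES[ref]
    issue ? "#{ref} (#{issue[:title]})" : ref
  end
end

# Hardened form: the redaction check runs per viewer, and references the
# viewer may not read are left as plain, unexpanded text.
def render_timeline_event_redacted(text, viewer)
  text.gsub(REFERENCE_RE) do
    ref = Regexp.last_match[:ref]
    issue = ISSUES[ref]
    issue && can_read_issue?(viewer, issue) ? "#{ref} (#{issue[:title]})" : ref
  end
end
```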
Preconditions
- Auth: The attacker must have access to a GitLab project where they can create incidents and timeline events.
- Input: The victim must have a private or confidential resource (e.g., issue, merge request) with a known GFM reference.
- Input: The attacker must know or be able to guess the GFM reference of the target resource (e.g., `namespace/project#issue_number`).
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.