VYPR
Unrated severity. NVD Advisory. Published Oct 17, 2022. Updated May 13, 2025.

CVE-2022-3286

Description

Lack of IP address checking in GitLab EE affecting all versions from 14.2 prior to 15.2.5, 15.3 prior to 15.3.4, and 15.4 prior to 15.4.1 allows a group member to bypass IP restrictions when using a deploy token.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

GitLab EE fails to enforce IP restrictions for deploy tokens accessing the Dependency Proxy, allowing bypass of group IP allow-lists.

Vulnerability

In GitLab EE, IP address restrictions configured on a group are not enforced when a deploy token is used to access the Dependency Proxy. This affects all versions from 14.2 prior to 15.2.5, 15.3 prior to 15.3.4, and 15.4 prior to 15.4.1 [1]. The issue arises because the Dependency Proxy authentication service does not check the group policy for the read_dependency_proxy permission against the IP allow-list.

Exploitation

An attacker with a valid group deploy token can bypass IP restrictions by pulling container images through the Dependency Proxy from any IP address. The steps involve: creating a group with an IP restriction (e.g., allowing only 200.200.200.200), creating a group deploy token, and then pulling an image (e.g., alpine:latest) via the Dependency Proxy from a machine with a different IP. The pull succeeds, demonstrating the bypass [1].

Impact

Successful exploitation allows an attacker with a deploy token to access the Dependency Proxy from any IP, circumventing the group's IP allow-list. This can lead to unauthorized access to container images if the deploy token is compromised or misused, potentially exposing sensitive data or proprietary code.

Mitigation

GitLab has released fixed versions: 15.2.5, 15.3.4, and 15.4.1 [1]. Users should upgrade to these versions or later. No workaround is documented. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 3

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"Missing IP address restriction check in the group policy when authenticating deploy tokens for Dependency Proxy access."

Attack vector

An attacker who possesses a valid group deploy token can pull images through the Dependency Proxy even when the group has configured IP address restrictions [1]. The group policy does not enforce the IP allow-list check for the `read_dependency_proxy` permission when the request is authenticated via a deploy token [1]. This allows a group member or anyone with the deploy token to bypass the IP restriction from any network location.

Affected code

The advisory points to `ee/app/policies/ee/group_policy.rb` as the file where IP restriction checks are implemented, and notes that the `read_dependency_proxy` permission is missing the IP restriction condition that exists for other permissions [1]. The Dependency Proxy authentication service also needs updating to properly check group-level permissions for deploy tokens [1].

What the fix does

The advisory recommends applying a fix analogous to a prior Container Registry IP restriction fix [1]. The solution involves updating the Dependency Proxy authentication service to check the `read_dependency_proxy` permission against the target group, and modifying the EE group policy to reject `read_dependency_proxy` when the request originates from an IP not on the group's allow-list [1]. No patch diff is included in the bundle, so the exact code changes are not visible.
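The policy gap described above and the shape of the fix, as an added Ruby illustration that is not GitLab's own code: the group, deploy token and request types are constructed stand-ins, and the `read_registry` scope requirement is an assumption about what a deploy token needs for registry-style pulls. The vulnerable rule grants `read_dependency_proxy` on token validity alone; the fixed rule additionally rejects callers outside the group's IP allow-list.

```ruby
require "ipaddr"

# Constructed stand-ins (not GitLab's classes): a group with an IP allow-list
# of CIDR strings, a group deploy token, and the request context a policy
# rule would be evaluated against.
Group = Struct.new(:name, :ip_allowlist)
DeployToken = Struct.new(:scopes, :revoked, :expires_at)
Request = Struct.new(:group, :token, :remote_ip)

# Basic token validity: not revoked, not expired, and carrying the
# read_registry scope (assumed here to be the scope needed for pulls).
def token_usable?(token, now = Time.now)
  !token.revoked &&
    (token.expires_at.nil? || token.expires_at > now) &&
    token.scopes.include?(:read_registry)
end

# True when the group has no allow-list or the caller IP falls inside one
# of the allowed CIDR ranges.
def ip_allowed?(group, remote_ip)
  allowlist = group.ip_allowlist || []
  return true if allowlist.empty?
  ip = IPAddr.new(remote_ip)
  allowlist.any? { |cidr| IPAddr.new(cidr).include?(ip) }
end

# Vulnerable pattern: read_dependency_proxy is granted on token validity
# alone, so the group's IP restriction is never consulted and a token holder
# on any network is let through.
def read_dependency_proxy_before_fix?(req)
  token_usable?(req.token)
end

# Fixed pattern: the same grant, additionally refused when the request
# originates from an IP outside the group's allow-list, mirroring the
# condition other group permissions already carry.
def read_dependency_proxy_after_fix?(req)
  token_usable?(req.token) && ip_allowed?(req.group, req.remote_ip)
end

# Evaluates one request under both rules so the gap is visible side by side.
def evaluate(req)
  { before_fix: read_dependency_proxy_before_fix?(req),
    after_fix: read_dependency_proxy_after_fix?(req) }
end
```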

Preconditions

  • config: The target group must have IP address restrictions enabled (group access restricted by IP).
  • auth: The attacker must possess a valid group deploy token with access to the Dependency Proxy.
  • network: The attacker must be able to reach the GitLab Dependency Proxy endpoint from an IP address not on the group's allow-list.

Reproduction

1. Create a group and enforce an IP restriction (e.g., `200.200.200.200`) that your machine does not match.
2. Create a group deploy token.
3. Set up the Dependency Proxy for the group.
4. Pull an image (e.g., `alpine:latest`) through the Dependency Proxy using the deploy token.
5. Observe that the pull succeeds despite the IP restriction [1].

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 2

News mentions: 0 (no linked articles in our index yet)