CVE-2022-3331
Description
An issue has been discovered in GitLab EE affecting all versions starting from 14.5 before 15.1.6, all versions starting from 15.2 before 15.2.4, all versions starting from 15.3 before 15.3.2. GitLab's Zentao integration has an insecure direct object reference vulnerability that may be exploited by an attacker to leak Zentao project issues.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
GitLab EE Zentao integration has an IDOR vulnerability allowing attackers to leak Zentao project issues from all products connected to the maintainer's account.
Vulnerability
GitLab EE versions from 14.5 before 15.1.6, from 15.2 before 15.2.4, and from 15.3 before 15.3.2 include a Zentao integration feature that allows maintainers to configure a product ID to display issues from that product. When viewing the details of a specific issue, the backend makes a request to `https://example.zentao.net/api.php/v1/issues/{issue-key}` without verifying that the issue belongs to the configured product. This missing authorization check results in an insecure direct object reference (IDOR) vulnerability [1].
Exploitation
An attacker with access to any project that has Zentao integration enabled can enumerate issue keys (such as task, bug, or story IDs) by guessing or brute-forcing them. The GitLab backend will fetch and return the issue details from the Zentao instance, regardless of which product the issue belongs to. No special privileges beyond being able to view the integration page are required [1].
Impact
Successful exploitation allows an attacker to leak the full details of all issues from any product connected to the maintainer's Zentao account, not limited to the product originally configured. This results in unauthorized disclosure of sensitive project information [1].
Mitigation
GitLab has released fixed versions: 15.1.6, 15.2.4, and 15.3.2. Users should upgrade to these or later versions. No workaround is available for unpatched versions [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: >=14.5 <15.1.6, >=15.2 <15.2.4, >=15.3 <15.3.2
- Range: >=14.5, <15.1.6
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing product-ID authorization check when fetching individual Zentao issue details allows access to issues outside the configured product."
Attack vector
An attacker with access to a GitLab project that has Zentao integration enabled can enumerate issue keys (e.g., bug-1, task-1, story-1) by simply changing the numeric suffix in the URL path `/-/integrations/zentao/issues/<ISSUE-KEY>` [ref_id=1]. The backend fetches issue details from the Zentao API using only the issue key, without verifying that the issue belongs to the configured product ID [ref_id=1]. Because Zentao assigns sequential IDs across all products, an attacker can trivially iterate through IDs to leak issues from any product the maintainer controls in their Zentao instance [ref_id=1]. If the GitLab project is public, the attack can be performed unauthenticated [ref_id=1].
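For instances that ran an affected version, the enumeration pattern described above can be looked for in web access logs. The following is an added example, not part of the advisory or of GitLab: the log layout (client, method, path, status), the threshold of 5 and the sample lines are constructed assumptions.

```ruby
# Added illustration: flags clients that request many distinct Zentao issue
# keys within one project. Log layout, threshold and sample lines are constructed.
ZENTAO_ISSUE_PATH = %r{/-/integrations/zentao/issues/((?:bug|task|story)-\d+)(?:\?|\z)}

# Constructed sample access log: "<client> <method> <path> <status>"
SAMPLE_LOG = <<~LOG
  203.0.113.7 GET /acme/app/-/integrations/zentao/issues/bug-1 200
  203.0.113.7 GET /acme/app/-/integrations/zentao/issues/bug-2 200
  198.51.100.9 GET /acme/app/-/integrations/zentao/issues/bug-8 200
  203.0.113.7 GET /acme/app/-/integrations/zentao/issues/bug-3 200
  203.0.113.7 GET /acme/app/-/integrations/zentao/issues/bug-4 404
  198.51.100.9 GET /acme/app/-/integrations/zentao/issues/bug-8 200
  203.0.113.7 GET /acme/app/-/integrations/zentao/issues/bug-5 200
  198.51.100.9 GET /acme/app/-/integrations/zentao/issues/story-3 200
  203.0.113.7 GET /acme/app/-/integrations/zentao/issues/bug-6 200
  198.51.100.9 GET /acme/app/-/merge_requests/12 200
LOG

# Returns one entry per (client, project) pair that requested at least
# `threshold` distinct issue keys. Repeated views of one key count once.
def enumeration_suspects(log, threshold: 5)
  keys_by_client = Hash.new { |hash, key| hash[key] = {} }

  log.each_line do |line|
    client, _method, path, _status = line.split
    next unless path

    match = ZENTAO_ISSUE_PATH.match(path)
    next unless match

    project = path.split("/-/").first
    keys_by_client[[client, project]][match[1]] = true
  end

  keys_by_client
    .select { |_, keys| keys.size >= threshold }
    .map do |(client, project), keys|
      { client: client, project: project, distinct_keys: keys.size }
    end
end
```

A hit is only a lead: a legitimate user browsing the configured product also touches several keys, so compare the flagged keys against the issues that actually belong to the configured product.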
Affected code
The vulnerability exists in the Zentao integration controller that handles requests to `/-/integrations/zentao/issues/<ISSUE-KEY>` [ref_id=1]. The backend makes an API call to `https://<instance>/api.php/v1/issues/<issue-key>` without first verifying that the issue belongs to the configured product ID [ref_id=1]. No specific file paths or function names are provided in the advisory.
What the fix does
No patch is included in the bundle. The advisory [ref_id=1] states that the fix should ensure a project only fetches issue keys that match the configured product key. The remediation guidance is to validate that the requested issue belongs to the product ID configured in the Zentao integration before returning its details, rather than making an unchecked API call using only the issue key [ref_id=1].
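The check described above, as an added sketch that is not GitLab's code and not taken from any patch: an unchecked lookup by issue key beside a lookup that also requires the issue's product to match the configured product ID. `FakeZentaoClient`, the `product` response field and all sample issues are hypothetical stand-ins for the real Zentao API.

```ruby
# Added illustration, not GitLab's implementation. FakeZentaoClient stands in
# for the remote Zentao API; the "product" field on an issue is an assumption.
class FakeZentaoClient
  # Constructed sample data: IDs are sequential across products.
  ISSUES = {
    "bug-1"   => { "id" => 1, "product" => 2, "title" => "Internal payroll bug" },
    "bug-8"   => { "id" => 8, "product" => 4, "title" => "Public docs typo" },
    "story-3" => { "id" => 3, "product" => 4, "title" => "Dark mode" }
  }.freeze

  def fetch_issue(key)
    ISSUES[key]
  end
end

class IssueNotFound < StandardError; end

# Issue key kinds named in the advisory text: bug, task, story.
ISSUE_KEY_FORMAT = /\A(bug|task|story)-\d+\z/

# Behaviour the advisory describes: the issue key alone selects the record.
def show_issue_unchecked(client, key)
  client.fetch_issue(key) || raise(IssueNotFound)
end

# Hardened form: validate the key, then require the fetched issue to belong
# to the product ID configured on the integration.
def show_issue_checked(client, configured_product_id, key)
  raise IssueNotFound unless ISSUE_KEY_FORMAT.match?(key.to_s)

  issue = client.fetch_issue(key)
  # Same error for "missing" and "belongs to another product", so the
  # response does not reveal which IDs exist in other products.
  unless issue && issue["product"].to_s == configured_product_id.to_s
    raise IssueNotFound
  end

  issue
end
```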
Preconditions
- config: The target GitLab project must have the Zentao integration enabled and configured with a Zentao instance URL, API key, and product ID.
- auth: The attacker must have at least Guest access to the GitLab project (or the project must be public, allowing unauthenticated access).
- network: The GitLab instance must be able to reach the configured Zentao instance.
Reproduction
1. Create a public project with a premium GitLab subscription and configure the Zentao integration with a Zentao instance URL, API token, and a product ID (e.g., product ID 4).
2. Log out and visit `https://gitlab.com/GROUPNAME/PROJECTNAME/-/integrations/zentao/issues` to see the list of issues for the configured product.
3. Click an issue (e.g., bug-8) to view its details at `/-/integrations/zentao/issues/bug-8`.
4. Change the issue key in the URL to another value (e.g., bug-1) to view issues from a different product [ref_id=1].
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.