VYPR
Unrated severity · NVD Advisory · Published Nov 9, 2022 · Updated May 1, 2025

CVE-2022-3483


Description

An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.1 before 15.3.5, all versions starting from 15.4 before 15.4.4, all versions starting from 15.5 before 15.5.2. A malicious maintainer could exfiltrate a Datadog integration's access token by modifying the integration URL such that authenticated requests are sent to an attacker controlled server.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A malicious maintainer in GitLab can leak the Datadog integration access token by modifying the integration URL to an attacker-controlled server.

Vulnerability

GitLab CE/EE versions 12.1 through 15.3.4, 15.4.0 through 15.4.3, and 15.5.0 through 15.5.1 are affected. The Datadog integration did not have the exposes_secrets flag set on its URL field, unlike other integrations after previous fixes [1]. This allowed a maintainer to change the integration URL to an attacker-controlled server without resetting the associated access token.

Exploitation

An attacker with Maintainer privileges on a GitLab project can navigate to the Datadog integration settings and modify the URL field to point to a server they control. When GitLab sends authenticated requests to that URL (e.g., test connection or data push), the access token is transmitted to the attacker's server [1].

Impact

Successful exploitation results in the exfiltration of the Datadog integration access token. The attacker can then use this token to access the victim's Datadog account, potentially reading sensitive monitoring data or modifying configurations.

Mitigation

GitLab released fixed versions 15.3.5, 15.4.4, and 15.5.2 on 2022-11-09. Users should upgrade to these versions or later. No workaround is available; the fix adds the exposes_secrets flag to the Datadog integration URL field, causing the token to be reset when the URL is changed [1].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 3

Patches: 0 (No patches discovered yet.)

Vulnerability mechanics

Root cause

"Missing `exposes_secrets: true` flag on the `api_url` field of the Datadog integration model allows a maintainer to change the API URL without resetting the stored API key."

Attack vector

A malicious project maintainer navigates to Settings → Integrations → Datadog and modifies the "API URL" field to point to an attacker-controlled server (e.g., a request logging service). When the maintainer clicks "Test settings", GitLab sends an authenticated request containing the Datadog API key (access token) to the attacker's server, exfiltrating the secret [ref_id=1]. The attacker needs only Maintainer permissions on the project and network access to the GitLab instance.

Affected code

The vulnerable file is `app/models/integrations/datadog.rb`, specifically the `api_url` field definition which only has a `public_url` validation but lacks the `exposes_secrets: true` option [ref_id=1]. By contrast, the GitHub integration (`ee/app/models/integrations/github.rb`) had already been patched with `exposes_secrets: true` on its `repository_url` field, and other integrations like Jenkins used `before_validation` callbacks to reset secrets on URL changes [ref_id=1].

What the fix does

The advisory recommends adding `exposes_secrets: true` to the `api_url` field in the Datadog integration model (`app/models/integrations/datadog.rb`) [ref_id=1]. This flag causes GitLab to automatically reset (clear) the stored API key whenever the URL field is changed, preventing exfiltration via URL manipulation. No patch diff is included in the bundle, but the suggested fix mirrors the approach already applied to the GitHub integration's `repository_url` field in the earlier CVE-2022-2882 fix [ref_id=1].
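To make the fix concrete, the following is an added illustration, not GitLab's own code and not taken from the advisory's reference. It is a dependency-free Ruby model that mimics what an `exposes_secrets: true` flag on a URL field buys you: a save in which the flagged URL changed clears every stored secret before the model is persisted, so the "Test settings" request that follows carries no credential. The class names, the `field` DSL, the `DD-API-KEY` header label and the sample key are all assumptions made for this example.

```ruby
# Added example: a minimal plain-Ruby imitation of the "exposes_secrets" pattern.
# This is NOT GitLab's Integrations::Field implementation; it only reproduces the
# behaviour the advisory describes (URL change => stored secret is reset).

class IntegrationModel
  Field = Struct.new(:name, :secret, :exposes_secrets, keyword_init: true)

  # Each subclass keeps its own field list (class-level instance variable).
  def self.fields
    @fields ||= []
  end

  # Declare a field. `secret: true` marks a credential; `exposes_secrets: true`
  # marks a field whose change must reset every secret field on save.
  def self.field(name, secret: false, exposes_secrets: false)
    fields << Field.new(name: name, secret: secret, exposes_secrets: exposes_secrets)
    attr_accessor name
  end

  def initialize(**attrs)
    attrs.each { |k, v| public_send("#{k}=", v) }
    @saved = snapshot # state as it would sit in the database
  end

  # Stands in for a before_validation callback: if any exposes_secrets field
  # differs from the persisted value, wipe all secret fields, then persist.
  def save!
    url_changed = self.class.fields.any? do |f|
      f.exposes_secrets && @saved[f.name] != public_send(f.name)
    end
    if url_changed
      self.class.fields.select(&:secret).each { |f| public_send("#{f.name}=", nil) }
    end
    @saved = snapshot
    self
  end

  # Simulates the outbound "Test settings" request built from persisted state.
  # Header name is assumed for illustration; a nil key means nothing leaks.
  def test_request_headers
    { "Host" => @saved[:api_url], "DD-API-KEY" => @saved[:api_key] }
  end

  private

  def snapshot
    self.class.fields.to_h { |f| [f.name, public_send(f.name)] }
  end
end

# Vulnerable shape (constructed): api_url is an ordinary field, so changing it
# leaves the stored key in place and the test request carries it to the new host.
class VulnerableDatadog < IntegrationModel
  field :api_url
  field :api_key, secret: true
end

# Fixed shape (constructed): api_url is flagged, so changing it resets api_key.
class FixedDatadog < IntegrationModel
  field :api_url, exposes_secrets: true
  field :api_key, secret: true
end

# A maintainer edits only the URL and saves; return what the test request would send.
def simulate_url_change(klass)
  integ = klass.new(api_url: "https://api.datadoghq.com", api_key: "CONSTRUCTED-SAMPLE-KEY")
  integ.api_url = "https://changed-url.example" # placeholder host, not a real endpoint
  integ.save!
  integ.test_request_headers
end

# Control case: saving without touching the URL must keep the key usable.
def simulate_unchanged_save(klass)
  integ = klass.new(api_url: "https://api.datadoghq.com", api_key: "CONSTRUCTED-SAMPLE-KEY")
  integ.save!
  integ.test_request_headers
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable: #{simulate_url_change(VulnerableDatadog)}"
  puts "fixed:      #{simulate_url_change(FixedDatadog)}"
end
```

The detection-relevant point is the order of operations: the reset happens before the new URL is persisted, so there is no window in which the old secret and the new host coexist in stored state. An audit check for any integration model is therefore simple: every field that a user can point at an arbitrary host must carry the flag (or an equivalent callback), otherwise the credential outlives the URL it was issued for.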

Preconditions

  • Auth: Attacker must have the Maintainer role on the target GitLab project
  • Config: A Datadog integration must be enabled on the project with a valid API key stored
  • Network: Attacker must control a server reachable from the GitLab instance to receive the exfiltrated token

Reproduction

1. Prepare two GitLab accounts (Account A and Account B). Account A creates a project and uploads a `.gitlab-ci.yml` file.
2. Account A enables the Datadog integration under Settings → Integrations → Datadog and enters an API key.
3. Account A invites Account B as a Maintainer.
4. Account B logs in, navigates to Settings → Integrations → Datadog, and changes the "API URL" to point to an attacker-controlled request logging server.
5. Account B clicks "Test settings".
6. The Datadog API key is sent to the attacker's server in the request [ref_id=1].

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 3

News mentions: 0 (No linked articles in our index yet.)