VYPR · NVD Advisory · Unrated severity · Published Nov 9, 2022 · Updated May 1, 2025

CVE-2022-3819

Description

An improper authorization issue in GitLab CE/EE affecting all versions from 15.0 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allows malicious users to set emojis on internal notes they don't have access to.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An improper authorization issue in GitLab CE/EE allows users to award emojis on internal notes they lack access to, affecting versions 15.0 to 15.5.1.

Vulnerability

An improper authorization vulnerability exists in the award emoji API of GitLab CE/EE. The API only checks read_xxx access to the parent noteable (e.g., issue or merge request) but does not verify the user's access to the specific internal note. This affects all versions from 15.0 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 [1].
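The gap described above is the classic parent-only authorization check: the endpoint verifies that the caller may read the noteable, but never asks whether the caller may read the note itself. The following Ruby model is an added illustration, not GitLab's code; it assumes the GitLab convention that internal notes are visible only to project members at Reporter level or above, and places the vulnerable check beside the corrected one.

```ruby
# Constructed model of the CVE-2022-3819 authorization gap (illustrative, not
# GitLab's implementation). Internal notes are modelled as visible only to
# members at Reporter level or above; the vulnerable award endpoint only
# checks read access to the parent issue.

ACCESS_LEVELS = { guest: 10, reporter: 20, developer: 30, maintainer: 40 }.freeze

User  = Struct.new(:name, :access_level)   # access_level is a symbol, or nil for non-members
Issue = Struct.new(:iid, :confidential)
Note  = Struct.new(:id, :issue, :internal, :awards)

def member?(user)
  !user.access_level.nil?
end

def reporter_or_above?(user)
  member?(user) && ACCESS_LEVELS[user.access_level] >= ACCESS_LEVELS[:reporter]
end

# read_issue: a non-confidential issue in a public project is readable by
# anyone; a confidential issue needs Reporter or above.
def can_read_issue?(user, issue)
  return true unless issue.confidential
  reporter_or_above?(user)
end

# read_note: on top of the parent check, an internal note needs Reporter or above.
# This is the object-level check the vulnerable endpoint skipped.
def can_read_note?(user, note)
  return false unless can_read_issue?(user, note.issue)
  note.internal ? reporter_or_above?(user) : true
end

# Vulnerable behaviour: authorizes the award against the parent noteable only,
# so a user with no access to the internal note can still react to it.
def award_emoji_vulnerable(user, note, emoji)
  return :forbidden unless can_read_issue?(user, note.issue)
  note.awards << [user.name, emoji]
  :ok
end

# Fixed behaviour: authorizes the award against the note itself.
def award_emoji_fixed(user, note, emoji)
  return :forbidden unless can_read_note?(user, note)
  note.awards << [user.name, emoji]
  :ok
end
```

Reviewing an endpoint for this pattern means asking, for every child object reached by id, whether the permission check names that object or only its container.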

Exploitation

To exploit this, an attacker must know the note_id of an internal note. This can be obtained from email notifications if the user previously had access to the note. With the note ID, the attacker can send a request to /api/v4/projects/:id/issues/:issue_iid/notes/:note_id/award_emoji and award emojis to that note, even without read access to the note itself [1].

Impact

A malicious user can award emojis on internal notes they are not authorized to view, potentially altering the feedback or sentiment on those notes. While the note content remains hidden, the attacker can manipulate emoji reactions, which may impact workflow or create confusion [1].

Mitigation

Upgrade to GitLab CE/EE versions 15.3.5, 15.4.4, or 15.5.2 or later, which include a fix for this issue [1]. No workarounds are available; upgrading is recommended.

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
