
CVE-2022-2533: Improper access control in GitLab

Medium
Published: Mon Oct 17 2022 (10/17/2022, 00:00:00 UTC)
Source: CVE
Vendor/Project: GitLab
Product: GitLab

Description

An issue has been discovered in GitLab affecting all versions starting from 12.10 before 15.1.6, all versions starting from 15.2 before 15.2.4, all versions starting from 15.3 before 15.3.2. GitLab was not performing correct authentication with some Package Registries when IP address restrictions were configured, allowing an attacker already in possession of a valid Deploy Token to misuse it from any location.

AI-Powered Analysis

Last updated: 07/06/2025, 17:56:26 UTC

Technical Analysis

CVE-2022-2533 is a security vulnerability affecting GitLab versions from 12.10 up to but not including 15.1.6, versions 15.2 up to but not including 15.2.4, and versions 15.3 up to but not including 15.3.2. The vulnerability arises from improper access control on Package Registries when IP address restrictions are configured: under these conditions GitLab fails to correctly enforce authentication checks for some Package Registries. An attacker who already possesses a valid Deploy Token can therefore bypass the IP address restrictions and use the token from any location, circumventing the intended network access controls. The vulnerability is classified under CWE-287 (Improper Authentication). The CVSS v3.1 base score is 6.5 (medium severity), with the vector indicating network attack vector (AV:N), low attack complexity (AC:L), high privileges required (PR:H), no user interaction (UI:N), unchanged scope (S:U), and high impact on confidentiality and integrity (C:H/I:H) but no impact on availability (A:N). No known exploits in the wild have been reported. The issue was publicly disclosed on October 17, 2022, and patches have been released in GitLab versions 15.1.6, 15.2.4, and 15.3.2. The root cause is a failure to properly enforce IP-based restrictions on Deploy Tokens used with Package Registries, which are commonly used for automated deployment and package management in CI/CD pipelines.

Potential Impact

For European organizations, this vulnerability poses a significant risk primarily to confidentiality and integrity of software supply chains and deployment processes. Organizations using GitLab for source code management and CI/CD pipelines that leverage Package Registries and Deploy Tokens could have their tokens misused by attackers who have already obtained valid tokens, regardless of IP restrictions intended to limit token usage to trusted networks. This could lead to unauthorized access to private packages, insertion of malicious code or packages, and potential compromise of downstream systems relying on these packages. The impact is heightened in sectors with stringent regulatory requirements for software integrity and supply chain security, such as finance, healthcare, and critical infrastructure. Additionally, the ability to bypass IP restrictions undermines network segmentation and perimeter defenses, increasing the attack surface. While exploitation requires possession of a valid Deploy Token (high privilege), the lack of user interaction and network-based attack vector means that attackers can operate remotely and stealthily once tokens are compromised. The absence of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits over time.

Mitigation Recommendations

European organizations should prioritize upgrading GitLab instances to the patched versions (15.1.6, 15.2.4, 15.3.2 or later) as soon as possible to remediate this vulnerability. Beyond patching, organizations should audit and rotate all Deploy Tokens, especially those with broad scopes or long lifetimes, to limit potential misuse. Implement strict token management policies, including least-privilege scopes and expiration dates. Review and tighten IP restriction configurations and consider additional network-level controls such as VPNs or zero-trust network access to further restrict where tokens can be used. Monitor access logs for anomalous Deploy Token usage, such as Package Registry requests from unexpected IP addresses or at unusual times. Employ multi-factor authentication (MFA) where possible for token issuance and management interfaces. Finally, integrate supply chain security best practices, including package signing and verification, to detect and prevent tampering with packages retrieved via Package Registries.
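As an added example (not from the advisory or from GitLab), the script below implements two of the checks above: it tests a GitLab version string against the affected ranges given in this advisory, and it flags successful Deploy Token requests to Package Registry endpoints originating outside an allow-list of trusted networks. The log lines are constructed for the example and their field names (`path`, `remote_ip`, `token_type`, `status`) are assumptions, not GitLab's exact log schema.

```python
import ipaddress
import json

# Constructed sample of JSON API log lines; field names are assumed for this
# example and are not guaranteed to match GitLab's own api_json.log schema.
SAMPLE_LOG = """
{"path": "/api/v4/projects/42/packages/npm/-/pkg.tgz", "remote_ip": "10.20.1.7", "token_type": "DeployToken", "status": 200}
{"path": "/api/v4/projects/42/packages/maven/com/x/y.jar", "remote_ip": "203.0.113.9", "token_type": "DeployToken", "status": 200}
{"path": "/api/v4/projects/42/repository/commits", "remote_ip": "203.0.113.9", "token_type": "PersonalAccessToken", "status": 200}
{"path": "/api/v4/projects/42/packages/npm/-/pkg.tgz", "remote_ip": "198.51.100.4", "token_type": "DeployToken", "status": 401}
"""

# Affected ranges from the advisory as [first affected, first fixed) pairs.
AFFECTED_RANGES = [("12.10", "15.1.6"), ("15.2", "15.2.4"), ("15.3", "15.3.2")]


def parse_version(version):
    """Turn '15.1' or '15.1.6' into a comparable 3-tuple, padding with zeros."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def is_affected(version):
    """True if the given GitLab version falls inside any affected range."""
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(hi) for lo, hi in AFFECTED_RANGES)


def find_offsite_deploy_token_use(log_text, allowed_cidrs):
    """Return (remote_ip, path) for successful Deploy Token requests to Package
    Registry endpoints whose source IP is outside every allowed CIDR."""
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    hits = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        if rec.get("token_type") != "DeployToken":
            continue  # only Deploy Tokens are in scope for this CVE
        if "/packages/" not in rec.get("path", ""):
            continue  # only Package Registry endpoints were affected
        if rec.get("status") != 200:
            continue  # a rejected request means the restriction held
        ip = ipaddress.ip_address(rec["remote_ip"])
        if not any(ip in net for net in allowed):
            hits.append((rec["remote_ip"], rec["path"]))
    return hits


if __name__ == "__main__":
    for v in ("15.1.5", "15.1.6", "15.3.1"):
        print(v, "affected" if is_affected(v) else "fixed")
    for ip, path in find_offsite_deploy_token_use(SAMPLE_LOG, ["10.20.0.0/16"]):
        print("Deploy Token used off-site:", ip, path)
```

The allow-list should mirror the IP restrictions configured on the instance; every hit is a token that should be treated as compromised and rotated.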


Technical Details

Data Version: 5.1
Assigner Short Name: GitLab
Date Reserved: 2022-07-25T00:00:00.000Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682cd0fc1484d88663aecc30

Added to database: 5/20/2025, 6:59:08 PM

Last enriched: 7/6/2025, 5:56:26 PM

Last updated: 7/29/2025, 3:13:01 AM

