CVE-2022-3767
📋 TL;DR
CVE-2022-3767 is a vulnerability in GitLab's DAST analyzer: missing validation of the target host means the custom request headers configured for a scan (the `DAST_REQUEST_HEADERS` setting, commonly an `Authorization` header or session cookie) are sent with every request the scanner makes, regardless of which host the request goes to. It affects all versions of the DAST analyzer image from 1.11.0 before 3.0.32; the version of GitLab itself is not what matters. Any project that runs DAST with an affected analyzer, on GitLab.com or self-managed, is affected, and the practical exposure is credentials placed in those headers reaching hosts other than the scan target.
💻 Affected Systems
- GitLab DAST analyzer (container image `registry.gitlab.com/security-products/dast`), versions 1.11.0 up to and including 3.0.31
📦 What is this software?
GitLab DAST (Dynamic Application Security Testing) is a CI/CD analyzer, shipped as a container image and pulled by the `dast` job, that crawls and attacks a running web application or API and writes its findings to a `gl-dast-report.json` artifact. Scans that need to reach authenticated pages are typically given a token or cookie through the `DAST_REQUEST_HEADERS` variable.
⚠️ Risk & Real-World Impact
Worst Case
A long-lived credential configured in `DAST_REQUEST_HEADERS` (a production bearer token, API key, or session cookie) is sent to every host the scanner contacts during the scan: third-party domains linked from the target, redirect destinations, CDNs, analytics and external resources. Whoever operates any of those hosts, or can observe the traffic to them, receives the credential and can replay it against the target application.
Likely Case
The configured headers are sent to internal or external hosts that were never meant to see them. Most scans leak the header value to benign third parties (CDNs, tracking and font hosts, OAuth or SSO endpoints) where it lands in access logs; a single attacker-controlled or compromised host reached from the target is enough to turn that into a usable stolen credential.
If Mitigated
With egress filtering that only lets the scanner reach the intended target, and with short-lived scan-only tokens in `DAST_REQUEST_HEADERS`, the header still goes to every host within the allowed boundary, but nothing outside it sees it and whatever does leak expires quickly.
🎯 Exploit Status
No GitLab access is needed to exploit this. An attacker only has to control, or be able to observe traffic to, a host that the scanner reaches while crawling the target (a link on the scanned site, a redirect, an externally hosted script or image) and to record the incoming `Authorization` or cookie header. Triggering the scan is done by the victim's own pipeline. Exposure is therefore highest for scans whose headers carry production credentials and whose target links to domains the project does not control.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: DAST analyzer 3.0.32 and later
Vendor Advisory: https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-3767.json
Restart Required: No. The analyzer runs as a container inside the `dast` CI job; no GitLab service is involved, and the next pipeline that pulls a fixed image is patched.
Instructions:
1. Make sure the `dast` job resolves to analyzer 3.0.32 or later. If `DAST_VERSION` is unset or set to the major tag `3`, the fixed image is used as soon as the runner re-pulls it; if it is pinned to an older tag, move the pin. 2. On self-managed instances that mirror analyzer images into an offline registry, pull and mirror the updated `registry.gitlab.com/security-products/dast` image, and check that the runner's image pull policy does not keep serving a cached older tag. 3. Run a scan and confirm the analyzer version in the job log or in `scan.analyzer.version` of `gl-dast-report.json`. 4. Rotate every credential that was ever passed through `DAST_REQUEST_HEADERS` on an affected version; the patch stops future leakage but does not revoke what already reached third-party hosts.
🔧 Temporary Workarounds
Disable DAST scans
Platform: all. Temporarily turn off the `dast` job until a fixed analyzer can be pulled, for example by setting the template's `DAST_DISABLED` variable to `true` or removing the DAST template include from `.gitlab-ci.yml`.
Keep secrets out of the headers
Platform: all. Replace long-lived production credentials in `DAST_REQUEST_HEADERS` with a short-lived, scan-only token for a staging target, so that anything the scanner leaks is low-value and expires.
Restrict DAST scan targets
Platform: all. Limit the hosts the scanner can reach: scan a staging copy of the application, exclude external URLs with `DAST_EXCLUDE_URLS`, and apply network or egress policy to the runner so the scan cannot reach arbitrary third-party hosts.
🧯 If You Can't Patch
- Implement strict egress filtering on the runners that execute DAST jobs so the scanner can only communicate with the intended target
- Review and restrict who can edit the DAST job configuration and its CI/CD variables, and audit existing `DAST_REQUEST_HEADERS` values for production secrets
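The weak and the hardened form of the `dast` job side by side, as an added example and not taken from the GitLab documentation or the advisory. The variable names (`DAST_VERSION`, `DAST_WEBSITE`, `DAST_REQUEST_HEADERS`, `DAST_EXCLUDE_URLS`) and the template path are GitLab's real settings; the site, token names and exclude pattern are placeholders.

```yaml
# Added example, not GitLab's own configuration. Host names and token names are placeholders.
include:
  - template: Security/DAST.gitlab-ci.yml

# Weak: the analyzer is pinned to an old major, the target is production, and a
# long-lived production token is placed in the headers. Before analyzer 3.0.32
# that Authorization value is sent to every host the crawl reaches, not only to
# DAST_WEBSITE.
#
# dast:
#   variables:
#     DAST_VERSION: "2"
#     DAST_WEBSITE: https://app.example.com
#     DAST_REQUEST_HEADERS: "Authorization: Bearer $PROD_API_TOKEN"

# Hardened: major tag 3 resolves to the newest 3.x image (3.0.32 or later once
# the runner re-pulls), the target is a staging copy, external URLs are excluded
# from the crawl, and the header carries a short-lived, scan-only token stored
# as a masked CI/CD variable rather than a production credential.
dast:
  variables:
    DAST_VERSION: "3"
    DAST_WEBSITE: https://staging.example.internal
    DAST_EXCLUDE_URLS: "https://cdn.example.com/.*,https://sso.example.com/.*"
    DAST_REQUEST_HEADERS: "Authorization: Bearer $DAST_SCAN_TOKEN"
```

A runner configured with an image pull policy of `if-not-present` keeps serving a cached `dast:3` image, so after the fix landed it is worth confirming in the job log which analyzer version actually ran rather than trusting the tag.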
🔍 How to Verify
Check if Vulnerable:
Check the DAST analyzer version, not the GitLab version. If the analyzer that runs in the `dast` job is between 1.11.0 and 3.0.31 inclusive, the scans are vulnerable. The version is printed in the `dast` job log when the analyzer starts and is recorded in the `scan.analyzer.version` field of the `gl-dast-report.json` artifact; the image tag in the job log only identifies what was pulled, so a major tag such as `3` does not by itself tell you the exact version.
Check Version:
The command below reports the version of the GitLab instance itself and is only useful for confirming which instance you are on; it does not reveal the analyzer version.
gitlab-rake gitlab:env:info | grep -i version
Verify Fix Applied:
Run a scan and confirm `scan.analyzer.version` in `gl-dast-report.json` is 3.0.32 or later. To confirm the behaviour rather than the number, point a scan at a target you control whose page links to a second host you also control, configure a distinctive test value in `DAST_REQUEST_HEADERS`, and check the second host's access log: a fixed analyzer never sends that header there.
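A small checker for the version test above, written as an added example rather than something shipped by GitLab. It reads the `scan.analyzer.version` field of a `gl-dast-report.json` artifact, which is part of the report schema, and compares it against the affected range stated on this page. The embedded report is constructed for the example and is not a real scan output.

```python
import json
import re
import sys
from typing import Tuple

# Affected range from the advisory: analyzer 1.11.0 up to, but not including, 3.0.32.
FIRST_AFFECTED = (1, 11, 0)
FIXED_IN = (3, 0, 32)


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '3.0.31', 'v3.0.31' or '3.0.31-rc1' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised analyzer version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_vulnerable(version: str) -> bool:
    """True when the analyzer version falls inside the range affected by CVE-2022-3767."""
    return FIRST_AFFECTED <= parse_version(version) < FIXED_IN


def analyzer_version_from_report(report: dict) -> str:
    """Pull scan.analyzer.version out of a parsed gl-dast-report.json."""
    try:
        return report["scan"]["analyzer"]["version"]
    except (KeyError, TypeError):
        raise ValueError("no scan.analyzer.version field: not a DAST report, or a schema too old to carry it")


def check_report(report_json: str) -> dict:
    """Parse a report and return the analyzer version together with the verdict."""
    report = json.loads(report_json)
    version = analyzer_version_from_report(report)
    return {"analyzer_version": version, "vulnerable": is_vulnerable(version)}


# Constructed sample, not a real scan: just enough of the report schema to exercise the check.
SAMPLE_REPORT = json.dumps({
    "version": "15.0.4",
    "vulnerabilities": [],
    "scan": {
        "analyzer": {"id": "gitlab-dast", "name": "GitLab DAST",
                     "vendor": {"name": "GitLab"}, "version": "3.0.31"},
        "scanner": {"id": "zaproxy", "name": "ZAP",
                    "vendor": {"name": "ZAP"}, "version": "2.11.1"},
        "type": "dast",
        "status": "success",
        "start_time": "2022-10-20T10:00:00",
        "end_time": "2022-10-20T10:05:00",
    },
})


if __name__ == "__main__":
    # Usage: python check_dast_version.py [path/to/gl-dast-report.json]
    # Without an argument the constructed sample above is checked.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    result = check_report(data)
    verdict = "VULNERABLE (CVE-2022-3767)" if result["vulnerable"] else "fixed or unaffected"
    print(f"DAST analyzer {result['analyzer_version']}: {verdict}")
```

Download the `gl-dast-report.json` artifact from the latest `dast` job and pass its path to the script; run it across the projects that include the DAST template to find the ones still pulling an old image.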
📡 Detection & Monitoring
Log Indicators:
- `dast` jobs whose `DAST_REQUEST_HEADERS` variable carries a production credential, found by auditing CI/CD variables and `.gitlab-ci.yml` history
- DAST scans whose crawl reached hosts other than the configured `DAST_WEBSITE` (visible in the scanned URLs of the report and in the job log)
- The credential used for scanning appearing in the target application's logs from source addresses other than the runners, which indicates it has been replayed
Network Indicators:
- Outbound connections from DAST runners to third-party hosts during a scan window
- Egress proxy or TLS-inspection logs showing the configured `Authorization` or `Cookie` value being sent to hosts other than the scan target
SIEM Query:
source="gitlab" AND ("DAST" OR "security_scan") AND ("header" OR "custom_request")