- GitLab released an important patch addressing eight medium-severity flaws and six low-severity bugs.
- The RCE vulnerability was discovered by security researcher William Bowling and reported to GitLab via the bug bounty program.
- GitLab recommends users upgrade their installations to the newest version.
GitLab released a new patch fixing multiple issues, including one critical RCE vulnerability and other security issues. The fixes are included in versions 15.1.1, 15.0.4, and 14.10.5 of GitLab Community Edition (CE) and Enterprise Edition (EE).
The issue was discovered by security researcher William Bowling, who reported it to GitLab via the bug bounty program. By exploiting the vulnerability, an unauthorized user could execute arbitrary code on the server through the project import feature. GitLab assigned the vulnerability a severity score of 9.9 and tracks it as CVE-2022-2185. The new release also patched three high-severity issues:
- CVE-2022-2235 (CVSS 8.7): Insufficient sanitization in GitLab EE’s external issue tracker allows an attacker to perform cross-site scripting when a victim clicks on a maliciously crafted ZenTao link.
- CVE-2022-2230 (CVSS 8.1): A Stored Cross-Site Scripting vulnerability in the project settings page in GitLab CE/EE allows an attacker to execute arbitrary JavaScript code in GitLab on a victim’s behalf.
- CVE-2022-2229 (CVSS 7.5): An improper authorization issue in GitLab CE/EE allows an attacker to extract the value of an unprotected variable whose name they know, in public or private projects of which they are a member.
Besides these vulnerabilities, GitLab patched eight medium-severity flaws and six low-severity bugs affecting the previous releases. The DevOps platform recommends that all GitLab installations be upgraded to the latest version immediately.
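As an added example (not code from the article or from GitLab), the following Python check classifies a GitLab version string against the three patched versions named above, so an administrator can tell at a glance whether an instance still needs the upgrade. The version strings below are constructed samples; the rules that any series newer than 15.1 already contains the fix and that any series older than 14.10 received no patched release are assumptions derived from the versions the advisory lists.

```python
"""Classify GitLab version strings against the fixed versions of the
June 2022 security release (15.1.1, 15.0.4, 14.10.5)."""
import re
from typing import Dict, Tuple

# Patched releases named in the advisory, keyed by minor series (major, minor).
FIXED_VERSIONS: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (15, 1): (15, 1, 1),
    (15, 0): (15, 0, 4),
    (14, 10): (14, 10, 5),
}
NEWEST_FIXED_SERIES = max(FIXED_VERSIONS)


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'X.Y.Z' and ignore any edition suffix such as '-ee' or '-ce.0'
    (the shape returned by GitLab's /api/v4/version endpoint)."""
    match = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = (int(g) for g in match.groups())
    return major, minor, patch


def is_patched(text: str) -> bool:
    """True if the version includes the fixes for CVE-2022-2185 and the other
    issues in this release, judged only by the versions the advisory names."""
    major, minor, patch = parse_version(text)
    series = (major, minor)
    if series in FIXED_VERSIONS:
        return (major, minor, patch) >= FIXED_VERSIONS[series]
    # Assumption: a series newer than 15.1 was cut after the fix landed.
    if series > NEWEST_FIXED_SERIES:
        return True
    # Assumption: series older than 14.10 got no patched release here,
    # so they must be upgraded to one of the fixed series regardless.
    return False


def classify(versions) -> Dict[str, str]:
    """Map each version string to 'patched' or 'UPGRADE REQUIRED'."""
    return {v: ("patched" if is_patched(v) else "UPGRADE REQUIRED") for v in versions}


if __name__ == "__main__":
    # Constructed sample inventory of instances, not real hosts.
    sample = ["15.1.1-ee", "15.1.0-ee", "15.0.4-ce.0", "14.10.5", "14.10.4", "14.9.6"]
    for version, status in classify(sample).items():
        print(f"{version:<12} {status}")
```

The check only tells you which release is installed; confirming that the upgrade actually completed on every node of a multi-node deployment is still a separate step.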
"We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible. When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected."
GitLab publishes patches for vulnerabilities in dedicated security releases. The platform ships its security bug fixes in two forms: a scheduled monthly security release, published a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities.