- GitLab has released patches for a critical vulnerability in its software, rated CVSS 9.9.
- The vulnerability, tracked as CVE-2022-2884, allows remote code execution via the “Import from GitHub” feature.
- For administrators who cannot update their GitLab instances right away, GitLab also provides a workaround: disabling GitHub import.
GitLab, one of the most popular DevOps platforms, has issued patches for a critical vulnerability affecting its software. The vulnerability, tracked as CVE-2022-2884 and rated CVSS 9.9, affects both the Community Edition (CE) and the Enterprise Edition (EE) of GitLab.
Allowing remote code execution
The vulnerability allows an authenticated user to achieve remote code execution via the “Import from GitHub” API endpoint; the CVSS vector (PR:L) reflects that a valid account is needed, so the practical risk is highest on instances that allow self-registration or host many untrusted users. It affects the following versions of GitLab, for both Community and Enterprise editions:
- From 11.3.4 (included) to 15.1.5 (excluded)
- From 15.2 (included) to 15.2.3 (excluded)
- From 15.3 (included) to 15.3.1 (excluded)
That means 15.1.5, 15.2.3, and 15.3.1 are the patched releases, and upgrading an instance to one of them fixes the problem. GitLab recommends upgrading as soon as possible. If you cannot upgrade immediately, the workaround is to disable GitHub import, which blocks the vulnerable code path without closing any other issue fixed in the patched releases. The steps are as follows:
- Click “Menu” > “Admin”
- Click “Settings” > “General”
- Expand the “Visibility and access controls” tab.
- Under “Import sources” disable the “GitHub” option.
- Click “Save changes”
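The version ranges above and the workaround are both things an administrator will want to verify across many instances rather than by hand. The following is an added example, not GitLab's own code or tooling: it decides whether a reported GitLab version falls inside one of the three affected ranges, and checks whether the GitHub importer is still enabled by reading the `import_sources` array that GitLab's `GET /api/v4/application/settings` endpoint returns (the version string comes from `GET /api/v4/version`). The JSON responses used as input are constructed samples, and the `assess` verdict labels are this example's own naming.

```python
import json
from typing import Tuple

# Affected ranges from the GitLab advisory for CVE-2022-2884:
# lower bound inclusive, upper bound (the fixed release) exclusive.
AFFECTED_RANGES: Tuple[Tuple[str, str], ...] = (
    ("11.3.4", "15.1.5"),
    ("15.2", "15.2.3"),
    ("15.3", "15.3.1"),
)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '15.2.3' or '15.2.3-ee' into a comparable tuple of ints.

    Edition/pre-release suffixes after '-' are dropped, and missing
    components are padded with zeros so that '15.2' == (15, 2, 0).
    """
    core = version.split("-", 1)[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True if the version lies inside any affected range."""
    v = parse_version(version)
    return any(parse_version(low) <= v < parse_version(high)
               for low, high in AFFECTED_RANGES)


def github_import_enabled(settings_json: str) -> bool:
    """Read 'import_sources' from a GET /api/v4/application/settings
    response body and report whether the GitHub importer is enabled."""
    settings = json.loads(settings_json)
    return "github" in settings.get("import_sources", [])


def assess(version_json: str, settings_json: str) -> str:
    """Combine both checks into a triage verdict (labels are this
    example's own): 'patched', 'mitigated' (affected version but GitHub
    import disabled) or 'vulnerable'."""
    version = json.loads(version_json)["version"]
    if not is_affected(version):
        return "patched"
    if github_import_enabled(settings_json):
        return "vulnerable"
    return "mitigated"


if __name__ == "__main__":
    # Constructed sample responses, not captured from a real instance.
    sample_version = '{"version": "15.2.1", "revision": "deadbeef"}'
    sample_settings_open = '{"import_sources": ["github", "git", "gitlab_project"]}'
    sample_settings_closed = '{"import_sources": ["git", "gitlab_project"]}'

    print(assess(sample_version, sample_settings_open))    # vulnerable
    print(assess(sample_version, sample_settings_closed))  # mitigated
    print(assess('{"version": "15.3.1-ee"}', sample_settings_open))  # patched
```

Note that 15.1.6 and later 15.1.x releases sit outside every range, exactly as the advisory states, and that the edition suffix (`-ee`) is stripped before comparison; a naive string comparison would misclassify both.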
GitLab has stated that it has no evidence of this vulnerability being exploited in the wild so far.