September 26, 2023

GitLab has patched a critical vulnerability that could allow an attacker to execute code remotely.

The flaw, rated critical, affects all versions of GitLab from 14.0 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1.

The security bugs affect both GitLab Community Edition and Enterprise Edition. GitLab recommends that users upgrade to the latest version.
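The version ranges above are the only facts a defender needs to triage an inventory of self-hosted instances. The following script is an added example (not GitLab's own tooling) that encodes those ranges, parses version strings such as "15.0.3-ee" (edition suffixes are ignored because both editions are affected), and reports for each host whether it is affected, already patched, or below the oldest range the advisory mentions. The hostnames and versions in the inventory are constructed for illustration.

```python
"""Triage GitLab versions against the affected ranges stated in the advisory:
14.0 <= v < 14.10.5, 15.0 <= v < 15.0.4, 15.1 <= v < 15.1.1.
Added example, not GitLab's own code; inventory values are constructed."""
import re
from typing import Dict, Optional, Tuple

# (first affected, first fixed) per release branch, taken from the advisory text.
AFFECTED_RANGES = [
    ("14.0.0", "14.10.5"),
    ("15.0.0", "15.0.4"),
    ("15.1.0", "15.1.1"),
]


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '15.0.3-ee', 'v14.10.5' or '14.0' into a comparable (major, minor, patch).
    Edition suffixes (-ce/-ee) and any build metadata are dropped."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {version!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or "0")


def fixed_version_for(version: str) -> Optional[str]:
    """First patched release on the version's branch, or None if it is not in a range."""
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        if parse_version(lo) <= v < parse_version(hi):
            return hi
    return None


def is_affected(version: str) -> bool:
    """True if the version lies inside any [first affected, first fixed) range."""
    return fixed_version_for(version) is not None


def assess(version: str) -> str:
    """Three-way verdict: 'affected', 'patched' (at or above a fix on its branch, or a
    newer branch), or 'outside advisory ranges' for anything older than 14.0. The last
    case is deliberately not reported as safe: the advisory simply does not cover it."""
    if is_affected(version):
        return "affected"
    if parse_version(version) >= parse_version(AFFECTED_RANGES[0][0]):
        return "patched"
    return "outside advisory ranges"


# Constructed inventory (hostname -> version reported by the instance); not real hosts.
SAMPLE_INVENTORY: Dict[str, str] = {
    "git-prod.example.internal": "15.0.3-ee",
    "git-staging.example.internal": "15.1.1-ee",
    "git-legacy.example.internal": "14.9.2-ce",
    "git-archive.example.internal": "13.12.15-ce",
}


def hosts_needing_upgrade(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each affected host to the minimum version it should be upgraded to."""
    return {
        host: fixed_version_for(ver)
        for host, ver in inventory.items()
        if is_affected(ver)
    }


if __name__ == "__main__":
    for host, ver in SAMPLE_INVENTORY.items():
        print(f"{host:32} {ver:12} {assess(ver)}")
    print("upgrade plan:", hosts_needing_upgrade(SAMPLE_INVENTORY))
```

The three-way verdict matters in practice: a 13.x instance is not in the advisory's ranges, but reporting it as "patched" would be wrong, so the script keeps it in a separate bucket for manual review.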

We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version.

| Vulnerability Title | CVE ID | Severity |
|---|---|---|
| Remote Command Execution via Project Imports | CVE-2022-2185 | critical |
| XSS in ZenTao integration affects self-hosted instances without strict CSP | CVE-2022-2235 | high |
| XSS in the project settings page | CVE-2022-2230 | high |
| Unallowed users can read unprotected CI variables | CVE-2022-2229 | high |
| IP allow-list bypass to access Container Registries | CVE-2022-1983 | medium |
| 2FA status is disclosed to unauthenticated users | CVE-2022-1963 | medium |
| Restrict membership by email domain bypass | CVE-2022-2228 | medium |
| IDOR in sentry issues | CVE-2022-1981 | medium |
| Reporters can manage issues in error tracking | CVE-2022-2243 | medium |
| CI variables provided to runners outside of a group's restricted IP range | CVE-2022-2244 | medium |
| Regular Expression Denial of Service via malicious web server responses | CVE-2022-1954 | medium |
| Unauthorized read for Conan repository | CVE-2022-2270 | low |
| Open redirect vulnerability | CVE-2022-2250 | low |
| Group labels are editable through subproject | CVE-2022-1999 | low |
| Release titles visible for any users if group milestones are associated with any project releases | CVE-2022-2281 | low |
| Job information is leaked to users who previously were maintainers via the Runner Jobs API endpoint | CVE-2022-2227 | medium |

GitLab strongly recommends that all installations running a version affected by the issues described above be upgraded to the latest version as soon as possible.
