GitLab Critical Security Release
Share this:
GitLab has patched a critical vulnerability that could allow an attacker to execute code remotely.
The security issue, which has been rated as critical, has been discovered in all versions of GitLab, starting from 14.0 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1.
The security bugs affect both GitLab Community Edition and Enterprise Edition. GitLab has recommended users upgrade to the latest version.
We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version
| Vulnerability Title | CVE ID | Severity |
| Remote Command Execution via Project Imports | CVE-2022-2185 | critical |
| XSS in ZenTao integration affects self-hosted instances without strict CSP | CVE-2022-2235 | high |
| XSS in the project settings page | CVE-2022-2230 | high |
| Unallowed users can read unprotected CI variables | CVE-2022-2229 | high |
| IP allow-list bypass to access Container Registries | CVE-2022-1983 | medium |
| 2FA status is disclosed to unauthenticated users | CVE-2022-1963 | medium |
| Restrict membership by email domain bypass | CVE-2022-2228 | medium |
| IDOR in sentry issues | CVE-2022-1981 | medium |
| Reporters can manage issues in error tracking | CVE-2022-2243 | medium |
| CI variables provided to runners outside of a group’s restricted IP range | CVE-2022-2244 | medium |
| Regular Expression Denial of Service via malicious web server responses | CVE-2022-1954 | medium |
| Unauthorized read for Conan repository | CVE-2022-2270 | low |
| Open redirect vulnerability | CVE-2022-2250 | low |
| Group labels are editable through subproject | CVE-2022-1999 | low |
| Release titles visible for any users if group milestones are associated with any project releases | CVE-2022-2281 | low |
| Job information is leaked to users who previously were maintainers via the Runner Jobs API endpoint | CVE-2022-2227 | medium |
GitLab strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.
