Gitlab Patches Critical Flaws that lead to RCE
GitLab has released patches for two critical security flaws in Git that allows attackers to remotely execute arbitrary code and take advantage of integer overflows.
The flaws, tracked as CVE-2022-41903 and CVE-2022-23521, were patched in the recent release, which includes all new Git versions released after v2.30.7.
The first flaw CVE-2022-41903 is due to service’s commit formatting component, which enables the display of commits in arbitrary formats, An integer overflow could occur when padding operators are processed which might result in arbitrary heap writes, which might allow threat actors to perform remote code execution.
The second flaw CVE-2022-22521 affects the way Git’s gitattributes parsing mechanism defines path attributes. Multiple integer overflows could result from parsing gitattributes in a number of circumstances.
These flaws were discovered as part of a security source code audit of Git sponsored by OSTIF by security experts from X41 and GitLab.
Upgrading to the most recent Git release (v2.39.1) is always the best method to guard against attacks that attempt to make use of these vulnerabilities.