DevOps platform GitLab has released security updates to fix a critical remote code execution vulnerability, tracked as CVE-2022-2884 (CVSS 9.9), affecting its GitLab Community Edition (CE) and Enterprise Edition (EE) releases.
An authenticated attacker can trigger the flaw via the GitHub import API.
“A vulnerability in GitLab CE/EE affecting all versions starting from 11.3.4 before 15.1.5, all versions starting from 15.2 before 15.2.3, all versions starting from 15.3 before 15.3.1 allows an an authenticated user to achieve remote code execution via the Import from GitHub API endpoint.” reads the advisory published by the company.
“We strongly recommend that all installations running a version affected by the issues described are upgraded to the latest version as soon as possible.”
The researchers yvvdwf reported the vulnerability through the company HackerOne bug bounty program.
The company also provided a workaround for those unable to update their installations immediately, GitLab recommends disabling the GitHub import function from the ‘Visibility and access controls’ tab in the Settings menu once authenticated as “administrator.”
It is still unclear if the vulnerability is actively exploited in attacks in the wild.
(SecurityAffairs – hacking, RCE)