GitLab has released updates to address a remote code execution flaw for its GitLab Community Edition (CE) and Enterprise Edition (EE). Tracked as CVE-2022-2884, the vulnerability is rated as critical and is assigned a CVSS score of 9.9.
An authenticated attacker could exploit this vulnerability to execute commands remotely on vulnerable systems via the Import from GitHub API endpoint. GitLab has credited security researcher yvvdwf with reporting this vulnerability through its HackerOne bug bounty program. Successful exploitation can lead to arbitrary command execution, malware installation, or a complete takeover of the compromised system.
GitLab is a DevOps software suite that provides the ability to create, protect, and manage software in a single program. For major DevOps and DevSecOps projects, GitLab serves as an open-source code repository and collaborative software development platform. GitLab is free to use for individuals. It provides a place for online code storage as well as tools for CI/CD and bug tracking.
Affected versions
- GitLab CE/EE from 11.3.4 before 15.1.5
- GitLab CE/EE 15.2 before 15.2.3
- GitLab CE/EE 15.3 before 15.3.1
The vulnerability affects all deployment types (omnibus, source code, helm chart, etc.).
Mitigation
GitLab has fixed the vulnerability in versions 15.3.1, 15.2.3, and 15.1.5 for GitLab Community Edition (CE) and Enterprise Edition (EE). For more information, please visit the GitLab release announcement page.
Workaround
Users who are unable to install the updates can protect their GitLab installations from this vulnerability by following the workaround steps below.
Disabling GitHub import
Perform the following steps after logging in with an administrator account:
- Click Menu -> Admin.
- Click Settings -> General.
- Expand the Visibility and access controls tab.
- Under Import sources disable the GitHub option.
- Click Save changes.
Verifying the workaround
In a browser window, log in as any user.
- Click + on the top bar.
- Click New project/repository.
- Click Import project.
- Verify that GitHub does not appear as an import option.
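The two checks above (is the instance in an affected version range, and is GitHub import still enabled) can also be done from a script when an administrator has many instances to review. The following is an added example, not code from Qualys or GitLab: it encodes the affected ranges listed in this post and inspects the `import_sources` array returned by GitLab's Application settings API (GET /api/v4/application/settings, which requires an administrator token). The sample settings JSON is constructed for the example, and the exact shape of the API response should be confirmed against your instance.

```python
"""Added example (not Qualys' or GitLab's code): decide whether a GitLab
version falls in the CVE-2022-2884 affected ranges from the advisory above,
and check whether the GitHub import source is still enabled.

Assumption: the settings check reads the `import_sources` array as returned
by GitLab's Application settings API. The sample JSON below is constructed.
"""
import json
import re
from typing import Tuple

Version = Tuple[int, int, int]

# (first affected, first fixed) pairs, taken from the affected-versions list:
#   11.3.4 <= v < 15.1.5, 15.2.0 <= v < 15.2.3, 15.3.0 <= v < 15.3.1
AFFECTED_RANGES = [
    ((11, 3, 4), (15, 1, 5)),
    ((15, 2, 0), (15, 2, 3)),
    ((15, 3, 0), (15, 3, 1)),
]


def parse_version(text: str) -> Version:
    """Turn '15.3.0', '15.2' or '15.1.4-ee' into a (major, minor, patch) tuple.
    Suffixes such as '-ee' or '-pre' are ignored; a missing patch number is 0."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return int(major), int(minor), int(patch)


def is_affected(version_text: str) -> bool:
    """True if the version lies inside any [first_affected, first_fixed) range."""
    v = parse_version(version_text)
    return any(low <= v < fixed for low, fixed in AFFECTED_RANGES)


def github_import_enabled(settings_json: str) -> bool:
    """Inspect an Application settings response: the workaround is in place
    only when 'github' is absent from import_sources."""
    settings = json.loads(settings_json)
    return "github" in settings.get("import_sources", [])


def assess(version_text: str, settings_json: str) -> str:
    """Summarise exposure: 'patched', 'workaround-applied' or 'exposed'."""
    if not is_affected(version_text):
        return "patched"
    if not github_import_enabled(settings_json):
        return "workaround-applied"
    return "exposed"


# Constructed sample responses, trimmed to the one field this check needs.
SAMPLE_SETTINGS_BEFORE = '{"import_sources": ["github", "gitlab", "git"]}'
SAMPLE_SETTINGS_AFTER = '{"import_sources": ["gitlab", "git"]}'


if __name__ == "__main__":
    for ver in ["15.3.0-ee", "15.3.1", "15.1.4", "15.1.5", "15.2.2", "11.3.3"]:
        print(ver, "affected" if is_affected(ver) else "not affected")
    print(assess("15.3.0", SAMPLE_SETTINGS_BEFORE))  # exposed
    print(assess("15.3.0", SAMPLE_SETTINGS_AFTER))   # workaround-applied
```

On a live instance, the version string can be read from GET /api/v4/version and the settings document from GET /api/v4/application/settings, both with an administrator's PRIVATE-TOKEN header; feed the two responses to assess(). Note that the range check is deliberately half-open, so the fixed releases 15.1.5, 15.2.3 and 15.3.1 report as patched, and a 15.1.x build later than 15.1.5 is likewise outside the affected ranges.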
Qualys Detection
Qualys customers can scan their devices with QID 376864 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage on the latest vulnerabilities.
References
https://thehackernews.com/2022/08/gitlab-issues-patch-for-critical-flaw.html
https://about.gitlab.com/releases/2022/08/22/critical-security-release-gitlab-15-3-1-released/
https://www.bleepingcomputer.com/news/security/gitlab-strongly-recommends-patching-critical-rce-vulnerability/