Security
Headlines
HeadlinesLatestCVEs

Headline

GitLab Issues Patch for Critical Flaw in its Community and Enterprise Software

DevOps platform GitLab this week issued patches to address a critical security flaw in its software that could lead to arbitrary code execution on affected systems. Tracked as CVE-2022-2884, the issue is rated 9.9 on the CVSS vulnerability scoring system and impacts all versions of GitLab Community Edition (CE) and Enterprise Edition (EE) starting from 11.3.4 before 15.1.5, 15.2 before 15.2.3,

The Hacker News
#vulnerability#git#rce#auth#The Hacker News

DevOps platform GitLab this week issued patches to address a critical security flaw in its software that could lead to arbitrary code execution on affected systems.

Tracked as CVE-2022-2884, the issue is rated 9.9 on the CVSS vulnerability scoring system and impacts all versions of GitLab Community Edition (CE) and Enterprise Edition (EE) starting from 11.3.4 before 15.1.5, 15.2 before 15.2.3, and 15.3 before 15.3.1.

At its core, the security weakness is a case of authenticated remote code execution that can be triggered via the GitHub import API. GitLab credited yvvdwf with discovering and reporting the flaw.

While the issue has been resolved in versions 15.3.1, 15.2.3, 15.1.5, users also have the option of securing against the flaw by temporarily disabling the GitHub import option -

  • Click “Menu” -> “Admin”
  • Click “Settings” -> “General”
  • Expand the “Visibility and access controls” tab
  • Under “Import sources” disable the “GitHub” option
  • Click “Save changes”

There is no evidence that the issue is being exploited in in-the-wild attacks. That said, users running an affected installation are recommended to update to the latest version as soon as possible.

Found this article interesting? Follow THN on Facebook, Twitter and LinkedIn to read more exclusive content we post.

Related news

CVE-2022-2884

A vulnerability in GitLab CE/EE affecting all versions from 11.3.4 prior to 15.1.5, 15.2 to 15.2.3, 15.3 to 15.3 to 15.3.1 allows an an authenticated user to achieve remote code execution via the Import from GitHub API endpoint

Update now! GitLab issues critical security release for RCE vulnerability

Categories: Exploits and vulnerabilities Categories: News Tags: GitLab Tags: RCE Tags: CVE-2022-2884 Tags: GitHub Tags: import GitLab has released important security fixes to patch for an RCE vulnerability, known as CVE-2022-2884. (Read more...) The post Update now! GitLab issues critical security release for RCE vulnerability appeared first on Malwarebytes Labs.