Saturday, July 9, 2022

GitLab Patched Multiple Security Bugs, Including A Critical RCE Flaw


Heads up, GitLab users! GitLab has recently addressed multiple security bugs with its latest releases. This patch is significant because it fixes numerous bugs, including a critical-severity remote code execution flaw.

GitLab Patched Security Bugs

According to a recent advisory, GitLab has addressed 16 security bugs in the latest releases 15.1.1, 15.0.4, and 14.10.5.

The most important of these patches addressed a critical remote code execution vulnerability affecting the Project Import feature. An adversary could exploit the bug via a maliciously crafted project to execute arbitrary code. This vulnerability was first spotted by security researcher William Bowling, who reported it to GitLab through their bug bounty program. GitLab assigned this bug, CVE-2022-2185, a severity score of 9.9.

In addition, the service patched three high-severity flaws, which include:

  • CVE-2022-2235 (CVSS 8.7): A cross-site scripting vulnerability that an adversary could trigger via a maliciously crafted ZenTao link.
  • CVE-2022-2230 (CVSS 8.1): Another cross-site scripting vulnerability, in the project settings page of GitLab CE/EE, that allowed executing arbitrary JavaScript code on the target user's behalf.
  • CVE-2022-2229 (CVSS 7.5): Due to improper authorization in GitLab CE/EE, an attacker could extract the value of an unprotected variable via names in private or public projects.

Alongside these bugs, GitLab patched 8 medium-severity flaws and 4 low-severity bugs affecting the earlier releases. Different researchers found these bugs independently and reported them to GitLab via HackerOne, while some of the vulnerabilities were also spotted by GitLab staff.

GitLab recommends that users upgrade to the latest GitLab Community Edition (CE) and Enterprise Edition (EE) versions to receive the fixes. The advisory states:

We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.
When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.
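The practical question for an administrator is which instances in a fleet are still below the fixed patch level on their release line. The following Python script is an added example (not part of the article or of GitLab's own tooling) that applies the three fixed versions named in the advisory to an inventory of instances and flags the ones that need to upgrade. The host names and version strings are constructed; the "-ee"/"-ce" suffix mirrors how GitLab reports its own version, and the assumption that release lines newer than 15.1 already carry the fixes is labelled in the code.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Fixed releases named in the advisory, keyed by release line (MAJOR, MINOR).
# An installation on one of these lines below the listed patch level is affected.
FIXED_RELEASES: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (15, 1): (15, 1, 1),
    (15, 0): (15, 0, 4),
    (14, 10): (14, 10, 5),
}


@dataclass
class Assessment:
    version: Tuple[int, int, int]
    status: str  # "patched", "upgrade_required" or "unsupported_line"
    recommended: Optional[Tuple[int, int, int]]  # version to move to, if any


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH' into a tuple of ints.

    GitLab reports its version with an edition suffix ("15.1.0-ee", "15.1.0-ce");
    the suffix does not matter for the comparison and is dropped here.
    """
    core = text.strip().split("-", 1)[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def assess(text: str) -> Assessment:
    """Decide whether an installed version contains the fixes from the advisory."""
    version = parse_version(text)
    line = version[:2]
    if line in FIXED_RELEASES:
        fixed = FIXED_RELEASES[line]
        if version >= fixed:
            return Assessment(version, "patched", None)
        # Same release line, but below the patch level that carries the fix.
        return Assessment(version, "upgrade_required", fixed)
    if line > max(FIXED_RELEASES):
        # Assumption: release lines newer than the newest fixed line (15.1)
        # were cut after the fix and therefore include it.
        return Assessment(version, "patched", None)
    # Older than any line that received a backport: the advisory names no fix
    # for this line, so the instance must move to a supported line; the oldest
    # fixed release is the smallest step that gets it there.
    return Assessment(version, "unsupported_line", FIXED_RELEASES[min(FIXED_RELEASES)])


def report(inventory: List[Tuple[str, str]]) -> List[str]:
    """Render one line per host: host, installed version, status, target version."""
    rows = []
    for host, installed in inventory:
        result = assess(installed)
        target = ".".join(map(str, result.recommended)) if result.recommended else "-"
        rows.append(f"{host:<16} {installed:<12} {result.status:<17} {target}")
    return rows


# Constructed sample inventory; not real hosts.
SAMPLE_INVENTORY = [
    ("gitlab-prod-01", "15.1.0-ee"),
    ("gitlab-prod-02", "15.1.1-ee"),
    ("gitlab-staging", "15.0.3-ce"),
    ("gitlab-legacy", "14.9.2-ce"),
    ("gitlab-dev", "14.10.5-ce"),
]

if __name__ == "__main__":
    for row in report(SAMPLE_INVENTORY):
        print(row)
```

The comparison is done per release line rather than against a single "latest" version, because a 14.10.5 instance is patched even though 15.1.1 is newer; comparing against 15.1.1 alone would misreport every backport recipient as affected.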

Tell us your ideas within the feedback.
