Heads up, GitLab customers! GitLab has lately addressed a number of safety bugs with the newest releases. This patch holds significance as a result of it addresses quite a few bugs, together with a crucial severity distant code flaw.
GitLab Patched Safety Bugs
In accordance with a latest advisory, GitLab has addressed 16 safety bugs with the newest releases 15.1.1, 15.0.4, and 14.10.5.
A very powerful of those patches addressed a crucial distant execution vulnerability affecting the Mission Import function. An adversary may exploit the bug by way of a maliciously crafted undertaking to execute arbitrary codes. This vulnerability first caught the eye of the safety researcher William Bowling, who then reported it to GitLab by way of their bug bounty program. GitLab assigned this bug, CVE-2022-2185, a severity rating of 9.9.
Moreover, the service additionally patched three high-severity flaws, which embody,
- CVE-2022-2235 (CVSS 8.7): A cross-site scripting vulnerability that an adversary may set off by a maliciously crafted ZenTao hyperlink.
- CVE-2022-2230 (CVSS 8.1): One other cross-site scripting vulnerability within the undertaking settings web page in GitLab CE/EE allowed executing arbitrary JavaScript codes on the goal consumer’s behalf.
- CVE-2022-2229 (CVSS 7.5): Because of improper authorization in GitLab CE/EE, an attacker may extract the worth of an unprotected variable by way of names in non-public or public tasks.
Alongside these bugs, GitLab patched 8 medium-severity flaws and 4 low-severity bugs affecting the earlier releases. Completely different researchers discovered these bugs individually and reported them to GitLab by way of HackerOne. Whereas a few of these vulnerabilities caught the eye of GitLab officers as properly.
GitLab recommends customers improve to the newest GitLab Neighborhood Version (CE) and Enterprise Version (EE) variations to obtain the fixes.
We strongly advocate that every one installations operating a model affected by the problems described under are upgraded to the newest model as quickly as attainable.
When no particular deployment kind (omnibus, supply code, helm chart, and many others.) of a product is talked about, this implies every kind are affected.
Tell us your ideas within the feedback.