
GitLab Patches Critical RCE in Community and Enterprise Editions


Written By
Julien Maury
Aug 25, 2022

The widely-used DevOps platform GitLab has released critical security updates for its Community Edition (CE) and Enterprise Edition (EE).

 The vulnerability was reported for a number of versions of GitLab CE/EE:

  • all versions starting from 11.3.4 before 15.1.5
  • all versions starting from 15.2 before 15.2.3
  • all versions starting from 15.3 before 15.3.1

Affected versions allow an authenticated user to pass arbitrary commands remotely by exploiting the import from the GitHub API endpoint. The remote command execution (RCE) vulnerability has been recorded as CVE-2022-2884 and rated a 9.9 — just 0.1 from the highest severity level.

GitLab is a hugely popular open core platform, with 30 million registered users. It allows dev teams to host and manage Git repositories remotely. It also provides DevOps features like CI/CD pipelines for automated deployment (GitLab Runner).


GitLab Instances Must Be Patched Immediately

GitLab.com has already been patched, but users who install, administer, and maintain their own instance still need to patch it themselves. If you run a vulnerable installation, you should upgrade to 15.3.1, 15.2.3, or 15.1.5 as soon as possible. GitLab provides guides for updating your instance.

For those who can’t upgrade immediately, the only workaround is to disable GitHub as an import source under Menu > Admin > Settings > General > Visibility and access controls. GitLab recommends that its users test the workaround by creating a new project to ensure “GitHub” is no longer available in the import options.
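As an added example (not part of the original article or of GitLab's own tooling), the following script checks a GitLab version string against the three affected ranges above and reports the fixed release to upgrade to; it also checks a captured application-settings dump for the workaround, assuming the dump carries an `import_sources` list as GitLab's application settings API returns it. The sample settings JSON is constructed.

```python
"""Check a GitLab CE/EE version against the CVE-2022-2884 affected ranges and
verify whether the workaround (GitHub removed from import sources) is in effect."""
import json
import re
from typing import Optional

# Affected ranges from the advisory as [start, end): the end is the fixed release.
AFFECTED_RANGES = [
    ((11, 3, 4), (15, 1, 5)),   # 11.3.4 up to but not including 15.1.5
    ((15, 2, 0), (15, 2, 3)),   # 15.2   up to but not including 15.2.3
    ((15, 3, 0), (15, 3, 1)),   # 15.3   up to but not including 15.3.1
]

def parse_version(version: str) -> tuple:
    """Turn '15.2.1-ee' or '15.2' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {version!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))

def fixed_version_for(version: str) -> Optional[str]:
    """Return the patched release to upgrade to, or None if not affected."""
    v = parse_version(version)
    for start, end in AFFECTED_RANGES:
        if start <= v < end:
            return ".".join(map(str, end))
    return None

def github_import_enabled(settings_json: str) -> bool:
    """True when 'github' is still an import source, i.e. the workaround is not applied."""
    settings = json.loads(settings_json)
    return "github" in settings.get("import_sources", [])

# Constructed sample: a trimmed application-settings response, not data from a real instance.
SAMPLE_SETTINGS = '{"import_sources": ["gitlab_project", "git", "github"]}'

if __name__ == "__main__":
    for ver in ["15.2.1-ee", "15.3.0", "15.1.5", "11.3.3", "14.10.0"]:
        fix = fixed_version_for(ver)
        print(f"{ver}: {'upgrade to ' + fix if fix else 'not affected'}")
    print("GitHub import still enabled:", github_import_enabled(SAMPLE_SETTINGS))
```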

RCE vulnerabilities are critical flaws that allow attackers to run commands of their choosing on the targeted systems. Once such vulnerabilities are disclosed publicly, cybercriminals usually start exploiting them actively, so fixes must be applied quickly.


eSecurity Planet contributor Julien Maury writes about penetration testing, code security, open source security and more. He is a backend developer, a mentor and a technical writer who enjoys sharing his knowledge and learning new concepts.
