GitLab Patches Critical RCE in Community and Enterprise Editions


The widely-used DevOps platform GitLab has released critical security updates for its Community Edition (CE) and Enterprise Edition (EE).

The vulnerability affects the following GitLab CE/EE versions:

  • all versions starting from 11.3.4 before 15.1.5
  • all versions starting from 15.2 before 15.2.3
  • all versions starting from 15.3 before 15.3.1

Affected versions allow an authenticated user to execute arbitrary commands remotely via the Import from GitHub API endpoint. The remote command execution (RCE) vulnerability has been recorded as CVE-2022-2884 and rated 9.9, just 0.1 below the highest possible severity score.

GitLab is a hugely popular open-core platform with 30 million registered users. It allows development teams to host and manage Git repositories remotely, and it also provides DevOps features such as CI/CD pipelines for automated deployment (GitLab Runner).


GitLab Instances Must Be Patched Immediately

GitLab.com has already been patched, but users who install, administer, and maintain their own instance still need to patch it themselves. If you run a vulnerable installation, you should upgrade to 15.3.1, 15.2.3, or 15.1.5 as soon as possible. GitLab provides upgrade guides to help you update your instance.

For those who can’t upgrade immediately, the only workaround is to disable GitHub as an import source under Menu > Admin > Settings > General > Visibility and access controls. GitLab recommends that its users test the workaround by creating a new project to ensure “GitHub” is no longer available in the import options.
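As an added example (not code from the article or from GitLab), the following Python script encodes the two checks an administrator would want to run against a self-managed instance: whether the running version falls inside the affected ranges listed above, and whether the GitHub import source is still enabled. It assumes that the `import_sources` array returned by GitLab's `GET /api/v4/application/settings` endpoint names the GitHub source as the string `"github"` (an assumption, not stated in the article); the settings payload below is constructed for illustration rather than captured from a real instance, so the script runs offline.

```python
import json
import re

# Affected ranges as listed in the advisory: each tuple is
# (first vulnerable version, inclusive) and (first fixed version, exclusive).
AFFECTED_RANGES = [
    ((11, 3, 4), (15, 1, 5)),
    ((15, 2, 0), (15, 2, 3)),
    ((15, 3, 0), (15, 3, 1)),
]

STATUS_PATCHED = "patched"
STATUS_VULNERABLE = "vulnerable"        # affected version, GitHub import still enabled
STATUS_WORKAROUND = "workaround-only"   # affected version, GitHub import disabled


def parse_version(version):
    """Turn a GitLab version string such as '15.1.4-ee' or '15.2'
    into a (major, minor, patch) tuple; a missing patch level is 0."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised GitLab version: {version!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_vulnerable_version(version):
    """True if the version lies inside any of the affected ranges."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def github_import_enabled(settings):
    """settings: dict decoded from GET /api/v4/application/settings.
    Assumption: the enabled sources are listed under 'import_sources'
    and GitHub appears there as 'github'."""
    return "github" in settings.get("import_sources", [])


def assess(version, settings):
    """Combine both checks into a single status for the instance."""
    if not is_vulnerable_version(version):
        return STATUS_PATCHED
    if github_import_enabled(settings):
        return STATUS_VULNERABLE
    # Workaround applied, but the upgrade is still required.
    return STATUS_WORKAROUND


# Constructed sample payload, not taken from a real instance.
SAMPLE_SETTINGS = json.loads('{"import_sources": ["github", "gitlab_project"]}')

if __name__ == "__main__":
    for ver in ["15.1.4-ee", "15.1.5", "15.2.2", "15.3.0-ee", "15.3.1", "11.3.3", "14.10.0"]:
        print(f"{ver:12} -> {assess(ver, SAMPLE_SETTINGS)}")
```

In practice you would replace `SAMPLE_SETTINGS` with the decoded response from the settings endpoint (it requires an administrator token) and the version string with the value shown on your instance's help page; the version comparison is done on numeric tuples so that, for example, 15.1.7 is correctly treated as fixed even though it sorts after 15.1.5 as a string.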

RCE vulnerabilities are critical flaws that allow an attacker to run commands of their choosing on the targeted system. Once such a vulnerability is disclosed publicly, active exploitation usually follows quickly, so fixes must be applied without delay.


Julien Maury
