GitLab has released patches for a critical remote code execution vulnerability, tracked as CVE-2022-2884 with a CVSS score of 9.9. The flaw sits in the GitHub Import API and can be exploited by an authenticated attacker; no administrator privileges are stated as required. Affected versions:
- GitLab CE/EE versions starting from 11.3.4 before 15.1.5
- GitLab CE/EE 15.2 versions before 15.2.3
- GitLab CE/EE 15.3 versions before 15.3.1
At its core, the weakness is an authenticated remote code execution that can be triggered through the GitHub import API. GitLab credited yvvdwf with identifying and reporting the flaw.
Patch recommendations for the GitLab issue
All installations running an affected version should be upgraded to the latest release as soon as possible. If you cannot upgrade immediately, disabling the GitHub import source removes the vulnerable entry point and protects the installation in the meantime; treat it as an interim mitigation, not a replacement for the patch.
After logging in to your GitLab installation with an administrator account, follow these steps:
- Go to Menu -> Admin -> Settings -> General
- Expand the Visibility and access controls tab.
- Under Import sources, disable the GitHub option, and save the configuration.
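The same two checks, deciding from the instance version whether it falls in the affected ranges listed above and switching off the GitHub import source, can be scripted instead of clicked through. The following is an added example written for this page, not GitLab's own tooling. It assumes an administrator personal access token in GITLAB_TOKEN and the instance base URL in GITLAB_URL, uses the `/api/v4/version` and `/api/v4/application/settings` endpoints, and assumes the instance accepts `import_sources` as a JSON array; the version-range table encodes the three affected ranges from this article.

```python
"""Check a GitLab instance against the CVE-2022-2884 affected ranges and,
as the interim mitigation, remove "github" from the allowed import sources
through the Application Settings API.

Added example for this article, not GitLab's own code.  Assumes an admin
personal access token in GITLAB_TOKEN and the base URL in GITLAB_URL.
"""
import json
import os
import re
import sys
import urllib.request

# Affected ranges from the advisory text: [first affected, first fixed).
AFFECTED_RANGES = (
    ((11, 3, 4), (15, 1, 5)),
    ((15, 2, 0), (15, 2, 3)),
    ((15, 3, 0), (15, 3, 1)),
)


def parse_version(version):
    """Turn strings like '15.2.2-ee' or '15.2' into a (major, minor, patch) tuple."""
    core = re.match(r"\d+(?:\.\d+)*", version.strip())
    if not core:
        raise ValueError(f"unrecognised GitLab version string: {version!r}")
    parts = [int(p) for p in core.group(0).split(".")]
    while len(parts) < 3:          # '15.2' means 15.2.0
        parts.append(0)
    return tuple(parts[:3])


def is_affected(version):
    """True if the version lies in any of the published affected ranges."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def without_github(import_sources):
    """Return the import-source list with the vulnerable GitHub importer removed."""
    return [s for s in import_sources if s.lower() != "github"]


def github_import_enabled(settings):
    """True if 'github' is still among the instance's allowed import sources."""
    return any(s.lower() == "github" for s in settings.get("import_sources", []))


def _api(base_url, token, path, method="GET", body=None):
    """Minimal authenticated call against the GitLab REST API (assumed layout)."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v4{path}",
        data=data,
        method=method,
        headers={"PRIVATE-TOKEN": token, "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def main():
    base_url = os.environ["GITLAB_URL"]
    token = os.environ["GITLAB_TOKEN"]

    version = _api(base_url, token, "/version")["version"]
    print(f"instance version {version}: affected={is_affected(version)}")

    settings = _api(base_url, token, "/application/settings")
    if not github_import_enabled(settings):
        print("GitHub import source is already disabled")
        return

    updated = _api(
        base_url, token, "/application/settings", method="PUT",
        body={"import_sources": without_github(settings.get("import_sources", []))},
    )
    # Verify from the response rather than trusting the HTTP status alone.
    if github_import_enabled(updated):
        sys.exit("PUT succeeded but GitHub import is still enabled; inspect the response")
    print("GitHub import source disabled; allowed sources now:", updated["import_sources"])


if __name__ == "__main__":
    main()
```

The version check is deliberately strict about the fixed releases: 15.1.5, 15.2.3 and 15.3.1 are reported as not affected, while anything from 11.3.4 up to the release just before each of them is. Re-enable the GitHub source only after the upgrade, by adding "github" back to `import_sources` or through the same admin page.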