GitLab releases patch for critical flaw in its community and enterprise software

The DevOps platform GitLab released patches this week to address a critical security flaw in its software that could lead to the execution of arbitrary code on affected systems.

Tracked as CVE-2022-2884, the issue is rated 9.9 on the CVSS vulnerability rating system and affects all versions of GitLab Community Edition (CE) and Enterprise Edition (EE) from 11.3.4 before 15.1.5, 15.2 before 15.2.3, and 15.3 before 15.3.1.

At its core, the security weakness is a case of authenticated remote code execution that can be triggered through the GitHub import API. GitLab credited yvvdwf with discovering and reporting the flaw.


Although the issue has been resolved in versions 15.3.1, 15.2.3, and 15.1.5, users also have the option to protect against the flaw by temporarily disabling the GitHub import option:

  • Click “Menu” -> “Admin”
  • Click “Settings” -> “General”
  • Expand the “Visibility and Access Controls” tab
  • Under “Import sources”, disable the “GitHub” option
  • Click “Save Changes”
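The same two facts an administrator needs here, whether the running version falls inside the affected ranges and whether the GitHub import source is still enabled, can be checked from the GitLab REST API. The script below is an added example, not GitLab's own code; it works offline on constructed sample responses shaped like the real `GET /api/v4/version` and `GET /api/v4/application/settings` JSON.

```python
"""Check a GitLab version against the CVE-2022-2884 affected ranges and
confirm whether the GitHub import source is enabled. Added example, not
GitLab's own code; the sample responses below are constructed."""
import json

# Affected ranges from the advisory, as [lower, fixed) per release branch.
AFFECTED_RANGES = [
    ((11, 3, 4), (15, 1, 5)),
    ((15, 2, 0), (15, 2, 3)),
    ((15, 3, 0), (15, 3, 1)),
]


def parse_version(text):
    """Turn '15.2.2' or '15.2.2-ee' into a (major, minor, patch) tuple."""
    core = text.split("-")[0]  # drop edition suffix such as '-ee'
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:  # '15.2' is treated as 15.2.0
        parts.append(0)
    return tuple(parts[:3])


def is_affected(version_text):
    """True when the version lies in an affected range; fixed versions are excluded."""
    v = parse_version(version_text)
    return any(lo <= v < fixed for lo, fixed in AFFECTED_RANGES)


def github_import_enabled(settings_json):
    """Inspect 'import_sources' from the application settings response."""
    settings = json.loads(settings_json)
    return "github" in settings.get("import_sources", [])


def assess(version_json, settings_json):
    """Combine both checks into a one-line verdict."""
    version = json.loads(version_json)["version"]
    if not is_affected(version):
        return "patched"
    if github_import_enabled(settings_json):
        return "vulnerable: GitHub import enabled"
    return "mitigated: GitHub import disabled, update still required"


# Constructed sample responses (not captured from a real instance).
SAMPLE_VERSION = '{"version": "15.2.2-ee", "revision": "PLACEHOLDER"}'
SAMPLE_SETTINGS = '{"import_sources": ["github", "gitlab", "git"]}'

if __name__ == "__main__":
    print(assess(SAMPLE_VERSION, SAMPLE_SETTINGS))
```

Disabling the import source through the UI steps above only changes the `import_sources` setting; the version check still reports the instance as needing the update.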

There is no evidence that the flaw is being exploited in attacks in the wild. That said, users running an affected installation are advised to update to a fixed version as soon as possible.