Gitlab patches critical RCE bug in latest security release

Gitlab has patched a critical vulnerability that could allow an attacker to execute code remotely.

The security issue, which has been rated as critical, has been discovered in all versions of GitLab, starting from 14.0 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1.

An authenticated user could import a maliciously crafted project leading to remote code execution, an advisory from GitLab reads.

The bug (CVE-2022-2185) has been patched in the latest version.

Multiple vulnerabilities

Fixes for a number of other vulnerabilities were also released in the latest version, including two separate cross-site scripting (XSS) bugs.

More details about the patched vulnerabilities can be found in the Gitlab security advisory.

The security bugs affect both GitLab Community Edition and Enterprise Edition. Gitlab has recommended users upgrade to the latest version.

The advisory reads: “We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.

“When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.”

Source: https://portswigger.net/daily-swig/gitlab-patches-critical-rce-bug-in-latest-security-release