GitLab patches critical remote code execution bug

GitLab has issued a security update to address a critical vulnerability that could lead to remote code execution (RCE).

The vulnerability could allow an authenticated user to achieve remote code execution via the ‘Import from GitHub API’ endpoint, an advisory from GitLab reads.

Tracked as CVE-2022-2884, the security issue is present in GitLab Community Edition (CE) and Enterprise Edition (EE) versions 11.3.4 before 15.1.5, all versions starting from 15.2 before 15.2.3, all versions starting from 15.3 before 15.3.1.

It has since been patched, as GitLab urges all users to update to the latest version.

“These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version,” the blog post reads.

It was reported to GitLab by ‘yvvdwf’ through HackerOne’s bug bounty program.

Other updates

In addition to the critical security patches, version 15.3, released yesterday (August 22), also contains a number of usability and UI improvements as well as more complex password requirements for GitLab accounts.

Source: https://portswigger.net/daily-swig/gitlab-patches-critical-remote-code-execution-bug