GitLab last week issued an emergency patch covering 16 vulnerabilities, one of them given a critical risk rating, along with three rated high severity.

To fix the vulnerabilities, the organisation issued an out-of-cycle release of versions 15.1.1, 15.0.4 and 14.10.5 for GitLab Community Edition (CE) and Enterprise Edition (EE), saying it “strongly recommends that all GitLab installations be upgraded to one of these versions immediately”.
The critical vulnerability, carrying a Common Vulnerability Scoring System score of 9.8, is CVE-2022-2185, discovered by HackerOne member “vakzz”.
The advisory states that “an authorised user could import a maliciously crafted project leading to remote code execution”.
It’s essentially a command injection bug arising from improper neutralisation of command elements.
The three high-rated bugs are:
- CVE-2022-2235 – a sanitisation issue in GitLab EE’s external issue tracker, allowing an attacker to perform cross-site scripting via a malicious ZenTao link;
- CVE-2022-2230 – a stored cross-site scripting vulnerability in GitLab CE/EE’s project settings page, allowing an attacker to execute arbitrary JavaScript on a victim’s behalf; and
- CVE-2022-2229 – an authorisation bug in both the community and enterprise editions that allows an attacker to extract unprotected variable values from projects.
GitLab.com is already running the patched version.
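Self-managed installations still have to confirm they are on one of the three fixed releases. The script below is an added example written for this article, not GitLab tooling: it parses a version string as reported by an instance (the `/-/version` page or `gitlab-rake gitlab:env:info`) and compares it against the 15.1.1 / 15.0.4 / 14.10.5 minimums named above. The rule that branches newer than 15.1 already contain the fix is an assumption, as is the choice of 14.10.5 as the nearest target for branches older than 14.10; the inventory in `main()` is constructed sample data.

```python
"""Check GitLab version strings against the out-of-cycle security releases
15.1.1, 15.0.4 and 14.10.5 (example code added to this article, not
GitLab's own tooling)."""
import re
from typing import Optional, Tuple

# Minimum fixed version per release branch, as listed in the advisory.
PATCHED = {
    (15, 1): (15, 1, 1),
    (15, 0): (15, 0, 4),
    (14, 10): (14, 10, 5),
}
OLDEST_PATCHED_BRANCH = min(PATCHED)  # (14, 10)
NEWEST_PATCHED_BRANCH = max(PATCHED)  # (15, 1)

# Accepts "15.0.3", "v15.0.3" and edition suffixes such as "15.0.3-ee".
_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)(?:-[\w.]+)?\s*$")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Return (major, minor, patch) for a GitLab version string."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_patched(version: str) -> bool:
    """True if the version is at or above the fixed release for its branch."""
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch in PATCHED:
        return (major, minor, patch) >= PATCHED[branch]
    if branch > NEWEST_PATCHED_BRANCH:
        # Assumption: 15.2 and later were cut after the fix landed.
        return True
    # Branches older than 14.10 have no fixed release listed: treat as unpatched.
    return False


def required_upgrade(version: str) -> Optional[str]:
    """Return the release to move to, or None when already patched."""
    if is_patched(version):
        return None
    branch = parse_version(version)[:2]
    # Assumption: for branches older than 14.10, 14.10.5 is the nearest fixed release.
    target = PATCHED.get(branch, PATCHED[OLDEST_PATCHED_BRANCH])
    return ".".join(str(n) for n in target)


def main() -> None:
    # Constructed sample inventory; replace with your own instance list.
    inventory = {
        "ci.example.test": "15.0.3-ee",
        "git.example.test": "15.1.1",
        "legacy.example.test": "14.9.5",
    }
    for host, version in inventory.items():
        target = required_upgrade(version)
        status = "patched" if target is None else f"upgrade to {target}"
        print(f"{host}: {version} -> {status}")


if __name__ == "__main__":
    main()
```

Version strings with a pre-release or edition suffix are accepted but the suffix is ignored, since the advisory's fixed versions apply to both CE and EE.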