Updates for GitLab close critical vulnerabilities


For the GitLab Community and Enterprise Edition, the developers have released updated versions that close a critical security hole.

GitLab closes a security hole with new versions of the Community and Enterprise Edition. The flaw allows an authenticated attacker to execute injected code by calling the Import from GitHub API endpoint (CVE-2022-2884, CVSS 9.9, risk "critical").

GitLab has not published any further details on the vulnerability, and the entry in the NIST CVE database is still empty. The developers do, however, suggest a mitigation for administrators who cannot apply the update yet.

Until the update is in place, administrators should at least disable GitHub import. To do this, click "Menu"-"Admin" and then "Settings"-"General". Expand the "Visibility and access controls" section, uncheck the "GitHub" option under "Import sources" and confirm the change with "Save changes".

In their security advisory, the GitLab developers also explain how administrators can verify that GitHub import is actually disabled. The fixes are contained in GitLab versions 15.3.1, 15.2.3 and 15.1.5 of the Community Edition (CE) and Enterprise Edition (EE). These can be downloaded from the GitLab update page or from the GitLab runner repositories.
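The article describes the mitigation and the check as clicks in the admin UI. For a fleet of self-managed instances an administrator will want the same thing scriptable, so the following is an added example (not from the article or from GitLab's advisory) that does three things: decides from a version string whether an instance already carries one of the three fix releases named above, inspects the `import_sources` application setting for "github", and removes it. The live calls assume GitLab's Application Settings API (`GET`/`PUT /api/v4/application/settings`) and version API (`GET /api/v4/version`) with a personal access token in the `PRIVATE-TOKEN` header; using that API as the disable/verify path, rather than the admin UI, is my choice, not the advisory's stated procedure. The sample settings document at the bottom is constructed for the offline run; only when `GITLAB_URL` and `GITLAB_TOKEN` (hypothetical variable names) are set does the script contact a real instance.

```python
"""Check and mitigate CVE-2022-2884 exposure on a self-managed GitLab.

Added example. Version numbers come from the article (fixed in 15.3.1,
15.2.3 and 15.1.5); everything older, or on an unnamed branch, is treated
conservatively as needing an upgrade.
"""
import json
import os
import urllib.request

# Fix releases named in the advisory, keyed by the affected minor branch.
FIXED_PATCH_LEVELS = {(15, 3): 1, (15, 2): 3, (15, 1): 5}


def parse_version(version: str) -> tuple:
    """'15.3.1-ee' -> (15, 3, 1); a missing patch level counts as 0."""
    core = version.split("-", 1)[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_patched_version(version: str) -> bool:
    """True only if the version is a fix release or newer than 15.3.x."""
    major, minor, patch = parse_version(version)
    if (major, minor) > (15, 3):
        return True
    needed = FIXED_PATCH_LEVELS.get((major, minor))
    if needed is None:
        # 15.0 and earlier: assume vulnerable, an upgrade is required.
        return False
    return patch >= needed


def github_import_enabled(settings: dict) -> bool:
    """Mirror of the 'GitHub' checkbox under Import sources."""
    return "github" in settings.get("import_sources", [])


def hardened_import_sources(settings: dict) -> list:
    """Same import sources with the GitHub importer removed."""
    return [s for s in settings.get("import_sources", []) if s != "github"]


def _api(base_url: str, token: str, path: str, method="GET", body=None):
    req = urllib.request.Request(
        base_url.rstrip("/") + "/api/v4" + path,
        method=method,
        headers={"PRIVATE-TOKEN": token, "Content-Type": "application/json"},
        data=None if body is None else json.dumps(body).encode(),
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def audit_and_mitigate(base_url: str, token: str, apply: bool) -> dict:
    """Report the version state and, if asked, disable GitHub import."""
    version = _api(base_url, token, "/version")["version"]
    settings = _api(base_url, token, "/application/settings")
    report = {
        "version": version,
        "patched": is_patched_version(version),
        "github_import_enabled": github_import_enabled(settings),
    }
    if apply and report["github_import_enabled"]:
        updated = _api(base_url, token, "/application/settings", "PUT",
                       {"import_sources": hardened_import_sources(settings)})
        # Re-read the setting: this is the "verify it is really off" step.
        report["github_import_enabled"] = github_import_enabled(updated)
    return report


# Constructed sample of the relevant part of a settings response.
SAMPLE_SETTINGS = {"import_sources": ["github", "gitea", "git", "gitlab_project"]}

if __name__ == "__main__":
    url, token = os.environ.get("GITLAB_URL"), os.environ.get("GITLAB_TOKEN")
    if url and token:
        print(audit_and_mitigate(url, token, apply=os.environ.get("APPLY") == "1"))
    else:
        for v in ("15.3.1-ee", "15.3.0", "15.2.3", "15.1.4", "14.10.5"):
            print(v, "patched" if is_patched_version(v) else "UPGRADE")
        print("github import enabled:", github_import_enabled(SAMPLE_SETTINGS))
        print("hardened import_sources:", hardened_import_sources(SAMPLE_SETTINGS))
```

Disabling the importer only blocks the reachable entry point; it is a stopgap, and the version check is what tells you whether the stopgap can be dropped. The script re-reads the setting after the `PUT` rather than trusting the request, which matches the advisory's advice to confirm the import really is off.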

The GitLab developers strongly recommend updating all affected installations as soon as possible. GitLab.com, the vendor-hosted service, is already running the patched version. GitLab 15.2 was released about a month ago and mainly improved the documentation of incidents.
