GitLab released patches where they fixed a critical remote code execution vulnerability. It is labeled CVE-2022-2884 with a CVSS score of 9.9. This critical vulnerability in the GitHub Import API can be exploited by an attacker who has successfully obtained authentication. The RCE vulnerability affects the following versions of GitLab Community Edition and GitLab Enterprise Edition products.
- GitLab CE/EE versions between 11.3.4 – 15.1.5
- GitLab CE/EE 15.2 versions before 15.2.3
- GitLab CE/EE 15.3 versions before 15.3.1
GitLab, a web-based Git repository tool, provides DevOps functionality with remote access. CVE-2022-2884 was reported during one of GitLab’s bug bounty programs. GitLab published an article related to the issue but has not disclosed any active exploitation in the wild.
All installations running a version impacted by the issue are advised to update as soon as possible to the most recent version. If you cannot upgrade immediately, disabling the GitHub import function can help you secure your GitLab installation from this vulnerability.
Below actions should be followed after logging in with an administrator account to your GitLab installation:
- Go to Menu -> Admin -> Settings -> General
- Expand the Visibility and access controls tab.
- Under Import sources, disable the GitHub option, and save the configuration.