⚡ TL;DR | Go Straight to the GitLab Report
GitLab has released new versions (15.3.1, 15.2.3, 15.1.5) for their Community Edition (CE) and Enterprise Edition (EE) in response to a critical Remote Command Execution (RCE) vulnerability. The vulnerability could allow an attacker to run code on the target machine, inject malware and backdoors, or even take complete control of the machine.
CVE-2022-2884
The vulnerability tracked as CVE-2022-2884 received a critical CVSS score of 9.9 and allows an authenticated user to trigger remote code execution via the GitHub import API. It affects all versions of GitLab CE/EE starting from 11.3.4 before 15.1.5, 15.2 before 15.2.3, and 15.3 before 15.3.1. GitLab strongly recommends all users update their installations to any of the fixed versions 15.3.1, 15.2.3, or 15.1.5 as soon as possible. GitLab.com is already running the patched version.
Disabling the GitHub Import Option
If it is not possible to update your GitLab installation right away, there is a workaround to protect yourself against this vulnerability by disabling the GitHub import. Log in using an administrator account to your GitLab installation and perform the following:
- Click "Menu" -> "Admin".
- Click "Settings" -> "General".
- Expand the "Visibility and access controls" tab.
- Under "Import sources" disable the "GitHub" option.
- Click "Save changes".
Find Vulnerable GitLab Installs
To help mitigate the risk of this vulnerability as soon as possible, we've created a report that lists all GitLab software installed on Linux devices, along with details such as the version, description, and install date, so you know where your GitLab installations are located and which version each one is running.
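Whatever inventory tool produces the list of hosts and versions, the triage step is the same: compare each installed version against the affected ranges stated above (11.3.4 up to but excluding 15.1.5, 15.2.0 up to but excluding 15.2.3, and 15.3.0 up to but excluding 15.3.1). The script below is an added example, not part of this post or of any vendor report; the inventory rows it uses are constructed, and it tolerates the `-ee`/`-ce` package suffixes GitLab versions usually carry.

```python
"""Flag GitLab installs affected by CVE-2022-2884 from an inventory of
(host, version) rows (added example; inventory rows are constructed)."""
import re
from typing import Iterable

Version = tuple[int, int, int]

# Affected ranges from the advisory: lower bound inclusive, upper bound exclusive.
AFFECTED_RANGES: list[tuple[Version, Version]] = [
    ((11, 3, 4), (15, 1, 5)),   # 11.3.4 <= v < 15.1.5
    ((15, 2, 0), (15, 2, 3)),   # 15.2.0 <= v < 15.2.3
    ((15, 3, 0), (15, 3, 1)),   # 15.3.0 <= v < 15.3.1
]

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Version:
    """Extract the first major.minor.patch triple from strings such as
    '15.2.2-ee' or 'gitlab-ee 15.2.2-ee.0'. Raises ValueError if none found."""
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(part) for part in match.groups())  # type: ignore[return-value]


def is_vulnerable(version_text: str) -> bool:
    """True when the version falls inside any affected range."""
    version = parse_version(version_text)
    return any(lo <= version < hi for lo, hi in AFFECTED_RANGES)


def triage(inventory: Iterable[tuple[str, str]]) -> list[tuple[str, str, bool]]:
    """Annotate each (host, version) row with its vulnerable/not-vulnerable verdict.
    Rows whose version cannot be parsed are reported as vulnerable so they are
    reviewed by hand rather than silently dropped."""
    results = []
    for host, version_text in inventory:
        try:
            flagged = is_vulnerable(version_text)
        except ValueError:
            flagged = True
        results.append((host, version_text, flagged))
    return results


# Constructed sample inventory (hostnames are placeholders, not real systems).
SAMPLE_INVENTORY = [
    ("git-prod-01.example.invalid", "15.2.2-ee"),
    ("git-prod-02.example.invalid", "15.3.1-ee.0"),
    ("git-dev-01.example.invalid", "14.10.0-ce.0"),
    ("git-legacy.example.invalid", "11.3.3"),
    ("git-unknown.example.invalid", "version not reported"),
]

if __name__ == "__main__":
    for host, version_text, flagged in triage(SAMPLE_INVENTORY):
        verdict = "VULNERABLE" if flagged else "ok"
        print(f"{host:32} {version_text:22} {verdict}")
```

The ranges are encoded as half-open intervals on integer tuples, which is what makes `15.1.5` and `15.3.1` come out as fixed while `15.2.2` and `15.3.0` are flagged; an unparsable version is deliberately treated as vulnerable so that a missing field in the inventory never hides an affected host.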