GitLab has released updates addressing CVE-2022-2884, which affects versions 11.3.4 through 15.1.4, 15.2 through 15.2.2, and 15.3.0. The vulnerability carries a CVSS score of 9.9 (critical) and allows an authenticated user to achieve remote code execution through the GitHub import feature, a tool for importing an entire software project from GitHub into GitLab. GitLab is a web-based Git repository manager and DevOps platform with over 30 million registered users that lets development teams manage their code remotely.
GitLab has indicated that the vulnerability affects both the Community and Enterprise editions and all deployment types (Omnibus, source install, Helm chart, etc.). The patched releases are 15.1.5, 15.2.3, and 15.3.1. If updating to a patched release is not immediately possible, GitLab has published a workaround that disables the GitHub import source. It reduces exposure but is not a substitute for the patch; re-enable GitHub import only after upgrading. The steps are:
- Log in to GitLab using an administrator account
- Click on “Menu” and then on “Admin”
- Click on “Settings” and then on “General”
- Expand “Visibility and Access Controls”
- Disable the “GitHub” option under “Import sources”
- Click “Save changes”
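The same version check and workaround can be scripted against the GitLab REST API, which is useful when several instances need triaging. The following is an added example written for this page, not code from GitLab or its advisory. It assumes the affected ranges quoted above, the documented endpoints `GET /api/v4/version` and `GET`/`PUT /api/v4/application/settings` (the `import_sources` setting is what the admin UI toggles), and hypothetical environment variables `GITLAB_URL`, `GITLAB_TOKEN` (an admin personal access token) and `APPLY_WORKAROUND` for the live run. Without those variables it runs offline on constructed sample responses.

```python
"""Triage a GitLab instance for CVE-2022-2884 and build the workaround payload.

Added example for this page; not GitLab's own tooling. Offline by default:
set GITLAB_URL and GITLAB_TOKEN (admin PAT) to query a real instance.
"""
import json
import os
import re
import urllib.request

# Vulnerable ranges from the advisory, as [lower, upper) per release branch.
# The upper bound of each range is the first patched release in that branch.
AFFECTED_RANGES = [
    ((11, 3, 4), (15, 1, 5)),
    ((15, 2, 0), (15, 2, 3)),
    ((15, 3, 0), (15, 3, 1)),
]


def parse_version(version: str) -> tuple:
    """'15.2.2-ee' -> (15, 2, 2); tolerates -ee/-pre suffixes and 2-part versions."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {version!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_vulnerable(version: str) -> bool:
    """True if the version falls inside any advisory range (patched releases are excluded)."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def harden_import_sources(settings: dict) -> list:
    """Return import_sources with 'github' removed, i.e. the advisory's workaround."""
    return [s for s in settings.get("import_sources", []) if s != "github"]


def assess(version_resp: dict, settings_resp: dict) -> dict:
    """Combine /version and /application/settings responses into one finding."""
    vuln = is_vulnerable(version_resp["version"])
    github_enabled = "github" in settings_resp.get("import_sources", [])
    if not vuln:
        action = "none: running a patched release"
    elif github_enabled:
        action = "upgrade to 15.1.5 / 15.2.3 / 15.3.1; until then disable the GitHub import source"
    else:
        action = "upgrade; workaround (GitHub import disabled) is already in place"
    return {
        "version": version_resp["version"],
        "vulnerable_version": vuln,
        "github_import_enabled": github_enabled,
        "exposed": vuln and github_enabled,
        "action": action,
    }


def _api(base_url: str, token: str, path: str, method: str = "GET", body=None):
    """Minimal GitLab REST call with a private token; JSON in, JSON out."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v4{path}",
        data=None if body is None else json.dumps(body).encode(),
        method=method,
        headers={"PRIVATE-TOKEN": token, "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


if __name__ == "__main__":
    base, token = os.environ.get("GITLAB_URL"), os.environ.get("GITLAB_TOKEN")
    if not base or not token:
        # Constructed sample responses, not data from a real instance.
        sample_version = {"version": "15.3.0", "revision": "0000000"}
        sample_settings = {"import_sources": ["github", "gitea", "git"]}
        print(json.dumps(assess(sample_version, sample_settings), indent=2))
    else:
        settings = _api(base, token, "/application/settings")
        finding = assess(_api(base, token, "/version"), settings)
        print(json.dumps(finding, indent=2))
        # Only change settings when explicitly asked; this is the admin-UI workaround via API.
        if finding["exposed"] and os.environ.get("APPLY_WORKAROUND") == "1":
            _api(base, token, "/application/settings", "PUT",
                 {"import_sources": harden_import_sources(settings)})
            print("GitHub import source disabled")
```

Run it with no environment variables to see the offline assessment of the constructed 15.3.0 sample; with `GITLAB_URL` and `GITLAB_TOKEN` set it reports on the live instance, and `APPLY_WORKAROUND=1` additionally writes the reduced `import_sources` list back. Version suffixes such as `-ee` are ignored because the advisory's ranges are the same for both editions.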
Typically, once a vulnerability of this magnitude is disclosed, exploitation attempts in the wild follow within days. This highlights the need both for a threat intelligence function that tracks vendor advisories as soon as they are published and for a frequent, reliable patching cadence. Left unpatched, this vulnerability allows an attacker with a GitLab account to take control of the server, steal or delete source code, capture user and administrative credentials, and carry out more disruptive actions. Exploitation of this kind of flaw can lead to further compromise of the organisation itself and, because the build pipeline and source code are exposed, to supply-chain attacks similar to the 2020 SolarWinds compromised software update.