GitLab has released updates concerning CVE-2022-2884, which impacts versions 11.3.4 through 15.1.4, 15.2 through 15.2.3, and 15.3. The vulnerability has a CVSS criticality score of 9.9 and allows an attacker to perform remote command execution via GitHub import, a tool used for importing entire software projects from GitHub to GitLab. GitLab is a web-based Git repository with over 30 million users that allows developer teams to manage their code remotely.
GitLab has indicated that this vulnerability affects both community and enterprise editions of GitLab as well as all deployment types – omnibus, source code, helm chart, etc. The latest versions that patch this vulnerability are 15.1.5, 15.2.3, and 15.3.1. If it is not possible to update to the latest version, GitLab has also released a workaround which disables GitHub import using the following steps:
- Log in to GitLab using an administrator account
- Click on “Menu” and then on “Admin”
- Click on “Settings” and then on “General”
- Expand “Visibility and Access Controls”
- Disable the “GitHub” option under “Import sources”
- Click “Save changes”
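For administrators who run many instances, the two questions the advisory raises are "is this instance in an affected range?" and "is the GitHub import source still enabled?". The following Python script is an added example (not from GitLab or the advisory) that answers both offline: it compares a reported version string against the affected ranges stated above, treating the listed patched releases (15.1.5, 15.2.3, 15.3.1) as the first fixed version of each branch, and it inspects a settings document of the shape returned by GitLab's `GET /api/v4/application/settings` endpoint, whose `import_sources` list names the enabled import sources. The sample settings JSON is constructed for the example; in practice you would feed the endpoint's real response body to `github_import_enabled`.

```python
"""Defender-side checks for CVE-2022-2884 (added example, not GitLab's code)."""
import json
import re

# Affected ranges as stated in the advisory text, as (first affected, first fixed).
# Assumption: the patched releases listed on the page (15.1.5, 15.2.3, 15.3.1)
# are the first fixed version of their respective branches.
AFFECTED_RANGES = [
    ((11, 3, 4), (15, 1, 5)),
    ((15, 2, 0), (15, 2, 3)),
    ((15, 3, 0), (15, 3, 1)),
]


def parse_version(text):
    """Parse 'X.Y.Z' (an optional '-ee'/'-ce' suffix is ignored) into a 3-tuple.

    A two-component version such as '15.3' is read as 15.3.0.
    """
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(version_text):
    """Return (affected, fixed_version) for the given GitLab version string.

    fixed_version is the first patched release of the matching branch,
    or None when the version is outside every affected range.
    """
    v = parse_version(version_text)
    for first_affected, first_fixed in AFFECTED_RANGES:
        if first_affected <= v < first_fixed:
            return True, ".".join(str(n) for n in first_fixed)
    return False, None


def github_import_enabled(settings_json):
    """Report whether 'github' is still among the enabled import sources.

    settings_json is the JSON body returned by GET /api/v4/application/settings
    (assumption: 'import_sources' is the list of enabled import sources).
    The comparison is case-insensitive so a differently cased value is not missed.
    """
    settings = json.loads(settings_json)
    enabled = [str(s).lower() for s in settings.get("import_sources", [])]
    return "github" in enabled


# Constructed sample of the settings document, as an unpatched instance with the
# workaround NOT applied would return it.
SAMPLE_SETTINGS = json.dumps({"import_sources": ["github", "gitlab_project", "git"]})


def report(version_text, settings_json):
    """Summarise exposure: vulnerable only if in range AND GitHub import is on."""
    affected, fixed = is_affected(version_text)
    github_on = github_import_enabled(settings_json)
    return {
        "version": version_text,
        "in_affected_range": affected,
        "upgrade_to": fixed,
        "github_import_enabled": github_on,
        "exposed": affected and github_on,
    }


if __name__ == "__main__":
    for v in ["15.1.4-ee", "15.1.5", "15.2.2", "15.3", "15.3.1", "11.3.3"]:
        print(report(v, SAMPLE_SETTINGS))
```

An instance that is in an affected range but has GitHub removed from `import_sources` is reported as not exposed, which mirrors the advisory's workaround; upgrading to the listed patched release remains the permanent fix.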