CVE-2022-2185: GitLab Remote Code Execution Vulnerability

Ddos July 1, 2022 2 min read
On June 30, 2022, GitLab issued a security notice fixing a vulnerability (CVE-2022-2185) in GitLab Community Edition (CE) and Enterprise Edition (EE), rated CVSS 9.9. GitLab is an open-source repository management platform: it uses Git as the underlying version control tool and exposes public or private projects through a web interface. The flaw allows an authorised user to import a maliciously crafted project and thereby achieve remote code execution on the GitLab server. The bug was reported by security researcher vakzz.

“A critical issue has been discovered in GitLab affecting all versions starting from 14.0 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1 where an authorised user could import a maliciously crafted project leading to remote code execution,” the company said in an advisory. “We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.”

In the same release, GitLab also fixed 15 further security vulnerabilities, including:

  • XSS in ZenTao integration affecting self hosted instances without strict CSP
  • XSS in project settings page
  • Unallowed users can read unprotected CI variables
  • IP allow-list bypass to access Container Registries
  • 2FA status is disclosed to unauthenticated users
  • Restrict membership by email domain bypass
  • IDOR in sentry issues
  • Reporters can manage issues in error tracking
  • CI variables provided to runners outside of a group’s restricted IP range
  • Regular Expression Denial of Service via malicious web server responses
  • Unauthorized read for conan repository
  • Open redirect vulnerability
  • Group labels are editable through subproject
  • Release titles visible for any users if group milestones are associated with any project releases
  • Job information is leaked to users who previously were maintainers via the Runner Jobs API endpoint

Affected version

  • GitLab CE/EE 14.0 prior to 14.10.5
  • GitLab CE/EE 15.0 prior to 15.0.4
  • GitLab CE/EE 15.1 prior to 15.1.1

Unaffected version

  • GitLab CE/EE 14.10.5
  • GitLab CE/EE 15.0.4
  • GitLab CE/EE 15.1.1

Solution

GitLab has fixed CVE-2022-2185 in releases 14.10.5, 15.0.4 and 15.1.1. We strongly recommend that all installations running an affected version are upgraded to the patched release for their branch as soon as possible.
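To turn the affected and unaffected version lists above into a repeatable check for a fleet of self-hosted instances, the following script (an added example, not code from GitLab or from this article) encodes the advisory's three ranges and reports, for a given version string, whether it is affected and which patched release to upgrade to. The hostnames and version strings at the bottom are constructed sample data.

```python
"""Check GitLab CE/EE version strings against the CVE-2022-2185 affected ranges."""
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# One (first affected, first fixed) pair per release branch, as stated in the advisory:
# 14.0 prior to 14.10.5, 15.0 prior to 15.0.4, 15.1 prior to 15.1.1.
# The lower bound is inclusive, the upper bound (the patched release) is exclusive.
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    ((14, 0, 0), (14, 10, 5)),
    ((15, 0, 0), (15, 0, 4)),
    ((15, 1, 0), (15, 1, 1)),
]


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR.PATCH', tolerating the '-ee' / '-ce' suffix GitLab prints."""
    core = text.strip().split("-", 1)[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def fixed_version_for(version: str) -> Optional[str]:
    """Return the patched release for an affected version's branch, or None if unaffected."""
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:
            return ".".join(str(n) for n in hi)
    return None  # below 14.0, already patched, or on a later branch


def is_affected(version: str) -> bool:
    return fixed_version_for(version) is not None


if __name__ == "__main__":
    # Constructed inventory: hostnames and versions are made up for illustration.
    inventory = [("git.example.internal", "15.0.3-ee"), ("ci.example.internal", "15.1.1")]
    for host, ver in inventory:
        fix = fixed_version_for(ver)
        verdict = f"AFFECTED, upgrade to {fix}" if fix else "not affected"
        print(f"{host}: {ver} -> {verdict}")
```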
