CVE-2022-2992: GitLab Remote Code Execution Vulnerability

DevOps platform GitLab has issued patches for a critical remote code execution vulnerability impacting its GitLab Community Edition (CE) and Enterprise Edition (EE) releases.

Tracked as CVE-2022-2992 and rated critical with a CVSS score of 9.9 out of 10, the flaw is reachable through the Import from GitHub API endpoint and requires the attacker to be authenticated to the instance. Any valid account is enough, so the authentication requirement offers little protection on instances that allow self sign-up or hold many low-privilege users.

“A vulnerability in GitLab CE/EE affecting all versions from 11.10 before 15.1.6, all versions starting from 15.2 before 15.2.4, all versions starting from 15.3 before 15.3.2 allows an authenticated user to achieve remote code execution via the Import from GitHub API endpoint,” the company said in an advisory published on August 30.

“As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version,” the company added.

CVE-2022-2992 was reported by security researcher ‘vakzz’ through HackerOne’s bug bounty program. There is no evidence that the issue is being exploited in the wild.

The same releases also fix 14 other security vulnerabilities:

  • CVE-2022-2865: Stored XSS via labels color
  • CVE-2022-2527: Content injection via Incidents Timeline description
  • CVE-2022-2592: Lack of length validation in Snippets leads to Denial of Service
  • CVE-2022-2533: Group IP allow-list not fully respected by the Package Registry
  • CVE-2022-2455: Abusing Gitaly.GetTreeEntries calls leads to denial of service
  • CVE-2022-2428: Arbitrary HTTP Requests Possible in .ipynb Notebook with Malicious Form Tags
  • CVE-2022-2908: Regular Expression Denial of Service via special crafted input
  • CVE-2022-2630: Information Disclosure via Arbitrary GFM references rendered in Incident Timeline Events
  • CVE-2022-2931: Regex backtracking through the Commit message field
  • CVE-2022-2907: Read repository content via LivePreview feature
  • Denial of Service via the Create branch API
  • Denial of Service via Issue preview
  • CVE-2022-3031: Brute force attack may guess a password even when 2FA is enabled
  • IDOR in Zentao integration leaked issue details

GitLab Community Edition and Enterprise Edition versions 15.3.2, 15.2.4 and 15.1.6 contain patches for these vulnerabilities.
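A quick way to turn the advisory's version ranges into something an administrator can run is a small checker that takes the version string an instance reports (for example the value returned by GitLab's `/api/v4/version` endpoint, or shown by `gitlab-rake gitlab:env:info`) and says whether it falls inside an affected range and which fixed release to move to. The script below is an added example written for this page, not GitLab's own tooling; the ranges are copied from the advisory text above, and the sample version strings at the bottom are constructed for illustration.

```python
"""Check a GitLab CE/EE version string against the CVE-2022-2992 advisory.

Added example, not code from GitLab. Affected ranges are taken verbatim from
GitLab's advisory:  11.10 <= v < 15.1.6,  15.2 <= v < 15.2.4,  15.3 <= v < 15.3.2.
"""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# (first affected version, first fixed version) for each release stream.
# Anything at or above the "first fixed" value of its stream is patched.
AFFECTED_RANGES = [
    ((11, 10, 0), (15, 1, 6)),   # 11.10 up to, but not including, 15.1.6
    ((15, 2, 0), (15, 2, 4)),    # 15.2.x before 15.2.4
    ((15, 3, 0), (15, 3, 2)),    # 15.3.x before 15.3.2
]

_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR[.PATCH]' and ignore any edition suffix.

    GitLab reports versions such as '15.3.1-ee' or '15.3.1'; a missing patch
    component is treated as .0 so '15.3' sorts as the first 15.3 release.
    """
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError("not a GitLab version string: %r" % text)
    major, minor, patch = match.groups()
    return (int(major), int(minor), int(patch or 0))


def affected_by_cve_2022_2992(text: str) -> Optional[str]:
    """Return the fixed release to upgrade to if `text` is affected, else None.

    A 14.x or earlier instance (back to 11.10) gets 15.1.6 as its target,
    because the advisory lists no fix inside those older streams.
    """
    version = parse_version(text)
    for first_affected, first_fixed in AFFECTED_RANGES:
        if first_affected <= version < first_fixed:
            return "%d.%d.%d" % first_fixed
    return None


def report(text: str) -> str:
    """One-line human-readable verdict for a version string."""
    target = affected_by_cve_2022_2992(text)
    if target is None:
        return "%s: not in an affected range" % text.strip()
    return "%s: AFFECTED by CVE-2022-2992, upgrade to %s or later" % (text.strip(), target)


if __name__ == "__main__":
    # Constructed sample inputs, not output captured from any real instance.
    for sample in ["15.3.1-ee", "15.3.2-ee", "15.2.3", "15.1.6-ce",
                   "14.10.5", "11.9.9", "11.10.0", "15.3"]:
        print(report(sample))
```

Two points worth keeping in mind when using a check like this: a version that sits below 15.1.6 but outside the 15.1 stream (say 14.10.x) has no patched release of its own, so the only remedy is to upgrade into a patched stream, which may require intermediate stops per GitLab's documented upgrade path; and a result of "not affected" for CVE-2022-2992 says nothing about the other 14 issues fixed in the same releases, so the upgrade target should be the full security release regardless.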

In light of the criticality of some of these issues, users running affected installations are strongly advised to upgrade to the latest version as soon as possible.