GitLab urges users to patch critical vulnerability
GitLab is urging users of its Community and Enterprise Editions to install updates for the 15.1, 15.2 and 15.3 release lines to fix a flaw that an authenticated user could exploit to execute commands remotely on the GitLab server through the GitHub import feature.
The vulnerability is tracked as CVE-2022-2884 and has been assigned a Common Vulnerability Scoring System (CVSS) v3 base score of 9.9 out of 10.
CVSS is an open framework for describing the characteristics and severity of software vulnerabilities. Scores of 9.0 and above are classed as critical, so 9.9 places this flaw near the top of the scale.
“Today we are releasing versions 15.3.1, 15.2.3, and 15.1.5 for GitLab Community Edition (CE) and Enterprise Edition (EE),” application security specialist at GitLab, Nick Malcolm, said in a statement.
“These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.”
An attacker who exploits the flaw gains command execution on the GitLab server itself, and from there could read, alter or delete hosted source code, or plant changes that project maintainers later merge and run.
For installations that cannot be upgraded right away, GitLab recommends a workaround: disable GitHub import, the feature used to transfer entire software projects from GitHub into GitLab, so the vulnerable code path can no longer be reached.
To apply the workaround, users can follow these steps:
- Log in using an administrator account to your GitLab installation.
- Click Menu, then Admin.
- Select Settings, then General.
- Expand the Visibility and access control tab.
- Disable the GitHub option under Import sources.
- Hit Save changes.
Administrators can confirm the workaround took effect by starting a new project import: GitHub should no longer be listed among the available import sources. The workaround only removes the vulnerable entry point; upgrading to one of the fixed versions remains the real remedy.
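The same check can be automated over the GitLab REST API instead of being clicked through in the UI. The script below is an added example, not GitLab's code or anything from the advisory: it classifies an instance's version against the fixed releases named above (using the advisory's full affected range, which starts at 11.3.4, rather than only the 15.x lines the article mentions), reads `import_sources` from `GET /api/v4/application/settings` to see whether the GitHub source is still enabled, and builds the `import_sources` value for the corresponding `PUT` that would apply the workaround without the UI. The environment variable names `GITLAB_URL` and `GITLAB_TOKEN` and the two sample API responses are assumptions; without the variables set it runs offline against the constructed data.

```python
"""Assess a GitLab instance for CVE-2022-2884 exposure (added example).

Affected range taken from GitLab's advisory: all versions from 11.3.4 before
15.1.5, from 15.2 before 15.2.3, and from 15.3 before 15.3.1. Endpoints used
are real GitLab REST API routes: GET /api/v4/version and
GET/PUT /api/v4/application/settings (the latter requires an admin token).
"""
import json
import os
import re
import urllib.request

FIRST_AFFECTED = (11, 3, 4)


def parse_version(version):
    """'15.3.1-ee' -> (15, 3, 1); edition/pre-release suffixes are ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version):
    """True when the version falls inside the advisory's affected ranges."""
    v = parse_version(version)
    if v < FIRST_AFFECTED:
        return False
    if v < (15, 1, 5):
        return True            # everything from 11.3.4 up to and including 15.1.4
    if v[:2] == (15, 2):
        return v[2] < 3        # 15.2.0 .. 15.2.2
    if v[:2] == (15, 3):
        return v[2] < 1        # 15.3.0 only
    return False               # 15.1.5+, 15.2.3+, 15.3.1+, and later lines


def github_import_enabled(settings):
    """settings: the JSON object returned by GET /api/v4/application/settings."""
    return "github" in settings.get("import_sources", [])


def import_sources_without_github(settings):
    """The import_sources value to send with PUT /api/v4/application/settings
    in order to apply the workaround (every current source except github)."""
    return [s for s in settings.get("import_sources", []) if s != "github"]


def assess(version, settings):
    """Return 'patched', 'mitigated' (vulnerable but GitHub import off), or 'exposed'."""
    if not is_vulnerable(version):
        return "patched"
    if not github_import_enabled(settings):
        return "mitigated"
    return "exposed"


def fetch_json(base_url, path, token):
    """GET a JSON document from the instance using a personal access token."""
    req = urllib.request.Request(f"{base_url.rstrip('/')}{path}",
                                 headers={"PRIVATE-TOKEN": token})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


# Constructed sample data standing in for the two API responses (assumption:
# a 15.2.2 EE instance that still has GitHub import switched on).
SAMPLE_VERSION = {"version": "15.2.2-ee", "revision": "0000000"}
SAMPLE_SETTINGS = {"import_sources": ["github", "gitlab_project", "git"]}

if __name__ == "__main__":
    base, token = os.environ.get("GITLAB_URL"), os.environ.get("GITLAB_TOKEN")
    if base and token:
        ver = fetch_json(base, "/api/v4/version", token)
        settings = fetch_json(base, "/api/v4/application/settings", token)
    else:
        ver, settings = SAMPLE_VERSION, SAMPLE_SETTINGS
    verdict = assess(ver["version"], settings)
    print(f"{ver['version']}: {verdict}")
    if verdict == "exposed":
        print("workaround payload: import_sources =",
              import_sources_without_github(settings))
```

Run it with `GITLAB_URL` and `GITLAB_TOKEN` set to check a live instance; a verdict of `mitigated` means the flaw is still present in the installed version and only the GitHub import source stands between it and an attacker, so the upgrade should still follow.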