GitLab wants users to urgently install an update for versions 15.1, 15.2, and 15.3 of its community and enterprise edition to address a flaw attackers could exploit to remotely execute commands via its GitHub import tool.<\/p>\n
The vulnerability is tracked as CVE-2022-2884 and has been assigned a Common Vulnerability Scoring System (CVSS) v3 of 9.9 out of 10.<\/p>\n
CVSS is an open framework for communicating the characteristics and severity of software vulnerabilities. A rating of 9.9 represents a critical security flaw.<\/p>\n
“Today we are releasing versions 15.3.1, 15.2.3, and 15.1.5 for GitLab Community Edition (CE) and Enterprise Edition (EE),” application security specialist at GitLab, Nick Malcolm, said in a statement<\/a><\/strong>.<\/p>\n “These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.”<\/p>\n By exploiting the flaw, a malicious actor can take over a target machine, steal or delete code, or trick project managers into accepting and running malicious code.<\/p>\n GitLab recommends using a workaround for those unable to install the security updates.<\/p>\n The workaround involves disabling GitHub import, a tool used to transfer entire software projects from GitHub to GitLab.<\/p>\n To apply the workaround, users can follow these steps:<\/p>\n\n