Multiple Vulnerabilities in GitLab CE and EE are Fixed by GitLab

Multiple Vulnerabilities in GitLab CE and EE are Fixed by GitLab

GitLab published a security advisory on August 30, 2022, to remedy a critical security flaw that has been recorded as CVE-2022-2992 (with a CVSS score of 9.9) GitLab Community Edition (CE) and Enterprise Edition (EE) are impacted by this security flaw. The vulnerability was found and reported to HackerOne’s bug bounty program by security researcher called Vakzz.

The report states that the critical vulnerability, identified as CVE-2022-2992, affects GitLab CE/EE versions 11.10 to 15.1.6 and allows remote code execution. Additionally, the vulnerability enables threat actors to import data from the GitHub API endpoint and execute it remotely. GitLab has also patched two critical vulnerabilities with a high impact, identified as CVE-2022-2865 and CVE-2022-2527. Ten medium-severity vulnerabilities and two low severity vulnerabilities were also addressed in the advisory.

Title Severity
Remote Command Execution via GitHub import  Critical
Stored XSS via labels color  High
Content injection via Incidents Timeline description  High
Lack of length validation in Snippets leads to Denial of Service  Medium
Group IP allow-list not fully respected by the Package Registry  Medium
Abusing Gitaly.GetTreeEntries calls leads to denial of service  Medium
Arbitrary HTTP Requests Possible in .ipynb Notebook with Malicious Form Tags  Medium
Regular Expression Denial of Service via special crafted input  Medium
Information Disclosure via Arbitrary GFM references rendered in Incident Timeline Events  Medium
Read repository content via LivePreview feature  Medium
Denial of Service via the Create branch API  Medium
Denial of Service via Issue preview  Medium
Brute force attack may guess a password even when 2FA is enabled  Low
IDOR in Zentao integration leaked issue details  Low

Table of fixes

The most recent versions of GitLab, 15.3.2, 15.2.4, and 15.1.6, were published to address these vulnerabilities.

Git labs strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.

Source

https://about.gitlab.com/releases/2022/08/30/critical-security-release-gitlab-15-3-2-released/