Multiple Vulnerabilities in GitLab CE and EE are Fixed by GitLab
GitLab published a security advisory on August 30, 2022, to remedy a critical security flaw that has been recorded as CVE-2022-2992 (with a CVSS score of 9.9) GitLab Community Edition (CE) and Enterprise Edition (EE) are impacted by this security flaw. The vulnerability was found and reported to HackerOne’s bug bounty program by security researcher called Vakzz.
The report states that the critical vulnerability, identified as CVE-2022-2992, affects GitLab CE/EE versions 11.10 to 15.1.6 and allows remote code execution. Additionally, the vulnerability enables threat actors to import data from the GitHub API endpoint and execute it remotely. GitLab has also patched two critical vulnerabilities with a high impact, identified as CVE-2022-2865 and CVE-2022-2527. Ten medium-severity vulnerabilities and two low severity vulnerabilities were also addressed in the advisory.
| Title | Severity |
| Remote Command Execution via GitHub import | Critical |
| Stored XSS via labels color | High |
| Content injection via Incidents Timeline description | High |
| Lack of length validation in Snippets leads to Denial of Service | Medium |
| Group IP allow-list not fully respected by the Package Registry | Medium |
| Abusing Gitaly.GetTreeEntries calls leads to denial of service | Medium |
| Arbitrary HTTP Requests Possible in .ipynb Notebook with Malicious Form Tags | Medium |
| Regular Expression Denial of Service via special crafted input | Medium |
| Information Disclosure via Arbitrary GFM references rendered in Incident Timeline Events | Medium |
| Read repository content via LivePreview feature | Medium |
| Denial of Service via the Create branch API | Medium |
| Denial of Service via Issue preview | Medium |
| Brute force attack may guess a password even when 2FA is enabled | Low |
| IDOR in Zentao integration leaked issue details | Low |
Table of fixes
The most recent versions of GitLab, 15.3.2, 15.2.4, and 15.1.6, were published to address these vulnerabilities.
Git labs strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.
Source
https://about.gitlab.com/releases/2022/08/30/critical-security-release-gitlab-15-3-2-released/
