GitLab has released versions 15.3.1, 15.2.3, 15.1.5 for GitLab Community Edition (CE) and Enterprise Edition (EE). These versions contain important security fixes, and it’s recommended that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.
GitLab and GitHub are open-source code repository platforms allowing anyone to collaborate on projects. GitLab focuses on providing tools for teams working on software development projects (repositories), while GitHub focuses more on managing the workflow of individual developers and organizations. The name GitLab was chosen because it combines GitHub and Lighthouse (the company that develops the source code management system).
GitLab has millions of users worldwide. Because the release announcement does not single out any deployment type (Omnibus, source installation, Helm chart, etc.), all deployment types should be assumed affected.
The main reason to apply this security update as soon as possible is CVE-2022-2884, a Remote Command Execution (RCE) vulnerability in GitHub import. The vulnerability was rated with a CVSS score of 9.9 out of 10.
The vulnerability in GitLab CE/EE affects all versions from 11.3.4 before 15.1.5, all versions from 15.2 before 15.2.3, and all versions from 15.3 before 15.3.1. The flaw allows an authenticated user to achieve remote code execution via the Import from GitHub API endpoint. By exploiting this vulnerability, a threat actor could take control of the server, steal or delete source code, make malicious commits, and more.
Users are advised to upgrade to the latest security release for their supported version. To update GitLab, see the GitLab update page.
If you're unable to update right away, you can secure your GitLab installation against this vulnerability using the workaround outlined below until you have time to upgrade.
Disable GitHub import
Log in to your GitLab installation with an administrator account and perform the following:
- Click "Menu" -> "Admin".
- Click "Settings" -> "General".
- Expand the "Visibility and access controls" tab.
- Under "Import sources" disable the "GitHub" option.
- Click "Save changes".
Verifying the workaround
- In a browser window, log in as any user.
- Click "+" on the top bar.
- Click "New project/repository".
- Click "Import project".
- Verify that "GitHub" does not appear as an import option.
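As an added example (not GitLab's own tooling and not part of the advisory), the following Python script performs the same two checks an administrator would make after the steps above: whether the instance version falls inside the advisory's affected ranges, and whether "github" is still listed among the instance's import sources. It assumes the GitLab REST API v4 endpoints GET /version and GET /application/settings (with its import_sources field) and an administrator private token; the sample settings payload is constructed.

```python
"""Check a GitLab instance against the CVE-2022-2884 affected ranges and
confirm the 'disable GitHub import' workaround. Added example; assumes the
API v4 endpoints /version and /application/settings and an admin token."""
import json
import urllib.request

# Affected ranges quoted from the advisory, as [lower, upper) tuples.
AFFECTED_RANGES = [
    ((11, 3, 4), (15, 1, 5)),
    ((15, 2, 0), (15, 2, 3)),
    ((15, 3, 0), (15, 3, 1)),
]


def parse_version(text: str) -> tuple:
    """'15.1.4-ee' -> (15, 1, 4); missing components are treated as 0."""
    core = text.split("-")[0].split("+")[0]
    parts = [int(p) for p in core.split(".") if p.isdigit()]
    return tuple(parts + [0] * (3 - len(parts)))[:3]


def is_affected(version: str) -> bool:
    """True if the version lies in any affected range (upper bound excluded)."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def github_import_enabled(settings: dict) -> bool:
    """Evaluate an /application/settings payload: the workaround is in place
    only when 'github' is absent from import_sources."""
    return "github" in settings.get("import_sources", [])


def fetch_json(base_url: str, path: str, token: str) -> dict:
    """GET an API v4 endpoint (assumed) with a PRIVATE-TOKEN header."""
    req = urllib.request.Request(f"{base_url}/api/v4{path}",
                                 headers={"PRIVATE-TOKEN": token})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def assess(base_url: str, token: str) -> dict:
    """Network helper: report patch status and whether the workaround holds."""
    version = fetch_json(base_url, "/version", token)["version"]
    settings = fetch_json(base_url, "/application/settings", token)
    return {"version": version, "affected": is_affected(version),
            "github_import_enabled": github_import_enabled(settings)}


# Constructed sample payload in the shape /application/settings returns.
SAMPLE_SETTINGS = {"import_sources": ["gitlab", "github", "git"]}
```

Run `assess("https://gitlab.example", token)` against your own instance; a result with `affected` true and `github_import_enabled` true means neither the patch nor the workaround is in place.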