QID 376864

Date Published: 2022-08-25

QID 376864: GitLab Remote Command Execution Vulnerability

A vulnerability in GitLab CE/EE affecting all versions starting from 11.3.4 before 15.1.5, all versions starting from 15.2 before 15.2.3, all versions starting from 15.3 before 15.3.1 allows an an authenticated user to achieve remote code execution via the Import from GitHub API endpoint.

Affected Versions:
Gitlab Versions from 11.3.4 before 15.1.5
Gitlab versions starting from 15.2 before 15.2.3
Gitlab versions starting from 15.3 before 15.3.1

QID Detection Logic:(Authenticated)
It fires gitlab-rake gitlab:env:info command to check vulnerable version of GitLab.

Successful exploitation of the vulnerability may lead to remote code execution.

  • CVSS V3 rated as Critical - 9.9 severity.
  • CVSS V2 rated as Critical - 10 severity.
  • Solution
    The vendor has released a patch for these vulnerabilities. For more information, please visit GitLab advisory

    CVEs related to QID 376864

    Software Advisories
    Advisory ID Software Component Link
    Gitlab Advisory URL Logo about.gitlab.com/releases/2022/08/22/critical-security-release-gitlab-15-3-1-released/