GitLab have published a critical security release this week notifying users of an update that contains important security fixes. Versions 15.3.1, 15.2.3 and 15.1.5 were released for GitLab Community Edition (CE) and Enterprise Edition (EE) to patch a remote code execution (RCE) vulnerability. GitLab is a DevOps platform that software development teams use to create and share the code they are working on remotely. The vulnerability described in this report affects all versions of GitLab CE/EE prior to this week’s updates.
Tracked as CVE-2022-2884, this RCE vulnerability has been given a ‘critical’ severity rating and a CVSS score of 9.9/10. The flaw lies in GitLab’s GitHub import feature, where a remote attacker could gain initial access through an import from the GitHub API endpoint. To carry out this attack, the attacker must be an authenticated user. Once authenticated, they are able to achieve remote code execution on the target and run potentially malicious code of their choice on the affected system. This gives the attacker the capability to inject malware, create a backdoor into the server, or take control of the vulnerable endpoint. From there, attackers can expand their control to the entire server and steal or delete source code.
GitLab have strongly recommended that all users install the patched updates immediately to protect themselves from potential exploitation of this RCE vulnerability. Applying the most recent update is not, however, the only suggested mitigation for this flaw. A user can log in to the GitLab installation with an administrator account and navigate to Menu > Admin > Settings > General. From there, expand the Visibility and access controls tab, change the selected Import sources so that GitHub is no longer an option, then Save changes.
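The following script is an added example for checking whether an instance is covered by the fix or by the workaround described above; it is not GitLab’s code and is not part of the original report. It takes the three fixed versions (15.3.1, 15.2.3, 15.1.5) from the report and, following the report’s statement that all earlier versions are affected, treats any release branch newer than 15.3 as fixed and any older branch as unpatched. The two `fetch_json` calls use GitLab’s real REST endpoints `GET /api/v4/version` and `GET /api/v4/application/settings` (the latter returns the configured `import_sources` list and requires an administrator token); without arguments the script runs offline on constructed sample data.

```python
"""Assess a GitLab instance against the CVE-2022-2884 advisory.

Added example, not GitLab's own code. The pure functions below work on plain
data so they can be exercised offline; the fetch helper calls the GitLab REST
API only when a base URL and an admin personal access token are supplied.
"""
import json
import sys
import urllib.request

# Fixed releases named in the advisory, keyed by (major, minor) release branch.
PATCHED = {(15, 3): (15, 3, 1), (15, 2): (15, 2, 3), (15, 1): (15, 1, 5)}
NEWEST_PATCHED_BRANCH = (15, 3)


def parse_version(text):
    """'15.2.3-ee' -> (15, 2, 3). Edition/pre-release suffixes such as '-ee' are dropped."""
    core = text.strip().split("-")[0]
    parts = [int(p) for p in core.split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def is_patched(version_text):
    """True when the version is at or above the fixed release for its branch."""
    major, minor, patch = parse_version(version_text)
    branch = (major, minor)
    if branch in PATCHED:
        return (major, minor, patch) >= PATCHED[branch]
    # Branches newer than 15.3 shipped after the fix; older branches never received it
    # (assumption derived from the report's "all versions previous" statement).
    return branch > NEWEST_PATCHED_BRANCH


def github_import_enabled(settings):
    """settings is the JSON body of GET /api/v4/application/settings."""
    return "github" in settings.get("import_sources", [])


def assess(version_text, settings):
    """Return a list of findings; an empty list means nothing needs to be done."""
    findings = []
    if not is_patched(version_text):
        findings.append(f"running {version_text}: update to a fixed release")
        if github_import_enabled(settings):
            findings.append("GitHub import source is enabled: disable it until patched")
    return findings


def fetch_json(base_url, path, token):
    """GET a GitLab API path with a private token and decode the JSON body."""
    req = urllib.request.Request(f"{base_url.rstrip('/')}{path}",
                                 headers={"PRIVATE-TOKEN": token})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    if len(sys.argv) != 3:
        # Offline demonstration on constructed data (not taken from any real instance).
        sample_settings = {"import_sources": ["github", "git", "gitlab_project"]}
        for v in ("15.2.2-ee", "15.2.3-ee", "14.10.5", "15.4.0"):
            print(v, assess(v, sample_settings) or ["no findings"])
    else:
        base_url, token = sys.argv[1:]
        version = fetch_json(base_url, "/api/v4/version", token)["version"]
        settings = fetch_json(base_url, "/api/v4/application/settings", token)
        for finding in assess(version, settings) or ["no findings"]:
            print(finding)
```

Run it as `python3 check_cve_2022_2884.py https://gitlab.example.com <admin-token>` against an instance (hostname and token are placeholders), or with no arguments to see the offline cases. Note that disabling the GitHub import source is a stop-gap: the script still reports an unpatched version even when the workaround is in place.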
“We were very impressed with the service, I will say, the vulnerability found was one our previous organisation had not picked up, which does make you wonder if anything else was missed.”
Aim Ltd Chief Technology Officer (CTO)