In its most recent security release, GitLab announced the launching of GitLab Community Edition (CE) and GitLab Enterprise Edition (EE) versions 15.01, 14.9.4, and 14.9.5. These updates contain important security fixes, so users of previous deployments are encouraged to address them as soon as possible to prevent malicious activity.
According to the report, GitLab fixed a total of eight vulnerabilities of all severity ranges, which exploitation would have allowed threat actors to deploy multiple hacking scenarios, including cross-site scripting (XSS), privilege escalation attacks, and even the installation of backdoors in GitLab projects. Detected and addressed flaws are described below, along with their tracking key and score assigned according to the Common Vulnerability Scoring System (CVSS).
Account takeover via SCIM email change: When setting up group SAML SSO, the SCIM feature would allow any owner of a Premium group to invite arbitrary users through their username and email address to subsequently change users’ email addresses through SCIM to a hacker-controlled address and take control of the affected account due to the absence of multi-factor authentication measures. The flaw received a CVSS score of 9.9/10 and was tracked as CVE-2022-1680.
XSS stored in Jira: A store cross-site scripting (XSS) error in Jira would allow threat actors to execute arbitrary JavaScript code in GitLab through specially crafted Jira issues. The flaw was tracked as CVE-2022-1940 and received a CVSS score of 7.7/10.
XSS attack in quick actions: The absence of input validation in quick actions would allow threat actors to exploit an XSS bug by injecting HTML into contact details. The flaw received a CVSS score of 8.7/10 and received the tracking key CVE-2022-1948.
IP allowlist bypassing when using Activation Tokens: Incorrect authorization in GitLab EE would allow threat actors to misuse an activation token from any location, even evading IP address restrictions. The flaw received a CVSS score of 6.5/10 and was tracked as CVE-2022-1935.
IP allowlist bypassing when using Project Deployment Tokens: Improper authorization in GitLab would have allowed malicious hackers using project deployment tokens to access from any location, even with IP address restrictions enabled. The flaw was tracked as CVE-2022-1936 and received a CVSS score of 6.5/10.
Incorrect authorization in Interactive Web Terminal: When the Interactive Web Terminal feature is configured, incorrect authorization would allow users with the Developer role to open terminals in running jobs of other developers, potentially exposing these jobs to hacking scenarios. The vulnerability was tracked as CVE-2022-1944 and received a CVSS score of 5.4/10.
Subgroup members can list members of the parent group: An issue in all versions of GitLab CC/EE would allow a member of the subgroup to access the list of members of their parent group. The vulnerability received a CVSS score of 4.3/10 and was tracked as CVE-2022-1821.
Group member lock bypass: Malicious group maintainers could add new members to a project within their group via REST APIs, even after group owners enable settings to prevent members from being added to projects within the group. The flaw was tracked as CVE-2022-1783 and received a CVSS score of 2.7/10.
GitLab adds that these fixes are part of its effort to maintain the highest security standards and improve the user experience. For more information, users can visit the FAQ section of GitLab, where more detailed descriptions of every single flaw and its corresponding security patches are found.
The code hosting and development service also offers its users to receive security notifications directly in their inbox through their contact page. To receive notifications of new update releases via RSS, GitLab users can subscribe to the GitLab Security Release RSS feed.
Feel free to access the International Institute of Cyber Security (IICS) websites to learn more about information security risks, malware variants, vulnerabilities, and information technologies.
He is a well-known expert in mobile security and malware analysis. He studied Computer Science at NYU and started working as a cyber security analyst in 2003. He is actively working as an anti-malware expert. He also worked for security companies like Kaspersky Lab. His everyday job includes researching about new malware and cyber security incidents. Also he has deep level of knowledge in mobile security and mobile vulnerabilities.
