Analysis
A vulnerability researcher identified and reported a critical vulnerability in GitLab (a DevOps software package that combines the ability to develop, secure, and operate software in a single application) through the HackerOne bug bounty program.
The vulnerability could allow an authenticated user to achieve remote code execution via the ‘Import from GitHub API’ endpoint. It was assigned CVE-2022-2884 in the Common Vulnerabilities and Exposures (CVE) database, carries a severity of “Critical”, and has a score of 9.9 under the CVSS (Common Vulnerability Scoring System).
The vulnerability affects GitLab Community Edition and Enterprise Edition in versions 11.3.4 to 15.1.5, versions 15.2 to 15.2.3, and versions 15.3 to 15.3.1.
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High
CVSS: 9.9
Prevention
GitLab has released a patch for this vulnerability and recommends that users running the vulnerable versions update to the patched releases 15.3.1, 15.2.3, or 15.1.5, or to the latest version of GitLab.