{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2022-062.pdf"
    },
    "title": "Remote Command Execution Vulnerability in GitLab",
    "serial_number": "2022-062",
    "publish_date": "25-08-2022 09:58:00",
    "description": "On the 22nd of August 2022, GitLab released a security advisory regarding a Remote Command Execution vulnerability affecting its products. This vulnerability exists in the \"import via Github\" functionality. Exploiting this vulnerability allows an authenticated user to achieve remote code execution on the affected server.",
    "url_title": "2022-062",
    "content_markdown": "---\ntitle: 'Remote Command Execution Vulnerability in GitLab'\nversion: '1.0'\nnumber: '2022-062'\noriginal_date: 'August 22, 2022'\ndate: 'August 25, 2022'\n---\n\n_History:_\n\n* _25/08/2022 --- v1.0 -- Initial publication_\n\n# Summary\n\nOn the 22nd of August 2022, GitLab released a security advisory regarding a Remote Command Execution vulnerability affecting its products. This vulnerability exists in the `import via Github` functionality [1]. Exploiting this vulnerability allows an authenticated user to achieve remote code execution on the affected server.\n\n# Details\n\nThe vulnerability is identified as **`CVE-2022-2884`** and has a severity score of 9.9 out of 10 [2]. The issue is now mitigated in the latest release versions 15.3.1, 15.2.3 and 15.1.5 for GitLab Community Edition (CE) and Enterprise Edition (EE).\n\n# Affected Products\n\n* GitLab CE/EE - from 11.3.4 before 15.1.5\n* GitLab CE/EE - from 15.2 before 15.2.3\n* GitLab CE/EE - from 15.3 before 15.3.1\n\n# Workarounds\n\nThere is an available workaround to mitigate this vulnerability, which consists of disabling GitHub import. Detailed information is available on the vendor's page [1].\n\n# Recommendations\n\nCERT-EU strongly recommends applying the latest updates as soon as possible.\n\n# References\n\n[1] <https://about.gitlab.com/releases/2022/08/22/critical-security-release-gitlab-15-3-1-released/>\n\n[2] <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2884>\n\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>25/08/2022 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>On the 22nd of August 2022, GitLab released a security advisory regarding a Remote Command Execution vulnerability affecting its products. This vulnerability exists in the <code>import via Github</code> functionality [1]. Exploiting this vulnerability allows an authenticated user to achieve remote code execution on the affected server.</p><h2 id=\"details\">Details</h2><p>The vulnerability is identified as <strong><code>CVE-2022-2884</code></strong> and has a severity score of 9.9 out of 10 [2]. The issue is now mitigated in the latest release versions 15.3.1, 15.2.3 and 15.1.5 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p><h2 id=\"affected-products\">Affected Products</h2><ul><li>GitLab CE/EE - from 11.3.4 before 15.1.5</li><li>GitLab CE/EE - from 15.2 before 15.2.3</li><li>GitLab CE/EE - from 15.3 before 15.3.1</li></ul><h2 id=\"workarounds\">Workarounds</h2><p>There is an available workaround to mitigate this vulnerability, which consists of disabling GitHub import. Detailed information is available on the vendor's page [1].</p><h2 id=\"recommendations\">Recommendations</h2><p>CERT-EU strongly recommends applying the latest updates as soon as possible.</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://about.gitlab.com/releases/2022/08/22/critical-security-release-gitlab-15-3-1-released/\">https://about.gitlab.com/releases/2022/08/22/critical-security-release-gitlab-15-3-1-released/</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2884\">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2884</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}