GitLab Critical Security Release 15.8.2 (CVE-2023-23946, CVE-2023-22490)


Fleury, Terry

Feb 15, 2023, 2:13:29 PM
to cv-an...@trustedci.org

CI Operators:

GitLab has released v15.8.2 [1] to address two critical security vulnerabilities in Git. It is recommended that you upgrade your GitLab CE/EE installation as soon as possible. Note that these Git vulnerabilities are different from the ones reported previously [2].


Impact:

  • CVE-2023-23946 [3] - Specially crafted input to "git apply" can overwrite a path outside the working tree. This can be used to execute arbitrary commands in GitLab's Gitaly environment.
  • CVE-2023-22490 [4] - Git can be tricked into using its local clone optimization even when using a non-local transport. This could allow for data exfiltration.


Affected Software:

  • GitLab 15.8 < v15.8.2
  • GitLab 15.7 < v15.7.7
  • GitLab 15.6 < v15.6.8
  • Both Community Edition (CE) and Enterprise Edition (EE)


Recommendation:

Update to the latest patched version of GitLab for your installation [5]. There are no recommended mitigations.
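As an added example (not part of this advisory and not GitLab's own tooling), a small Python check that compares an installed GitLab version string against the affected ranges listed above. The branch table is taken from this message; treating branches the advisory does not name (older than 15.6) as "not listed" rather than safe is an assumption.

```python
"""Classify a self-managed GitLab version against the ranges fixed by the 15.8.2 security release."""
import re
import sys

# Lowest patched release on each affected minor branch, as listed in the advisory:
# 15.8 < 15.8.2, 15.7 < 15.7.7, 15.6 < 15.6.8 (CE and EE alike).
FIXED_BY_BRANCH = {
    (15, 8): 2,
    (15, 7): 7,
    (15, 6): 8,
}

# Accepts the forms GitLab reports, e.g. "15.8.1-ee", "v15.7.7", "15.6.8-ce".
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-(ee|ce))?$")


def parse_version(text):
    """Turn a GitLab version string into (major, minor, patch); reject anything else."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    return tuple(int(m.group(i)) for i in (1, 2, 3))


def assess(text):
    """Return 'affected', 'patched' or 'not listed' for one version string."""
    major, minor, patch = parse_version(text)
    fixed = FIXED_BY_BRANCH.get((major, minor))
    if fixed is None:
        # Assumption: the advisory names only the 15.6, 15.7 and 15.8 branches.
        # Anything else is reported as not listed so the operator checks it by hand
        # rather than reading silence as "safe".
        return "not listed"
    return "affected" if patch < fixed else "patched"


if __name__ == "__main__":
    # Usage: python check_gitlab_version.py 15.8.1-ee 15.7.7-ce ...
    for arg in sys.argv[1:] or ["15.8.1-ee"]:
        print(f"{arg}: {assess(arg)}")
```

The version string can be taken from the instance's Admin Area or from the output of `gitlab-rake gitlab:env:info` on an Omnibus host.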


References:

[1] https://about.gitlab.com/releases/2023/02/14/critical-security-release-gitlab-15-8-2-released/

[2] https://groups.google.com/u/2/a/trustedci.org/g/cv-announce/c/v-tTF25QVYE

[3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23946

[4] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22490

[5] https://about.gitlab.com/update/


How Trusted CI can help:

The potential impact of any vulnerability, and therefore the appropriate response, depends in part on operational conditions that are unique to each cyberinfrastructure deployment. Trusted CI cannot provide a one-size-fits-all severity rating and response recommendation for all NSF cyberinfrastructure. Please contact us (https://trustedci.org/help/) if you need assistance with assessing the potential impact of this vulnerability in your environment and/or you have additional information about this issue that should be shared with the community.


You are receiving this message because you are subscribed to cv-an...@trustedci.org. The archive of previous alerts is publicly accessible. If you prefer not to receive future alerts, you can unsubscribe.
