GitLab Critical Security Release 15.8.2 (CVE-2023-23946, CVE-2023-22490)

Fleury, Terry

Feb 15, 2023, 2:13:29 PM

CI Operators:

GitLab has released v15.8.2 [1] to address two critical security vulnerabilities in Git. It is recommended that you upgrade your GitLab CE/EE installation as soon as possible. Note that these Git vulnerabilities are different from the ones reported previously [2].

  • CVE-2023-23946 [3] - Specially crafted input to "git apply" can overwrite a path outside the working tree. This can be used to execute arbitrary commands in GitLab's Gitaly environment.
  • CVE-2023-22490 [4] - Git can be tricked into using its local clone optimization even when using a non-local transport. This could allow for data exfiltration.

Affected Software

  • GitLab 15.8 < v15.8.2
  • GitLab 15.7 < v15.7.7
  • GitLab 15.6 < v15.6.8
  • Both Community Edition (CE) and Enterprise Edition (EE)

Update to the latest patched version of GitLab for your installation [5]. There are no recommended mitigations.
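Since the only remediation is upgrading, the practical check is whether a running instance sits below the first fixed release of its minor line. The following script is an added example (not part of the Trusted CI alert or of GitLab's own tooling): it encodes the three affected lines and their patched versions from the list above and classifies a version string such as `15.8.1-ee`. The `assess_api_response` helper assumes the JSON shape returned by GitLab's `GET /api/v4/version` endpoint (`{"version": ..., "revision": ...}`); the sample response in the block is constructed, not captured from a real instance. Versions on minor lines the advisory does not list are reported as `not-listed` rather than guessed at.

```python
import json
import re
import sys
from typing import Tuple

# First fixed release for each affected minor line, taken from the advisory:
#   15.8 < 15.8.2, 15.7 < 15.7.7, 15.6 < 15.6.8 are affected.
PATCHED = {
    (15, 8): (15, 8, 2),
    (15, 7): (15, 7, 7),
    (15, 6): (15, 6, 8),
}

# Accept "15.8.1", "v15.8.1", "15.8.1-ee", "15.8.1-ce" and ignore any suffix
# after the third numeric component.
_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Return (major, minor, patch) from a GitLab version string."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def assess(version_text: str) -> str:
    """Classify a version as 'affected', 'patched' or 'not-listed'.

    'not-listed' means the minor line is not covered by this advisory,
    so no conclusion is drawn from its contents.
    """
    major, minor, patch = parse_version(version_text)
    fixed = PATCHED.get((major, minor))
    if fixed is None:
        return "not-listed"
    # Tuple comparison is lexicographic, so (15, 8, 1) < (15, 8, 2).
    return "affected" if (major, minor, patch) < fixed else "patched"


def assess_api_response(json_text: str) -> str:
    """Classify the body of GET /api/v4/version (assumed shape: {"version": ...})."""
    body = json.loads(json_text)
    return assess(body["version"])


# Constructed sample response, in the shape the version endpoint returns.
SAMPLE_API_RESPONSE = '{"version": "15.8.1-ee", "revision": "0000000"}'


def main(argv) -> int:
    # Usage: pass the version string as the first argument; with no argument
    # the constructed sample response is assessed instead.
    if len(argv) > 1:
        verdict = assess(argv[1])
        print(f"{argv[1]}: {verdict}")
    else:
        verdict = assess_api_response(SAMPLE_API_RESPONSE)
        print(f"sample API response: {verdict}")
    # Non-zero exit when affected, so the check can gate an automation step.
    return 1 if verdict == "affected" else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the output of your own version query (for example by piping the API response into `assess_api_response`, or passing the version from your deployment as the argument). A non-zero exit code signals an affected version, which makes the check easy to wire into a fleet inventory or a scheduled job.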

How Trusted CI can help:

The potential impact of any vulnerability, and therefore the appropriate response, depends in part on operational conditions that are unique to each cyberinfrastructure deployment. Trusted CI cannot provide a one-size-fits-all severity rating and response recommendation for all NSF cyberinfrastructure. Please contact us if you need assistance with assessing the potential impact of this vulnerability in your environment and/or you have additional information about this issue that should be shared with the community.

You are receiving this message because you are subscribed to The archive of previous alerts is publicly accessible. If you prefer not to receive future alerts, you can unsubscribe.
