GitLab Critical Security Release 15.7.5

[Fleury, Terry]

CI Operators:

GitLab has released v15.7.5 [1] to address two critical security vulnerabilities in Git. It is recommended that you upgrade your GitLab CE/EE installation as soon as possible as these vulnerabilities may result in remote code execution (RCE).

 

Impact:

• CVE-2022-41903 [2] - When running git-log or git-archive with padding operators, an integer overflow could result in arbitrary heap writes and possible RCE.
• CVE-2022-23521 [3] - When specially crafted .gitattributes files are committed, an integer overflow could result in arbitrary heap reads/writes and possible RCE.

 

Affected Software: 

• GitLab 15.7 < v15.7.5
• GitLab 15.6 < v15.6.6
• GitLab 15.5 < v15.5.9
• Both Community Edition (CE) and Enterprise Edition (EE)

 

Recommendation:

Update to the latest patched version of GitLab for your installation [4]. There are no recommended mitigations.

 

References:

[1] https://about.gitlab.com/releases/2023/01/17/critical-security-release-gitlab-15-7-5-released/ 

[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41903

[3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23521 

[4] https://about.gitlab.com/update/ 

 

How Trusted CI can help:

The potential impact of any vulnerability, and therefore the appropriate response, depends in part on operational conditions that are unique to each cyberinfrastructure deployment. Trusted CI cannot provide a one-size-fits-all severity rating and response recommendation for all NSF cyberinfrastructure. Please contact us (https://trustedci.org/help/) if you need assistance with assessing the potential impact of this vulnerability in your environment and/or you have additional information about this issue that should be shared with the community.

 

You are receiving this message because you are subscribed to cv-an...@trustedci.org. The archive of previous alerts is publicly accessible. If you prefer not to receive future alerts, you can unsubscribe.