Some of the vulnerabilities fixed in these releases, rated critical, high, and medium, are as follows:
- CVE-2022-2185 (critical) stems from improper input validation in project imports. An authenticated user who is permitted to import projects can import a maliciously crafted project and achieve remote code execution on the GitLab server.
- CVE-2022-2235 (high) is a cross-site scripting (XSS) flaw caused by insufficient sanitization of user-supplied data in the ZenTao integration. A remote attacker can lure a target into opening a specially crafted link and execute arbitrary HTML and script code in the victim's browser in the context of the vulnerable site.
- CVE-2022-2229 (high) is an incorrect authorization issue. An authenticated attacker who knows the name of an unprotected CI/CD variable can read its value in any public or private project of which they are a member.
Taken together, these issues affect GitLab CE/EE versions from 13.7.0 through 15.1.0 inclusive and are fixed in 15.1.1, 15.0.4, and 14.10.5. Administrators running an affected version should upgrade to the patched release for their branch as soon as possible.
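The practical first step for an administrator is deciding whether a given instance falls inside the affected range and which patched release to move to. The following script is an added example, not GitLab's own tooling; it encodes only the fixed versions and affected range stated above, and the helper names (`is_vulnerable`, `recommended_release`, `triage`) and the sample inventory are this example's own. It treats the three branches that received a patch (15.1, 15.0, 14.10) as fixed from that patch level and every other branch inside the range as needing an upgrade to the nearest patched release.

```python
"""Offline check of GitLab version strings against the patched releases above.

Added example, not GitLab's own tooling. The fixed versions and affected range
come from the advisory text; helper names and sample data are this example's own.
"""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Patched releases named in the advisory, keyed by release branch (major, minor).
FIXED_RELEASES: Dict[Tuple[int, int], Version] = {
    (15, 1): (15, 1, 1),
    (15, 0): (15, 0, 4),
    (14, 10): (14, 10, 5),
}

# Affected range as stated in the advisory, inclusive at both ends.
AFFECTED_MIN: Version = (13, 7, 0)
AFFECTED_MAX: Version = (15, 1, 0)

# GitLab reports versions such as "15.1.0", "15.1.0-ee" or "15.1.0-pre";
# only the numeric MAJOR.MINOR.PATCH prefix matters for this check.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Version:
    """Return (major, minor, patch) from a GitLab version string, ignoring any suffix."""
    match = _VERSION_RE.match(text.strip())
    if match is None:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def is_vulnerable(text: str) -> bool:
    """True if the version lies in the affected range and below its branch's fix.

    Branches with a patched release (15.1, 15.0, 14.10) are vulnerable only
    below that patch. Any other branch inside the stated range has no patch of
    its own and is vulnerable throughout. Branches newer than 15.1 (15.2 and
    later) were cut after the fix and are outside the range.
    """
    version = parse_version(text)
    fixed = FIXED_RELEASES.get(version[:2])
    if fixed is not None:
        return version < fixed
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def recommended_release(text: str) -> Optional[str]:
    """Lowest patched release above the given version, or None if not vulnerable.

    Caveat: GitLab requires intermediate stops on some upgrade paths; this names
    only the target version, not the path needed to reach it.
    """
    if not is_vulnerable(text):
        return None
    version = parse_version(text)
    target = min(fix for fix in FIXED_RELEASES.values() if fix > version)
    return ".".join(str(part) for part in target)


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map instance name -> recommended release for every vulnerable instance."""
    return {
        name: recommended_release(version)
        for name, version in inventory.items()
        if is_vulnerable(version)
    }


if __name__ == "__main__":
    # Constructed sample inventory. The version strings are of the form an
    # authenticated GET /api/v4/version or `gitlab-rake gitlab:env:info` returns.
    sample = {
        "gitlab-prod": "15.1.0-ee",
        "gitlab-staging": "15.0.4",
        "gitlab-legacy": "14.9.3",
        "gitlab-old": "13.6.7",
        "gitlab-new": "15.2.0-pre",
    }
    for name, target in triage(sample).items():
        print(f"{name}: vulnerable, upgrade to {target}")
```

Run against the sample inventory it flags `gitlab-prod` (15.1.0, target 15.1.1) and `gitlab-legacy` (14.9.3, target 14.10.5); 13.6.7 is outside the stated range, and 15.0.4 and 15.2.0 are already at or past a fixed release. Versions before 13.7.0 are out of support in any case, so "not vulnerable to these CVEs" should not be read as "safe".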