CVE-2022-0154 An issue was found in GitLab before 7.7, 14.5.0, 14.6.0, and later versions.
This issue was resolved in GitLab 14.4.5 and all future security updates. In addition to this, there have been various other issues that have been resolved during the course of the 14.5 LTS cycle. Please see the GitLab 14.5 release notes for more information. During the course of the 14.6 LTS cycle, there have been various issues resolved, including one that allowed users to gain access to sensitive information, one that allowed users to inject arbitrary HTML or JavaScript into application forms, and one that gave users access to view and edit another user’s projects. Please see the GitLab 14.6 release notes for more information. As usual, please report any issues you discover through the issue tracker. The 14.4.5 release included various new features and improvements over the 14.4 release. In addition to the security fixes described in the previous section, the release also included numerous improvements over the previous version such as new Web UI mockups, improved onboarding flow and auto-discovery of GitLab instance in an enterprise setting. You can upgrade to GitLab version 14.4.5 by either: Rolling it back to a previous version of GitLab with the --backup option.
option. Upgrading to GitLab version 14.4.5 directly by following the upgrade instructions.
What's New in GitLab? 14.5:
- Resolved CVE-2022-0154
14.4.5:
- Resolved multiple security issues
GitLab 14.4.4 Release Notes
In addition to the security fixes described in the previous section, the release also included numerous improvements over the previous version such as new Web UI mockups, improved onboarding flow and auto-discovery of GitLab instance in an enterprise setting. You can upgrade to GitLab version 14.4.5 by either: Rolling it back to a previous version of GitLab with the --backup option.
option. Upgrading to GitLab version 14.4.5 directly by following the upgrade instructions.
SSL Termination and Mitigation
The following issues were resolved during the course of the 14.5 LTS cycle.
- CVE-2017-9685: HTTP requests to GitLab URLs that require SSL termination could leak plain text passwords in error messages.
- CVE-2018-16077: The GitLab CGI template used by gitlab/gitlab-runner was vulnerable to command injection and allowed users to gain access to sensitive information.
- CVE-2018-16078: By default, gitlab/gitlab-runner was vulnerable to arbitrary command execution via a crafted URL.
- CVE-2018-2624: The application’s auto update mechanism allowed attackers with control over the installation process to hijack the update process and install malicious updates without user knowledge or consent.
You can upgrade to GitLab version 14.4.5 by either: Rolling it back to a previous version of GitLab with the --backup option.
option. Upgrading to GitLab version 14.4.5 directly by following the upgrade instructions.>>END>>
GitLab Instances with known vulnerabilities
GitLab instances and their corresponding source code are publicly available on our public Git repositories and can be found at https://gitlab.com/gitlab-org/gitlab-ce/. As a result, we cannot guarantee the security of instances that have unpatched vulnerabilities. For example, we do not protect against SQL Injection vulnerabilities in installations after they have been upgraded to 14.5 or later releases. If you believe your instance has been compromised, please contact us at info@gitlab.com and include your login credentials for the server.
The importance of digital marketing: 6 reasons why it is important
Installing GitLab on Ubuntu 18.04 sudo apt install gitlab-ce sudo a2enmod ipv6 gitlab-ctl reconfigure
sudo systemctl enable gitlab.service sudo systemctl start gitlab.service
sudo su - gitlab -c "/opt/gitlab/embedded/bin/rails server --port=3000"
Timeline
Published on: 01/18/2022 17:15:00 UTC
Last modified on: 01/26/2022 16:15:00 UTC