GitLab provides a web-based code review tool that allows stakeholders to review code written by multiple team members. If an attacker managed to sneak code review data into a project, they could potentially execute malicious code and infect the project team members' computers.

CVE-2018-9227 has been assigned to this vulnerability. This issue was fixed in version 14.5.5. As always, we advise all users to upgrade to the latest version as soon as possible.

Another issue was discovered in GitLab, affecting all versions starting with 14.5. One of the parameters to the /settings/email_notification endpoint is not validated, allowing an attacker to inject malicious code and potentially compromise the system.
In order to exploit this issue, an attacker must be on the same network as the targeted system.

CVE-2018-9222 has been assigned to this issue. This issue was fixed in version 14.5.5. As always, we advise all users to upgrade to the latest version as soon as possible.

A critical remote code execution vulnerability was discovered in GitLab. An attacker could potentially exploit this issue through a maliciously crafted email.
In order to exploit this issue, an attacker must be on the same network as the targeted system.

CVE-2018-9221 has been assigned to this issue. This issue was fixed in version 14.5.5. As always, we advise all users to upgrade to

GitLab CI/CD

- SSH Injection

Timeline

Published on: 01/18/2022 17:15:00 UTC
Last modified on: 01/25/2022 14:25:00 UTC
