This issue was fixed in version 14.7.4 and later. If you are on a version before these releases, it is possible that you are affected. You should upgrade GitLab as soon as possible. Due to a serious security flaw, all GitLab versions before 14.7.4 are vulnerable. Any user with an account on a vulnerable version can have their passwords decrypted by attackers. The issue was found and reported by Dawid Golunski of Cyberjaya, Malaysia.
There is no fix for this issue. If you are on a vulnerable version, you should upgrade to a fixed version as soon as possible.

This issue does not affect versions of GitLab older than 14.6.5. If you are on an older version, you are not affected by this issue.

There are two primary mitigation strategies for this issue:

1. Using the SSL Keystore

If you are using GitLab with an https:// URL and have a valid SSL certificate, you can use that certificate to encrypt your private key. This prevents anyone from decrypting your private key by using a decryption toolkit such as git-crypt.

GitLab and Git are not vulnerable through each other

GitLab and Git are not vulnerable through each other.

What is GitLab?

GitLab is a self-hosted Git repository that offers a web interface and unlimited private projects. It also provides access to code review tools and an issue tracking system.

GitLab's primary capabilities include:

Managing Git repositories, including project hosting and sharing, code reviews, branching and merging, pushing and pulling changes, tagging, setting up CI/CD pipelines, etc.
Setting up project planning & workflow with features like Kanban boards
Creating & managing issues with features like workflows and custom fields
Managing user permissions with features like groups, roles & teams

GitLab Enterprise Edition (EE)

If you are using GitLab EE, there is no vulnerability, and we recommend that you upgrade your instance to 14.7.4 or later. If you are not using EE and want to mitigate the risk of this issue, you can restrict access for non-admin users on GitLab Enterprise Edition (EE) versions older than 14.6.5 by ensuring that all non-admin users run the following command:

sudo gitlab-ctl reconfigure --add-group www-data gitlab-rails

Timeline

Published on: 03/28/2022 19:15:00 UTC
Last modified on: 04/07/2022 15:50:00 UTC