--- licence_title: Creative Commons Attribution 4.0 International (CC-BY 4.0) licence_link: https://creativecommons.org/licenses/by/4.0/ licence_restrictions: https://cert.europa.eu/legal-notice licence_author: CERT-EU, The Cybersecurity Service for the European Union institutions, bodies, offices and agencies title: 'Multiple Vulnerabilities in GitLab' version: '1.0' number: '2022-004' date: 'January 17, 2022' --- _History:_ * _17/01/2022 --- v1.0 -- Initial publication_ # Summary On January 11th, GitLab released significant security updates to address multiple vulnerabilities, including an arbitrary file read issue rated as ‘critical’ and two high-impact vulnerabilities, among others. The update tackles a vulnerability involving cross-site scripting (XSS) in Notes, along with a high-impact authentication-related flaw involving a lack of state parameter on GitHub import project OAuth. Gitlab strongly encourages users to upgrade to 14.6.2, 14.5.3, or 14.4.5 for GitLab Community Edition (CE) and Enterprise Edition (EE), in order to safeguard their environments [1]. # Technical Details **Critical Vulnerability** - Arbitrary file read via group import feature (CVE ID has not been assigned yet). An issue has been discovered in GitLab CE/EE affecting all versions starting with 14.5. Arbitrary file read was possible by importing a group due to incorrect file handling [2]. **High Severity Vulnerabilities** - **CVE-2021-39946** Stored Cross-Site Scripting (XSS) in Notes. Improper neutralisation of user input in GitLab CE/EE versions 14.3 to 14.3.6, 14.4 to 14.4.4, and 14.5 to 14.5.2 allowed an attacker to exploit XSS by abusing the generation of the HTML code related to emojis [2]. - **CVE-2022-0154** Lack of state parameter on GitHub import project OAuth. An issue has been discovered in GitLab affecting all versions starting from 7.7 before 14.4.5, all versions starting from 14.5.0 before 14.5.3, and all versions starting from 14.6.0 before 14.6.2. GitLab was vulnerable to a Cross-Site Request Forgery attack that allows a malicious user to have their GitHub project imported on another GitLab user account [2]. **Other Vulnerabilities** Additionally to the critical and high severity vulnerabilities mentioned above, Gitlab announced several others, most notably: * CVE-2022-0152 * CVE-2022-0151 * CVE-2022-0172 * CVE-2022-0090 * CVE-2022-0125 * CVE-2022-0124 * CVE-2021-39942 * CVE-2022-0093 * CVE-2021-39927 # Affected Products * GitLab Community Edition (CE) versions prior to 14.6.2, 14.5.3, and 14.4.5 * GitLab Enterprise Edition (EE) versions prior to 14.6.2, 14.5.3, and 14.4.5 # Recommendations CERT-EU recommends updating to the latest versions of GitLab Community Edition (CE) and Enterprise Edition (EE) **as soon as possible** [3, 4]. # References [1] [2] [3] [4]