{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2022-048.pdf"
    },
    "title": "Critical Remote Code Execution Vulnerability in GitLab",
    "serial_number": "2022-048",
    "publish_date": "04-07-2022 15:30:00",
    "description": "On June 30, 2022, GitLab released new software versions that fix several vulnerabilities, one of which is a critical remote command execution vulnerability identified as \"CVE-2022-2185\", with a CVSS score of 9.9 out of 10. It is highly recommended to upgrade GitLab servers to the latest available version.",
    "url_title": "2022-048",
    "content_markdown": "---\ntitle: 'Critical Remote Code Execution Vulnerability in GitLab'\nversion: '1.0'\nnumber: '2022-048'\noriginal_date: 'June 30, 2022'\ndate: 'July 4, 2022'\n---\n\n_History:_\n\n* _04/07/2022 --- v1.0 -- Initial publication_\n\n# Summary\n\nOn June 30, 2022, GitLab released new software versions that fix several vulnerabilities [1], one of which is a critical remote command execution vulnerability identified as `CVE-2022-2185`, with a CVSS score of 9.9 out of 10 [2].\n\nIt is highly recommended to upgrade GitLab servers to the latest available version.\n\n# Technical Details\n\nThe vulnerability exists in the `Project Imports` feature, where an **authorised** user could import a maliciously crafted project, leading to remote code execution.\n\n# Affected Products\n\nThe following versions of GitLab Community Edition (CE) and Enterprise Edition (EE) are affected:\n\n- 14.0 prior to 14.10.5\n- 15.0 prior to 15.0.4\n- 15.1 prior to 15.1.1\n\n## Recommendations\n\nCERT-EU strongly recommends upgrading all GitLab servers to the latest version as soon as possible.\n\n# References\n\n[1] <https://securityonline.info/cve-2022-2185-gitlab-remote-code-execution-vulnerability/>\n\n[2] <https://about.gitlab.com/releases/2022/06/30/critical-security-release-gitlab-15-1-1-released/>",
    "content_html": "<p><em>History:</em></p><ul><li><em>04/07/2022 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>On June 30, 2022, GitLab released new software versions that fix several vulnerabilities [1], one of which is a critical remote command execution vulnerability identified as <code>CVE-2022-2185</code>, with a CVSS score of 9.9 out of 10 [2].</p><p>It is highly recommended to upgrade GitLab servers to the latest available version.</p><h2 id=\"technical-details\">Technical Details</h2><p>The vulnerability exists in the <code>Project Imports</code> feature, where an <strong>authorised</strong> user could import a maliciously crafted project, leading to remote code execution.</p><h2 id=\"affected-products\">Affected Products</h2><p>The following versions of GitLab Community Edition (CE) and Enterprise Edition (EE) are affected:</p><ul><li>14.0 prior to 14.10.5</li><li>15.0 prior to 15.0.4</li><li>15.1 prior to 15.1.1</li></ul><h3 id=\"recommendations\">Recommendations</h3><p>CERT-EU strongly recommends upgrading all GitLab servers to the latest version as soon as possible.</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://securityonline.info/cve-2022-2185-gitlab-remote-code-execution-vulnerability/\">https://securityonline.info/cve-2022-2185-gitlab-remote-code-execution-vulnerability/</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://about.gitlab.com/releases/2022/06/30/critical-security-release-gitlab-15-1-1-released/\">https://about.gitlab.com/releases/2022/06/30/critical-security-release-gitlab-15-1-1-released/</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}