CVE-2022-2531 An issue was found in GitLab EE older than 15.1.4 and 15.2.1, which could allow an attacker to change repository permissions.


This issue has been fixed in 15.2.1, released on July 20, 2018. For EE version 12.5, please update to version 15.1.4 or later. For EE version 15.2, please update to version 15.2.1 or later. For EE version 15.3, please update to version 15.3.0 or later. The last update date of your installation can be viewed in the “About” tab of the settings page.

GitLab will no longer display the warning message when first starting up after the upgrade. However, it is recommended to update the application to prevent potential data leak issues.
The vulnerability was found when testing the security of the GitLab Grafana Add-on. This is an official Grafana add-on that is used to visualize Git data.
Why was authentication on the Grafana API not performed correctly? The issue occurs when a user has access to a group of users other than their own (e.g. a Project Lead has access to developers they do not work with).

What are the steps to update the installation?

Update GitLab Application

1. Download the latest version of GitLab from our website.
2. After the installation has finished, go to “Settings” and “Application”.
3. In the “Application” menu, click on “Upgrade”.
4. In the “Upgrade options” menu, select “Check for Updates”.
5. Follow the prompts to update the application.

Install the latest version of GitLab from the website


Upgrade considerations

- If you are upgrading to EE version 15.3.0 or later from EE version 15.2.1, it is recommended to perform a backup of your data before updating the installation and import this backup data afterwards to prevent any potential data leak issues.
- If you are upgrading from EE version 12.5 and the last update date is earlier than July 20, 2018, it is recommended to update your installation first before performing the upgrade.

