CVE-2022-2826 An issue has been discovered in GitLab starting from 10.0 before 12.9.8, 12.10 before 12.10.7, 13.0 before 13.0.1.

This issue has been acknowledged by the GitLab team and fixed in the upcoming version.

CVE-2017-9467: remote code execution due to insecure handling of unencrypted passwords in LDAP

A critical issue has been discovered in GitLab affecting all versions before 13.0.1.
As a result of this issue, a specially crafted LDAP query can be used to execute code on the system of an unsuspecting GitLab LDAP user. This can lead to remote code execution.
This issue has been acknowledged by the GitLab team and is scheduled to be fixed in the upcoming version.

CVE-2018-7521: remote code execution via insecure LDAP query.

A critical issue has been discovered in GitLab affecting all versions before 13.0.1. As a result of this issue, a specially crafted LDAP query can be used to execute code on the system of an unsuspecting GitLab LDAP user. This can lead to remote code execution. This issue has been acknowledged by the GitLab team and is scheduled to be fixed in the upcoming version.

CVE-2018-7522: remote code execution via insecure LDAP query.

A critical issue has been discovered in GitLab affecting all versions before 13.0.1. As a result of this issue, a specially crafted LDAP query can be used to execute code on the system of an unsuspecting GitLab LDAP user. This can lead to remote code execution.

What is GitLab?

GitLab is a free software application that provides the foundation for a successful open source software project. GitLab has been downloaded over 20 million times and is widely used by companies, open source projects, developers, and individual users for managing code and collaborating on projects.

GitLab is an Open Source Software (OSS) project with over 80 contributors working on it every day to improve its functionality. It also has a large and active community of users who contribute new ideas, use cases, and translations.
The project is funded by up to 87% of its revenue coming from subscriptions; this gives it the flexibility to be a leading platform without any additional funding requirements.

Base path disclosure in gitosis-daemon

A vulnerability has been discovered in GitLab affecting all versions before 13.0.3.
As a result of this issue, attackers can brute force the ssh port of a gitosis-daemon instance on which they have access to the repository URL and retrieve the base path on that server. This can lead to exposure of sensitive data and unauthorized code execution.
This issue has been acknowledged by the GitLab team and is scheduled to be fixed in the upcoming version.

Timeline

Published on: 10/28/2022 22:15:00 UTC
Last modified on: 11/01/2022 20:10:00 UTC

References

• https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-2826.json
• https://hackerone.com/reports/1646633
• https://gitlab.com/gitlab-org/gitlab/-/issues/370790
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-2826