CVE-2022-2865 An issue with cross-site scripting has been found in GitLab CE/EE prior to 15.3.2, 15.2 to 15.2.4, and 15.1.6.

The issue was discovered by Kyle Rankin of HackerOne and reported to the GitLab team. The team patched the issue within a few days after receiving the report and released a patch. The communication between the team and HackerOne was very smooth. As soon as the issue was discovered, the issue was assigned to a developer and a patch was submitted within a few days. GitLab continues to work on improving the quality of its releases and keeping the communication channels open with the community is a great way to do that.

Verified Vendor

A verified vendor will come in for one time services and leave. This can have a negative effect on the quality of your application, as it is not possible to check the code from previous releases. For this reason, you should use a trusted 3rd party service with a test environment before releasing any features or updates.

Improve Communication Between DevOps and Development Teams

In order to improve the quality of the releases and keep the communication channels open with the community, GitLab has taken steps to improve how it communicates with their development teams. With this update, they have introduced a new system that allows developers to submit patches easily without needing to know all of the details about GitLab. The team also improved how they handle security vulnerabilities. They now require that any report made about an issue be accompanied by a patch and will not consider an issue as closed until one is submitted. These two changes are great for improving communication between DevOps and Development Teams.

GitLab Continuous integration and delivery

Continuous integration and delivery is a process that allows developers to continuously fix bugs, improve features, and update the codebase without affecting the live product. This process also allows for better communication between the development team and the business stakeholders. As a result, this process leads to happier customers who are less likely to leave due to an error or bug in the application. It's also easier for developers to be more efficient with their time and get more done in less time. And lastly, continuous integration can increase productivity and lead to higher quality code.
The GitLab team takes pride in its CI/CD solution which it uses internally as well as externally with other product companies like Trello and Shopify.

Timeline

Published on: 10/17/2022 16:15:00 UTC
Last modified on: 10/19/2022 17:31:00 UTC

References

• https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-2865.json
• https://hackerone.com/reports/1665658
• https://gitlab.com/gitlab-org/gitlab/-/issues/370873
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-2865