All versions up to and including 15.2.5 (released on October 18th, 2017) are affected by a security issue where an attacker can insert arbitrary code into an arbitrary branch, create a merge request or pull request, or commit an arbitrary change to any other branch. There is no way to fix or mitigate this issue. This issue has been addressed in version 15.2.5 (released on January 18th, 2018) by disabling merge requests and pull requests on the public-facing API. The fix was done in a way that does not require a rolling update.

This issue has been addressed in version 15.3 (released on February 14th, 2018) by disabling merge requests and pull requests on the public-facing API. All other access controls remain in place. The fix was done in a way that does not require a rolling update. This issue has been addressed in version 15.4 (released on May 15th, 2018) by disabling merge requests and pull requests on the public-facing API. All other access controls remain in place.

Summary of vulnerability

CVE-2022-3030, also known as CVE-2018-1561, is a vulnerability in GitLab Enterprise Edition that affects all versions up to and including 15.2.5 (released on October 18th, 2017) and 15.3 (released on February 14th, 2018). It was addressed by disabling merge requests and pull requests on the public-facing API in version 15.4 (released on May 15th, 2018).


Summary

CVE-2022-3030 is a security vulnerability that affects all versions of Laravel up to and including version 15.2.5 (released on October 18th, 2017), which was released on the same day as a new feature in Laravel 4.5.
The vulnerability allows an attacker to insert arbitrary code into any branch, create a merge request or pull request, or commit any change to any other branch. There is no way to fix or mitigate this issue. It has been addressed in version 15.2.5 (released on January 18th, 2018) by disabling merge requests and pull requests on the public-facing API, and in version 15.3 (released on February 14th, 2018) by disabling merge requests and pull requests on the public-facing API while other controls remain in place.

Timeline

Published on: 10/17/2022 16:15:00 UTC
Last modified on: 10/19/2022 16:54:00 UTC
