• Home
  • |
  • Blog
  • |
  • 16 New Vulnerabilities in GitLab – Update GitLab to 15.2.1, 15.1.4, and 15.0.5
We hope this post will help you know about 16 new vulnerabilities in GitLab and how to update GitLab to 15.2.1, 15.1.4, and 15.0.5. Please share this post and help to secure the digital world. Visit our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, & Medium and subscribe to receive updates like this.

On July 28, GitLab announced a security advisory in that it detailed a list of 16 new vulnerabilities in GitLab. Out of the 16 vulnerabilities, 12 are identified as medium severity vulnerabilities, and the remaining 4 are low in severity. GitLab releases patches for all the 16 vulnerabilities in 15.2.1, 15.1.4, and 15.0.5 releases. The vendor writes as a recommended action to all the GitLab users, “We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.” Following this, since GitLab didn’t point out any specific deployment type as affected: omnibus, source code, helm chart, etc., the flaws affect all types of deployments. If you want to fix all 16 vulnerabilities in GitLab, you should update GitLab to 15.2.1, 15.1.4, and 15.0.5 versions.

According to GitLab, these vulnerabilities could allow the attackers to perform trigger new pipelines with the wrong author, gain unauthorized access to a private project, bypass checks on a repository, leakage of Packagist and other integration access tokens, and other attacks on the vulnerable version of GitLab. This makes it important for GitLab administrators and responds to the vulnerabilities by upgrading GitLab to 15.2.1, 15.1.4, and 15.0.5 versions as soon as possible.

What Is GitLab?

GitLab is a web-based Git repository manager with a wiki and issue tracking features, using an open-source license, developed by GitLab Inc. GitLab offers git repository management, code reviews, issue tracking, activity feeds, and wikis. GitLab provides fine-grained access control, user management, five permission levels, and branch protection. With GitLab, you can have unlimited public and private repositories with community or developer editions. You can also do continuous integration and deployment with GitLab.

GitLab Community Edition (CE) is an open-source project under the MIT License. CE is for individual developers and small teams who want to self-host their own Git repositories. A notable instance of this is the Gitlab company, which offers a hosted version of GitLab CE as well as a commercial Enterprise Edition (EE). GitLab EE adds additional features on top of CE for larger deployments. Both editions are available under either a subscription or an annual contract.

List Of 16 New Vulnerabilities in GitLab:

There are 16 vulnerabilities GitLab identified in July month’s security updates. Out of the 16 vulnerabilities, 12 are identified as medium severity vulnerabilities, and the remaining 4 are low in severity. Please have the list of all the 16 new vulnerabilities in GitLab in the below table.

CVE IDShort DescriptionSeverityCVSS ScoreVector
CVE-2022-2512Revoke access to confidential notes todosmedium6.5CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVE-2022-2498Pipeline subscriptions trigger new pipelines with the wrong authormedium6.4CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N
CVE-2022-2326Ability to gain access to private project through an email invite by using other user’s email address as an unverified secondary emailmedium6.4CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N
CVE-2022-2417Import via git protocol allows to bypass checks on repositorymedium6.2CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:N/I:H/A:N
CVE-2022-2501Unauthenticated IP allowlist bypass when accessing job artifacts through GitLab Pagesmedium5.2CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE-2022-2497Maintainer can leak Packagist and other integration access tokens by changing integration URLmedium5.5CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
CVE-2022-2531Unauthenticated access to victims Grafana datasources through path traversalmedium5.3CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVE-2022-2539Unauthorized users can filter issues by contact and organizationmedium5.3CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVE-2022-2456Malicious Maintainer may change the visibility of project or a groupmedium4.9CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
CVE-2022-2500Stored XSS in job error messagesmedium4.4CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N
CVE-2022-2303Enforced group MFA can be bypassed when using Resource Owner Password Credentials grantmedium4.3CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CVE-2022-2095Non project members can view public project’s Deploy Keysmedium4.3CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CVE-2022-2499IDOR in project with Jira integration leaks project owner’s other projects Jira issueslow3.5CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N
CVE-2022-2307Group Bot Users and Tokens not deleted after group deletionlow3.5CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N
CVE-2022-2459Email invited members can join projects even after the member lock has been enabledlow2.7CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
CVE-2022-2534Datadog integration returns user emailsLow2.2CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N
List Of 16 New Vulnerabilities in GitLab

GitLab Versions Affected by These Vulnerabilities:

CVE IDVersions Affected
CVE-2022-2512From 15.0 to 15.0.4
From 15.1 to 15.1.3
15.2
CVE-2022-2498From 12.8 to 15.0.4
From 15.1 to 15.1.3
15.2
CVE-2022-2326Any version up to 15.0.4
From 15.1 to 15.1.3
15.2
CVE-2022-2417From 12.10 to 15.0.4
From 15.1 to 15.1.3
15.2
CVE-2022-2501From 12.0 to 15.0.4
From 15.1 to 15.1.3
15.2
CVE-2022-2497From 12.6 to 15.0.4
From 15.1 to 15.1.3
15.2
CVE-2022-2531From 12.5 to 15.0.4
From 15.1 to 15.1.3
15.2
CVE-2022-2539From 14.6 to 15.0.4
From 15.1 to 15.1.3
15.2
CVE-2022-2456Any version up to 15.0.4
From 15.1 to 15.1.3
15.2
CVE-2022-2500Any version up to 15.0.4
From 15.1 to 15.1.3
15.2
CVE-2022-2303Any version up to 15.0.4
From 15.1 to 15.1.3
15.2
CVE-2022-2095From 13.7 to 15.0.4
From 15.1 to 15.1.3
15.2
CVE-2022-2499From 13.10 to 15.0.4
From 15.1 to 15.1.3
15.2
CVE-2022-2307From 13.0 to 15.0.4
From 15.1 to 15.1.3
15.2
CVE-2022-2459Any version up to 15.0.4
From 15.1 to 15.1.3
15.2
CVE-2022-2534From 9.3 to 15.0.4
From 15.1 to 15.1.3
15.2
GitLab Versions Affected

How to Fix 16 New Vulnerabilities in GitLab?

GitLab responded these flaws by releasing security updates. All these vulnerabilities were fixed in versions 15.2.1, 15.1.4, and 15.0.5. We recommend you upgrade your GitLab to any of these versions to fix all these 16 new vulnerabilities in GitLab.

Time needed: 10 minutes.

How to upgrade GitLab to the latest version?

GitLab upgradation process depends on the installation methods followed in your organization. GitLab officially supports four different ways of upgradation process:

1. Linux packages (Omnibus GitLab)
2. Source installations
3. Docker installations
4. Kubernetes (Helm) installations

  1. Create backup before the upgrade

    It is highly recommended to have a full up-to-date backup before you begin.

  2. Add GitLab official repositories

    1. gitlab/gitlab-ee: The full GitLab package contains all the Community Edition features plus the Enterprise Edition ones.
    2. gitlab/gitlab-ce: A stripped-down package that contains only the Community Edition features.
    3. gitlab/unstable: Release candidates and other unstable versions.
    4. gitlab/nightly-builds: Nightly builds.
    5. gitlab/raspberry-pi2: Official Community Edition releases built for Raspberry Pi packages.

    You can run this command to update the latest repositories if you have GitLab installed on your server.

    $ sudo apt update

  3. Upgrade GitLab to the latest version using the official repositories

    To upgrade to the latest GitLab version:

    # Ubuntu/Debian
    $ sudo apt upgrade gitlab-ee

    # RHEL/CentOS 6 and 7
    $ sudo yum upgrade gitlab-ee

    # RHEL/CentOS 8
    $ sudo dnf upgrade gitlab-ee

    # SUSE
    $ sudo zypper upgrade gitlab-ee

    Note: For the GitLab Community Edition, replace gitlab-ee with gitlab-ce.

  4. Upgrade GitLab to a specific version

    Use these commands with a version number to upgrade GitLab to a specific version.

    # Ubuntu/Debian
    $ sudo apt install gitlab-ee=<version>

    # RHEL/CentOS 6 and 7
    $ sudo yum install gitlab-ee-<version>

    # RHEL/CentOS 8
    $ sudo dnf install gitlab-ee-<version>

    # SUSE
    $ sudo zypper install gitlab-ee=<version>

  5. Upgrade GitLab using a manually-downloaded package

    After the package is downloaded, install it by using one of the following commands and replacing <package_name> with the package name you downloaded:

    # Debian/Ubuntu
    $ dpkg -i <package_name>

    # CentOS/RHEL
    $ rpm -Uvh <package_name>

    # SUSE
    $ zypper install <package_name>

We hope this post will help you know about 16 new vulnerabilities in GitLab and how to update GitLab to 15.2.1, 15.1.4, and 15.0.5. Please share this post and help to secure the digital world. Visit our social media page on FacebookLinkedInTwitterTelegramTumblr, & Medium and subscribe to receive updates like this.

About the author

Arun KL

Hi All, I am Arun KL, an IT Security Professional. Founder of “thesecmaster.com”. Enthusiast, Security Blogger, Technical Writer, Editor, Author at TheSecMaster. To know more about me. Follow me on LinkedIn

Leave a Reply

Your email address will not be published. Required fields are marked

{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}

Learn Something New with Free Email subscription

Email is also one of the ways to be in touch with us. Our free subscription plan offers you to receive post updates straight to your inbox.