1. Basic situation
GitLab is an open source repository management system. It uses Git as its version control tool and provides access to public or private projects through a web interface.
Recently, GitLab released a security update bulletin fixing a remote command execution vulnerability in GitLab Community Edition (CE) and Enterprise Edition (EE), tracked as CVE-2021-22205. An attacker can use this vulnerability to execute arbitrary commands on the target server. Affected users are advised to upgrade to the latest version of GitLab for protection, and to audit their own assets and take preventive measures to avoid attacks.
2. Vulnerability level
High risk
3. Vulnerability description
The vulnerability affects all versions from 11.9 onward: GitLab did not correctly validate image files passed to its file parser, which allows command execution. An attacker can craft a malicious request that uses this vulnerability to execute arbitrary commands on the target system, ultimately taking control of the GitLab server.
4. Affected versions
Gitlab CE / EE <13.10.3
Gitlab CE / EE <13.9.6
Gitlab CE / EE <13.8.8
5. Security recommendations
It is recommended that users upgrade GitLab Community Edition (CE) and Enterprise Edition (EE) to version 13.10.3, 13.9.6 or 13.8.8 for protection.
Download link: https://about.gitlab.com/update
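The advisory asks users to check their own assets against the affected ranges above. The following script is an added example, not part of the original bulletin or of GitLab's own tooling: it classifies a GitLab version string as affected or patched using only the ranges the advisory states (affected from 11.9, fixed in 13.10.3, 13.9.6 and 13.8.8). One assumption is made explicitly in the code: minor branches newer than 13.10 were released after the fix and therefore carry it. Hostnames and versions in the sample inventory are constructed.

```python
import re
from typing import List, Tuple

# Ranges taken from the advisory: every release from 11.9 onward is affected,
# and the fix shipped in 13.10.3, 13.9.6 and 13.8.8 on their respective branches.
FIRST_AFFECTED = (11, 9, 0)
FIXED_IN = {
    (13, 10): (13, 10, 3),
    (13, 9): (13, 9, 6),
    (13, 8): (13, 8, 8),
}
# Assumption (not stated in the advisory): minor branches newer than 13.10
# were cut after the fix and therefore include it.
FIRST_FIXED_BRANCH = (13, 11)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR[.PATCH][-suffix]' into a comparable tuple.

    GitLab reports strings such as '13.10.2-ee'; the edition suffix is
    ignored because CE and EE are affected alike.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_vulnerable(version: str) -> bool:
    """True if the given GitLab version falls inside the affected ranges."""
    v = parse_version(version)
    if v < FIRST_AFFECTED:
        return False  # predates the vulnerable code path
    branch = v[:2]
    if branch in FIXED_IN:
        return v < FIXED_IN[branch]  # patched only from the listed release onward
    if branch >= FIRST_FIXED_BRANCH:
        return False  # assumed: newer branches ship with the fix
    return True  # 11.9 <= version < 13.8: no fixed release on these branches


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return the (host, version) pairs that still need the upgrade."""
    return [(host, ver) for host, ver in inventory if is_vulnerable(ver)]


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    SAMPLE = [
        ("git-prod.example.test", "13.10.2-ee"),
        ("git-staging.example.test", "13.10.3-ee"),
        ("git-legacy.example.test", "12.6.4"),
        ("git-old.example.test", "11.8.10"),
        ("git-new.example.test", "13.11.0"),
    ]
    for host, ver in triage(SAMPLE):
        print(f"{host}: {ver} is affected by CVE-2021-22205, upgrade required")
```

In practice the version string would come from an inventory system or from each instance's own version reporting; the script deliberately works on strings so it can be run offline over an exported list. Anything the regular expression cannot parse raises rather than silently passing, so an unexpected version format shows up in the triage output instead of being treated as safe.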
6. Reference link
https://about.gitlab.com/releases/2021/04/14/security-release-gitlab-13-10-3-released/
Source: https://cstis.cn/post/65a5b182-b8ff-850e-7acb-ab55ebcd7b57