GitLab Remote Code Execution Vulnerability Threat Alert

March 22, 2021 | Jie Ji

Vulnerability Description

On March 19, 2021, NSFOCUS detected that GitLab had released patches for a code execution vulnerability in GitLab Community Edition (CE) and Enterprise Edition (EE), rated with a CVSS base score of 9.9. An authenticated attacker can craft a malicious request through attacker-controllable markdown rendering options and execute arbitrary code on the GitLab server.

GitLab is an open-source source-code repository management platform. Built on Git for version control, it lets users host and work on public or private projects through a web interface.

Reference link: https://about.gitlab.com/releases/2021/03/17/security-release-gitlab-13-9-4-released/

Scope of Impact

Affected Versions

  • GitLab CE/EE 13.9.x earlier than 13.9.4
  • GitLab CE/EE 13.8.x earlier than 13.8.6
  • GitLab CE/EE 13.2.0 and later, earlier than 13.7.9

Note: Releases earlier than GitLab CE/EE 13.2 are not affected. Every release from 13.2 onward that is older than the fixed version of its branch is affected.

Unaffected Versions

  • GitLab CE/EE 13.9.4
  • GitLab CE/EE 13.8.6
  • GitLab CE/EE 13.7.9

Check for the Vulnerability

Version Check

Users can determine whether their installation is vulnerable by checking its version. On an Omnibus (package) installation, the version is recorded in the VERSION file of the bundled Rails application; run the following command on the GitLab server:

cat /opt/gitlab/embedded/service/gitlab-rails/VERSION

The file contains the version followed by an edition suffix (for example 13.8.5-ee). If the version falls in one of the affected ranges above, the installation is vulnerable. On a source installation the VERSION file is located in the GitLab installation directory instead; on either type of installation, sudo gitlab-rake gitlab:env:info also reports the GitLab version.
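The following script is an added example, not part of the NSFOCUS advisory or of GitLab itself. It reads the VERSION file at the path given above (or a version string passed as the first argument), strips the edition suffix, and compares the version numerically against the three affected ranges listed in this advisory. Numeric comparison matters because a plain string comparison would order 13.10.0 before 13.9.4. The VERSION file path and the "-ee"/"-ce" suffix format are assumptions taken from the text above; a leading "v" prefix is not handled.

```shell
#!/bin/sh
# Added example: check a GitLab CE/EE version against the affected ranges
# given in this advisory (13.2.0 <= v < 13.7.9, 13.8.0 <= v < 13.8.6,
# 13.9.0 <= v < 13.9.4). Not GitLab's or NSFOCUS's code.

# Path assumed from the advisory text (Omnibus installations).
GITLAB_VERSION_FILE=/opt/gitlab/embedded/service/gitlab-rails/VERSION

# normalize_version "13.8.5-ee" -> "13.8.5": drop the edition suffix and
# anything else that is not a digit or a dot.
normalize_version() {
    printf '%s' "${1%%[!0-9.]*}"
}

# vercmp A B: compare the first three dotted components numerically and
# print -1, 0 or 1. Missing components count as 0 (the ".0.0" padding).
vercmp() {
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s.0.0' "$1" | cut -d. -f"$i")
        y=$(printf '%s.0.0' "$2" | cut -d. -f"$i")
        x=${x:-0}
        y=${y:-0}
        if [ "$x" -lt "$y" ]; then echo -1; return 0; fi
        if [ "$x" -gt "$y" ]; then echo 1; return 0; fi
        i=$((i + 1))
    done
    echo 0
    return 0
}

# in_range LO HI V: succeed when LO <= V < HI.
in_range() {
    [ "$(vercmp "$3" "$1")" -ge 0 ] && [ "$(vercmp "$3" "$2")" -lt 0 ]
}

# gitlab_version_affected VERSION: exit status 0 when VERSION lies in an
# affected range from this advisory, 1 otherwise.
gitlab_version_affected() {
    v=$(normalize_version "$1")
    in_range 13.2.0 13.7.9 "$v" ||
    in_range 13.8.0 13.8.6 "$v" ||
    in_range 13.9.0 13.9.4 "$v"
}

# Usage: take the version from $1 if given, otherwise from the VERSION
# file of a local Omnibus installation; do nothing when neither exists.
if [ -n "${1:-}" ]; then
    ver=$1
elif [ -r "$GITLAB_VERSION_FILE" ]; then
    ver=$(cat "$GITLAB_VERSION_FILE")
fi
if [ -n "${ver:-}" ]; then
    if gitlab_version_affected "$ver"; then
        echo "GitLab $ver: in an affected range, upgrade required"
    else
        echo "GitLab $ver: not in an affected range"
    fi
fi
```

Run it on the GitLab host with no arguments to check the local Omnibus installation, or pass a version string (for example 13.8.5-ee) to check a version obtained elsewhere, such as from gitlab-rake gitlab:env:info. The exit status of gitlab_version_affected makes the check usable from inventory or configuration-management scripts.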

Mitigation

Official Fix

This vulnerability is fixed in GitLab CE/EE 13.9.4, 13.8.6 and 13.7.9. If your installation runs an affected version, upgrade to the fixed release of your branch (or later) as soon as possible, following the instructions at https://about.gitlab.com/update/.

Workaround

Users who cannot upgrade immediately can reduce exposure by restricting access to GitLab's web ports (HTTP and HTTPS) to an allowlist of trusted source addresses, for example at the firewall or the reverse proxy in front of GitLab. This limits who can reach the vulnerable interface but does not remove the vulnerability: an authenticated user on an allowed network can still exploit it, so the upgrade remains necessary.

Statement

This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.