CVE-2018-18649: Gitlab Wiki API Remote Code Execution Vulnerability Alert

GitLab recently published a security release notice disclosing a remote code execution vulnerability that could allow an attacker to gain direct access to the affected server.

The GitLab Wiki API is a set of interfaces for creating, editing, listing, and deleting project wiki pages. The API does not adequately filter external input, which allows an attacker to submit a specially crafted request and execute arbitrary commands on the target server.

Affected version

  • Affects GitLab CE/EE 11.3 and later.

Solution

Upgrade GitLab CE/EE to the latest version (see the official upgrade guide link).