GitLab Remote Code Execution Vulnerability Alert

GitLab is an open-source repository management platform. It uses Git as the underlying version control tool and exposes public and private projects through a web interface. On March 16th, GitLab officially issued a security notice fixing a code execution vulnerability in the Community Edition (CE) and Enterprise Edition (EE), with a CVSS score of 9.9. An authenticated attacker without elevated privileges can construct malicious requests that abuse attacker-controllable Markdown rendering options to execute arbitrary code on the server.
CVE-2018-18649

Affected versions

  • Gitlab CE/EE < 13.9.4
  • Gitlab CE/EE < 13.8.6
  • Gitlab CE/EE < 13.7.9

Unaffected versions

  • Gitlab CE/EE 13.9.4
  • Gitlab CE/EE 13.8.6
  • Gitlab CE/EE 13.7.9

Solution

GitLab has fixed the vulnerability in the releases listed above; upgrade GitLab to an unaffected version as soon as possible.