Service Notices
GitLab Remote Code Execution Vulnerability
Mar 22, 2021 GMT+08:00
I. Overview
GitLab has officially disclosed a remote code execution vulnerability affecting all GitLab CE/EE versions since 13.2. An attacker who has not been authenticated can exploit it to execute arbitrary code on the GitLab server.
If you run GitLab, check the version of your deployment against the ranges below and apply the fix promptly.
For more information about this vulnerability, visit the following website:
Remote code execution via unsafe user-controlled markdown rendering options
II. Severity
Severity: important
(Severity: low, moderate, important, and critical)
III. Affected Products
Affected versions:
GitLab CE/EE 13.9.x before 13.9.4
GitLab CE/EE 13.8.x before 13.8.6
GitLab CE/EE 13.2 and later, before 13.7.9
Secure versions:
GitLab CE/EE 13.9.4
GitLab CE/EE 13.8.6
GitLab CE/EE 13.7.9
IV. Vulnerability Handling
This vulnerability has been fixed in the official releases listed above. If your GitLab version falls into an affected range, upgrade to the secure version for your release line (13.9.4, 13.8.6, or 13.7.9) or later, following the official upgrade guide:
https://about.gitlab.com/update/
Note: Back up your data before upgrading, and test the upgrade in a non-production environment first.
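The following script is an added example for triaging a fleet against the version ranges in this notice; it is not GitLab's code and not part of the original notice. It compares versions numerically (so 13.10.0 sorts after 13.9.4, which a plain string comparison gets wrong) and classifies each version as not affected (older than 13.2), vulnerable, or at or above the fixed release for its line. It assumes that Omnibus installations record the running version on the first line of /opt/gitlab/version-manifest.txt in the form "gitlab-ee 13.9.3" (source installations can obtain it from `gitlab-rake gitlab:env:info`); the sample manifest lines at the bottom are constructed, so the script runs offline.

```shell
#!/bin/sh
# Added example (not GitLab's code): classify GitLab CE/EE versions against the
# affected and fixed ranges given in this notice.
# Assumption: the first line of /opt/gitlab/version-manifest.txt on an Omnibus
# host reads like "gitlab-ee 13.9.3"; the sample lines in demo() are constructed.

# ver_cmp A B -> prints -1, 0 or 1. Dot-separated numeric components are
# compared left to right; a missing component counts as 0.
ver_cmp() {
  a=$1; b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; y=${b%%.*}
    case $a in *.*) a=${a#*.} ;; *) a= ;; esac
    case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    x=${x:-0}; y=${y:-0}
    if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return; fi
    if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return; fi
  done
  printf '%s\n' 0
}

# ver_lt A B -> succeeds when A is strictly lower than B.
ver_lt() { [ "$(ver_cmp "$1" "$2")" = -1 ]; }

# gitlab_status VERSION -> not_affected | vulnerable | fixed
# "fixed" means at or above the fixed release for that line (13.9.4, 13.8.6,
# 13.7.9); anything from 13.2 up to but excluding those releases is vulnerable.
gitlab_status() {
  v=${1%%-*}                       # drop an edition suffix such as "-ee"
  if ver_lt "$v" 13.2.0; then printf '%s\n' not_affected; return; fi
  line=$(printf '%s\n' "$v" | cut -d. -f1,2)
  case $line in
    13.9) if ver_lt "$v" 13.9.4; then printf '%s\n' vulnerable; else printf '%s\n' fixed; fi ;;
    13.8) if ver_lt "$v" 13.8.6; then printf '%s\n' vulnerable; else printf '%s\n' fixed; fi ;;
    *)    if ver_lt "$v" 13.7.9; then printf '%s\n' vulnerable; else printf '%s\n' fixed; fi ;;
  esac
}

# version_from_manifest "gitlab-ee 13.9.3" -> 13.9.3
version_from_manifest() {
  set -- $1
  printf '%s\n' "$2"
}

# Constructed sample: one manifest line per host, as collected from
# /opt/gitlab/version-manifest.txt across a fleet.
demo() {
  for m in "gitlab-ee 13.9.3" "gitlab-ce 13.8.6" "gitlab-ee 13.5.2" \
           "gitlab-ce 13.1.11" "gitlab-ee 13.10.0"; do
    v=$(version_from_manifest "$m")
    printf '%-10s %s\n' "$v" "$(gitlab_status "$v")"
  done
}

demo
```

Run it on a real host by replacing the constructed lines with `head -n1 /opt/gitlab/version-manifest.txt`; any host reported as vulnerable should be upgraded to the fixed release for its line before anything else in the maintenance window.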