
GitLab Security Vulnerabilities

Apr 01, 2021 GMT+08:00

I. Overview

GitLab has officially released security updates that fix multiple security vulnerabilities in GitLab CE/EE. Of these, the following two are rated by GitLab as critical and high, respectively; an attacker can exploit them to read arbitrary files on the server.

1. Arbitrary File Read During Project Import (severity: critical)

2. Kroki Arbitrary File Read/Write (severity: high)

If you are a GitLab user, check your system and implement timely security hardening.

Reference link:

GitLab Security Release: 13.10.1, 13.9.5, and 13.8.7

II. Severity

Severity: important

(Severity scale: low, moderate, important, critical)

III. Affected Products

Affected versions:

GitLab CE/EE after 13.9.5 and before 13.10.1

GitLab CE/EE after 13.8.7 and before 13.9.5

GitLab CE/EE before 13.8.7

Secure versions:

GitLab CE/EE 13.10.1

GitLab CE/EE 13.9.5

GitLab CE/EE 13.8.7

IV. Vulnerability Handling

These vulnerabilities have been fixed in the latest official versions. If your service version falls into an affected range, upgrade it to the corresponding secure version listed above.

https://about.gitlab.com/update/

Note: Before applying the fix, back up your files and test the upgrade thoroughly.