
Cloud Vulnerability DB
A community-led vulnerabilities database
A critical vulnerability (CVE-2022-2185) was discovered in GitLab, affecting all versions from 14.0 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1. It was discovered on June 23, 2022 and publicly disclosed on June 30, 2022. It allowed an authenticated user with project import permissions to achieve remote code execution on the GitLab server through a maliciously crafted project import (GitLab Release).
The vulnerability exists in the DecompressedArchiveSizeValidator component of GitLab, which checks the decompressed size of an archive before extraction. The validator builds its command as a single string that includes attacker-controlled data and passes that string directly to Open3.popen3; Ruby runs a single command string through /bin/sh, so shell metacharacters in the attacker-controlled part are interpreted as shell syntax rather than as data, which allows command injection. The vulnerability received a CVSS v3.1 score of 9.9 (Critical) with the vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H (GitLab Release, Censys Report).
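The injection pattern described above, as an added example that is not GitLab's code: a cut-down model of an archive size validator that learns the decompressed size by running "gzip -dc <file> | wc -c", first in the single-string form that Open3.popen3 hands to /bin/sh, then in a hardened form (my own, not GitLab's actual patch) that passes argv arrays so no shell is involved and confines the path to the importer's directory. The size limit, the file names and the run_demo harness are constructed for the demonstration; the hostile file name is a legal file name whose shell interpretation is a second command.

```ruby
require 'open3'
require 'tmpdir'
require 'zlib'

# Added example, not GitLab's code: a cut-down model of a validator that
# learns an archive's decompressed size by running "gzip -dc <file> | wc -c",
# first in the injectable single-string form and then in an argv form that
# never involves /bin/sh. The limit and file names are hypothetical.

MAX_DECOMPRESSED_BYTES = 10 * 1024 * 1024

# Vulnerable form: the path is interpolated into one string. Open3.popen3
# hands a single string to "/bin/sh -c", so ';', '|', '#', '$(...)' and
# friends inside the path are parsed as shell syntax, not as a file name.
def decompressed_size_vulnerable(archive_path)
  command = "gzip -dc #{archive_path} | wc -c"
  Open3.popen3(command) do |_stdin, stdout, _stderr, wait_thr|
    out = stdout.read
    wait_thr.value.success? ? out.strip.to_i : nil
  end
end

# Hardened form (my own, not GitLab's actual patch): argv arrays go straight
# to execve, so the path is exactly one argument whatever it contains; the
# file must also resolve to a location under the importer's own directory,
# and an oversize or failed result is reported as nil rather than a number.
def decompressed_size_hardened(archive_path, allowed_dir)
  return nil unless File.file?(archive_path)
  real = File.realpath(archive_path)
  base = File.realpath(allowed_dir)
  return nil unless real.start_with?(base + File::SEPARATOR)

  Open3.pipeline_r(['gzip', '-dc', real], ['wc', '-c']) do |out, threads|
    size = out.read.strip.to_i
    ok = threads.all? { |t| t.value.success? }
    ok && size <= MAX_DECOMPRESSED_BYTES ? size : nil
  end
end

# Constructed demonstration: two genuine gzip files, one with an innocent
# name and one whose name carries a shell command, passed through both
# validators. Returns what each side observed.
def run_demo
  Dir.mktmpdir do |dir|
    Dir.chdir(dir) do
      benign = 'export.tar.gz'
      # A legal file name; in the string form the shell sees a second
      # command, and "#" comments out the trailing "| wc -c".
      hostile = 'export.tar.gz; echo owned > pwned #.gz'
      [benign, hostile].each do |name|
        Zlib::GzipWriter.open(name) { |gz| gz.write('A' * 4096) }
      end

      vulnerable_size = decompressed_size_vulnerable(benign)
      decompressed_size_vulnerable(hostile)
      vulnerable_injected = File.exist?('pwned')   # the injected echo ran
      File.delete('pwned') if vulnerable_injected

      hardened_size         = decompressed_size_hardened(benign, dir)
      hardened_hostile_size = decompressed_size_hardened(hostile, dir)
      hardened_injected     = File.exist?('pwned') # gzip only saw an odd name

      {
        vulnerable_size: vulnerable_size,             # 4096
        vulnerable_injected: vulnerable_injected,     # true
        hardened_size: hardened_size,                 # 4096
        hardened_hostile_size: hardened_hostile_size, # 4096, no shell involved
        hardened_injected: hardened_injected          # false
      }
    end
  end
end

p run_demo if $PROGRAM_NAME == __FILE__
```

Running the file on a host with gzip and wc shows the string form creating the marker file while returning a meaningless size, and the argv form returning the correct size for both files without ever executing the embedded command. The path confinement is a second layer, not the fix: the fix is that an argv array never reaches a shell.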
If successfully exploited, the vulnerability allows an attacker to execute arbitrary commands on the GitLab server as the account the GitLab service runs under. This could lead to complete system compromise, data theft, or service disruption. Exploitation requires an authenticated account, so it is particularly dangerous on instances where new account self-registration is enabled, since any sign-up then satisfies that precondition (Censys Report).
GitLab has released patches: users should upgrade to GitLab 14.10.5, 15.0.4, or 15.1.1. As a temporary workaround, administrators can disable new account creation in the administration UI under Settings -> General -> 'Sign-up restrictions' by unselecting 'Sign-up enabled'; this only stops new attackers from registering and does nothing against accounts that already exist, so it is a stopgap until the upgrade is applied. GitLab.com was patched as soon as the vulnerability was discovered, so only self-managed instances need to act (GitLab Release, Censys Report).
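A check for whether a given self-managed instance version falls inside the affected ranges stated above, as an added example that is not part of the advisory or of GitLab. It takes the version string an operator would already have (for instance from the authenticated GET /api/v4/version endpoint or from gitlab-rake gitlab:env:info) and compares it branch by branch; the edition suffix handling and the sample versions are assumptions made for the example.

```ruby
require 'rubygems'

# Added example, not part of the advisory or of GitLab: decide from a
# version string whether an instance falls inside the affected ranges.
# Each branch is vulnerable from its lower bound up to, but not including,
# the fixed release named in the advisory.
CVE_2022_2185_RANGES = [
  ['14.0.0', '14.10.5'],
  ['15.0.0', '15.0.4'],
  ['15.1.0', '15.1.1'],
].map { |lo, hi| [Gem::Version.new(lo), Gem::Version.new(hi)] }.freeze

# GitLab reports versions as e.g. "15.1.0-ee" or "14.10.3-ce". Gem::Version
# would treat "-ee" as a prerelease tag and sort it below "15.1.0", which
# would misclassify a vulnerable 15.1.0-ee as "below the range", so strip
# the edition suffix before comparing.
def gitlab_vulnerable_to_cve_2022_2185?(version_string)
  bare = version_string.strip.sub(/-(ce|ee)\z/, '')
  v = Gem::Version.new(bare)
  CVE_2022_2185_RANGES.any? { |lo, hi| v >= lo && v < hi }
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample versions around each boundary.
  %w[13.12.15 14.0.0 14.10.4-ee 14.10.5-ce 15.0.4 15.1.0-ee 15.1.1 15.2.0].each do |ver|
    state = gitlab_vulnerable_to_cve_2022_2185?(ver) ? 'VULNERABLE' : 'not affected'
    puts "#{ver}: #{state}"
  end
end
```

The boundaries matter: 14.10.5, 15.0.4 and 15.1.1 are the first fixed releases on their branches, versions before 14.0 are outside the stated ranges, and anything on 15.2 or later was never affected.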
Source: This report was generated using AI