Path traversal in Gitlab Community Edition - CVE-2018-14364

Published: July 18, 2018 / Updated: July 17, 2020


Vulnerability identifier: #VU31270
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2018-14364
CWE-ID: CWE-22
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: GitLab, Inc
Affected software:
Gitlab Community Edition

Detailed vulnerability description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

GitLab Community and Enterprise Edition before 10.7.7, 10.8.x before 10.8.6, and 11.x before 11.0.4 allows Directory Traversal with write access and resultant remote code execution via the GitLab projects import component.
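The CWE-22 issue described above follows the classic archive-import pattern: an entry name is joined to the extraction root and written, so a name containing `..` (or an absolute path) lands outside the root. The following is an added example, not GitLab's code or its fix, showing the check a defender wants in any importer: resolve each entry against the root and refuse anything whose resolved path escapes it. The module name, the root path `/tmp/import-root` and the sample entry names are constructed for illustration.

```ruby
require "pathname"

# Constructed example (not GitLab's code): a guard for archive entries that
# are about to be written under an extraction root, the CWE-22 pattern.
module SafeExtract
  class TraversalError < StandardError; end

  # Returns the absolute destination path for +entry_name+ if it stays
  # inside +root+; raises TraversalError otherwise.
  def self.destination_for(root, entry_name)
    root_path = Pathname.new(File.expand_path(root))
    raise TraversalError, "absolute path rejected: #{entry_name}" if entry_name.start_with?("/")

    # File.expand_path collapses "." and ".." components, so the comparison
    # below is made on the normalised path, not on the raw entry name.
    dest = Pathname.new(File.expand_path(entry_name, root_path.to_s))

    # Inside root only if the expanded path equals root or starts with root
    # plus a separator (a bare prefix test would wrongly accept
    # "/tmp/import-root-evil" for root "/tmp/import-root").
    unless dest.to_s == root_path.to_s || dest.to_s.start_with?(root_path.to_s + File::SEPARATOR)
      raise TraversalError, "entry escapes extraction root: #{entry_name}"
    end
    dest.to_s
  end

  # Splits a list of entry names into accepted destinations and rejected
  # [name, reason] pairs, returning both so callers can log the rejections.
  def self.triage(root, entry_names)
    accepted = []
    rejected = []
    entry_names.each do |name|
      begin
        accepted << destination_for(root, name)
      rescue TraversalError => e
        rejected << [name, e.message]
      end
    end
    [accepted, rejected]
  end
end

# Constructed sample entry names, as they might appear in an import tarball.
SAMPLE_ENTRIES = [
  "project/README.md",
  "project/../project/sub/file.txt",  # normalises back inside the root
  "../escape.txt",                     # escapes the root
  "/absolute/path.txt",                # absolute path
  "project/../../sibling/x.txt"        # escapes the root after normalisation
].freeze

if $PROGRAM_NAME == __FILE__
  accepted, rejected = SafeExtract.triage("/tmp/import-root", SAMPLE_ENTRIES)
  puts "accepted:"
  accepted.each { |p| puts "  #{p}" }
  puts "rejected:"
  rejected.each { |n, why| puts "  #{n}: #{why}" }
end
```

The check deliberately compares normalised paths rather than searching the raw name for `..`, since `project/../project/sub/file.txt` is harmless while `project/../../sibling/x.txt` is not. It does not cover symbolic links: if the extraction root itself contains symlinks, resolve it with `File.realpath` first, and symlink entries inside the archive need their own policy (typically rejection) because a later entry can be written through them.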


How to mitigate CVE-2018-14364

Install update from vendor's website.

Sources