Main Vulnerability Database Vulnerabilities #VU38465

Input validation error in Gitlab Community Edition - CVE-2017-12426

Published: August 14, 2017 / Updated: August 8, 2020

Vulnerability identifier: #VU38465

CSH Severity: High

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

CVE-ID: CVE-2017-12426

CWE-ID: CWE-20

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: GitLab, Inc

Affected software:
Gitlab Community Edition

Detailed vulnerability description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

GitLab Community Edition (CE) and Enterprise Edition (EE) before 8.17.8, 9.0.x before 9.0.13, 9.1.x before 9.1.10, 9.2.x before 9.2.10, 9.3.x before 9.3.10, and 9.4.x before 9.4.4 might allow remote attackers to execute arbitrary code via a crafted SSH URL in a project import.

How to mitigate CVE-2017-12426

Install update from vendor's website.

Sources

https://about.gitlab.com/2017/08/10/gitlab-9-dot-4-dot-4-released/
https://www.mail-archive.com/linux-kernel@vger.kernel.org/msg1466490.html

Input validation error in Gitlab Community Edition - CVE-2017-12426

Detailed vulnerability description

How to mitigate CVE-2017-12426

Sources

Please verify you're human