CVE-2017-12426 allows attackers to execute arbitrary commands on a vulnerable version of GitLab via a crafted SSH URL for a project import.
- Impact: Important
- CVSS3 Base Score: 6.3
- CVSS3 Base Metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
- Affected product: GitLab before 9.4.4-0024
- Affected models: All Synology models
GitLab Community Edition (CE) and Enterprise Edition (EE) before 8.17.8, 9.0.x before 9.0.13, 9.1.x before 9.1.10, 9.2.x before 9.2.10, 9.3.x before 9.3.10, and 9.4.x before 9.4.4 might allow remote attackers to execute arbitrary code via a crafted SSH URL in a project import.
To fix the security issue, please go to DSM > Package Center and update GitLab to 9.4.4-0024 or above.
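The affected ranges above, expressed as a version check that can be run against an inventory of GitLab instances. This is an added example, not code from the advisory, GitLab or Synology; the function names and the accepted version-string formats are assumptions made for illustration.

```python
import re

# First unaffected patch release per 9.x branch, as listed in the advisory.
FIXED_PATCH = {(9, 0): 13, (9, 1): 10, (9, 2): 10, (9, 3): 10, (9, 4): 4}
# Any upstream release older than this is affected.
OLDEST_FIXED = (8, 17, 8)
# First fixed Synology package build (9.4.4-0024).
SYNOLOGY_FIXED = (9, 4, 4, 24)


def parse_version(text):
    """Parse '9.3.9', 'v9.4.3-ee' or '9.4.4-0024' into a tuple of ints.

    A numeric suffix after '-' is kept as a fourth component (the Synology
    package build); a non-numeric suffix such as '-ee' is ignored.
    """
    m = re.match(r"\s*v?(\d+)\.(\d+)\.(\d+)(?:-(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(g) for g in m.groups() if g is not None)


def gitlab_affected(version):
    """True if an upstream GitLab CE/EE version is in an affected range."""
    major, minor, patch = parse_version(version)[:3]
    if (major, minor, patch) < OLDEST_FIXED:
        return True
    if (major, minor) in FIXED_PATCH:
        return patch < FIXED_PATCH[(major, minor)]
    # 8.17.8 and later 8.17.x, and anything from 9.5 on, are not listed.
    return False


def synology_package_affected(version):
    """True if a Synology GitLab package version is older than 9.4.4-0024."""
    parsed = parse_version(version)
    if len(parsed) != 4:
        raise ValueError("Synology package versions need a build, e.g. 9.4.4-0024")
    return parsed < SYNOLOGY_FIXED


if __name__ == "__main__":
    # Constructed sample inventory, not taken from the advisory.
    for v in ("8.17.7", "9.0.13", "9.3.9", "9.4.3-ee", "9.4.4"):
        print(v, "affected" if gitlab_affected(v) else "not affected")
```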