Synology-SA-17:43 GitLab

Publish Time: 2017-08-15 00:00:00 UTC+8

Last Updated: 2017-09-08 10:46:10 UTC+8

Severity: Important

Status: Resolved

Abstract

CVE-2017-12426 allows attackers to execute arbitrary commands on a vulnerable version of GitLab via a crafted SSH URL for a project import.

Affected

  • Products
    • GitLab before 9.4.4-0024
  • Models
    • All Synology models

Description

GitLab Community Edition (CE) and Enterprise Edition (EE) before 8.17.8, 9.0.x before 9.0.13, 9.1.x before 9.1.10, 9.2.x before 9.2.10, 9.3.x before 9.3.10, and 9.4.x before 9.4.4 might allow remote attackers to execute arbitrary code via a crafted SSH URL in a project import.

Mitigation

None

Update Availability

To fix the security issue, please go to DSM > Package Center and update GitLab to 9.4.4-0024 or above.
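The Description above lists six separate fixed versions, one per release branch, and the Update Availability section gives the Synology package version that carries the fix. The following is an added example (not Synology's or GitLab's own code) that turns those ranges into a check a defender can run over an inventory of GitLab installations. The per-branch fixed versions are taken straight from this advisory; the inventory at the bottom is constructed sample data, and the handling of the Synology "-NNNN" build suffix is an assumption about how package versions are reported.

```python
# Added example: decide whether a reported GitLab version falls inside the
# affected ranges stated in Synology-SA-17:43 / CVE-2017-12426.
import re

# Fixed (i.e. first unaffected) version per branch, copied from the advisory:
# 9.0.x before 9.0.13, 9.1.x before 9.1.10, 9.2.x before 9.2.10,
# 9.3.x before 9.3.10, 9.4.x before 9.4.4.
FIXED_BY_BRANCH = {
    (9, 0): (9, 0, 13),
    (9, 1): (9, 1, 10),
    (9, 2): (9, 2, 10),
    (9, 3): (9, 3, 10),
    (9, 4): (9, 4, 4),
}
# Everything older than 9.0 must be at least 8.17.8 ("before 8.17.8").
FIXED_LEGACY = (8, 17, 8)


def parse_version(text):
    """Parse 'major.minor.patch' into a tuple of ints.

    An optional suffix starting with '-' or '+' is ignored, so both the upstream
    form '9.4.4' and the Synology package form '9.4.4-0024' (assumed layout) are
    accepted. Anything else raises ValueError rather than being guessed at.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:[-+].*)?", text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version_text):
    """True if the version lies in one of the advisory's affected ranges."""
    v = parse_version(version_text)
    branch = v[:2]
    if branch in FIXED_BY_BRANCH:
        return v < FIXED_BY_BRANCH[branch]
    if v < (9, 0, 0):
        return v < FIXED_LEGACY
    # Branches newer than 9.4 are not listed by the advisory; report them as
    # not affected by this CVE (they postdate the fix).
    return False


def affected_hosts(inventory):
    """Return the names of hosts whose GitLab version is affected, sorted."""
    return sorted(name for name, ver in inventory.items() if is_affected(ver))


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "nas-01": "9.4.3-0023",   # Synology package one release before the fix
    "nas-02": "9.4.4-0024",   # the version the advisory says to update to
    "build-ci": "8.17.7",     # old branch, still before 8.17.8
    "legacy": "8.17.8",       # old branch, at the fixed version
    "staging": "9.0.12",      # 9.0.x before 9.0.13
}

if __name__ == "__main__":
    for name in affected_hosts(SAMPLE_INVENTORY):
        print(f"{name}: GitLab {SAMPLE_INVENTORY[name]} is affected by CVE-2017-12426")
```

Because the advisory gives a distinct cutoff for each minor branch, a single "less than 9.4.4" comparison would wrongly flag 9.3.10 or 8.17.8 as vulnerable; keying the comparison on the (major, minor) pair first is what keeps the check faithful to the published ranges.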
