Gitlab Fixed Critical RCE bug in Latest Security Release

Gitlab released versions 15.1.1, 15.0.4, and 14.10.5 for GitLab Community Edition (CE) and Enterprise Edition (EE) to patch the critical Remote Code Execution bugs. The release is a monthly security release for June which fixed multiple security vulnerabilites.

A critical issue which has been assigned CVE-2022-2185, affects all versions starting from 14.0 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1 where an authorised user could import a maliciously crafted project which leads to remote code execution. 

Title	Severity
Remote Command Execution via Project Imports	CVE-2022-2185	critical
XSS in ZenTao integration affecting self hosted instances without strict CSP	CVE-2022-2235	high
XSS in project settings page	CVE-2022-2230	high
Unallowed users can read unprotected CI variables	CVE-2022-2229	high
IP allow-list bypass to access Container Registries	CVE-2022-1983	medium
2FA status is disclosed to unauthenticated users	CVE-2022-1963	medium
Restrict membership by email domain bypass	CVE-2022-1981	medium
IDOR in sentry issues	CVE-2022-2243	medium
Reporters can manage issues in error tracking	CVE-2022-2244	medium
CI variables provided to runners outside of a group's restricted IP range	CVE-2022-2228	medium
Regular Expression Denial of Service via malicious web server responses	CVE-2022-1954	medium
Job information is leaked to users who previously were maintainers via the Runner Jobs API endpoint	CVE-2022-2227	medium
Unauthorized read for conan repository	CVE-2022-2270	low
Open redirect vulnerability	CVE-2022-2250	low
Group labels are editable through subproject	CVE-2022-1999	low
Release titles visible for any users if group milestones are associated with any project releases	CVE-2022-2281	low

It is strongly recommended that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.