We deployed GitLab 14.1.0 (Chart version: 5.1.0) on our OpenShift Container Platform (4.8.36) cluster and used the Prisma tool to scan the GitLab namespace, which discovered numerous vulnerabilities in the GitLab images.
Could you please recommend which GitLab version will fix all of the above CVEs? If we use the latest GitLab version, can we then assume there will not be any vulnerability in the GitLab images?
I am new to the GitLab community. Could you please provide any document/link related to security vulnerability fixing?
In general, GitLab (the company) only maintains the three latest (minor) versions. The latest version is 15.7, and the two other maintained versions are 15.6 and 15.5. Security fixes are sometimes backported a bit further, but 14.1 is from July 2021; that’s so long ago that I would guess even security fixes don’t get that far back, and that matches what you’ve found.
Without checking all those CVEs, I assume they are all fixed in the latest versions of GitLab (the product), but coming from 14.1 I don’t think there’s any good reason not to go for the newest (i.e. 15.7.0).
As vulnerabilities generally have to be found before they can be fixed, you can’t be sure there won’t be vulnerabilities in GitLab (or anything else), but GitLab generally handles security discoveries like they should, so if you keep GitLab upgraded, you’ll be as safe as if you ran anything else (that has a reasonable policy, and that you keep up to date).