GitLab 14.1.0 version: Approach to fixing security vulnerabilities

Hi team,

We deployed GitLab 14.1.0 (Chart version: 5.1.0) on our OpenShift Container Platform (4.8.36) cluster and used the Prisma tool to scan the GitLab namespace, which discovered numerous vulnerabilities in the GitLab images.

Some critical CVEs are as follows:

CVE-2022-40674 CVE-2022-3970 CVE-2022-37434 CVE-2022-36227 CVE-2022-33127 CVE-2022-32511 CVE-2022-31813 CVE-2022-29155 CVE-2022-28615 CVE-2022-25648 CVE-2022-25315 CVE-2022-25236

Could you please recommend which GitLab version will fix all of the above CVEs? If we use the latest GitLab version, can we assume there will not be any vulnerabilities in the GitLab images?

I am new to the GitLab community. Could you please provide any document/link related to fixing security vulnerabilities?

Any assistance is greatly appreciated.

In general, GitLab (the company) only maintains the three latest (minor) versions. The latest version is 15.7, and the two other maintained versions are 15.6 and 15.5. Security fixes are sometimes backported a bit further, but 14.1 is from July 2021; that's so long ago that I would guess even security fixes don't get that far back, and that matches what you've found.

Without checking all those CVEs, I assume they are all fixed in the latest versions of GitLab (the product), but coming from 14.1 I don't think there's any good reason not to go for the newest (i.e. 15.7.0).

As vulnerabilities generally have to be found before they can be fixed, you can't be sure there won't be vulnerabilities in GitLab (or anything else), but GitLab generally handles security discoveries like they should, so if you keep GitLab upgraded, you'll be as safe as if you ran anything else (that has a reasonable policy, and that you keep up-to-date).

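Two checks a practitioner would want to script after reading the reply above: a diff of scanner findings between the image currently running and the image being upgraded to, restricted to the CVEs quoted in the question, and a test of whether a given version still sits inside the "current minor plus the two before it" window the reply describes. This is an added example and not code from the thread or from GitLab; the findings format is a constructed, simplified stand-in for a Prisma Cloud or Trivy export (one dict per finding, with `image` and `cve` fields), which CVE appears in which sample image is illustrative only, and the `last_minor_of` mapping used to step the support window back across a major version boundary is an assumption the caller fills in from release history.

```python
"""Scan-diff across an upgrade, plus a support-window check.

Added example, not part of the forum thread. The findings format is a
constructed stand-in for a Prisma Cloud / Trivy JSON export; real exports
have a different shape, so map their fields onto `image` and `cve` first.
"""
from __future__ import annotations

from typing import Iterable

# The CVE identifiers quoted in the original post.
REPORTED_CVES = frozenset({
    "CVE-2022-40674", "CVE-2022-3970", "CVE-2022-37434", "CVE-2022-36227",
    "CVE-2022-33127", "CVE-2022-32511", "CVE-2022-31813", "CVE-2022-29155",
    "CVE-2022-28615", "CVE-2022-25648", "CVE-2022-25315", "CVE-2022-25236",
})

# Constructed sample findings. Which CVE lands in which image is illustrative
# only and says nothing about the contents of real GitLab images.
OLD_IMAGE_FINDINGS = [{"image": "old-image", "cve": c, "severity": "critical"}
                      for c in sorted(REPORTED_CVES)]
NEW_IMAGE_FINDINGS = [
    {"image": "new-image", "cve": "CVE-2022-3970", "severity": "critical"},
    # Scanners often report the same id once per layer or per package.
    {"image": "new-image", "cve": "CVE-2022-3970", "severity": "critical"},
]


def cves_in(findings: Iterable[dict]) -> set[str]:
    """Distinct CVE ids in a findings list, ignoring non-CVE advisory ids."""
    return {f["cve"].upper() for f in findings
            if str(f.get("cve", "")).upper().startswith("CVE-")}


def upgrade_delta(old: Iterable[dict], new: Iterable[dict],
                  watched: Iterable[str] = REPORTED_CVES) -> dict[str, set[str]]:
    """Classify the watched CVEs: fixed by the upgrade, still present, or
    absent from both scans (usually a scanner or feed difference, not a fix).
    Also surface anything the new image reports that the old one did not."""
    before, after, watch = cves_in(old), cves_in(new), set(watched)
    return {
        "fixed": watch & (before - after),
        "remaining": watch & after,
        "unseen": watch - before - after,
        "introduced": after - before,
    }


def parse_version(text: str) -> tuple[int, int, int]:
    """'15.7.0' -> (15, 7, 0); a leading 'v' and a missing patch are tolerated."""
    parts = text.strip().lstrip("v").split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a MAJOR.MINOR[.PATCH] version: {text!r}")
    major, minor = int(parts[0]), int(parts[1])
    patch = int(parts[2]) if len(parts) == 3 else 0
    return major, minor, patch


def maintained_minors(latest: str, last_minor_of: dict[int, int] | None = None,
                      window: int = 3) -> list[tuple[int, int]]:
    """Minor releases that receive fixes when `latest` is current: the current
    minor and the `window - 1` before it (the policy the reply describes).
    Stepping back across a major boundary needs the previous major's final
    minor number, supplied in `last_minor_of` (e.g. {15: 11}); that mapping is
    an assumption taken from release history, not something the code knows."""
    major, minor, _ = parse_version(latest)
    out = [(major, minor)]
    while len(out) < window:
        major, minor = out[-1]
        if minor > 0:
            out.append((major, minor - 1))
        elif last_minor_of and (major - 1) in last_minor_of:
            out.append((major - 1, last_minor_of[major - 1]))
        else:
            break  # cannot step back further without release history
    return out


def is_maintained(running: str, latest: str,
                  last_minor_of: dict[int, int] | None = None) -> bool:
    """True if `running` is on a minor line still receiving fixes."""
    major, minor, _ = parse_version(running)
    return (major, minor) in maintained_minors(latest, last_minor_of)


if __name__ == "__main__":
    for bucket, ids in upgrade_delta(OLD_IMAGE_FINDINGS, NEW_IMAGE_FINDINGS).items():
        print(f"{bucket:>10}: {', '.join(sorted(ids)) or '-'}")
    for v in ("14.1.0", "15.5.2", "15.7.0"):
        print(f"{v} maintained while 15.7 is latest: {is_maintained(v, '15.7.0')}")
```

The point of the `unseen` bucket is the one the reply makes about scanners: a CVE that never shows up in either scan is not evidence of a fix, only evidence that this scanner and feed do not flag it, so the list to act on after an upgrade is `remaining` plus a re-scan against a current feed, not an assumption of zero findings.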

Thank you for the confirmation.