Question about CVSS 9.9 bug

unique · August 23, 2022, 10:37am

Regarding CVE-2022-2884

Ref: GitLab Critical Security Release: 15.3.1, 15.2.3, 15.1.5 | GitLab

I believe I read somewhere while gathering info on this that it is possible to stop the Github API service in Gitlab in order to temporarily mitigate the risk of this bug.

Can anyone confirm please?

iwalker · August 23, 2022, 1:05pm

The mitigation in the link mentions about disabling Github import. That’s how you do it.

Login using an administrator account to your GitLab installation and perform the following:
Click "Menu" -> "Admin".
Click "Settings" -> "General".
Expand the "Visibility and access controls" tab.
Under "Import sources" disable the "GitHub" option.
Click "Save changes".

dnsmichi · August 23, 2022, 1:20pm

Thanks! For transparency, the details were added to the blog post in this MR Add workaround to disable GitHub import for 15.3.1 release (!110094) · Merge requests · GitLab.com / www-gitlab-com · GitLab

unique · August 23, 2022, 2:35pm

Yes, those details were not in the blog post when I first wrote.

Thanks for helping @iwalker @dnsmichi + @stanhu too.