We found security vulnerabilities on the latest images

We have deployed Community Edition on our on-prem k8s cluster. We scanned the images that are used in the Helm chart with JFrog's Xray image scanner. We found several critical vulnerabilities. We have data to share, but we would like to share it privately and get your feedback.

Here is a critical vulnerability:

Issue id: XRAY-260010
CVEs: CVE-2022-32221
CVSS3 score: 9.8
Vulnerable Component: deb://debian:bullseye:curl:7.74.0-1.3+deb11u3
Summary: When doing HTTP(S) transfers, libcurl might erroneously use the read callback (CURLOPT_READFUNCTION) to ask for data to send, even when the CURLOPT_POSTFIELDS option has been set, if the same handle previously was used to issue a PUT request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the subsequent POST request. The problem exists in the logic for a reused handle when it is changed from a PUT to a POST.
Fixed versions: ≥ 7.74.0-1.3+deb11u5
Package type: debian
Severity: Critical
Published: 2022-10-28
Provider: JFrog
Impacted Artifact: docker://gitlab/gitlab-shell:v15.8.0
Path: klstg-docker-local/gitlab-shell/v15.8.0/
Impact Path:
  docker:/gitlab/gitlab-shell:v15.8.0
  generic://sha256:93526070b475176fc4ed1c11299023804e8fad8345e1bf7a56b0ce74514ff337/sha256__93526070b475176fc4ed1c11299023804e8fad8345e1bf7a56b0ce74514ff337.tar.gz
  deb://debian:bullseye:curl:7.74.0-1.3+deb11u3
Artifact Scan Time: 2023-02-01
References: (empty in the report)
Description: same text as the Summary above.
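The finding above is a distro package finding: Xray reports the installed Debian package version and the version that carries the fix. Whether an image is still affected is therefore a Debian version comparison, the same one `dpkg --compare-versions` performs. The script below is an added example from the editor, not code from the original post, from GitLab or from JFrog. It reimplements dpkg's version-ordering rules (epoch, upstream, revision; `~` sorts before everything, digit runs compare numerically) and re-checks a `deb://` component string against a `≥ version` fixed-versions field in the format shown in the report. The helper names (`parse_deb_component`, `parse_fixed_versions`, `triage`) are this example's own, and the assumption that the fixed-versions field is a comma-separated list of `≥ version` entries is taken from the single row shown here.

```python
"""Re-check one Xray 'deb://' finding against its listed fixed version.

Added example, not Xray/GitLab code. Implements the Debian version ordering
(epoch:upstream-revision, '~' sorts before anything, digit runs compare
numerically) so the result matches `dpkg --compare-versions`.
"""
from __future__ import annotations

# Constructed sample input: the curl row from the report above.
SAMPLE_COMPONENT = "deb://debian:bullseye:curl:7.74.0-1.3+deb11u3"
SAMPLE_FIXED = "≥ 7.74.0-1.3+deb11u5"


def _isdigit(c: str) -> bool:
    return "0" <= c <= "9"


def _order(c: str) -> int:
    """dpkg's weight for characters in non-digit runs: '~' < end-of-string < letters < others."""
    if c == "~":
        return -1
    if _isdigit(c):
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """Port of dpkg's verrevcmp(): alternate non-digit and digit runs. Negative means a < b."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character weights; a missing character weighs 0.
        while (i < len(a) and not _isdigit(a[i])) or (j < len(b) and not _isdigit(b[j])):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: drop leading zeros, then the longer run wins, else the first differing digit.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and _isdigit(a[i]) and j < len(b) and _isdigit(b[j]):
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and _isdigit(a[i]):
            return 1
        if j < len(b) and _isdigit(b[j]):
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(version: str) -> tuple[int, str, str]:
    """Split 'epoch:upstream-revision' into (epoch, upstream, revision); epoch and revision are optional."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, sep, revision = version.rpartition("-")
    if not sep:  # no Debian revision at all
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 like `dpkg --compare-versions a lt|eq|gt b`."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    r = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)


def parse_deb_component(component: str) -> tuple[str, str, str, str]:
    """'deb://distro:suite:package:version' -> (distro, suite, package, version).

    maxsplit=3 keeps an epoch colon inside the version intact (e.g. 'curl:1:7.74.0-1').
    """
    if not component.startswith("deb://"):
        raise ValueError(f"not a deb component: {component}")
    parts = component[len("deb://"):].split(":", 3)
    if len(parts) != 4:
        raise ValueError(f"malformed deb component: {component}")
    return parts[0], parts[1], parts[2], parts[3]


def parse_fixed_versions(field: str) -> list[str]:
    """Assumed report format: comma-separated entries like '≥ 7.74.0-1.3+deb11u5' or '[1.2.3]'."""
    versions = []
    for item in field.replace("[", "").replace("]", "").split(","):
        item = item.strip().lstrip("≥>=").strip()
        if item:
            versions.append(item)
    return versions


def triage(component: str, fixed_field: str) -> dict:
    """Decide whether the installed package already carries one of the listed fixes.

    Xray may list one fixed version per Debian branch; a stricter check would match
    the suite (bullseye -> +deb11uN) before comparing. Here any listed fix counts.
    """
    distro, suite, package, installed = parse_deb_component(component)
    fixes = parse_fixed_versions(fixed_field)
    fixed = any(compare_versions(installed, f) >= 0 for f in fixes)
    return {"distro": distro, "suite": suite, "package": package,
            "installed": installed, "fixed_versions": fixes, "fixed": fixed}


if __name__ == "__main__":
    print(triage(SAMPLE_COMPONENT, SAMPLE_FIXED))
```

For the row in the post this reports `fixed: False`, because `7.74.0-1.3+deb11u3` sorts below `7.74.0-1.3+deb11u5` in the Debian revision part; a rebuilt image carrying `deb11u5` or later would report `fixed: True`. Run over the exported sheet, this separates findings that a base-image refresh already closes from those that still need a new upstream package.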

Maybe try GitLab 15.8.1; it looks like you are running 15.8.0. 15.8.1 was released to address certain CVEs.

Hello @iwalker
Thanks for the suggestion. We updated all the images to 15.8.1.
The number of CVEs is reduced, but there are still 98 unique critical and high vulnerabilities.
We stored the report here: Gitlab CVEs 15.8.1.xlsx - Google Sheets
Thanks for your support. Let us know your comment on the report.

Well, I'm not a GitLab employee, so I cannot comment. I'm just a GitLab user and community member. 15.8.3 has been released; maybe that will address some of them. But basically all you can do is wait until GitLab releases a new version that fixes them. Alternatively, open an issue here: Issues · GitLab.org / GitLab · GitLab so that the devs can maybe look at it. Devs don't really visit the forum, since they concentrate on reported issues.