CVE-2022-2884 Overview
CVE-2022-2884 is a critical remote code execution (RCE) vulnerability affecting GitLab Community Edition (CE) and Enterprise Edition (EE). It exists in the Import from GitHub API endpoint and allows authenticated users to execute arbitrary code on vulnerable GitLab servers. The flaw stems from improper neutralization of user-controlled input before it reaches an OS command (CWE-78: OS Command Injection) in the GitHub import functionality, enabling attackers with valid credentials to compromise the underlying system.
Critical Impact
Authenticated attackers can achieve full remote code execution on GitLab servers, potentially compromising source code repositories, CI/CD pipelines, secrets, and the underlying infrastructure.
Affected Products
- GitLab Community Edition (CE) versions 11.3.4 up to, but not including, 15.1.5
- GitLab Enterprise Edition (EE) versions 11.3.4 up to, but not including, 15.1.5
- GitLab CE/EE versions 15.2 up to, but not including, 15.2.3
- GitLab CE/EE versions 15.3 up to, but not including, 15.3.1
Discovery Timeline
- 2022-10-17 - CVE-2022-2884 published to NVD
- 2025-05-14 - Last updated in NVD database
Technical Details for CVE-2022-2884
Vulnerability Analysis
This vulnerability is classified as an OS Command Injection flaw (CWE-78) that resides within GitLab's Import from GitHub API endpoint. The vulnerability allows authenticated users to inject malicious commands through the import functionality, which are then executed with the privileges of the GitLab application server.
The attack is network-accessible and requires only low-privilege authentication (a valid GitLab user account). No user interaction is required for exploitation. The scope is changed, meaning successful exploitation can affect resources beyond the vulnerable component itself, potentially compromising the entire GitLab infrastructure including connected CI/CD systems, container registries, and stored secrets.
Public exploit code is available through Packet Storm Security, and the vulnerability was initially reported through the HackerOne Bug Bounty Program.
Root Cause
The root cause of CVE-2022-2884 is improper input validation and sanitization in the GitHub import API endpoint. When processing import requests from GitHub, the application fails to adequately validate and sanitize user-controlled input before passing it to system command execution functions. This allows specially crafted input to break out of the intended context and execute arbitrary OS commands on the server.
Attack Vector
The attack vector is network-based, requiring an authenticated user to send specially crafted requests to the Import from GitHub API endpoint. The attacker must have valid credentials for a GitLab account with permissions to create projects and use the import functionality.
The exploitation flow involves:
- Authenticating to the GitLab instance with valid user credentials
- Crafting a malicious import request targeting the GitHub import API
- Injecting OS commands through vulnerable input parameters
- The injected commands then executing with the privileges of the GitLab application server
Detailed technical information and proof-of-concept exploit code can be found in the Packet Storm RCE Exploit and the GitLab Issue Discussion.
Detection Methods for CVE-2022-2884
Indicators of Compromise
- Unusual or unexpected GitHub import API requests, particularly those with malformed or suspicious parameters
- Unexpected processes spawned by GitLab application processes (Puma/Unicorn workers)
- Suspicious outbound network connections originating from GitLab server processes
- Anomalous file system modifications in GitLab installation directories
- Unexpected user or project creation activity correlated with import operations
Detection Strategies
- Monitor GitLab application logs for unusual Import from GitHub API activity, especially failed or malformed requests
- Implement network-level monitoring for connections to GitLab's import API endpoints with suspicious payloads
- Deploy endpoint detection and response (EDR) solutions to identify command injection patterns and unusual process execution chains
- Review audit logs for import operations performed by unexpected users or at unusual times
- Configure web application firewall (WAF) rules to detect command injection attempts in API requests
Monitoring Recommendations
- Enable verbose logging for GitLab import operations and centralize logs for analysis
- Set up alerts for process execution anomalies on GitLab servers, particularly shell spawning from application processes
- Monitor for unauthorized access to sensitive files such as /etc/passwd, GitLab secrets, and configuration files
- Track outbound connections from GitLab servers to unknown or suspicious IP addresses
- Implement file integrity monitoring on critical GitLab directories and configuration files
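As an added example for the log-monitoring items in Detection Strategies and Monitoring Recommendations above (not code from the advisory or from GitLab), the following sweeps api_json.log records for POST requests to the GitHub import endpoint whose parameter values carry shell metacharacters, whichever parameter the injection used. The sample log lines are constructed in the shape of GitLab's api_json.log (one JSON object per line, params as key/value pairs); that layout and the metacharacter list are assumptions, and the GitHub token parameter is skipped rather than inspected.

```python
import json
import re

# The GitHub import API endpoint named in the advisory.
IMPORT_GITHUB_PATH = "/api/v4/import/github"

# Shell metacharacters that never belong in a repository id, project name or
# namespace (assumption: legitimate imports carry plain identifiers only).
SHELL_META = re.compile(r"[;&|`$<>\n\\]")

# Constructed sample in the shape of GitLab's api_json.log (one JSON object per
# line; "params" as a list of key/value pairs); not real log data.
SAMPLE_LOG = """
{"time":"2022-08-20T10:01:02Z","method":"POST","path":"/api/v4/import/github","status":201,"username":"alice","remote_ip":"10.0.0.5","params":[{"key":"repo_id","value":"123456"},{"key":"new_name","value":"billing-service"},{"key":"personal_access_token","value":"[FILTERED]"}]}
{"time":"2022-08-20T10:03:44Z","method":"POST","path":"/api/v4/import/github","status":201,"username":"mallory","remote_ip":"203.0.113.9","params":[{"key":"repo_id","value":"123456"},{"key":"new_name","value":"repo;id"},{"key":"personal_access_token","value":"[FILTERED]"}]}
{"time":"2022-08-20T10:04:00Z","method":"GET","path":"/api/v4/projects","status":200,"username":"alice","remote_ip":"10.0.0.5","params":[]}
"""


def iter_records(lines):
    """Yield parsed JSON records, skipping blank or malformed lines."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue  # a corrupt line must not stop the sweep


def find_suspicious_imports(lines):
    """Return (username, remote_ip, param, value, status) for each GitHub import
    request carrying shell metacharacters in any parameter value."""
    hits = []
    for rec in iter_records(lines):
        if rec.get("method") != "POST" or rec.get("path") != IMPORT_GITHUB_PATH:
            continue
        for p in rec.get("params", []):
            key, value = p.get("key", "?"), p.get("value")
            if key == "personal_access_token" or not isinstance(value, str):
                continue  # never inspect or echo the user's GitHub token
            if SHELL_META.search(value):
                hits.append((rec.get("username"), rec.get("remote_ip"),
                             key, value, rec.get("status")))
    return hits
```

Feed it the lines of /var/log/gitlab/gitlab-rails/api_json.log (or the centralized copy) and route each returned tuple to your alerting; any hit on a patched instance still deserves a look at that account's other activity.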
How to Mitigate CVE-2022-2884
Immediate Actions Required
- Upgrade GitLab CE/EE immediately to 15.1.5, 15.2.3, or 15.3.1 (or a later release on the same branch)
- If immediate patching is not possible, disable the GitHub import feature through GitLab administration settings
- Review audit logs for any suspicious import activity that may indicate prior exploitation
- Restrict network access to GitLab instances to trusted networks only
- Audit user accounts and remove unnecessary privileges, particularly import permissions
Patch Information
GitLab has released security patches addressing CVE-2022-2884 in the following versions:
- GitLab 15.1.5 for the 15.1.x branch
- GitLab 15.2.3 for the 15.2.x branch
- GitLab 15.3.1 for the 15.3.x branch
Organizations should upgrade to the latest patched version appropriate for their deployment. Detailed patch information is available in the GitLab CVE Definition.
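As an added check (not from the advisory or from GitLab), the affected and fixed versions listed above turned into a small version test, so a fleet of instances can be triaged from the version string each one reports (for example "15.2.1-ee", as returned by GitLab's /api/v4/version endpoint). The range boundaries are taken from this advisory; the edition suffix handling is an assumption.

```python
# Affected ranges taken from this advisory: a version is vulnerable when
# first_affected <= version < first_fixed (the fixed release itself is safe).
AFFECTED_RANGES = [
    ((11, 3, 4), (15, 1, 5)),
    ((15, 2, 0), (15, 2, 3)),
    ((15, 3, 0), (15, 3, 1)),
]


def parse_version(text):
    """Turn a GitLab version string such as '15.2.1-ee' into (major, minor, patch).
    The '-ee'/'-ce' edition suffix is dropped; both editions are affected alike."""
    core = text.strip().split("-", 1)[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError("unrecognised GitLab version: %r" % text)
    return tuple(int(p) for p in parts)


def is_vulnerable(text):
    """True when the version falls inside one of the affected ranges."""
    version = parse_version(text)
    return any(low <= version < high for low, high in AFFECTED_RANGES)


def recommended_fix(text):
    """First patched release on the same branch, or None if not affected."""
    version = parse_version(text)
    for low, high in AFFECTED_RANGES:
        if low <= version < high:
            return ".".join(str(n) for n in high)
    return None
```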
Workarounds
- Disable the Import from GitHub feature in GitLab Admin settings until patching is complete
- Restrict API access by implementing network-level controls or API gateway policies to limit access to the import endpoints
- Implement additional authentication requirements for import operations, such as requiring admin approval
- Use GitLab's built-in rate limiting to reduce the potential for automated exploitation attempts
- Segment GitLab servers from critical infrastructure to limit lateral movement in case of compromise
# Temporary workaround: disable the GitHub import feature from the GitLab Rails console
# (the supported administrative route is Admin Area > Settings > General > Import sources)
# 1. On the GitLab host, open the Rails console
sudo gitlab-rails console
# 2. Inside the console (Ruby), disable the import feature
#    Flag name as given in this advisory; confirm it against your GitLab version before relying on it
Feature.disable(:import_github)
# 3. Verify the feature is disabled
Feature.enabled?(:import_github)
# Should return: false
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.