
The libxml2 module contained in several components of GitLab version 14.9.x is vulnerable to out-of-bounds memory writes, as described in https://security-tracker.debian.org/tracker/CVE-2022-29824. GitLab does not seem to be patching it or mitigating the risk in the latest stable version 14.10.x. Actually, I cannot even find any article on the internet about this problem in relation to GitLab.

Does anyone know why? Is it because it just does not affect GitLab?

I am using the self-managed version of GitLab.

duyhung
    If you think this should be fixed, please contact GitLab security department via email security@gitlab.com – Tony Yip May 12 '22 at 06:29
  • `Exploitation requires a victim to open a crafted, multi-gigabyte XML file` my guess is that GitLab does not use libxml2 to process large XML files (like junit reports), as files of this size are generally rejected by NGINX/Workhorse to begin with. – sytech May 12 '22 at 16:34

0 Answers