Most are resolved by upgrading to versions 14.1.7, 14.2.5, or 14.3.1.
Approximately 30 vulnerabilities affecting the Git repository manager and DevOps platform GitLab have been disclosed over the last 24 hours. Most appear to be the public disclosures of the vulnerabilities addressed in this official patch advisory from the 30th of September.
Those considering an upgrade to 14.3.1 should note that a 14.3.2 patch release followed the next day, which “resolves a number of regressions and bugs in the 14.3 release”, indicating that 14.3.1 may have issues of its own.
Below is a brief summary of the four “high” rated vulnerabilities recorded on the National Vulnerability Database (NVD). The first three are listed in the advisory; the fourth appears to have been patched recently as well.
CVE-2021-39877 – An attacker can cause uncontrolled resource consumption (a denial of service) with a specially crafted file.
Though the impacted versions and mitigations vary by CVE, most CVEs are resolved by upgrading to 14.1.7, 14.2.5 or 14.3.1.
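Because the fix lands on three separate release lines, “am I patched?” is a per-line comparison rather than a single version threshold. The following helper is an added example written for this summary, not code from GitLab or the advisory: it parses a GitLab version string (the format returned by the instance's version API or `gitlab-rake gitlab:env:info`) and reports whether it is at or above the fixed version for its 14.x line. The version strings fed to it at the bottom are constructed for illustration, and the treatment of lines newer than 14.3 as already containing the fixes is an assumption about GitLab's release practice rather than something the advisory states.

```python
from typing import Optional, Tuple

# Fixed versions from the GitLab advisory summarised above: 14.1.7, 14.2.5, 14.3.1.
FIXED_VERSIONS = {
    (14, 1): (14, 1, 7),
    (14, 2): (14, 2, 5),
    (14, 3): (14, 3, 1),
}


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse a GitLab version string such as '14.2.3' or '14.2.3-ee' into a tuple.

    Edition suffixes ('-ee', '-ce') and pre-release tags are stripped, since the
    advisory applies to both CE and EE. Anything that is not MAJOR.MINOR.PATCH is
    rejected rather than guessed at.
    """
    core = version.strip().split("-", 1)[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version string: {version!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def patched_status(version: str) -> Tuple[bool, Optional[str]]:
    """Return (is_patched, recommended_upgrade) for the running version.

    recommended_upgrade is None when no action is needed, otherwise the fixed
    version on the nearest line the advisory actually patched.
    """
    v = parse_version(version)
    line = (v[0], v[1])
    newest_line = max(FIXED_VERSIONS)

    if line in FIXED_VERSIONS:
        fixed = FIXED_VERSIONS[line]
        if v >= fixed:
            return True, None
        # Same line, older patch level: the in-line patch release is the smallest upgrade.
        return False, "%d.%d.%d" % fixed

    if line > newest_line:
        # Assumption (not stated in the advisory): lines released after 14.3 carry the fixes.
        return True, None

    # 14.0 and earlier received no patch in this advisory; move to the newest fixed line.
    return False, "%d.%d.%d" % FIXED_VERSIONS[newest_line]


if __name__ == "__main__":
    # Constructed sample inputs, covering each branch of the check.
    for sample in ("14.2.4-ee", "14.2.5", "14.3.0", "14.3.2", "14.0.9", "14.4.0"):
        patched, upgrade = patched_status(sample)
        action = "no action" if patched else f"upgrade to {upgrade}"
        print(f"{sample:12s} patched={patched!s:5s} {action}")
```

The comparison is done on integer tuples rather than strings so that a future `14.2.10` sorts after `14.2.5`; a naive string compare would get that wrong. Versions below 14.1 are flagged as unpatched and pointed at 14.3.1 because the advisory shipped no fix for those lines, which is exactly the “impacted versions vary by CVE” caveat above.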
Please consult the GitLab advisory and specific CVEs for more details, including impacted versions.