CVE-2018-14364

high-risk
Published 2018-07-18

GitLab Community and Enterprise Edition before 10.7.7, 10.8.x before 10.8.6, and 11.x before 11.0.4 allows Directory Traversal with write access and resultant remote code execution via the GitLab projects import component.

Do I need to act?

!
39.7% chance of exploitation in next 30 days
EPSS score — higher than 60% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
+
Fix available
Upgrade to: ba3d9cf06aa7f2e77362ec32dd43f04ae1c6608c, ba3d9cf06aa7f2e77362ec32dd43f04ae1c6608c, 6b5c78f6ca15386fd084425daaefb299412c9adc, 6b5c78f6ca15386fd084425daaefb299412c9adc, 3350cd6004d8e80c55af990a1b5ccd60a6bf5350, 3350cd6004d8e80c55af990a1b5ccd60a6bf5350
9
CVSS 9.8/10 Critical
NETWORK / LOW complexity

Affected Products (2)

Affected Vendors

Gitlab

References (6)

Vendor Advisory https://about.gitlab.com/2018/07/17/critical-security-release-gitlab-11-dot-0-do...
Exploit https://gitlab.com/gitlab-org/gitlab-ce/issues/49133
Exploit https://hackerone.com/reports/378148
Vendor Advisory https://about.gitlab.com/2018/07/17/critical-security-release-gitlab-11-dot-0-do...
Exploit https://gitlab.com/gitlab-org/gitlab-ce/issues/49133
Exploit https://hackerone.com/reports/378148
56
/ 100
high-risk
Severity 32/34 · Critical
Exploitability 17/34 · Moderate
Exposure 7/34 · Low