Notice for GitKraken users with GitLab

Oct 11, 2021 · 1 min read · Leave a comment
Tanuki GitLab profile

We’re sharing details on a vulnerability found with the Axosoft GitKraken software. Axosoft found a defect in the key gen package used by GitKraken versions 7.6.0 to 8.0.0 that could generate weak or duplicate SSH keys. This could enable an attacker to gain unauthorized access to an account or repositories on GitLab.com or a self-managed instance.

Based on our investigations to date, there is no indication that GitLab.com or any projects on GitLab.com that use the GitKraken tool have been impacted by this vulnerability.

Who is affected?

This vulnerability affects GitKraken users who created SSH keys using GitKraken releases from May 12, 2021 (7.6.0) to the week of September 27, 2021 (8.0.0).

GitKraken 8.0.1, released on September 28, 2021, fixes the bug.

Action we have taken

If affected, action you need to take

If you used a version of GitKraken prior to 8.0.1 to generate SSH keys, we highly recommend that you take the following actions:

Self-managed customers:

  1. Revoke the SSH keys immediately. For additional instructions, see: https://docs.gitlab.com/ee/user/admin_area/credentials_inventory.html#delete-a-users-ssh-key

  2. Update GitKraken to the latest version: https://support.gitkraken.com/release-notes/current/

  3. Generate new SSH keys: https://support.gitkraken.com/integrations/gitlab/#generating-an-ssh-key-for-gitlab

GitLab.com customers:

  1. Update GitKraken to the latest version: https://support.gitkraken.com/release-notes/current/

  2. Generate new SSH keys: https://support.gitkraken.com/integrations/gitlab/#generating-an-ssh-key-for-gitlab

More information can be found in Axosoft’s disclosure: https://www.gitkraken.com/blog/weak-ssh-key-fix and in CVE-2021-41117.

For questions or concerns regarding GitKraken or its use with GitLab, please contact Axosoft (support@gitkraken.com). For questions concerning your GitLab account, please contact our Support department.

“If you are using Axosoft’s GitKraken software with GitLab, upgrade immediately to 8.0.1 or later and update your SSH keys. Get more details in this blog post.” – GitLab

Click to tweet

Try all GitLab features - free for 30 days

GitLab is more than just source code management or CI/CD. It is a full software development lifecycle & DevOps tool in a single application.

Try GitLab Free
Git is a trademark of Software Freedom Conservancy and our use of 'GitLab' is under license