We want to share the actions we’ve taken in response to the critical Spring remote code execution vulnerabilities (CVE-2022-22965 and CVE-2022-22963). Upon becoming aware of the vulnerabilities, we immediately mobilized our Security and Engineering teams to determine usage of this software component and its potential impact within our product, across our company, and within our third-party software landscapes.
At this time, no malicious activity, exploitation, or indicators of compromise have been identified on GitLab.com. Further, our product packaged Java components for both GitLab.com and self-managed instances do not use vulnerable Spring components, and thus are not vulnerable.
Our teams are continuing to investigate and monitor this issue to help protect our products and customers. We will update this blog post and notify users via a GitLab security alert with any future, related updates.
More information
- If you've got a security question or concern, review how to contact our Support team.
- Subscribe to our security alerts mailing list (you’ll receive important security alerts and notifications via email).
- For our recommended security practices for GitLab users, see our “Security hygiene best practices” blog post.
- If you are an administrator of your own self-managed GitLab instance, consider reading our secure configuration advice.
