Blog Security Updates regarding Spring remote code execution vulnerabilities CVE-2022-22965 and CVE-2022-22963
Published on: April 7, 2022
1 min read

Updates regarding Spring remote code execution vulnerabilities CVE-2022-22965 and CVE-2022-22963

Actions we've taken to investigate the Spring RCE vulnerabilities.

security-cover.png

We want to share the actions we’ve taken in response to the critical Spring remote code execution vulnerabilities (CVE-2022-22965 and CVE-2022-22963). Upon becoming aware of the vulnerabilities, we immediately mobilized our Security and Engineering teams to determine usage of this software component and its potential impact within our product, across our company, and within our third-party software landscapes.

At this time, no malicious activity, exploitation, or indicators of compromise have been identified on GitLab.com. Further, our product packaged Java components for both GitLab.com and self-managed instances do not use vulnerable Spring components, and thus are not vulnerable.

Our teams are continuing to investigate and monitor this issue to help protect our products and customers. We will update this blog post and notify users via a GitLab security alert with any future, related updates.

More information

We want to hear from you

Enjoyed reading this blog post or have questions or feedback? Share your thoughts by creating a new topic in the GitLab community forum. Share your feedback

Ready to get started?

See what your team could do with a unified DevSecOps Platform.

Get free trial

Find out which plan works best for your team

Learn about pricing

Learn about what GitLab can do for your team

Talk to an expert