We want to share the actions we’ve taken in response to the critical Rubygems ‘Unauthorized gem takeover for some gems’ vulnerability (CVE-2022-29176). Upon becoming aware of the vulnerability within Rubygems.org, we immediately began our investigation and contacted Rubygems who quickly patched the vulnerability. Our Security team tested the usage of gems within our product and across our company and found gems within GitLab from Rubygems.org were no longer vulnerable.
At this time, no malicious activity, exploitation, or indicators of compromise have been identified within GitLab.com and customer data. Further, our team’s review of gems used in the GitLab product showed no indication of compromise or integrity violations.
There is no action needed by GitLab.com or self-managed users.
Our teams are continuing to investigate and monitor this issue to help protect our products and customers. We will update this blog post and notify users via a GitLab security alert with any future, related updates.
- For more information about this vulnerability, see the Rubygems.org security advisory: https://github.com/rubygems/rubygems.org/security/advisories/GHSA-hccv-rwq6-vh79.
- If you've got a security question or concern, review how to contact our Support team.
- Subscribe to our security alerts mailing list (you’ll receive important security alerts and notifications via email).
- For our recommended security practices for GitLab users, see our “Security hygiene best practices” blog post.
- If you are an administrator of your own self-managed GitLab instance, consider reading our secure configuration advice.