RULE(RULE ID:321618)

Rule General Information
Release Date: 2018-12-18
Rule Name: GitLab Wiki API Attachments Command Injection Vulnerability(CVE-2018-18649)
Severity:
CVE ID: CVE-2018-18649
Rule Protection Details
Description: An issue was discovered in the wiki API in GitLab Community and Enterprise Edition before 11.2.7, 11.3.x before 11.3.8, and 11.4.x before 11.4.3. It allows for remote code execution. The vulnerability is due to improper validation of parameters when uploading files (attachments) to the wiki repository via the wiki API.
Impact: A remote, authenticated attacker can exploit the vulnerability by sending a crafted upload request to the target server. Successful exploitation results in the execution of arbitrary commands in the context of the vulnerable software, i.e. as the git user.
Affected OS: Network Device, Solaris, FreeBSD, Windows, Mac OS, iOS, Other Unix, Linux, Others, Android
Reference: https://about.gitlab.com/2018/10/29/security-release-gitlab-11-dot-4-dot-3-released/
https://gitlab.com/gitlab-org/gitlab-ce/issues/53072
Solutions
Upgrading to version 11.2.7, 11.3.8 or 11.4.3 (or a later release on the corresponding branch) eliminates this vulnerability.
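The following check is an added example for this page; it is not part of the rule page or of GitLab's own code. It encodes the affected ranges stated in the Description (before 11.2.7, 11.3.x before 11.3.8, 11.4.x before 11.4.3) and the fixed releases named in Solutions, so that an inventory of GitLab version strings can be triaged offline. The host names and version strings in the sample inventory are constructed for illustration.

```python
"""Affected-version check for CVE-2018-18649 (GitLab wiki API RCE).

Constructed example, not GitLab or vendor code. Ranges come from the advisory text:
affected if < 11.2.7, or 11.3.x < 11.3.8, or 11.4.x < 11.4.3. CE and EE alike.
"""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Fixed releases named in the Solutions section, keyed by minor branch.
FIXED_BY_BRANCH: Dict[Tuple[int, int], Version] = {
    (11, 3): (11, 3, 8),
    (11, 4): (11, 4, 3),
}
# Any branch older than 11.3 is only fixed from 11.2.7 upwards.
FIXED_BASELINE: Version = (11, 2, 7)

# Accepts "11.4.2", "11.4.2-ee", "v11.3.7"; ignores any trailing suffix.
_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)", re.IGNORECASE)


def parse_version(s: str) -> Version:
    """Parse a GitLab version string into a comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.match(s)
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {s!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3))


def is_vulnerable(version: str) -> bool:
    """True if the version falls inside one of the advisory's affected ranges."""
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED_BY_BRANCH:
        return v < FIXED_BY_BRANCH[branch]
    if branch < (11, 3):
        # 11.2.x and every older branch: affected below 11.2.7.
        return v < FIXED_BASELINE
    # 11.5 and newer shipped after the fix and are outside the stated ranges.
    return False


def recommended_fix(version: str) -> str:
    """Smallest fixed release on the same branch (11.2.7 for older branches)."""
    v = parse_version(version)
    target = FIXED_BY_BRANCH.get(v[:2], FIXED_BASELINE)
    return ".".join(str(x) for x in target)


def triage(inventory: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (host, version, fix) for every vulnerable host, sorted by host."""
    hits = []
    for host, version in sorted(inventory.items()):
        if is_vulnerable(version):
            hits.append((host, version, recommended_fix(version)))
    return hits


# Constructed sample inventory: host -> version reported by /api/v4/version.
SAMPLE_INVENTORY = {
    "git-prod-01": "11.4.2-ee",
    "git-prod-02": "11.4.3-ee",
    "git-dev-01": "11.3.7",
    "git-legacy": "10.8.4",
    "git-new": "11.5.0",
}

if __name__ == "__main__":
    for host, version, fix in triage(SAMPLE_INVENTORY):
        print(f"{host}: {version} vulnerable, upgrade to >= {fix}")
```

Because the advisory's first range is an open-ended "before 11.2.7", any branch older than 11.3 (including 10.x) is treated as affected until patched; versions from 11.5 onward are outside the stated ranges and reported as not affected.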