CVE-2018-14364
published 2018-07-18


Priority: P2 70 critical
CVSS 3.0: 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 50.08% (98.8th percentile)
GitLab Community and Enterprise Edition before 10.7.7, 10.8.x before 10.8.6, and 11.x before 11.0.4 allows Directory Traversal with write access and resultant remote code execution via the GitLab projects import component.

Affected

5 ranges

Vendor   Product   Version range                    Fixed in
debian   gitlab    < gitlab 10.7.7+dfsg-2 (sid)     gitlab 10.7.7+dfsg-2 (sid)
gitlab   gitlab    < 10.7.7                         10.7.7
gitlab   gitlab    (no range given)                 (not given)
gitlab   gitlab    >= 10.8.0 < 10.8.6               10.8.6
gitlab   gitlab    >= 11.0 < 11.0.4                 11.0.4

Detection & IOCs (extracted from sources)

  • Vulnerability is exploited via the GitLab projects import component, allowing directory traversal with write access leading to remote code execution. Monitor for suspicious file writes outside expected project directories triggered by import operations.
  • Affected versions are GitLab Community and Enterprise Edition before 10.7.7, 10.8.x before 10.8.6, and 11.x before 11.0.4. Ensure instances are patched to these fixed versions or later.
  • The Debian sid package resolved the issue in version 10.7.7+dfsg-2. Verify Debian-based deployments are running this package version or newer.

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.0      9.8     CRITICAL   CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd             v2.0      7.5     HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P
vendor_debian             9.8     CRITICAL