CVE-2013-4489

Name of the Vulnerable Software and Affected Versions GitLab versions 5.2 through 5.4.1 GitLab versions 6.x through 6.2.3

Description The issue allows remote authenticated users to execute arbitrary commands. This is demonstrated by the search box for the GitLab code search feature. The problem is caused by a flaw in the app/contexts/search context.rb script, where input passed via the code search box is not properly sanitized, allowing strings to be evaluated by the shell.

Recommendations For GitLab versions 5.2 through 5.4.1, update to version 5.4.1 or later. For GitLab versions 6.x through 6.2.3, update to version 6.2.3 or later. As a temporary workaround, consider restricting access to the code search feature until a patch is available. Avoid using the code search box with unsanitized input until the issue is resolved.