Arch Linux Security Advisory ASA-202104-1
=========================================

Severity: Critical
Date    : 2021-04-29
CVE-ID  : CVE-2021-22205 CVE-2021-28965
Package : gitlab
Type    : multiple issues
Remote  : Yes
Link    :

Summary
=======

The package gitlab before version 13.10.3-1 is vulnerable to multiple
issues including arbitrary code execution and incorrect calculation.

Resolution
==========

Upgrade to 13.10.3-1.

# pacman -Syu "gitlab>=13.10.3-1"

The problems have been fixed upstream in version 13.10.3.

Description
===========

- CVE-2021-22205 (arbitrary code execution)

An issue has been discovered in GitLab CE/EE affecting all versions
starting from 11.9. GitLab was not properly validating image files that
were passed to a file parser, which resulted in remote command
execution. The issue is fixed in GitLab versions 13.10.3, 13.9.6 and

- CVE-2021-28965 (incorrect calculation)

When parsing and serializing a crafted XML document, the REXML gem
(including the one bundled with Ruby) can create a wrong XML document
whose structure is different from the original one. The impact of this
issue highly depends on context, but it may lead to a vulnerability in
some programs that are using REXML. The issue is fixed in version 3.2.5
of the REXML gem.
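The Ruby snippet below is an added example and is not part of this advisory, of GitLab or of the REXML gem. It shows two checks an operator can run against the flaw described for CVE-2021-28965: comparing the REXML version that is actually loaded against the fixed release 3.2.5 named above, and a parse-serialize-reparse round trip that flags a document whose structure changes on serialization. The sample document, the helper names and the structural comparison are assumptions made for the example.

```ruby
# Added example (not part of the advisory, GitLab or the REXML gem):
# defensive checks around the REXML round-trip flaw (CVE-2021-28965).
require 'rexml/document'

# Version of the REXML gem that carries the upstream fix (from the advisory).
FIXED_REXML_VERSION = Gem::Version.new('3.2.5')

# Constructed sample document used for the self-test below.
SAMPLE_XML = <<~XML
  <config>
    <user name="alice" role="admin"/>
    <note>hello &amp; welcome</note>
  </config>
XML

# True when the REXML that is actually loaded is at or above the fixed version.
def rexml_fixed?(version_string = REXML::VERSION)
  Gem::Version.new(version_string) >= FIXED_REXML_VERSION
end

# Reduce a node to [name, attributes, children] (or plain text) so two parses
# can be compared independently of indentation and attribute order.
# Whitespace-only text, comments and processing instructions are dropped.
def structure_of(node)
  case node
  when REXML::Document          # Document is an Element subclass: test it first
    structure_of(node.root)
  when REXML::Element
    attrs = {}
    node.attributes.each { |name, value| attrs[name] = value }
    children = node.children.map { |child| structure_of(child) }.compact
    [node.expanded_name, attrs.sort.to_h, children]
  when REXML::Text
    text = node.value.strip
    text.empty? ? nil : text
  end
end

# Parse, serialize, re-parse, and return whether the structure survived the
# round trip. A false result is the symptom the advisory describes.
def round_trip_stable?(xml)
  original = REXML::Document.new(xml)
  serialized = String.new
  original.write(serialized)
  reparsed = REXML::Document.new(serialized)
  structure_of(original) == structure_of(reparsed)
end

if $PROGRAM_NAME == __FILE__
  puts "REXML #{REXML::VERSION} at or above 3.2.5: #{rexml_fixed?}"
  puts "round trip stable: #{round_trip_stable?(SAMPLE_XML)}"
end
```

The version check is the authoritative one: a round trip that happens to be stable for one document says nothing about other inputs, so it is useful as a regression probe on documents an application actually handles, not as a substitute for upgrading.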

Impact
======

An attacker can crash or execute arbitrary code on the affected server
by providing a maliciously crafted XML or image file.