===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.3250
       GitLab Critical Security Release: 15.1.1, 15.0.4, and 14.10.5
                                4 July 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           GitLab Community Edition (CE)
                   GitLab Enterprise Edition (EE)
Publisher:         Gitlab
Operating System:  Windows
                   Linux variants
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-2281 CVE-2022-2270 CVE-2022-2250
                   CVE-2022-2244 CVE-2022-2243 CVE-2022-2235
                   CVE-2022-2230 CVE-2022-2229 CVE-2022-2228
                   CVE-2022-2227 CVE-2022-2185 CVE-2022-1999
                   CVE-2022-1983 CVE-2022-1981 CVE-2022-1963
                   CVE-2022-1954  

Original Bulletin: 
   https://about.gitlab.com/releases/2022/06/30/critical-security-release-gitlab-15-1-1-released/

Comment: CVSS (Max):  9.9 CVE-2022-2185 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
         CVSS Source: GitLab
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

GitLab Critical Security Release: 15.1.1, 15.0.4, and 14.10.5


Today we are releasing versions 15.1.1, 15.0.4, and 14.10.5 for GitLab
Community Edition (CE) and Enterprise Edition (EE). Please note, this critical
release will also serve as our monthly security release for June.

These versions contain important security fixes, and we strongly recommend that
all GitLab installations be upgraded to one of these versions immediately.
GitLab.com is already running the patched version.

GitLab releases patches for vulnerabilities in dedicated security releases.
There are two types of security releases: a monthly, scheduled security
release, released a week after the feature release (which deploys on the 22nd
of each month), and ad-hoc security releases for critical vulnerabilities. For
more information, you can visit our security FAQ. You can see all of our
regular and security release blog posts here. In addition, the issues detailing
each vulnerability are made public on our issue tracker 30 days after the
release in which they were patched.

We are dedicated to ensuring all aspects of GitLab that are exposed to
customers or that host customer data are held to the highest security
standards. As part of maintaining good security hygiene, it is highly
recommended that all customers upgrade to the latest security release for their
supported version. You can read more best practices in securing your GitLab
instance in our blog post.

Recommended Action

We strongly recommend that all installations running a version affected by the
issues described below are upgraded to the latest version as soon as possible.

When no specific deployment type (omnibus, source code, helm chart, etc.) of a
product is mentioned, this means all types are affected.

Table of Fixes

Severity   Title
critical   Remote Command Execution via Project Imports
high       XSS in ZenTao integration affecting self hosted instances without strict CSP
high       XSS in project settings page
high       Unallowed users can read unprotected CI variables
medium     IP allow-list bypass to access Container Registries
medium     2FA status is disclosed to unauthenticated users
medium     Restrict membership by email domain bypass
medium     IDOR in sentry issues
medium     Reporters can manage issues in error tracking
medium     CI variables provided to runners outside of a group's restricted IP range
medium     Regular Expression Denial of Service via malicious web server responses
low        Unauthorized read for conan repository
low        Open redirect vulnerability
low        Group labels are editable through subproject
low        Release titles visible for any users if group milestones are associated with any project releases
medium     Job information is leaked to users who previously were maintainers via the Runner Jobs API endpoint

Remote Command Execution via Project Imports

A critical issue has been discovered in GitLab affecting all versions starting
from 14.0 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1
where an authorised user could import a maliciously crafted project leading to
remote code execution. This is a critical severity issue (CVSS:3.1/AV:N/AC:L/
PR:L/UI:N/S:C/C:H/I:H/A:H, 9.9). It is now mitigated in the latest release and
is assigned CVE-2022-2185.

Thanks vakzz for reporting this vulnerability through our HackerOne bug bounty
program.
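A check that tells an administrator whether a running instance falls inside the affected ranges quoted above for CVE-2022-2185 and which release closes the gap on its branch. This is an added example, not part of the GitLab advisory or the AusCERT bulletin; the version string is assumed to come from the instance (for example the /api/v4/version API or `gitlab-rake gitlab:env:info`) and is supplied here as constructed input, and the same function covers the other entries in this release if their ranges are passed in.

```python
"""Affected-version check for the ranges given in this GitLab release.

Added example (not GitLab's or AusCERT's code). Ranges are taken from the
advisory text for CVE-2022-2185: "14.0 prior to 14.10.5, 15.0 prior to
15.0.4, and 15.1 prior to 15.1.1". Version strings are constructed samples.
"""
import re

# (first affected, first fixed) per stable branch; half-open intervals.
AFFECTED_RANGES_CVE_2022_2185 = [
    ("14.0.0", "14.10.5"),
    ("15.0.0", "15.0.4"),
    ("15.1.0", "15.1.1"),
]


def parse_version(text):
    """Return (major, minor, patch) from strings like '15.0.3-ee' or 'v14.10.4'."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    return tuple(int(x or 0) for x in m.groups())


def recommended_fix(version, ranges=AFFECTED_RANGES_CVE_2022_2185):
    """Return the first fixed release on the instance's branch, or None.

    A version outside every listed range (already patched, or on a branch the
    advisory does not name) returns None. Suffixes such as '-ee' are ignored.
    """
    v = parse_version(version)
    for first_affected, first_fixed in ranges:
        if parse_version(first_affected) <= v < parse_version(first_fixed):
            return first_fixed
    return None


def is_affected(version, ranges=AFFECTED_RANGES_CVE_2022_2185):
    """True when the version lies in any affected range."""
    return recommended_fix(version, ranges) is not None


if __name__ == "__main__":
    # Constructed sample inputs, one per branch plus two already-patched values.
    for sample in ("14.10.4-ce", "15.0.3-ee", "15.1.0", "15.0.4", "15.2.0"):
        fix = recommended_fix(sample)
        state = f"affected, upgrade to {fix}" if fix else "not in an affected range"
        print(f"{sample:12} {state}")
```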

XSS in ZenTao integration affecting self hosted instances without strict CSP

Insufficient sanitization in GitLab EE's external issue tracker affecting all
versions from 14.5 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to
15.1.1 allows an attacker to perform cross-site scripting when a victim clicks
on a maliciously crafted ZenTao link. This is a high severity issue (CVSS:3.1/
AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N, 8.7). It is now mitigated in the latest
release and is assigned CVE-2022-2235.

Thanks joaxcar for reporting this vulnerability through our HackerOne bug
bounty program.

XSS in project settings page

A Stored Cross-Site Scripting vulnerability in the project settings page in
GitLab CE/EE affecting all versions from 14.4 prior to 14.10.5, 15.0 prior to
15.0.4, and 15.1 prior to 15.1.1, allows an attacker to execute arbitrary
JavaScript code in GitLab on a victim's behalf. This is a high severity issue
(CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N, 8.1). It is now mitigated in the
latest release and is assigned CVE-2022-2230.

Thanks yvvdwf for reporting this vulnerability through our HackerOne bug bounty
program.

Unallowed users can read unprotected CI variables

An improper authorization issue in GitLab CE/EE affecting all versions from
13.7 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1 allows an
attacker to extract the value of an unprotected variable they know the name of
in public projects or private projects they're a member of. This is a high
severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, 7.5). It is now
mitigated in the latest release and is assigned CVE-2022-2229.

Thanks shell3c for reporting this vulnerability through our HackerOne bug
bounty program.

IP allow-list bypass to access Container Registries

Incorrect authorization in GitLab EE affecting all versions from 10.7 prior to
14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1, allowed an attacker
already in possession of a valid Deploy Key or a Deploy Token to misuse it from
any location to access Container Registries even when IP address restrictions
were configured. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/
S:U/C:H/I:H/A:N, 6.5). It is now mitigated in the latest release and is
assigned CVE-2022-1983.

This issue was found internally by a member of the GitLab team.

2FA status is disclosed to unauthenticated users

An issue has been discovered in GitLab CE/EE affecting all versions starting
from 13.4 before 14.10.5, all versions starting from 15.0 before 15.0.4, and all
versions starting from 15.1 before 15.1.1. GitLab reveals if a user has enabled
two-factor authentication on their account in the HTML source, to
unauthenticated users. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:N
/UI:N/S:U/C:L/I:N/A:N, 5.3). It is now mitigated in the latest release and is
assigned CVE-2022-1963.

Thanks albatraoz for reporting this vulnerability through our HackerOne bug
bounty program.

CI variables provided to runners outside of a group's restricted IP range

Information exposure in GitLab EE affecting all versions from 12.0 prior to
14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1 allows an attacker with
the appropriate access tokens to obtain CI variables in a group using
IP-based access restrictions even if the GitLab Runner is calling from outside
the allowed IP range. This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:N/
UI:R/S:U/C:H/I:N/A:N, 5.3). It is now mitigated in the latest release and is
assigned CVE-2022-2228.

This vulnerability has been discovered internally by the GitLab team.

Restrict membership by email domain bypass

An issue has been discovered in GitLab EE affecting all versions starting from
12.2 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1. In
GitLab, if a group enables the setting to restrict access to users belonging to
specific domains, that allow-list may be bypassed if a Maintainer uses the
'Invite a group' feature to invite a group that has members that don't comply
with domain allow-list. This is a medium severity issue (CVSS:3.1/AV:N/AC:H/
PR:H/UI:N/S:U/C:H/I:H/A:N, 5.9). It is now mitigated in the latest release and
is assigned CVE-2022-1981.

Thanks muthu_prakash for reporting this vulnerability through our HackerOne bug
bounty program.

IDOR in sentry issues

An access control vulnerability in GitLab EE/CE affecting all versions from
14.8 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1, allows
authenticated users to enumerate issues in non-linked sentry projects. This is
a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N, 5.0). It
is now mitigated in the latest release and is assigned CVE-2022-2243.

Thanks joaxcar for reporting this vulnerability through our HackerOne bug
bounty program.

Reporters can manage issues in error tracking

An improper authorization vulnerability in GitLab EE/CE affecting all versions
from 14.8 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1,
allows project members with the reporter role to manage issues in a project's error
tracking feature. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N
/S:U/C:N/I:L/A:N, 4.3). It is now mitigated in the latest release and is
assigned CVE-2022-2244.

Thanks joaxcar for reporting this vulnerability through our HackerOne bug
bounty program.

Regular Expression Denial of Service via malicious web server responses

A Regular Expression Denial of Service vulnerability in GitLab CE/EE affecting
all versions from 1.0.2 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior
to 15.1.1 allows an attacker to make a GitLab instance inaccessible via
specially crafted web server response headers. This is a medium severity issue
(CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L, 4.3). It is now mitigated in the
latest release and is assigned CVE-2022-1954.

Thanks afewgoats for reporting this vulnerability through our HackerOne bug
bounty program.

Unauthorized read for conan repository

An issue has been discovered in GitLab affecting all versions starting from
12.4 before 14.10.5, all versions starting from 15.0 before 15.0.4, and all
versions starting from 15.1 before 15.1.1. GitLab was leaking Conan package
names due to incorrect permissions verification. This is a low severity issue
(CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N, 3.5). It is now mitigated in the
latest release and is assigned CVE-2022-2270.

Thanks fushbey for reporting this vulnerability through our HackerOne bug
bounty program.

Open redirect vulnerability

An open redirect vulnerability in GitLab EE/CE affecting all versions from 11.1
prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1, allows
redirecting users to a malicious location. This is a low severity issue (CVSS:3.1/
AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N, 4.7). It is now mitigated in the latest
release and is assigned CVE-2022-2250.

Thanks stealthy for reporting this vulnerability through our HackerOne bug
bounty program.

Group labels are editable through subproject

An issue has been discovered in GitLab CE/EE affecting all versions from 8.13
prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1. Under certain
conditions, using the REST API an unprivileged user was able to change label
descriptions. This is a low severity issue (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N
/I:L/A:N, 3.1). It is now mitigated in the latest release and is assigned
CVE-2022-1999.

This vulnerability has been discovered internally by the GitLab team.

Release titles visible for any users if group milestones are associated with
any project releases

An information disclosure vulnerability in GitLab EE affecting all versions
from 12.5 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1,
allows disclosure of release titles if group milestones are associated with any
project releases. This is a low severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/
S:U/C:L/I:N/A:N, 2.6). It is now mitigated in the latest release and is
assigned CVE-2022-2281.

Thanks ashish_r_padelkar for reporting this vulnerability through our HackerOne
bug bounty program.

Job information is leaked to users who previously were maintainers via the
Runner Jobs API endpoint

Improper access control in the runner jobs API in GitLab CE/EE affecting all
versions prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1
allows a previous maintainer of a project with a specific runner to access job
and project meta data under certain conditions. This is a low severity issue
(CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N, 3.1). It is now mitigated in
the latest release and is assigned CVE-2022-2227.

Thanks vaib25vicky for reporting this vulnerability through our HackerOne bug
bounty program.

Update rack

The version of rack has been updated to 2.2.3.1 in order to mitigate security
concerns.

Versions affected

Affects all versions of GitLab CE/EE

Updating

To update GitLab, see the Update page. To update GitLab Runner, see the
Updating the Runner page.

Receive Security Release Notifications

To receive security release blog notifications delivered to your inbox, visit
our contact us page. To receive release notifications via RSS, subscribe to our
security release RSS feed or our RSS feed for all releases.


- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================