ESB-2018.3713 - [Win][Linux][Virtual] GitLab: Multiple vulnerabilities 2018-11-29

Printable version
PGP/GPG verifiable version

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.3713
           GitLab Security Release: 11.5.1, 11.4.8, and 11.3.11
                             29 November 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           GitLab
Publisher:         GitLab
Operating System:  Windows
                   Linux variants
                   Virtualisation
Impact/Access:     Access Privileged Data -- Existing Account            
                   Cross-site Scripting   -- Remote with User Interaction
                   Unauthorised Access    -- Remote/Unauthenticated      
                   Reduced Security       -- Remote/Unauthenticated      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-19585 CVE-2018-19584 CVE-2018-19583
                   CVE-2018-19582 CVE-2018-19581 CVE-2018-19580
                   CVE-2018-19579 CVE-2018-19578 CVE-2018-19577
                   CVE-2018-19576 CVE-2018-19575 CVE-2018-19574
                   CVE-2018-19573 CVE-2018-19572 CVE-2018-19571
                   CVE-2018-19570 CVE-2018-19569 CVE-2018-19496
                   CVE-2018-19495 CVE-2018-19494 CVE-2018-19493

Original Bulletin: 
   https://about.gitlab.com/2018/11/28/security-release-gitlab-11-dot-5-dot-1-released/

- --------------------------BEGIN INCLUDED TEXT--------------------

GitLab Security Release: 11.5.1, 11.4.8, and 11.3.11

Today we are releasing versions 11.5.1, 11.4.8, and 11.3.11 for GitLab
Community Edition (CE) and Enterprise Edition (EE).

These versions contain a number of important security fixes, and we strongly
recommend that all GitLab installations be upgraded to one of these versions
immediately.

The vulnerability details will be made public on our issue tracker in
approximately 30 days.

Please read on for more information regarding this release.

View Names of Private Groups

The Todos dashboard permitted an unauthorized user to view the names of private
groups. The issue is now mitigated in the latest release and is assigned
CVE-2018-19494.

Thanks to @ashish_r_padelkar for responsibly reporting this vulnerability to
us.

Versions Affected

Affects GitLab CE/EE 11.2 and later.

Remediation

We strongly recommend that all installations running an affected version above
to be upgraded to the latest version as soon as possible.

Persistent XSS in Environments

The Environments page contained a lack of input validation and output encoding
issue which resulted in a persistent XSS. The issue is now mitigated in the
latest release and is assigned CVE-2018-19493.

Thanks to @xanbanx for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab CE/EE 11.0 and later.

Remediation

We strongly recommend that all installations running an affected version above
to be upgraded to the latest version as soon as possible.

SSRF in Prometheus integration

The Prometheus integration was vulnerable to an SSRF issue which allowed an
attacker to make requests to any local network resource accessible from the
GitLab server. The issue is now mitigated in the latest release and is assigned
CVE-2018-19495.

Thanks to @bull for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab CE/EE 9.0 and later.

Remediation

We strongly recommend that all installations running an affected version above
to be upgraded to the latest version as soon as possible.

Unauthorized Promotion of Milestones

Milestones were vulnerable to an insecure object reference issue where a user
with insufficient privilieges could promote a project milestone to a group
milestone. The issue is now mitigated in the latest release and is assigned
CVE-2018-19496.

Thanks to @sandeep_hodkasia for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab CE/EE 10.2 and later.

Remediation

We strongly recommend that all installations running an affected version above
to be upgraded to the latest version as soon as possible.

Exposure of Confidential Issue Title

The commits listing page in a project permitted an unauthorized user to view
the title of a confidential issue. The issue is now mitigated in the latest
release and is assigned CVE-2018-19577.

Thanks to @ngalog for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab CE/EE 8.6 and later.

Remediation

We strongly recommend that all installations running an affected version above
to be upgraded to the latest version as soon as possible.

Persisent XSS in Markdown Fields via Mermaid Script

Fields that accept Markdown contained incomplete input validation and output
encoding when accepting Mermaid script, which resulted in a persistent XSS. The
issue is now mitigated in the latest release and is assigned CVE-2018-19573.

Thanks to @fransrosen for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab CE/EE 10.3 and later.

Remediation

We strongly recommend that all installations running an affected version above
to be upgraded to the latest version as soon as possible.

Persistent XSS in Markdown Fields via Unrecognized HTML Tags

Fields that accept Markdown contained incomplete input validation and output
encoding when accepting unrecognized HTML tags, which resulted in a persistent
XSS. The issue is now mitigated in the latest release and is assigned
CVE-2018-19570.

Thanks to @otr for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab CE/EE 11.3 and later.

Remediation

We strongly recommend that all installations running an affected version above
to be upgraded to the latest version as soon as possible.

Symlink Race Condition in Pages

GitLab Pages had a symlink race condition that would allow unauthorized access
to files in the Pages chroot. The issue is now mitigated in the latest release
and is assigned CVE-2018-19572.

Thanks to Bastian Blank for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab CE 8.17 & EE 8.3 and later.

Remediation

We strongly recommend that all installations running an affected version above
to be upgraded to the latest version as soon as possible.

Unauthorized Changes by Guest User in Issues

GitLab issues were vulnerable to an insecure object reference issue that
allowed a Guest user to make changes to, or delete their own comments after an
issue had been made confidential. The issue is now mitigated in the latest
release and is assigned CVE-2018-19576.

Thanks to @sandeep_hodkasia for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab CE/EE 8.6 and later.

Remediation

We strongly recommend that all installations running an affected version above
to be upgraded to the latest version as soon as possible.

Unauthorized Comments on Locked Issues

GitLab issues were vulnerable to an insecure object reference issue that
allowed an unauthorized user to make comments after an issue had been locked.
The issue is now mitigated in the latest release and is assigned CVE-2018-19575
.

Thanks to @ngalog for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab CE/EE 10.1 and later.

Remediation

We strongly recommend that all installations running an affected version above
to be upgraded to the latest version as soon as possible.

Improper Enforcement of Token Scope

The GitLab web interface was vulnerable to an authorization issue that allowed
access to the web-UI as a user using their Personal Access Token (PAT) of any
scope. The issue is now mitigated in the latest release and is assigned
CVE-2018-19569.

With this fix, the use of PATs is limited to the API, the RSS feed, and the
registry, which could break any existing automation scripts that don't use the
API. The impact is expected to be limited.

Thanks to Jan Alsenz of Oneconsult AG for responsibly reporting this
vulnerability to us.

Updated: 2018-11-28: We have received reports that this change has impacted how
repo files and job artifacts are downloaded for some users. For instructions on
how to do so through the API, please see our support issue. Thank you to the
users participating in this issue. Your feedback is important to us.

Versions Affected

Affects GitLab CE/EE 8.8 and later.

Remediation

We strongly recommend that all installations running an affected version above
to be upgraded to the latest version as soon as possible.

CRLF Injection in Project Mirroring

When using the Git protocol, project mirroring was vulnerable to a CRLF
injection vulnerability. The issue is now mitigated in the latest release and
is assigned CVE-2018-19585.

Thanks to @chromium1337 for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab CE/EE 8.18 and later.

Remediation

We strongly recommend that all installations running an affected version above
to be upgraded to the latest version as soon as possible.

XSS in OAuth Authorization

The OAuth authorization process contained a lack of input validation and output
encoding which resulted in an XSS. The issue is now mitigated in the latest
release and is assigned CVE-2018-19574.

Thanks to @fransrosen for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab CE/EE 7.6 and later.

Remediation

We strongly recommend that all installations running an affected version above
to be upgraded to the latest version as soon as possible.

SSRF in Webhooks

Webhooks were vulnerable to an SSRF vulnerability that allowed an attacker to
make requests to any local network resource accessible from the GitLab server.
The issue is now mitigated in the latest release and is assigned CVE-2018-19571
.

Thanks to @nyangawa of Chaitin Tech for responsibly reporting this
vulnerability to us.

Versions Affected

Affects GitLab CE/EE 8.18 and later.

Remediation

We strongly recommend that all installations running an affected version above
to be upgraded to the latest version as soon as possible.

Send Email on Email Address Change

Previously, GitLab did not send an email to the old email address when an email
address change was made. The issue is now mitigated in the latest release and
is assigned CVE-2018-19580.

Thanks to @muon4 for responsibly reporting this vulnerability to us.

Versions Affected

Affects all versions of GitLab CE/EE.

Remediation

We strongly recommend that all installations running an affected version above
to be upgraded to the latest version as soon as possible.

Workhorse Logs Contained Tokens

Workhorse was logging access tokens, which allowed administrators with access
to the logs to see the tokens of other users. The issue is now mitigated in the
latest release and is assigned CVE-2018-19583.

Versions Affected

Affects GitLab CE/EE 8.0 and later.

Remediation

We strongly recommend that all installations running an affected version above
to be upgraded to the latest version as soon as possible.

Unauthorized Publishing of Draft Comments

The discussion drafts endpoint, used in merge requests, contained an insecure
object reference vulnerability that permitted an unauthorized user to publish
the drafts of another user. The issue is now mitigated in the latest release
and is assigned CVE-2018-19582.

Thanks to @lucky_sen for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab EE 11.4 and later.

Remediation

We strongly recommend that all installations running an affected version above
to be upgraded to the latest version as soon as possible.

Guest Can Set Weight of a New Issue

GitLab issues were vulnerable to an insecure object reference issue that
allowed a Guest user to set the weight of an issue they created. The issue is
now mitigated in the latest release and is assigned CVE-2018-19581.

Thanks to @ngalog for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab EE 8.3 and later.

Remediation

We strongly recommend that all installations running an affected version above
to be upgraded to the latest version as soon as possible.

Disclosure of Private Group's Members and Milestones

An insecure direct object reference vulnerability in issue boards allowed
authenticated, but unauthorized users to view members and milestone details of
private groups. The issue is now mitigated in the latest release and is
assigned CVE-2018-19584.

Thanks to @ngalog for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab EE 11.0 and later.

Remediation

We strongly recommend that all installations running an affected version above
to be upgraded to the latest version as soon as possible.

Persisent XSS in Operations

The Operations page contained a lack of input validation and output encoding
which resulted in a persistent XSS. The issue is now mitigated in the latest
release and is assigned CVE-2018-19579.

Thanks to @ngalog for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab EE 11.5.

Remediation

We strongly recommend that all installations running an affected version above
to be upgraded to the latest version as soon as possible.

Reporter Can View Operations Page

Due to incomplete permissions validation, a user with Reporter privileges was
permitted to view the Jaeger Tracing Operations page. The issue is now
mitigated in the latest release and is assigned CVE-2018-19578.

Thanks to @vijay_kumar1110 for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab EE 11.5.

Remediation

We strongly recommend that all installations running an affected version above
to be upgraded to the latest version as soon as possible.

Upgrade to Redis 3.2.12

The version of Redis used in the Omnibus package was upgraded in the GitLab
11.3 release. This upgrade was previously included in GitLab 11.4 and 11.5
Omnibus packages, and includes several security fixes. The upgrade to Redis was
incorrectly reported in the October security release.

Updating

To update, check out our update page.

GitLab Security Release: 11.5.1, 11.4.8, and 11.3.11

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBW/90kmaOgq3Tt24GAQgIQQ/+MiKAn3UBbffm25ASC8b6OH2GB9e7/D2g
5ywUXzE3DK4x1fq7ndvFA8Wza2E0nJiZrJCrmwBtawT1FcDhDNhrnjtRKI8rSwmb
OaVafozHRIe0mgSBMUa4j8Z9FMYqgL8FIrXyXtI9RJ+zO7kraslv9Xl66cDiT4rT
7eMYtIfuwBlWYbFjhCHsrB00Mfd0omrfeFVoRK8fZ9iEQDoTGxR2pvEZZxqRNXg2
qR8kV3Y9pypGtCBndxLQ33GorgjwZPBykG4kSK9d4yOEL7INuJ+D8vUgej4/jcN6
OspRVXEPr1rZgf1XkakfBcFz913ldtQTCH+2YburlEVaeNizFLVQPU/7i5MGzxP8
3WB2m58uThi/OMH+uPL5xQyN3tbox8PuZMMnCAWp6WgucCVMszL+md7Wtjxg4Z4/
2G9jifqiduJdgmftS1c9Sq7i4lI3sezLsVA1y3/ufZn2MVfdCCM6LY63+0ee//pP
NB62WfvGdkz+OdH7Y5w43PWbHujPeyYd7Gg/Dr+taDmj9a1l3+wIkFbZGtpc3yXX
DYjzY+rq+HMsX0sp2q+fBAR9f9/zTMrttOtmdc5XEgQh0GAK/mNQo9DlykP3uoiL
NKUH2z67x5mifLNE35topsd93znOh/4YZuw3pK1HGmEQ1NtyJBBnICRia2BvtW3B
oF0H7JOnimg=
=ID4Q
-----END PGP SIGNATURE-----

« Back to bulletins