-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
                   AUSCERT Security Bulletin ASB-2018.0034
     Multiple vulnerabilities have been identified in GitLab Community
                  Edition (CE) and Enterprise Edition (EE)
                              18 January 2018
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              GitLab Community Edition and Enterprise Edition
Operating System:     Linux variants
                      Virtualisation
                      Windows
Impact/Access:        Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                      Modify Arbitrary Files          -- Existing Account
                      Cross-site Scripting            -- Remote with User Interaction
                      Reduced Security                -- Remote/Unauthenticated
                      Access Confidential Data        -- Existing Account
                      Unauthorised Access             -- Existing Account
Resolution:           Patch/Upgrade
CVE Names:            CVE-2018-3710 CVE-2017-0927 CVE-2017-0926 CVE-2017-0925
                      CVE-2017-0924 CVE-2017-0923 CVE-2017-0922 CVE-2017-0918
                      CVE-2017-0917 CVE-2017-0916 CVE-2017-0915 CVE-2017-0914
Member content until: Saturday, February 17 2018

OVERVIEW

        Multiple vulnerabilities have been identified in GitLab Community
        Edition (CE) and Enterprise Edition (EE) prior to versions 10.3.4,
        10.2.6, and 10.1.6. [1]

IMPACT

        The vendor has provided the following details regarding the
        vulnerabilities:

        "Remote Code Execution Vulnerability in GitLab Projects Import

        The GitLab projects import component contained a vulnerability
        which allowed an attacker to write files to arbitrary directories
        on the server and that could result in remote code execution. The
        vulnerability has now been mitigated and is assigned to
        CVE-2017-0915 and CVE-2018-3710." [1]

        "GitLab CI Runner Can Read and Poison Cache of All Other Projects

        A path traversal vulnerability was found in the CI runner, which
        allowed a malicious user to read and poison other project caches.
        The issue is now remediated and has been assigned to
        CVE-2017-0918."
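The two findings above (arbitrary file writes during project import, and path traversal in the runner cache) are both failures to keep a supplied path inside its intended directory. The following is an added example written for this bulletin, not GitLab's or AusCERT's code; the destination directory and entry names are constructed, and it contrasts a naive prefix check with a containment check an import or cache step should apply before writing.

```ruby
# Added example (not GitLab's or AusCERT's code): lexical containment check
# for archive entries so that none can be written outside the destination
# directory. All paths below are constructed for illustration.

# Naive prefix check: "../" survives until the filesystem resolves it, and
# a sibling such as "/srv/imports/proj_evil" passes because it merely
# starts with "/srv/imports/proj".
def naive_path_allowed?(dest_dir, entry_name)
  File.join(dest_dir, entry_name).start_with?(dest_dir)
end

# Hardened check: refuse absolute and home-relative names and NUL bytes,
# resolve "." and ".." lexically, then require the result to sit strictly
# below dest_dir (prefix plus separator, so siblings cannot match).
# Returns the resolved path to write to, or raises ArgumentError.
def safe_extract_path(dest_dir, entry_name)
  name = entry_name.to_s
  raise ArgumentError, "absolute or home-relative entry: #{name.inspect}" if name.start_with?("/", "~")
  raise ArgumentError, "NUL byte in entry name" if name.include?("\0")
  root = File.expand_path(dest_dir)
  target = File.expand_path(name, root)
  unless target.start_with?(root + File::SEPARATOR)
    raise ArgumentError, "entry escapes destination: #{name.inspect}"
  end
  target
end

def safe_extract_path?(dest_dir, entry_name)
  safe_extract_path(dest_dir, entry_name)
  true
rescue ArgumentError
  false
end

# This check is lexical only: if an earlier entry created a symlink inside
# dest_dir that points elsewhere, a later write through it still escapes,
# so an extractor must also refuse to follow (or to create) symlink entries.

if $PROGRAM_NAME == __FILE__
  dest = "/srv/imports/proj"                         # constructed
  %w[lib/app.rb ../../etc/passwd ../proj_evil/x /etc/passwd].each do |e|
    printf("%-20s naive=%-5s hardened=%s\n", e,
           naive_path_allowed?(dest, e), safe_extract_path?(dest, e))
  end
end
```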
        [1]

        "Jupyter Notebook XSS

        Projects that have Jupyter Notebooks could execute external
        JavaScript. This XSS vulnerability was caused by unsanitized
        output in Jupyter Notebooks. The output is now correctly sanitized
        before being rendered. This issue has been assigned to
        CVE-2017-0923." [1]

        "Login with Disabled OAuth Provider via POST

        OAuth providers are configured per instance and can be disabled
        from the Admin settings page under "Sign-in Restrictions". It was
        possible to log in with a disabled OAuth provider when bypassing
        the form with a malicious request. A check has been added to
        prevent this. This issue has been assigned to CVE-2017-0926." [1]

        "Sensitive Fields Exposed to Admins / Masters in the Services API

        The Services API responses were exposing sensitive fields to the
        Admins and Masters of the service's project. We now filter out
        those sensitive fields from the Services API responses. This issue
        has been assigned to CVE-2017-0925." [1]

        "XSS in Label Dropdown

        A persistent XSS vulnerability was discovered in the issue/merge
        request sidebar label dropdown. Label names inside the sidebar
        label dropdown are now escaped. This issue has been assigned to
        CVE-2017-0924." [1]

        "Critical SQL Injection in MilestoneFinder

        A SQL injection vulnerability was discovered in the MilestoneFinder
        component. The affected SQL query has now been mitigated. This
        issue has been assigned to CVE-2017-0914." [1]

        "Critical Vulnerability with Command Injection via Webhooks

        A new line injection vulnerability was discovered in the Webhook
        component that allowed an attacker to inject non-HTTP commands in
        a TCP stream. The issue has now been mitigated and assigned to
        CVE-2017-0916." [1]

        "Cross-site scripting (XSS) vulnerability in CI job output

        A persistent XSS vulnerability was discovered in the CI job
        component, and the issue has now been resolved by performing
        stricter input validation. This issue has been assigned to
        CVE-2017-0917."
        [1]

        "Guest Users Can Give Deploy Keys in Other Projects Write Access

        An improper authorization vulnerability was discovered in the
        deployment keys component which resulted in unauthorized use of
        deployment keys by guest users. The issue has now been resolved and
        is assigned to CVE-2017-0927. This change altered the /deploy_keys
        API endpoint, which no longer returns can_push attribute. See our
        updated documentation." [1]

        "Milestone Authorization Issue on Boards

        An authorization bypass vulnerability was discovered in the Boards
        component which resulted in an information disclosure. The issue
        has now been resolved and is assigned to CVE-2017-0922." [1]

MITIGATION

        The vendor strongly recommends users upgrade to the latest versions
        to fix these issues. [1]

REFERENCES

        [1] GitLab Security Release: 10.3.4, 10.2.6, and 10.1.6
            https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
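For the upgrade guidance in MITIGATION, an administrator first needs to know whether a given instance predates the fixed versions the bulletin names (10.3.4, 10.2.6, 10.1.6). The following is an added example written for this bulletin, not AusCERT's or GitLab's code; it assumes that release branches older than 10.1 never received the fix and that branches newer than 10.3 carry it, which the bulletin itself does not state.

```ruby
# Added example (not AusCERT's or GitLab's code): decide whether a GitLab
# version string still needs the upgrade this bulletin calls for, using the
# fixed versions it names: 10.3.4, 10.2.6 and 10.1.6.

FIXED_PATCH_BY_BRANCH = {
  [10, 3] => 4,   # 10.3.x is fixed from 10.3.4
  [10, 2] => 6,   # 10.2.x is fixed from 10.2.6
  [10, 1] => 6    # 10.1.x is fixed from 10.1.6
}.freeze

# Parse "10.3.3-ee" or "10.2.6" into [major, minor, patch]. The edition
# suffix is ignored because the bulletin covers both CE and EE.
def parse_gitlab_version(str)
  m = str.to_s.strip.match(/\A(\d+)\.(\d+)\.(\d+)(?:-[A-Za-z0-9.]+)?\z/)
  raise ArgumentError, "unrecognised GitLab version: #{str.inspect}" unless m
  m.captures.map(&:to_i)
end

# True when the version predates the fix for its release branch.
# Assumption (ours, not a statement of the bulletin): branches older than
# 10.1 never received the fix and are treated as affected; branches newer
# than 10.3 are treated as carrying it.
def affected_by_asb_2018_0034?(version_str)
  major, minor, patch = parse_gitlab_version(version_str)
  branch = [major, minor]
  return true  if (branch <=> FIXED_PATCH_BY_BRANCH.keys.min) < 0
  return false if (branch <=> FIXED_PATCH_BY_BRANCH.keys.max) > 0
  patch < FIXED_PATCH_BY_BRANCH.fetch(branch)
end

if $PROGRAM_NAME == __FILE__
  %w[10.3.3-ee 10.3.4 10.2.5 10.1.6 9.5.10 10.4.0].each do |v|
    puts "#{v}: #{affected_by_asb_2018_0034?(v) ? 'affected, upgrade' : 'not affected'}"
  end
end
```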