-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2018.0034
          Multiple vulnerabilities have been identified in GitLab
            Community Edition (CE) and Enterprise Edition (EE)
                              18 January 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              GitLab Community Edition and Enterprise Edition
Operating System:     Linux variants
                      Virtualisation
                      Windows
Impact/Access:        Execute Arbitrary Code/Commands -- Remote/Unauthenticated      
                      Modify Arbitrary Files          -- Existing Account            
                      Cross-site Scripting            -- Remote with User Interaction
                      Reduced Security                -- Remote/Unauthenticated      
                      Access Confidential Data        -- Existing Account            
                      Unauthorised Access             -- Existing Account            
Resolution:           Patch/Upgrade
CVE Names:            CVE-2018-3710 CVE-2017-0927 CVE-2017-0926
                      CVE-2017-0925 CVE-2017-0924 CVE-2017-0923
                      CVE-2017-0922 CVE-2017-0918 CVE-2017-0917
                      CVE-2017-0916 CVE-2017-0915 CVE-2017-0914
Member content until: Saturday, February 17 2018

OVERVIEW

        Multiple vulnerabilities have been identified in GitLab Community 
        Edition (CE) and Enterprise Edition (EE) prior to versions 10.3.4, 
        10.2.6, and 10.1.6. [1]


IMPACT

        The vendor has provided the following details regarding the 
        vulnerabilities:
        
        "Remote Code Execution Vulnerability in GitLab Projects Import The 
        GitLab projects import component contained a vulnerability which 
        allowed an attacker to write files to arbitrary directories on the 
        server and that could result in remote code execution. The 
        vulnerability has now been mitigated and is assigned to 
        CVE-2017-0915 and CVE-2018-3710." [1]
        
        "GitLab CI Runner Can Read and Poison Cache of All Other Projects A
        path traversal vulnerability was found in the CI runner, which 
        allowed a malicious user to read and poison other project caches. 
        The issue is now remediated and has been assigned to CVE-2017-0918."
        [1]
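
Both of the issues quoted above (arbitrary file writes during project import, and a CI runner reading or poisoning other projects' caches) are path traversal: a name supplied by an untrusted party is joined onto a server-side directory and ends up resolving somewhere else. The following is an added example, not code from GitLab or from this bulletin, showing the containment check a defender would apply to such names; the base directory, the helper names and the sample entries are assumptions constructed for the example.

```ruby
# Added example (not GitLab's or AusCERT's code): a containment check for
# paths derived from untrusted names, such as archive entries in a project
# import or cache keys handed to a CI runner. Only File.expand_path is used;
# base_dir, the helper names and the sample entries are constructed here.

# Returns the absolute destination path for +entry_name+ under +base_dir+,
# or nil when the entry would resolve outside +base_dir+.
def safe_destination(base_dir, entry_name)
  base = File.expand_path(base_dir)
  # An archive entry or cache key must be relative; absolute names are rejected.
  return nil if entry_name.start_with?("/")
  # NUL bytes can truncate the path in lower-level APIs; reject them early.
  return nil if entry_name.include?("\0")
  dest = File.expand_path(entry_name, base)
  # expand_path has already folded "." and ".." segments; the result must be a
  # strict descendant of base (the separator prevents "/srv/base2" matching "/srv/base").
  return nil unless dest.start_with?(base + File::SEPARATOR)
  dest
end

# Constructed sample entry names (not taken from the advisory).
SAMPLE_ENTRIES = [
  "project.json",
  "uploads/avatar.png",
  "uploads/../keep/file",
  "../../../etc/cron.d/job",
  "/etc/passwd",
  "uploads/../../escape",
].freeze

# Maps each entry to :allowed or :rejected for a given base directory.
def classify_entries(base_dir, entries = SAMPLE_ENTRIES)
  entries.each_with_object({}) do |entry, result|
    result[entry] = safe_destination(base_dir, entry) ? :allowed : :rejected
  end
end

if __FILE__ == $PROGRAM_NAME
  classify_entries("/srv/gitlab/import").each do |entry, verdict|
    puts "#{verdict.to_s.ljust(8)} #{entry}"
  end
end
```

Two caveats for anyone adopting this: the check reasons about the string only, so a symlink already present under the base directory can still redirect a write (extract into a freshly created empty directory, or resolve existing components with File.realpath first), and the same function must be applied to cache keys on the runner side, not only to archive entries on the import side.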
        
        "Jupyter Notebook XSS Projects that have Jupyter Notebooks could 
        execute external JavaScript. This XSS vulnerability was caused by 
        unsanitized output in Jupyter Notebooks. The output is now correctly
        sanitized before being rendered. This issue has been assigned to 
        CVE-2017-0923." [1]
        
        "Login with Disabled OAuth Provider via POST OAuth providers are 
        configured per instance and can be disabled from the Admin settings
        page under "Sign-in Restrictions".
        
        It was possible to login with a disabled OAuth provider when 
        bypassing the form with a malicious request. A check has been added
        to prevent this. This issue has been assigned to CVE-2017-0926." [1]

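
The point of the OAuth issue quoted above is where the check lives: a restriction enforced only by hiding a button on the sign-in form is no restriction at all for a request that never loads the form. The following is an added example, not code from GitLab or from this bulletin, showing the provider check placed in the callback that every OAuth login must pass through, together with an audit record of refused attempts; the provider names, the settings object and the helper names are assumptions constructed for the example.

```ruby
# Added example (not GitLab's or AusCERT's code): enforce an administrator's
# "Sign-in Restrictions" on the server side of the OAuth flow, so a request
# that skips the sign-in form is still refused. Provider names, the settings
# object and the audit-log shape are constructed for this example.
require "set"

class OAuthProviderDisabled < StandardError; end

# Providers configured for the instance (constructed list).
CONFIGURED_PROVIDERS = %w[google_oauth2 github twitter].freeze

# Stands in for the instance-wide "Sign-in Restrictions" setting.
class SignInRestrictions
  def initialize(enabled:)
    @enabled = Set.new(enabled.map(&:to_s))
  end

  # A provider must be both configured and not disabled by the admin.
  def enabled?(provider)
    name = provider.to_s
    CONFIGURED_PROVIDERS.include?(name) && @enabled.include?(name)
  end
end

# The callback is the choke point: every OAuth login passes through it,
# whether or not the user came via the form, so the check belongs here.
def handle_oauth_callback(provider, restrictions, audit_log)
  unless restrictions.enabled?(provider)
    # Record the refusal; repeated refusals for one provider are worth alerting on.
    audit_log << { event: "oauth_provider_disabled", provider: provider.to_s }
    raise OAuthProviderDisabled, "provider #{provider} is disabled"
  end
  audit_log << { event: "oauth_sign_in", provider: provider.to_s }
  { provider: provider.to_s, status: :signed_in }
end

# Drives the callback without a web stack; returns :signed_in or :rejected.
def attempt_login(provider, restrictions, audit_log = [])
  handle_oauth_callback(provider, restrictions, audit_log)[:status]
rescue OAuthProviderDisabled
  :rejected
end

if __FILE__ == $PROGRAM_NAME
  restrictions = SignInRestrictions.new(enabled: %w[github])
  log = []
  %w[github twitter saml].each { |p| puts "#{p}: #{attempt_login(p, restrictions, log)}" }
  log.each { |entry| puts entry.inspect }
end
```

Note that an unconfigured provider ("saml" in the sample run) is refused on the same path as a disabled one; treating both as a deny keeps a typo in the settings from silently widening the sign-in surface.
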
        "Sensitive Fields Exposed to Admins / Masters in the Services API 
        The Services API responses were exposing sensitive fields to the 
        Admins and Masters of the service's project. We now filter out those
        sensitive fields from the Services API responses. This issue has 
        been assigned to CVE-2017-0925." [1]
        
        "XSS in Label Dropdown A persistent XSS vulnerability was discovered
        in the issue/merge request sidebar label dropdown. Label names 
        inside the sidebar label dropdown are now escaped. This issue has 
        been assigned to CVE-2017-0924." [1]
        
        "Critical SQL Injection in MilestoneFinder A SQL injection 
        vulnerability was discovered in the MilestoneFinder component. The 
        affected SQL query has now been mitigated. This issue has been 
        assigned to CVE-2017-0914." [1]
        
        "Critical Vulnerability with Command Injection via Webhooks A new 
        line injection vulnerability was discovered in the Webhook component
        that allowed an attacker to inject non-HTTP commands in a TCP 
        stream. The issue has now been mitigated and assigned to 
        CVE-2017-0916." [1]
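
The webhook issue quoted above is a line-break injection: a URL that carries a CR or LF ends the HTTP request line early, and whatever follows is written to the same TCP stream as further lines. The defensive control is to refuse such URLs at the point where a user stores them, before any HTTP client sees them. The following is an added example, not code from GitLab or from this bulletin, of such a validator run over a constructed list of hook URLs; the rejection reasons, the helper names and the sample URLs are assumptions made for the example.

```ruby
# Added example (not GitLab's or AusCERT's code): validation for a
# user-supplied webhook URL before it is stored and handed to an HTTP client.
# The rejection reasons, helper names and sample URLs are constructed here.
require "uri"

ALLOWED_SCHEMES = %w[http https].freeze

# Returns [true, nil] when the URL may be stored, or [false, reason] otherwise.
def validate_webhook_url(raw)
  return [false, "empty"] if raw.nil? || raw.strip.empty?
  # CR, LF and other control characters must never reach the request line or
  # header block; a line break in the URL ends the request line early.
  return [false, "control characters"] if raw.match?(/[[:cntrl:]]/)
  # Conservative: also refuse percent-encoded line breaks, in case a later
  # layer decodes the path before it is written to the socket.
  return [false, "percent-encoded line break"] if raw.match?(/%0[ad]/i)
  uri = begin
    URI.parse(raw)
  rescue URI::InvalidURIError
    return [false, "unparseable"]
  end
  return [false, "scheme must be http or https"] unless ALLOWED_SCHEMES.include?(uri.scheme)
  return [false, "missing host"] if uri.host.nil? || uri.host.empty?
  [true, nil]
end

# Constructed sample hook URLs (not from the advisory).
SAMPLE_HOOKS = [
  "https://ci.example.test/hooks/gitlab",
  "http://10.0.0.5:8080/notify?token=abc",
  "http://hook.example.test/path\r\nextra",
  "http://hook.example.test/path%0d%0aextra",
  "ftp://files.example.test/hook",
  "not a url",
].freeze

# Audits a list of stored hook URLs; returns [url, ok, reason] triples, which
# is also how an administrator would sweep existing hooks after upgrading.
def audit_hooks(urls = SAMPLE_HOOKS)
  urls.map { |u| [u, *validate_webhook_url(u)] }
end

if __FILE__ == $PROGRAM_NAME
  audit_hooks.each do |url, ok, reason|
    puts "#{ok ? 'ok     ' : 'reject '} #{url.inspect} #{reason}"
  end
end
```

This validator answers only the question of whether the string is safe to put on the wire. Where a hook may point (for instance at private address ranges reachable from the GitLab host) is a separate control and is deliberately not covered here.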
        
        "Cross-site scripting (XSS) vulnerability in CI job output A 
        persistent XSS vulnerability was discovered in the CI job component,
        and the issue has now been resolved by performing stricter input 
        validation. This issue has been assigned to CVE-2017-0917." [1]
        
        "Guest Users Can Give Deploy Keys in Other Projects Write Access An
        improper authorization vulnerability was discovered in the 
        deployment keys component which resulted in unauthorized use of 
        deployment keys by guest users. The issue has now been resolved and
        is assigned to CVE-2017-0927. This change altered the /deploy_keys 
        API endpoint, which no longer returns can_push attribute. See our 
        updated documentation." [1]
        
        "Milestone Authorization Issue on Boards An authorization bypass 
        vulnerability was discovered in the Boards component which resulted
        in an information disclosure. The issue has now been resolved and is
        assigned to CVE-2017-0922." [1]


MITIGATION

        The vendor strongly recommends users upgrade to the latest versions
        to fix these issues. [1]
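
A practitioner acting on this bulletin first needs to know whether an installed instance is on a patched release. The following is an added example, not code from GitLab or from AusCERT, that classifies a version string against the fixed releases named above (10.3.4, 10.2.6 and 10.1.6). It assumes those three are the earliest patched releases on their branches and that any release newer than 10.3.4 carries the fixes; the helper names and the handling of a trailing "-ee"/"-ce" suffix are assumptions made for the example.

```ruby
# Added example (not GitLab's or AusCERT's code): check whether a GitLab
# version string predates the fixed releases named in this bulletin.
# Assumptions: 10.3.4, 10.2.6 and 10.1.6 are the earliest patched releases on
# their branches, and anything newer than 10.3.4 includes the fixes.
require "rubygems"

FIXED_BY_BRANCH = {
  "10.3" => Gem::Version.new("10.3.4"),
  "10.2" => Gem::Version.new("10.2.6"),
  "10.1" => Gem::Version.new("10.1.6"),
}.freeze

NEWEST_FIXED = FIXED_BY_BRANCH.values.max # 10.3.4

# Returns :fixed, :affected, or :unknown when the string is not a version.
def gitlab_status(version_string)
  # "10.3.3-ee" style suffixes would otherwise be parsed as a pre-release;
  # strip the edition marker before comparing (assumed input format).
  cleaned = version_string.to_s.strip.sub(/-(ee|ce)\z/i, "")
  v = Gem::Version.new(cleaned)
  branch = v.segments.first(2).join(".")
  if (fixed = FIXED_BY_BRANCH[branch])
    v >= fixed ? :fixed : :affected
  elsif v >= NEWEST_FIXED
    :fixed      # 10.4 and later were cut after the patched releases
  else
    :affected   # 10.0 and earlier have no patched release in this bulletin
  end
rescue ArgumentError
  :unknown
end

# Classifies a list of version strings, e.g. collected from several instances.
def triage(versions)
  versions.each_with_object(Hash.new { |h, k| h[k] = [] }) do |ver, groups|
    groups[gitlab_status(ver)] << ver
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inventory (not from the advisory).
  triage(%w[10.3.3-ee 10.3.4 10.2.5 10.2.6-ce 10.1.6 10.0.7 10.4.0 n/a]).each do |status, list|
    puts "#{status}: #{list.join(', ')}"
  end
end
```

The version string on a running instance is available from the web UI's help page or the API's version endpoint; feeding that into gitlab_status is the whole check.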


REFERENCES

        [1] GitLab Security Release: 10.3.4, 10.2.6, and 10.1.6
            https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----