-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
                   AUSCERT Security Bulletin ASB-2018.0205
           GitLab Security Release: 11.2.3, 11.1.6, and 11.0.6
                              31 August 2018
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           GitLab
Operating System:  Linux variants
                   Windows
                   Virtualisation
Impact/Access:     Cross-site Request Forgery -- Remote with User Interaction
                   Cross-site Scripting       -- Remote with User Interaction
                   Access Confidential Data   -- Existing Account
Resolution:        Patch/Upgrade

Member content until: Sunday, September 30 2018

OVERVIEW

        Vulnerabilities have been discovered in GitLab Community Edition
        (CE) and Enterprise Edition (EE) prior to versions 11.2.3, 11.1.6,
        and 11.0.6. [1]

IMPACT

        The vendor has provided the following information regarding the
        vulnerabilities:

        "Persistent XSS in Pipeline Tooltip

        The tooltip of the job inside the CI/CD pipeline was not properly
        sanitized which resulted in a persistent XSS. The issue is now
        resolved in the latest release and will be assigned a CVE shortly.
        Thanks to @fransrosen for responsibly reporting this vulnerability
        to us." [1]

        "GitLab.com GCP Endpoints Exposure

        Zeroconf endpoints in Google Cloud Platform (GCP) would have been
        accessible via webhooks post-migration. The issue is now resolved
        in the latest release for gitlab.com. Thanks to @fransrosen and
        @avlidienbrunn for responsibly reporting this vulnerability to
        us." [1]

        "Persistent XSS in Merge Request Changes View

        The Merge Request Changes view was not properly sanitizing certain
        hunk locations which resulted in a persistent XSS. The issue is
        now resolved in the latest release and will be assigned a CVE
        shortly. Thanks to @fransrosen for responsibly reporting this
        vulnerability to us." [1]

        "Sensitive Data Disclosure in Sidekiq Logs

        The project import URL credentials were being output to the
        Sidekiq logs. The issue is now resolved in the latest release and
        will be assigned a CVE shortly. Thanks to @kevinksd and
        @Johlandabee for responsibly reporting this vulnerability to
        us." [1]

        "Missing CSRF in System Hooks

        There is a CSRF vulnerability which allows an attacker to resend
        requests to multiple hooks. The "resend request" CSRF token is
        missing. For this reason an attacker can trick a user of GitLab
        into performing an unwanted action on a System Hook for which the
        user is currently authenticated. Thanks to Lyubomir Tsirkov for
        responsibly reporting this vulnerability to us." [1]

        "Orphaned Upload Files Exposure

        Through various bugs, it is possible to orphan a project upload
        file so that it is not tracked by the uploads table. If the
        project is moved, then it is possible for another user to create
        a new project with the same path. Exporting that project will
        contain the orphaned file, and thus exposes data. The issue is
        now resolved in the latest release and will be assigned a CVE
        shortly." [1]

        "Missing Authorization Control API Repository Storage

        Regular users are currently able to change the repository storage
        value using the API. The issue is now resolved in the latest
        release and will be assigned a CVE shortly." [1]

MITIGATION

        GitLab versions 11.2.3, 11.1.6, and 11.0.6 have been released,
        which address these vulnerabilities. The vendor advises:

        "Remediation

        We strongly recommend that all installations running an affected
        version above be upgraded to the latest version as soon as
        possible." [1]

REFERENCES

        [1] GitLab Security Release: 11.2.3, 11.1.6, and 11.0.6
            https://about.gitlab.com/2018/08/28/security-release-gitlab-11-dot-2-dot-2-released/

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation.

The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies
and procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBW4jBd2aOgq3Tt24GAQiSkA/8Dx6fCSN5MYJnzoFMk4ejgWEVb0sagoiq
rdTHgujsBylt4gevydQr34z3KqcP9nu8pWQugL7yWXTrOXj/LmDgemhtKigzLI80
gMpU2+pEenJ4sjCEMQm59eJoWaQFTn8fb9UTmyYGpmvcRDKgvmcBa0yMAOyvtYE3
yIUm7VTwSp1LzhOSM5FLmrzMciBXwQmsMh+G8Rg01CcdZLxWrHJYKgL1YqmPPmQm
vItDq6evsj2LdKFuN+9zIAPUZTyALXl6hd8BsRFWwCXyCkchEFXIZMeHmz0TYLAK
1S2mHrkrU5HP1o1YQNWBR4NOIHFmAEoqHtgXBSOxexdWyf0P4dJ8REB/iFVg5a7+
nEqIRweuhh4L3ld7aAPZtqZ1mSvGbos0++J60XwxZXddNaZHepPlybWleejXAU7+
LJT0QU5LlkGbyMXy62ii0ugBhCBrgITOqrdwPUH0prH4irRg/Wgf39R7f21f7Wt7
anJ4DNG8ft88OpUagsHCXY19PDQB0MJlyPQciTZNfGXDVlXwNImQKNlE+JTXJ4dg
PJttUxnar7CTcdTW2p8lmnvvp2mdpaSu6mOX6IVQOiRNJUXd+wdbmYtN8704kl3j
rx6yXQ1kNgU8n4FHbKVyLV+ua0ap2Om7HMLVdatAUMZTo5f3dHRM7ddbYcvhNxv1
RtaA0DSoMbs=
=v51R
-----END PGP SIGNATURE-----
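The OVERVIEW and MITIGATION sections above define the affected range as everything prior to 11.2.3, 11.1.6 and 11.0.6. The following Ruby script is an added example, not AusCERT's or GitLab's code, that turns that statement into a check an administrator can run against an inventory of instance version strings. It assumes GitLab reports versions as MAJOR.MINOR.PATCH with an optional suffix such as "-ee", and it treats a branch older than 11.0 as affected because the bulletin lists no fixed release for it.

```ruby
# Added example (not from the bulletin): classify GitLab version strings
# against the fixed releases named in ASB-2018.0205.
FIXED_RELEASES = %w[11.2.3 11.1.6 11.0.6].freeze

# Parse "MAJOR.MINOR.PATCH" into a comparable integer array. A trailing
# suffix such as "-ee" (assumed format of EE version strings) is ignored.
def parse_version(str)
  core = str.to_s.strip.sub(/-.*\z/, '')
  parts = core.split('.')
  unless parts.size == 3 && parts.all? { |p| p =~ /\A\d+\z/ }
    raise ArgumentError, "unrecognised version: #{str.inspect}"
  end
  parts.map(&:to_i)
end

# The fixed release on the same MAJOR.MINOR branch, or nil when the
# bulletin lists none for that branch.
def fixed_release_for(version)
  major, minor, = parse_version(version)
  FIXED_RELEASES.find { |f| parse_version(f)[0, 2] == [major, minor] }
end

# True when the version is "prior to" its branch's fixed release. Branches
# without a fixed release are affected if they are older than the oldest
# fixed release (e.g. 10.x); newer branches are outside the stated range.
def affected?(version)
  v = parse_version(version)
  fixed = fixed_release_for(version)
  if fixed
    (v <=> parse_version(fixed)).negative?
  else
    oldest = FIXED_RELEASES.map { |f| parse_version(f) }.min
    (v <=> oldest).negative?
  end
end

# Upgrade target: the same-branch fix, otherwise the newest fixed release.
def upgrade_target(version)
  fixed_release_for(version) ||
    FIXED_RELEASES.map { |f| parse_version(f) }.max.join('.')
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inventory; not real instance data.
  %w[11.2.2 11.2.3 11.1.5-ee 11.0.6 10.8.7 11.3.0].each do |v|
    status = affected?(v) ? "AFFECTED -> upgrade to #{upgrade_target(v)}" : 'not affected'
    puts "#{v.ljust(10)} #{status}"
  end
end
```

Comparing integer arrays with `<=>` avoids the classic mistake of comparing version strings lexically, where "11.10.0" would sort below "11.2.3".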
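The "Sensitive Data Disclosure in Sidekiq Logs" item describes import URL credentials reaching the worker logs. As an added example, not GitLab's fix and not part of the bulletin, the Ruby below shows the defensive pattern for that failure mode: strip the userinfo component from a URL before it is logged, and scrub any URL that appears in a log line. The log line and worker name used as input are constructed for the example and do not reproduce GitLab's actual log format.

```ruby
require 'uri'

# Added example (not GitLab's code): redact credentials embedded in URLs
# before they are written to a log.
URL_PATTERN = %r{\b[a-z][a-z0-9+.\-]*://\S+}i

# Return a copy of url with any user:password (or bare token) replaced by
# "[FILTERED]". URLs without userinfo are returned unchanged.
def redact_credentials(url)
  uri = URI.parse(url)
  return url if uri.userinfo.nil? || uri.userinfo.empty?
  uri.user = nil # clears both user and password on URI::Generic
  uri.to_s.sub("#{uri.scheme}://", "#{uri.scheme}://[FILTERED]@")
rescue URI::InvalidURIError
  # Never echo something we could not parse; it may still hold a secret.
  '[unparseable URL redacted]'
end

# Scrub every URL found in a single log line.
def scrub_log_line(line)
  line.gsub(URL_PATTERN) { |url| redact_credentials(url) }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample line; "ImportWorker" and the host are placeholders.
  sample = '2018-08-28T10:00:00Z ImportWorker INFO: start ' \
           'import_url=https://deploy:s3cr3t@git.example.com/group/repo.git'
  puts scrub_log_line(sample)
end
```

The regex deliberately consumes up to the next whitespace, so a URL followed by a closing bracket or quote keeps that character; that is acceptable for redaction, where over-matching is safer than under-matching.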