===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2018.0205
            GitLab Security Release: 11.2.3, 11.1.6, and 11.0.6
                              31 August 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              GitLab
Operating System:     Linux variants
                      Windows
                      Virtualisation
Impact/Access:        Cross-site Request Forgery -- Remote with User Interaction
                      Cross-site Scripting       -- Remote with User Interaction
                      Access Confidential Data   -- Existing Account            
Resolution:           Patch/Upgrade
Member content until: Sunday, September 30 2018

OVERVIEW

        Vulnerabilities have been discovered in GitLab Community Edition (CE)
        and Enterprise Edition (EE) prior to versions 11.2.3, 11.1.6, and 
        11.0.6. [1]


IMPACT

        The vendor has provided the following information regarding the 
        vulnerability:
        
        "Persistent XSS in Pipeline Tooltip
        
        The tooltip of the job inside the CI/CD pipeline was not properly
        sanitized which resulted in a persistent XSS. The issue is now
        resolved in the latest release and will be assigned a CVE shortly.
        
        Thanks to @fransrosen for responsibly reporting this vulnerability to
        us." [1]
        
        "GitLab.com GCP Endpoints Exposure
        
        Zeroconf endpoints in Google Cloud Platform (GCP) would have been
        accessible via webhooks post-migration. The issue is now resolved in
        the latest release for gitlab.com.
        
        Thanks to @fransrosen and @avlidienbrunn for responsibly reporting
        this vulnerability to us." [1]
        
        "Persistent XSS in Merge Request Changes View
        
        The Merge Request Changes view was not properly sanitizing certain
        hunk locations which resulted in a persistent XSS. The issue is now
        resolved in the latest release and will be assigned a CVE shortly.
        
        Thanks to @fransrosen for responsibly reporting this vulnerability to
        us." [1]
        
        "Sensitive Data Disclosure in Sidekiq Logs
        
        The project import url credentials were being output to the Sidekiq
        logs. The issue is now resolved in the latest release and will be
        assigned a CVE shortly.
        
        Thanks to @kevinksd and @Johlandabee for responsibly reporting this
        vulnerability to us." [1]
        
        "Missing CSRF in System Hooks
        
        There is a CSRF vulnerability which allows an attacker to resend
        requests to multiple hooks. The "resend request" CSRF token is
        missing. For this reason an attacker can trick a user of GitLab into
        performing an unwanted action on a System Hook for which the user is
        currently authenticated.
        
        Thanks to Lyubomir Tsirkov for responsibly reporting this
        vulnerability to us." [1]
        
        "Orphaned Upload Files Exposure
        
        Through various bugs, it is possible to orphan a project upload file
        so that it is not tracked by the uploads table. If the project is
        moved, then it is possible for another user to create a new project
        with the same path. Exporting that project will contain the orphaned
        file, thus exposing data. The issue is now resolved in the latest
        release and will be assigned a CVE shortly." [1]
        
        "Missing Authorization Control API Repository Storage
        
        Regular users are currently able to change the repository storage
        value using the API. The issue is now resolved in the latest release
        and will be assigned a CVE shortly." [1]
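
        The Sidekiq log disclosure above (project import URL credentials written
        to the worker log) is the kind of leak a log scrubber should catch before
        the line is written, and a log scan should surface afterwards. The Ruby
        below is an added example and not GitLab's own code: a small URL-credential
        redactor plus a scanner run over constructed Sidekiq-style JSON log lines;
        the log format, worker names, hosts and URLs are all constructed.

```ruby
require 'json'

# Matches "scheme://user[:password]@" in free text. Constructed pattern, not
# GitLab's sanitizer. Requiring a scheme avoids matching plain e-mail addresses;
# "[" is excluded from the user part because it is not legal unencoded userinfo,
# so text already masked with "[FILTERED]@" will not match a second time.
CRED_URL = %r{\b([a-z][a-z0-9+.\-]*://)([^\s/?@#:\[\]]+)(:[^\s/?@#]*)?@}i

# Return a copy of +text+ with any URL userinfo replaced by a fixed mask.
def redact_url_credentials(text)
  text.gsub(CRED_URL) { "#{Regexp.last_match(1)}[FILTERED]@" }
end

# True if +text+ still carries credentials embedded in a URL.
def leaks_credentials?(text)
  CRED_URL.match?(text)
end

# Scan Sidekiq-style JSON log lines (non-JSON lines are scanned as plain text)
# and return one finding per leaking line with a redacted copy safe to log.
def scan_sidekiq_log(lines)
  findings = []
  lines.each_with_index do |raw, idx|
    entry = begin
      JSON.parse(raw)
    rescue JSON::ParserError
      { 'message' => raw }
    end
    entry = { 'message' => raw } unless entry.is_a?(Hash)
    text = entry.values.map(&:to_s).join(' ')
    next unless leaks_credentials?(text)

    findings << { line: idx + 1,
                  worker: entry['class'] || 'unknown',
                  redacted: redact_url_credentials(raw) }
  end
  findings
end

# Constructed sample lines; not real GitLab output.
SAMPLE_LOG = [
  '{"class":"RepositoryImportWorker","args":[42,"https://alice:s3cret@git.example.com/acme/app.git"],"message":"start"}',
  '{"class":"PostReceive","args":["project-42"],"message":"done"}',
  '{"class":"EmailsOnPushWorker","args":["bob@example.com"],"message":"mail"}',
  'ImportWorker JID-abc args=["git@github.com:acme/app.git"] import_url=ssh://deploy:tok3n@host/repo.git'
].freeze

if __FILE__ == $PROGRAM_NAME
  scan_sidekiq_log(SAMPLE_LOG).each { |f| puts "line #{f[:line]} #{f[:worker]}: #{f[:redacted]}" }
end
```

        The scanner flags the import worker line and the plain-text line with the
        SSH import URL, while the e-mail address and the scp-style git address are
        left alone because neither carries a scheme-prefixed userinfo.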


MITIGATION

        GitLab versions 11.2.3, 11.1.6, and 11.0.6 have been released which
        address these vulnerabilities.
        
        The vendor advises:
        
        "Remediation
        
        We strongly recommend that all installations running an affected
        version above be upgraded to the latest version as soon as
        possible." [1]


REFERENCES

        [1] GitLab Security Release: 11.2.3, 11.1.6, and 11.0.6
            https://about.gitlab.com/2018/08/28/security-release-gitlab-11-dot-2-dot-2-released/

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================