-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT Security Bulletin
ASB-2019.0226
GitLab Security Release: 12.1.2, 12.0.4, and 11.11.7
2 August 2019
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product:           GitLab Community Edition
                   GitLab Enterprise Edition
Operating System:  Linux variants
                   Windows
Impact/Access:     Create Arbitrary Files          -- Existing Account
                   Cross-site Scripting            -- Existing Account
                   Denial of Service               -- Existing Account
                   Provide Misleading Information  -- Remote with User Interaction
                   Access Confidential Data        -- Remote/Unauthenticated
                   Unauthorised Access             -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-5474 CVE-2019-5473 CVE-2019-5472
                   CVE-2019-5471 CVE-2019-5470 CVE-2019-5469
                   CVE-2019-5468 CVE-2019-5467 CVE-2019-5466
                   CVE-2019-5465 CVE-2019-5464 CVE-2019-5463
                   CVE-2019-5462 CVE-2019-5461
Member content until: Sunday, September 1 2019
OVERVIEW
Multiple vulnerabilities have been addressed in GitLab versions
12.1.2, 12.0.4, and 11.11.7. [1]
IMPACT
The vendor has supplied the following information regarding the
vulnerabilities:
"GitHub Integration SSRF
An input validation problem was discovered in the GitHub service
integration which could result in an attacker being able to make
arbitrary POST requests in a GitLab instance's internal network. The
issue is now mitigated in the latest release and is assigned
CVE-2019-5461.
Thanks to @jobert for responsibly reporting this vulnerability to
us.
Versions Affected
Affects GitLab CE/EE 10.6 and later.
Remediation
We strongly recommend that all installations running an affected
version above are upgraded to the latest version as soon as
possible.
Trigger Token Impersonation
An authorization issue was discovered when trigger tokens are not
rotated once ownership of them has changed. The issue is now
mitigated in the latest release and is assigned CVE-2019-5462.
Thanks to @ashish_r_padelkar for responsibly reporting this
vulnerability to us.
Versions Affected
Affects GitLab CE/EE 9.0 and later.
Remediation
We strongly recommend that all installations running an affected
version above are upgraded to the latest version as soon as
possible.
Build Status Disclosure
An authorization issue was discovered in the CI badge images
endpoint which could result in disclosure of the build status. The
issue is now mitigated in the latest release and is assigned
CVE-2019-5463.
Thanks to @xanbanx for responsibly reporting this vulnerability to
us.
Versions Affected
Affects all previous GitLab CE/EE versions.
Remediation
We strongly recommend that all installations running an affected
version above are upgraded to the latest version as soon as
possible.
SSRF Mitigation Bypass
A flawed DNS rebinding protection issue was discovered in
url_blocker.rb which could result in SSRF where the library is
utilized. The issue is now mitigated in the latest release and is
assigned CVE-2019-5464.
Thanks to @mclaren650sspider for responsibly reporting this
vulnerability to us.
Versions Affected
Affects GitLab CE/EE 10.2 and later.
Remediation
We strongly recommend that all installations running an affected
version above are upgraded to the latest version as soon as
possible.
Information Disclosure New Issue ID
An authorization issue was discovered in the move issue feature
which could result in disclosure of the newly created issue ID. The
issue is now mitigated in the latest release and is assigned
CVE-2019-5465.
Thanks to @ashish_r_padelkar for responsibly reporting this
vulnerability to us.
Versions Affected
Affects GitLab CE/EE 8.14 and later.
Remediation
We strongly recommend that all installations running an affected
version above are upgraded to the latest version as soon as
possible.
IDOR Label Name Enumeration
An IDOR was discovered in the new merge requests endpoint which
could result in disclosure of label names. The issue is now
mitigated in the latest release and is assigned CVE-2019-5466.
Thanks to @ashish_r_padelkar for responsibly reporting this
vulnerability to us.
Versions Affected
Affects GitLab CE/EE 11.5 and later.
Remediation
We strongly recommend that all installations running an affected
version above are upgraded to the latest version as soon as
possible.
Persistent XSS Wiki Pages
An input validation and output encoding issue was discovered in the
wiki pages feature which could result in a persistent XSS. The issue
is now mitigated in the latest release and is assigned
CVE-2019-5467.
Thanks to @ryhmnlfj for responsibly reporting this vulnerability to
us.
Versions Affected
Affects GitLab CE/EE 11.10 and later.
Remediation
We strongly recommend that all installations running an affected
version above are upgraded to the latest version as soon as
possible.
User Revocation Bypass with Mattermost Integration
An authorization issue was discovered when Mattermost slash commands
are used with a blocked account. The issue is now mitigated in the
latest release and is assigned CVE-2019-5468.
Thanks to @logan5 for responsibly reporting this vulnerability to
us.
Versions Affected
Affects GitLab CE/EE 8.14 command service and later.
Remediation
We strongly recommend that all installations running an affected
version above are upgraded to the latest version as soon as
possible.
Arbitrary File Upload via Import Project Archive
A file upload issue was discovered when importing a project archive.
The issue is now mitigated in the latest release and is assigned
CVE-2019-5469.
Thanks to @ajxchapman for responsibly reporting this vulnerability
to us.
Versions Affected
Affects GitLab CE/EE 10.5 and later.
Remediation
We strongly recommend that all installations running an affected
version above are upgraded to the latest version as soon as
possible.
Information Disclosure Vulnerability Feedback
An authorization issue was discovered in the security dashboard
which could result in disclosure of vulnerability feedback
information. The issue is now mitigated in the latest release and is
assigned CVE-2019-5470.
Thanks to @ashish_r_padelkar for responsibly reporting this
vulnerability to us.
Versions Affected
Affects GitLab CE/EE 10.8 and later.
Remediation
We strongly recommend that all installations running an affected
version above are upgraded to the latest version as soon as
possible.
Persistent XSS via Email
An input validation and output encoding issue was discovered in the
email notification feature which could result in a persistent XSS.
The issue is now mitigated in the latest release and is assigned
CVE-2019-5471.
Thanks to @mario-areias for responsibly reporting this vulnerability
to us.
Versions Affected
Affects GitLab EE 8.9 and later.
Remediation
We strongly recommend that all installations running an affected
version above are upgraded to the latest version as soon as
possible.
Denial Of Service Epic Comments
An authorization issue was discovered that forbade deleting epic
comments. The issue is now mitigated in the latest release and is
assigned CVE-2019-5472.
Thanks to @ashish_r_padelkar for responsibly reporting this
vulnerability to us.
Versions Affected
Affects all previous GitLab EE 10.7 and later.
Remediation
We strongly recommend that all installations running an affected
version above are upgraded to the latest version as soon as
possible.
Email Verification Bypass
An authentication issue was discovered that allowed email
verification to be bypassed. The issue is now mitigated in the latest
release and
is assigned CVE-2019-5473.
Thanks to @ngalog for responsibly reporting this vulnerability to
us.
Versions Affected
Affects GitLab EE 12.0 and later.
Remediation
We strongly recommend that all installations running an affected
version above are upgraded to the latest version as soon as
possible.
Override Merge Request Approval Rules
An authorization issue was discovered in the merge request approval
rules. The issue is now mitigated in the latest release and is
assigned CVE-2019-5474.
Thanks to @ashish_r_padelkar for responsibly reporting this
vulnerability to us.
Versions Affected
Affects GitLab EE 11.8 and later." [1]
MITIGATION
The vendor recommends upgrading to the latest release as soon as possible.
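The SSRF mitigation bypass (CVE-2019-5464) above concerns a flawed DNS rebinding protection in url_blocker.rb: a hostname that passes the private-address check at validation time can resolve to a different address when the connection is actually made. The Ruby below is an added illustration, not GitLab's url_blocker.rb, showing the rebinding-prone check-then-reconnect pattern beside the resolve-once-and-pin form; BLOCKED_RANGES, fetch_unpinned, fetch_pinned and the constructed rebinding_resolver are all names assumed for this example.

```ruby
require "ipaddr"

# Address ranges an internal-network SSRF would reach (assumed list for this
# example; a real deployment extends it to its own internal prefixes).
BLOCKED_RANGES = %w[
  127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16
  ::1/128 fc00::/7 fe80::/10
].map { |cidr| IPAddr.new(cidr) }

def blocked_ip?(ip)
  addr = IPAddr.new(ip)
  # IPAddr#include? returns false when address families differ, so mixing
  # IPv4 and IPv6 ranges in one list is safe.
  BLOCKED_RANGES.any? { |range| range.include?(addr) }
end

# Rebinding-prone pattern: the check resolves the name, then the HTTP client
# resolves it again when connecting. A record that changes between the two
# lookups passes the check but sends the request to the second answer.
def fetch_unpinned(hostname, resolver)
  checked = Array(resolver.call(hostname)).first
  raise ArgumentError, "blocked address #{checked}" if blocked_ip?(checked)
  Array(resolver.call(hostname)).first # destination the client really uses
end

# Hardened pattern: resolve exactly once, reject if any returned address is
# blocked, and connect to the validated literal IP (the hostname is carried
# only in the Host header / SNI), so no later lookup can move the destination.
def fetch_pinned(hostname, resolver)
  addrs = Array(resolver.call(hostname))
  bad = addrs.find { |ip| blocked_ip?(ip) }
  raise ArgumentError, "blocked address #{bad}" if bad
  addrs.first
end

# Constructed stand-in for DNS: hands out each answer in turn and then repeats
# the last one, imitating a record that flips from a public to a private IP.
def rebinding_resolver(answers)
  queue = answers.dup
  ->(_hostname) { queue.length > 1 ? queue.shift : queue.first }
end

if __FILE__ == $PROGRAM_NAME
  r = rebinding_resolver(["93.184.216.34", "10.0.0.5"])
  puts "unpinned connects to #{fetch_unpinned('rebinding.example', r)}"
  r = rebinding_resolver(["93.184.216.34", "10.0.0.5"])
  puts "pinned connects to #{fetch_pinned('rebinding.example', r)}"
end
```

Running the script shows the unpinned variant ending up at 10.0.0.5 while the pinned variant stays on the address it validated; the same pinning has to hold across HTTP redirects, each of which is a fresh URL to check.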
REFERENCES
[1] GitLab Security Release: 12.1.2, 12.0.4, and 11.11.7
https://about.gitlab.com/2019/07/29/security-release-gitlab-12-dot-1-dot-2-released/
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----