-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
                   AUSCERT Security Bulletin ASB-2019.0226
          GitLab Security Release: 12.1.2, 12.0.4, and 11.11.7
                               2 August 2019
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           GitLab Community Edition
                   GitLab Enterprise Edition
Operating System:  Linux variants
                   Windows
Impact/Access:     Create Arbitrary Files          -- Existing Account
                   Cross-site Scripting            -- Existing Account
                   Denial of Service               -- Existing Account
                   Provide Misleading Information  -- Remote with User Interaction
                   Access Confidential Data        -- Remote/Unauthenticated
                   Unauthorised Access             -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-5474 CVE-2019-5473 CVE-2019-5472 CVE-2019-5471
                   CVE-2019-5470 CVE-2019-5469 CVE-2019-5468 CVE-2019-5467
                   CVE-2019-5466 CVE-2019-5465 CVE-2019-5464 CVE-2019-5463
                   CVE-2019-5462 CVE-2019-5461
Member content until: Sunday, September 1 2019

OVERVIEW

        Multiple vulnerabilities have been addressed in GitLab versions
        12.1.2, 12.0.4, and 11.11.7. [1]


IMPACT

        The vendor has supplied the following information regarding the
        vulnerabilities:

        "GitHub Integration SSRF

        An input validation problem was discovered in the GitHub service
        integration which could result in an attacker being able to make
        arbitrary POST requests in a GitLab instance's internal network.
        The issue is now mitigated in the latest release and is assigned
        CVE-2019-5461.

        Thanks to @jobert for responsibly reporting this vulnerability to us.

        Versions Affected

        Affects GitLab CE/EE 10.6 and later.

        Remediation

        We strongly recommend that all installations running an affected
        version above are upgraded to the latest version as soon as possible.

        Trigger Token Impersonation

        An authorization issue was discovered when trigger tokens are not
        rotated once ownership of them has changed. The issue is now
        mitigated in the latest release and is assigned CVE-2019-5462.

        Thanks to @ashish_r_padelkar for responsibly reporting this
        vulnerability to us.

        Versions Affected

        Affects GitLab CE/EE 9.0 and later.

        Remediation

        We strongly recommend that all installations running an affected
        version above are upgraded to the latest version as soon as possible.

        Build Status Disclosure

        An authorization issue was discovered in the CI badge images
        endpoint which could result in disclosure of the build status. The
        issue is now mitigated in the latest release and is assigned
        CVE-2019-5463.

        Thanks to @xanbanx for responsibly reporting this vulnerability to us.

        Versions Affected

        Affects all previous GitLab CE/EE versions.

        Remediation

        We strongly recommend that all installations running an affected
        version above are upgraded to the latest version as soon as possible.

        SSRF Mitigation Bypass

        A flawed DNS rebinding protection issue was discovered in
        url_blocker.rb which could result in SSRF where the library is
        utilized. The issue is now mitigated in the latest release and is
        assigned CVE-2019-5464.

        Thanks to @mclaren650sspider for responsibly reporting this
        vulnerability to us.

        Versions Affected

        Affects GitLab CE/EE 10.2 and later.

        Remediation

        We strongly recommend that all installations running an affected
        version above are upgraded to the latest version as soon as possible.

        Information Disclosure New Issue ID

        An authorization issue was discovered in the move issue feature
        which could result in disclosure of the newly created issue ID. The
        issue is now mitigated in the latest release and is assigned
        CVE-2019-5465.

        Thanks to @ashish_r_padelkar for responsibly reporting this
        vulnerability to us.

        Versions Affected

        Affects GitLab CE/EE 8.14 and later.

        Remediation

        We strongly recommend that all installations running an affected
        version above are upgraded to the latest version as soon as possible.

        IDOR Label Name Enumeration

        An IDOR was discovered in the new merge requests endpoint which
        could result in disclosure of label names. The issue is now
        mitigated in the latest release and is assigned CVE-2019-5466.

        Thanks to @ashish_r_padelkar for responsibly reporting this
        vulnerability to us.

        Versions Affected

        Affects GitLab CE/EE 11.5 and later.

        Remediation

        We strongly recommend that all installations running an affected
        version above are upgraded to the latest version as soon as possible.

        Persistent XSS Wiki Pages

        An input validation and output encoding issue was discovered in the
        wiki pages feature which could result in a persistent XSS. The issue
        is now mitigated in the latest release and is assigned CVE-2019-5467.

        Thanks to @ryhmnlfj for responsibly reporting this vulnerability to us.

        Versions Affected

        Affects GitLab CE/EE 11.10 and later.

        Remediation

        We strongly recommend that all installations running an affected
        version above are upgraded to the latest version as soon as possible.

        User Revocation Bypass with Mattermost Integration

        An authorization issue was discovered when Mattermost slash commands
        are used with a blocked account. The issue is now mitigated in the
        latest release and is assigned CVE-2019-5468.

        Thanks to @logan5 for responsibly reporting this vulnerability to us.

        Versions Affected

        Affects GitLab CE/EE 8.14 command service and later.

        Remediation

        We strongly recommend that all installations running an affected
        version above are upgraded to the latest version as soon as possible.

        Arbitrary File Upload via Import Project Archive

        A file upload issue was discovered when importing a project archive.
        The issue is now mitigated in the latest release and is assigned
        CVE-2019-5469.

        Thanks to @ajxchapman for responsibly reporting this vulnerability
        to us.

        Versions Affected

        Affects GitLab CE/EE 10.5 and later.

        Remediation

        We strongly recommend that all installations running an affected
        version above are upgraded to the latest version as soon as possible.

        Information Disclosure Vulnerability Feedback

        An authorization issue was discovered in the security dashboard
        which could result in disclosure of vulnerability feedback
        information. The issue is now mitigated in the latest release and
        is assigned CVE-2019-5470.

        Thanks to @ashish_r_padelkar for responsibly reporting this
        vulnerability to us.

        Versions Affected

        Affects GitLab CE/EE 10.8 and later.

        Remediation

        We strongly recommend that all installations running an affected
        version above are upgraded to the latest version as soon as possible.

        Persistent XSS via Email

        An input validation and output encoding issue was discovered in the
        email notification feature which could result in a persistent XSS.
        The issue is now mitigated in the latest release and is assigned
        CVE-2019-5471.

        Thanks to @mario-areias for responsibly reporting this vulnerability
        to us.

        Versions Affected

        Affects GitLab EE 8.9 and later.

        Remediation

        We strongly recommend that all installations running an affected
        version above are upgraded to the latest version as soon as possible.

        Denial Of Service Epic Comments

        An authorization issue was discovered that forbade deleting epic
        comments. The issue is now mitigated in the latest release and is
        assigned CVE-2019-5472.

        Thanks to @ashish_r_padelkar for responsibly reporting this
        vulnerability to us.

        Versions Affected

        Affects all previous GitLab EE 10.7 and later.

        Remediation

        We strongly recommend that all installations running an affected
        version above are upgraded to the latest version as soon as possible.

        Email Verification Bypass

        An authentication issue was discovered that allowed bypassing email
        verification. The issue is now mitigated in the latest release and
        is assigned CVE-2019-5473.

        Thanks to @ngalog for responsibly reporting this vulnerability to us.

        Versions Affected

        Affects GitLab EE 12.0 and later.

        Remediation

        We strongly recommend that all installations running an affected
        version above are upgraded to the latest version as soon as possible.

        Override Merge Request Approval Rules

        An authorization issue was discovered in the merge request approval
        rules. The issue is now mitigated in the latest release and is
        assigned CVE-2019-5474.

        Thanks to @ashish_r_padelkar for responsibly reporting this
        vulnerability to us.

        Versions Affected

        Affects GitLab EE 11.8 and later." [1]


MITIGATION

        The vendor recommends upgrading to the latest release as soon as
        possible.


REFERENCES

        [1] GitLab Security Release: 12.1.2, 12.0.4, and 11.11.7
            https://about.gitlab.com/2019/07/29/security-release-gitlab-12-dot-1-dot-2-released/

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXUPA3GaOgq3Tt24GAQjWwxAAs4AvfRUSv2qwXXbrb5wDi/y3Jp2z3dgq
dgdcCbryrvtxiFStAfis6SFjk30R2bOTi+Omco3e8AN9my7C6Nd29CkCvusNGEUF
NvP70P/uQMhG2VoM+jLRyaF2xXYgwndXFaWSz+7s1/b6RAOnQuQv/xMABm76R+Ss
HNUiDgox30vldfw+tS62h0B60ZX0OoxVzsDqUGqqniZ6lIFPTax5uA1Z8rZW1/3b
UV5AHI+0qgb+S13vpnY5sXeSZcu/IFi+cv/Rjq/Xctc0M1TGMph+6ZQLjEGTfgPX
aC7bANFiEUFjlWnIz9v2q3GpDA7ppY1C6flM0VyIyUfiI8jYNSqDWGqB5rk+v0gr
ucrVu54a/yLmR4/dcUt+qMVWiWXtHMxo+WL9XssG9PP1V3+Zc2TMGIepdqRad6aL
8cw3z+4rAknjF8Yp9WQtuLCPMe4XKgAhoZdoIRCBuOE/TE5lozpdFSUoXpGLlvDJ
4fwafkD4oh6ul8A3ZlKjZYlfqTSFisrsrnoGtQP3wVtM8CoE91VVACUqzzGjLAhW
o72PBxsJsl3DY7D/YmK8Tyqrs5qa5goyFRN1gHhFi8VIY0PQoqQHyiR5NpAFiHzY
s/PPIb5UZxg6ZRHCZRCyCR1EF5Rex9DvXzZhVuRt/EksZSVwVcG/zd6FAvkQXOSW
BAzlsM3NCaQ=
=OQwo
-----END PGP SIGNATURE-----
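The "SSRF Mitigation Bypass" item above (CVE-2019-5464) describes a flawed DNS rebinding protection in url_blocker.rb. The Ruby below is an added example, not GitLab's code and not part of the AusCERT bulletin: a hypothetical SafeUrlFetcher module showing the defensive pattern a server-side URL blocker needs, which is to resolve the hostname once, refuse the request if any answer falls in an internal range, and hand the caller a pinned IP address so that the HTTP client never performs a second, attacker-controlled lookup. The check-by-name-then-reconnect pattern that rebinding defeats is shown beside it for contrast. ScriptedResolver, the blocked address ranges, and the hostnames used in the demonstration are all constructed for this example.

```ruby
require 'ipaddr'
require 'resolv'
require 'uri'

# Hypothetical SafeUrlFetcher (added example; not GitLab's url_blocker.rb).
module SafeUrlFetcher
  class BlockedUrlError < StandardError; end

  # Address space a server-side fetcher must never reach on a user's behalf
  # (constructed list: loopback, RFC 1918, link-local, CGNAT, IPv6 ULA).
  BLOCKED_RANGES = %w[
    0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16
    172.16.0.0/12 192.168.0.0/16 ::1/128 fc00::/7 fe80::/10
  ].map { |cidr| IPAddr.new(cidr) }.freeze

  # True when the address lands in a blocked range. IPv4-mapped IPv6 forms
  # such as ::ffff:10.0.0.1 are unwrapped first so they cannot slip past
  # the IPv4 ranges.
  def self.blocked_ip?(ip)
    addr = IPAddr.new(ip.to_s)
    addr = addr.native if addr.ipv6? && addr.ipv4_mapped?
    BLOCKED_RANGES.any? { |range| range.include?(addr) }
  end

  # Real resolver; injectable so the demonstration runs offline.
  DEFAULT_RESOLVER = ->(host) { Resolv.getaddresses(host) }

  # Constructed resolver that replays scripted answer sets, one per lookup,
  # repeating the last set. Models a zone whose answers change between
  # lookups, which is what a DNS rebinding attack relies on.
  class ScriptedResolver
    attr_reader :lookups
    def initialize(*answer_sets)
      @answers = answer_sets
      @lookups = 0
    end

    def call(_host)
      @lookups += 1
      @answers.length > 1 ? @answers.shift : @answers.first
    end
  end

  # Safe pattern: parse, resolve exactly once, reject if ANY answer is
  # internal, and return the pinned IP. The caller opens the socket to :ip
  # and sends :host in the Host header and SNI, so no second lookup happens.
  def self.connect_plan(url, resolver: DEFAULT_RESOLVER)
    uri = URI.parse(url)
    unless %w[http https].include?(uri.scheme)
      raise BlockedUrlError, "scheme not allowed: #{uri.scheme.inspect}"
    end
    host = uri.host
    raise BlockedUrlError, 'missing host' if host.nil? || host.empty?

    literal = host.delete_prefix('[').delete_suffix(']')
    addresses = begin
      [IPAddr.new(literal).to_s]      # literal IP: nothing to resolve
    rescue IPAddr::InvalidAddressError
      Array(resolver.call(literal))   # hostname: the single lookup
    end
    raise BlockedUrlError, "unresolvable host: #{host}" if addresses.empty?

    bad = addresses.select { |ip| blocked_ip?(ip) }
    unless bad.empty?
      raise BlockedUrlError, "#{host} resolves to blocked address(es): #{bad.join(', ')}"
    end

    { host: host, port: uri.port, ip: addresses.first }
  end

  # Flawed pattern, for contrast: the name is validated, then the HTTP
  # client resolves it again when connecting. With a rebinding resolver the
  # check sees a public address while the connection goes to the second one.
  def self.unpinned_connect_ip(url, resolver:)
    uri = URI.parse(url)
    check = resolver.call(uri.host)
    raise BlockedUrlError, 'blocked' if check.any? { |ip| blocked_ip?(ip) }
    resolver.call(uri.host).first     # second lookup, attacker-controlled
  end
end

if $PROGRAM_NAME == __FILE__
  rebinding = SafeUrlFetcher::ScriptedResolver.new(['203.0.113.10'], ['127.0.0.1'])
  puts "unpinned connects to: #{SafeUrlFetcher.unpinned_connect_ip('http://hook.example/', resolver: rebinding)}"
  pinned = SafeUrlFetcher::ScriptedResolver.new(['203.0.113.10'], ['127.0.0.1'])
  plan = SafeUrlFetcher.connect_plan('http://hook.example/', resolver: pinned)
  puts "pinned plan: #{plan} after #{pinned.lookups} lookup(s)"
end
```

The pinned IP is only half of the fix: the HTTP client must actually be given that IP (with the original hostname supplied for the Host header and TLS SNI), and any redirect it follows must go back through connect_plan, otherwise a 302 to an internal address reintroduces the same gap.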