===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.2484
        GitLab Security Release: 12.0.3, 11.11.5, and 11.10.8
                                8 July 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           GitLab CE/EE
Publisher:         Gitlab
Operating System:  BSD variants
                   UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Modify Arbitrary Files   -- Existing Account
                   Denial of Service        -- Existing Account
                   Access Confidential Data -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-13121 CVE-2019-13011 CVE-2019-13010 CVE-2019-13009
                   CVE-2019-13007 CVE-2019-13006 CVE-2019-13005 CVE-2019-13004
                   CVE-2019-13003 CVE-2019-13002 CVE-2019-13001

Original Bulletin:
   https://about.gitlab.com/2019/07/03/security-release-gitlab-12-dot-0-dot-3-released/

--------------------------BEGIN INCLUDED TEXT--------------------

Today we are releasing versions 12.0.3, 11.11.5, and 11.10.8 for GitLab
Community Edition (CE) and Enterprise Edition (EE).

These versions contain important security fixes, and we strongly recommend
that all GitLab installations be upgraded to one of these versions
immediately.

The vulnerability details will be made public on our issue tracker in
approximately 30 days.

Please read on for more information regarding this release.

Ability to Write a Note to a Private Snippet
--------------------------------------------

GitLab Snippets were vulnerable to an authorization issue that allowed
unauthorized users to add comments to a private snippet. The issue is now
mitigated in the latest release and is assigned CVE-2019-13001.

Thanks to @executor for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab CE/EE 11.9 and later.

Remediation

We strongly recommend that all installations running an affected version
above are upgraded to the latest version as soon as possible.
Recent Pipeline Information Disclosed to Unauthorised Users
-----------------------------------------------------------

Unauthorised users were able to read pipeline information of the last merge
request. The issue is now mitigated in the latest release and is assigned
CVE-2019-13002.

Thanks to @xanbanx for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab CE/EE 11.10 and later.

Remediation

We strongly recommend that all installations running an affected version
above are upgraded to the latest version as soon as possible.

Resource Exhaustion Attack
--------------------------

One of the parsers used by GitLab CI was vulnerable to a resource
exhaustion attack. The issue is now mitigated in the latest release and is
assigned CVE-2019-13003.

Thanks to @leipert for responsibly reporting this vulnerability to us.

Versions Affected

Affects all versions of GitLab CE/EE.

Remediation

We strongly recommend that all installations running an affected version
above are upgraded to the latest version as soon as possible.

Error Caused by Encoded Characters in Comments
----------------------------------------------

When specific encoded characters were added to comments, the comments
section would become inaccessible. The issue is now mitigated in the latest
release and is assigned CVE-2019-13004.

Thanks to @newbiemole for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab CE/EE 11.1 and later.

Remediation

We strongly recommend that all installations running an affected version
above are upgraded to the latest version as soon as possible.

Authorization Issues in GraphQL
-------------------------------

The GitLab GraphQL service was vulnerable to multiple authorization issues
that disclosed restricted user, group, and repository metadata to
unauthorized users. The issue is now mitigated in the latest release and is
assigned CVE-2019-13005.

Thanks to @rpadovani and @xanbanx for responsibly reporting this
vulnerability to us.

Versions Affected

Affects GitLab CE/EE 11.10 and later.
Remediation

We strongly recommend that all installations running an affected version
above are upgraded to the latest version as soon as possible.

Number of Merge Requests was Accessible
---------------------------------------

Users with access to issues, but not the repository, were able to view the
number of related merge requests on an issue. The issue is now mitigated in
the latest release and is assigned CVE-2019-13006.

Thanks to @xanbanx for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab CE/EE 9.0 and later.

Remediation

We strongly recommend that all installations running an affected version
above are upgraded to the latest version as soon as possible.

Enabling One of the Service Templates Could Cause Resource Depletion
--------------------------------------------------------------------

When an admin enabled one of the service templates, it triggered an action
that leads to resource depletion. The issue is now mitigated in the latest
release and is assigned CVE-2019-13007.

Versions Affected

Affects GitLab CE/EE 11.11 and later.

Remediation

We strongly recommend that all installations running an affected version
above are upgraded to the latest version as soon as possible.

Broken Access Control for the Content of Personal Snippets
----------------------------------------------------------

Uploaded files associated with unsaved personal snippets were accessible to
unauthorized users due to improper permission settings. The issue is now
mitigated in the latest release and is assigned CVE-2019-13009.

Thanks to @mkozono for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab CE/EE 9.2 and later.

Remediation

We strongly recommend that all installations running an affected version
above are upgraded to the latest version as soon as possible.

Decoding Color Codes Caused Resource Depletion
----------------------------------------------

The color codes decoder was vulnerable to a resource depletion attack if
specific formats were used. The issue is now mitigated in the latest release
and is assigned CVE-2019-13010.

Thanks to @8ayac for responsibly reporting this vulnerability to us.
Versions Affected

Affects GitLab CE/EE 8.3 and later.

Remediation

We strongly recommend that all installations running an affected version
above are upgraded to the latest version as soon as possible.

Merge Request Template Name Disclosure
--------------------------------------

By using brute force, a user with access to a project, but not its
repository, could create a list of merge request template names. The issue
is now mitigated in the latest release and is assigned CVE-2019-13011.

Thanks to @ashish_r_padelkar for responsibly reporting this vulnerability
to us.

Versions Affected

Affects GitLab EE 8.11.0 and later.

Remediation

We strongly recommend that all installations running an affected version
above are upgraded to the latest version as soon as possible.

SSRF Vulnerability in Project GitHub Integration
------------------------------------------------

The GitHub project integration was vulnerable to an SSRF vulnerability which
allowed an attacker to make requests to local network resources. The issue
is now mitigated in the latest release and is assigned CVE-2019-13121.

Thanks to @ngalog for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab EE 10.6 and later.

Remediation

We strongly recommend that all installations running an affected version
above are upgraded to the latest version as soon as possible.

Updating
--------

To update GitLab, see the Update page.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you
do not know who that is, please send an email to auscert@auscert.org.au and
we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members.
As AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to follow or act on information or
advice contained in this security bulletin is the responsibility of each
user or organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting on
information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================