-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.2484
           GitLab Security Release: 12.0.3, 11.11.5, and 11.10.8
                                8 July 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           GitLab CE/EE
Publisher:         Gitlab
Operating System:  BSD variants
                   UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Modify Arbitrary Files   -- Existing Account
                   Denial of Service        -- Existing Account
                   Access Confidential Data -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-13121 CVE-2019-13011 CVE-2019-13010
                   CVE-2019-13009 CVE-2019-13007 CVE-2019-13006
                   CVE-2019-13005 CVE-2019-13004 CVE-2019-13003
                   CVE-2019-13002 CVE-2019-13001 

Original Bulletin: 
   https://about.gitlab.com/2019/07/03/security-release-gitlab-12-dot-0-dot-3-released/

- --------------------------BEGIN INCLUDED TEXT--------------------

Today we are releasing versions 12.0.3, 11.11.5, and 11.10.8 for GitLab 
Community Edition (CE) and Enterprise Edition (EE).

These versions contain important security fixes, and we strongly recommend 
that all GitLab installations be upgraded to one of these versions 
immediately.

The vulnerability details will be made public on our issue tracker in 
approximately 30 days.

Please read on for more information regarding this release.

Ability to Write a Note to a Private Snippet

GitLab Snippets were vulnerable to an authorization issue that allowed 
unauthorized users to add comments to a private snippet. The issue is now 
mitigated in the latest release and is assigned CVE-2019-13001.

Thanks to @executor for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab CE/EE 11.9 and later.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

Recent Pipeline Information Disclosed to Unauthorised Users

Unauthorised users were able to read pipeline information of the last merge 
request. The issue is now mitigated in the latest release and is assigned 
CVE-2019-13002.

Thanks to @xanbanx for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab CE/EE 11.10 and later.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

Resource Exhaustion Attack

One of the parsers used by GitLab CI was vulnerable to a resource exhaustion 
attack. The issue is now mitigated in the latest release and is assigned 
CVE-2019-13003.

Thanks to @leipert for responsibly reporting this vulnerability to us.

Versions Affected

Affects all versions of GitLab CE/EE.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

Error Caused by Encoded Characters in Comments

When specific encoded characters were added to comments, the comments section
would become inaccessible. The issue is now mitigated in the latest release 
and is assigned CVE-2019-13004.

Thanks to @newbiemole for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab CE/EE 11.1 and later.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

Authorization Issues in GraphQL

The GitLab GraphQL service was vulnerable to multiple authorization issues 
that disclosed restricted user, group, and repository metadata to unauthorized
users. The issue is now mitigated in the latest release and is assigned 
CVE-2019-13005.

Thanks to @rpadovani and @xanbanx for responsibly reporting this vulnerability
to us.

Versions Affected

Affects GitLab CE/EE 11.10 and later.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

Number of Merge Requests was Accessible

Users with access to issues, but not the repository, were able to view the 
number of related merge requests on an issue. The issue is now mitigated in 
the latest release and is assigned CVE-2019-13006.

Thanks to @xanbanx for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab CE/EE 9.0 and later.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

Enabling One of the Service Templates Could Cause Resource Depletion

When an admin enabled one of the service templates, it triggered an action 
that led to resource depletion. The issue is now mitigated in the latest 
release and is assigned CVE-2019-13007.

Versions Affected

Affects GitLab CE/EE 11.11 and later.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

Broken Access Control for the Content of Personal Snippets

Uploaded files associated with unsaved personal snippets were accessible to 
unauthorized users due to improper permission settings. The issue is now 
mitigated in the latest release and is assigned CVE-2019-13009.

Thanks to @mkozono for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab CE/EE 9.2 and later.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

Decoding Color Codes Caused Resource Depletion

The color codes decoder was vulnerable to a resource depletion attack if 
specific formats were used. The issue is now mitigated in the latest release 
and is assigned CVE-2019-13010.

Thanks to @8ayac for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab CE/EE 8.3 and later.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

Merge Request Template Name Disclosure

By brute force, a user with access to a project, but not its repository, 
could enumerate the names of the project's merge request templates. The issue 
is now mitigated in the latest release and is assigned CVE-2019-13011.

Thanks to @ashish_r_padelkar for responsibly reporting this vulnerability to 
us.

Versions Affected

Affects GitLab EE 8.11.0 and later.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

SSRF Vulnerability in Project GitHub Integration

The GitHub project integration was vulnerable to an SSRF vulnerability which 
allowed an attacker to make requests to local network resources. The issue is
now mitigated in the latest release and is assigned CVE-2019-13121.

Thanks to @ngalog for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab EE 10.6 and later.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.
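The SSRF section above says only that the GitHub integration could be made to
reach local network resources. The check below is an added example, not
GitLab's own fix, of the validation a practitioner would put in front of any
outbound request an integration makes on a user-supplied URL: the scheme, the
host, and every address the host resolves to are screened against loopback,
private, link-local (which includes the 169.254.169.254 cloud metadata
address), and IPv4-mapped IPv6 ranges. The resolver is injected so the block
runs offline; SAMPLE_DNS, the hostnames in it, and the addresses they map to
are constructed for illustration.

```python
"""Outbound-URL guard against SSRF into local network resources.

Added example, not GitLab code. SAMPLE_DNS is a constructed stand-in for a
real resolver such as socket.getaddrinfo().
"""
from __future__ import annotations

import ipaddress
from typing import Callable, Iterable
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Constructed DNS records: one public host, one that points at the cloud
# metadata address, and one that returns a public and a loopback address.
SAMPLE_DNS = {
    "api.example-git.test": ["93.184.216.34"],
    "metadata.corp.test": ["169.254.169.254"],
    "rebind.test": ["93.184.216.34", "127.0.0.1"],
}


def sample_resolve(host: str) -> list[str]:
    """Stand-in resolver; unknown names resolve to nothing."""
    return SAMPLE_DNS.get(host, [])


def is_local_address(addr: ipaddress.IPv4Address | ipaddress.IPv6Address) -> bool:
    """True for loopback, RFC 1918/ULA, link-local, unspecified, multicast and
    reserved addresses, unwrapping IPv4-mapped IPv6 (::ffff:a.b.c.d) first."""
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_unspecified or addr.is_multicast or addr.is_reserved)


def validate_outbound_url(url: str,
                          resolve: Callable[[str], Iterable[str]]) -> list[str]:
    """Return the vetted addresses the caller may connect to, or raise ValueError.

    The caller should connect to one of the returned addresses (sending the
    original Host header) instead of resolving the name again; otherwise a
    second DNS answer could swap in a local address after this check passed.
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise ValueError("URL has no host")
    if parts.username or parts.password:
        raise ValueError("credentials in URL are not allowed")
    try:
        addrs = [ipaddress.ip_address(host)]          # literal IP in the URL
    except ValueError:
        addrs = [ipaddress.ip_address(a) for a in resolve(host)]
    if not addrs:
        raise ValueError(f"{host!r} did not resolve")
    for addr in addrs:                                # every answer must pass
        if is_local_address(addr):
            raise ValueError(f"{url!r} resolves to local address {addr}")
    return [str(a) for a in addrs]


def blocked_reason(url: str, resolve=sample_resolve) -> str | None:
    """None if the URL passes the guard, otherwise the reason it was rejected."""
    try:
        validate_outbound_url(url, resolve)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    for candidate in ["https://api.example-git.test/repos",
                      "http://[::ffff:10.0.0.1]/",
                      "https://metadata.corp.test/latest/meta-data/",
                      "https://rebind.test/"]:
        print(candidate, "->", blocked_reason(candidate) or "allowed")
```

Two points the code relies on: because every resolved address is checked,
obfuscated forms such as a decimal IP that a real resolver turns into
127.0.0.1 are still caught, and redirects must be run through the same check
on every hop, since a permitted public host can answer with a 302 to a local
one.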

Updating

To update GitLab, see the Update page.
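The bulletin names three patched releases but spreads the affected ranges
across eleven sections. The script below, added here as an example and not
part of GitLab's or AusCERT's tooling, classifies an instance's version
string against those figures: whether a patched release exists on its branch
(11.10, 11.11 or 12.0), whether the branch is older than any patched one and
so needs a branch upgrade, and which of the bulletin's CVEs still apply to it.
It assumes GitLab's usual MAJOR.MINOR.PATCH[-ee] version format and that any
release newer than 12.0.3 carries these fixes; the inventory in the main
block is constructed. On a live instance the version string comes from the
authenticated GET /api/v4/version endpoint.

```python
"""Classify a GitLab version against the fixed releases in this bulletin.

Added example, not GitLab or AusCERT code. Fixed releases and per-CVE
"affects X and later" floors are copied from the bulletin text.
"""
from __future__ import annotations

import re

# Patched releases named by the bulletin, keyed by (major, minor) branch.
FIXED_RELEASES = {(12, 0): (12, 0, 3), (11, 11): (11, 11, 5), (11, 10): (11, 10, 8)}

# Lowest (major, minor) each section says is affected.
# "All versions" (CVE-2019-13003) is recorded as (0, 0).
CVE_FLOORS = {
    "CVE-2019-13001": (11, 9),
    "CVE-2019-13002": (11, 10),
    "CVE-2019-13003": (0, 0),
    "CVE-2019-13004": (11, 1),
    "CVE-2019-13005": (11, 10),
    "CVE-2019-13006": (9, 0),
    "CVE-2019-13007": (11, 11),
    "CVE-2019-13009": (9, 2),
    "CVE-2019-13010": (8, 3),
    "CVE-2019-13011": (8, 11),   # EE only per the bulletin
    "CVE-2019-13121": (10, 6),   # EE only per the bulletin
}
EE_ONLY = {"CVE-2019-13011", "CVE-2019-13121"}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(ee))?$")


def parse_version(text: str) -> tuple[tuple[int, int, int], bool]:
    """Return ((major, minor, patch), is_ee) for strings like '11.11.4-ee'."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    version = tuple(int(m.group(i)) for i in (1, 2, 3))
    return version, m.group(4) == "ee"


def patch_status(version: tuple[int, int, int]) -> str:
    """'fixed', 'upgrade' (a patched release exists on this branch), or
    'unsupported' (branch older than 11.10: no patched release on it, so the
    instance has to move to a patched branch)."""
    branch = version[:2]
    newest_fixed = max(FIXED_RELEASES.values())
    if branch in FIXED_RELEASES:
        return "fixed" if version >= FIXED_RELEASES[branch] else "upgrade"
    if branch > newest_fixed[:2]:
        return "fixed"          # assumption: releases after 12.0.3 carry the fixes
    return "unsupported"


def applicable_cves(version: tuple[int, int, int], is_ee: bool) -> list[str]:
    """CVEs from this bulletin whose affected range includes `version`."""
    branch = version[:2]
    return sorted(
        cve for cve, floor in CVE_FLOORS.items()
        if branch >= floor and (is_ee or cve not in EE_ONLY)
    )


def triage(version_text: str) -> dict:
    """Status plus the CVEs that still apply (empty once the instance is fixed)."""
    version, is_ee = parse_version(version_text)
    status = patch_status(version)
    return {
        "version": version_text,
        "status": status,
        "cves": [] if status == "fixed" else applicable_cves(version, is_ee),
    }


if __name__ == "__main__":
    # Constructed inventory; read real values from GET /api/v4/version.
    for v in ["12.0.2-ee", "12.0.3-ee", "11.11.4", "11.9.10-ee", "12.1.0"]:
        print(triage(v))
```

The "unsupported" outcome is the one to watch for in an inventory: an 11.9.x
instance is in range for eight of the eleven CVEs and no 11.9 patch release
exists, so the only remediation the bulletin offers it is a move to 11.10.8
or later.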

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----