-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.1073
      GitLab security fixes included in versions 12.9.1, 12.8.8 and 12.7.8
                               27 March 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           GitLab Community Edition
                   GitLab Enterprise Edition
Publisher:         GitLab
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
                   Virtualisation
Impact/Access:     Denial of Service        -- Remote/Unauthenticated
                   Cross-site Scripting     -- Existing Account
                   Access Confidential Data -- Existing Account
                   Unauthorised Access      -- Unknown/Unspecified
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-10956 CVE-2020-10955 CVE-2020-10954
                   CVE-2020-10953 CVE-2020-10952 CVE-2020-9795
                   CVE-2019-20454

Original Bulletin:
   https://about.gitlab.com/releases/2020/03/26/security-release-12-dot-9-dot-1-released/

- --------------------------BEGIN INCLUDED TEXT--------------------

GitLab Security Release: 12.9.1, 12.8.8, and 12.7.8

Today we are releasing versions 12.9.1, 12.8.8, and 12.7.8 for GitLab
Community Edition (CE) and Enterprise Edition (EE).

These versions contain important security fixes, and we strongly recommend
that all GitLab installations be upgraded to one of these versions
immediately.

The vulnerability details will be made public on our issue tracker in
approximately 30 days.

Please read on for more information regarding this release.

Arbitrary File Read when Moving an Issue

An arbitrary local file read was possible when moving issues between
projects. This issue is now mitigated in the latest release and a CVE will
be assigned shortly.

Thanks @vakzz for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab EE/CE 8.5 and later.
Remediation

We strongly recommend that all installations running an affected version
above are upgraded to the latest version as soon as possible.

Path Traversal in NPM Package Registry

The NPM package registry was vulnerable to a path traversal issue. This
issue is now mitigated in the latest release and is assigned CVE-2020-10953.

Thanks @nyangawa for responsibly reporting this vulnerability to us.

Versions Affected

Affected Versions to be added shortly.

Remediation

We strongly recommend that all installations running an affected version
above are upgraded to the latest version as soon as possible.

SSRF on Project Import

An SSRF issue was discovered in the project import note feature. This issue
is now mitigated in the latest release and is assigned CVE-2020-10956.

Thanks @vakzz for responsibly reporting this vulnerability to us.

Versions Affected

Affected Versions to be added shortly.

Remediation

We strongly recommend that all installations running an affected version
above are upgraded to the latest version as soon as possible.

External Users Can Create Personal Snippets

Insufficient access verification led to unauthorized creation of personal
snippets through the API by an external user. This issue is now mitigated
in the latest release and a CVE will be assigned shortly.

Thanks to the GitLab team for finding and reporting this issue.

Versions Affected

Affected Versions to be added shortly.

Remediation

We strongly recommend that all installations running an affected version
above are upgraded to the latest version as soon as possible.

Trigger Description Can Be Updated by Other Maintainers in Project

A maintainer could modify other maintainers' pipeline trigger descriptions
within the same project. This issue is now mitigated in the latest release
and a CVE will be assigned shortly.

Thanks @ashish_r_padelkar for responsibly reporting this vulnerability to
us.

Versions Affected

Affects GitLab EE/CE 9.0 and later.
Remediation

We strongly recommend that all installations running an affected version
above are upgraded to the latest version as soon as possible.

Information Disclosure on Confidential Issues Moved to Private Projects

Issues opened in a public project and then moved to a private project
revealed the private project namespace through the Web UI and the GraphQL
API. This issue is now mitigated in the latest release and a CVE will be
assigned shortly.

Thanks @0xwintermute for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab EE/CE 8.11 and later.

Remediation

We strongly recommend that all installations running an affected version
above are upgraded to the latest version as soon as possible.

Potential DoS in Repository Archive Download

Repository archive downloads could be abused to cause large resource
consumption on an instance. This issue is now mitigated in the latest
release and is assigned CVE-2020-10954.

Thanks to the GitLab team for finding and reporting this issue.

Versions Affected

Affected Versions to be added shortly.

Remediation

We strongly recommend that all installations running an affected version
above are upgraded to the latest version as soon as possible.

Blocked Users Can Still Pull/Push Docker Images

Under certain circumstances a blocked user still had the ability to pull
images from the internal container registry of any project to which the
user had access. This issue is now mitigated in the latest release and is
assigned CVE-2020-10952.

Thanks @logan5 for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab EE/CE 8.11 and later.

Remediation

We strongly recommend that all installations running an affected version
above are upgraded to the latest version as soon as possible.

Repository Mirroring Not Disabled when Feature Not Activated

A project repository could still be mirrored when the feature was not
enabled. This issue is now mitigated in the latest release and a CVE will
be assigned shortly.
Thanks @adam__b for responsibly reporting this vulnerability to us.

Versions Affected

Affected Versions to be added shortly.

Remediation

We strongly recommend that all installations running an affected version
above are upgraded to the latest version as soon as possible.

Vulnerability Feedback Page Was Leaking Information on Vulnerabilities

The vulnerability feedback page was leaking metadata and comments on
vulnerabilities to unauthorized users. This issue is now mitigated in the
latest release and a CVE will be assigned shortly.

Thanks @rpadovani for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab EE/CE 10.8 and later.

Remediation

We strongly recommend that all installations running an affected version
above are upgraded to the latest version as soon as possible.

Stored XSS Vulnerability in Admin Feature

A stored XSS vulnerability was discovered in an admin notification feature.
This issue is now mitigated in the latest release and a CVE will be
assigned shortly.

Thanks to the GitLab team for finding and reporting this issue.

Versions Affected

Affected Versions to be added shortly.

Remediation

We strongly recommend that all installations running an affected version
above are upgraded to the latest version as soon as possible.

Upload Feature Allowed a User to Read Unauthorized Exported Files

The upload feature was vulnerable to parameter tampering, allowing an
unauthorized user to read content available under specific folders. This
issue is now mitigated in the latest release and is assigned
CVE-2020-10955.

Thanks @manassehzhou for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab EE/CE 11.1 and later.

Remediation

We strongly recommend that all installations running an affected version
above are upgraded to the latest version as soon as possible.

Unauthorized Users Are Able to See CI Metrics

Restricted CI pipeline metrics could be seen by members even if the
pipeline was restricted.
This issue is now mitigated in the latest release and a CVE will be
assigned shortly.

Thanks @xanbanx for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab EE/CE 11.10 and later.

Remediation

We strongly recommend that all installations running an affected version
above are upgraded to the latest version as soon as possible.

Last Pipeline Status of a Merge Request Leaked

The last status of a restricted pipeline was returned through a query in
the merge request widget. This issue is now mitigated in the latest release
and a CVE will be assigned shortly.

Thanks @xanbanx for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab EE/CE 8.17 and later.

Remediation

We strongly recommend that all installations running an affected version
above are upgraded to the latest version as soon as possible.

Blind SSRF on FogBugz

A blind SSRF was discovered in the FogBugz integration. This issue is now
mitigated in the latest release and a CVE will be assigned shortly.

Thanks @ngalog for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab EE/CE 8.0 and later.

Remediation

We strongly recommend that all installations running an affected version
above are upgraded to the latest version as soon as possible.

Update Nokogiri dependency

The Nokogiri dependency has been upgraded to 1.10.8. This upgrade includes
a security fix for CVE-2020-9795.

Versions Affected

Affects all previous versions of GitLab CE/EE.

Remediation

We strongly recommend that all installations running an affected version
above are upgraded to the latest version as soon as possible.

Update pcre2 dependency

The pcre2 dependency has been upgraded to 10.34. This upgrade includes a
security fix for CVE-2019-20454.

Versions Affected

Affects all previous versions of GitLab CE/EE.

Remediation

We strongly recommend that all installations running an affected version
above are upgraded to the latest version as soon as possible.
Updating

To update GitLab, see the Update page.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you
do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXn1ioWaOgq3Tt24GAQi86A//c6FlugflXOctwkEOQiPcA0kUQx/aLhor
aZexUQEgEUyyNbBYaqb1HKzOV2NtkCyUqcH0lkt2lyBG5ZNKeCLy546gVNtiZnT0
xiB5JptGVf6r0f7+t+TDIw7s/ii38nb4vXg0Fot23Xtj+duUTWFVq4WZtG/JTgl8
8hXATNABSLJVah5ROiIqIvqXGPwXXFdlS2+AA7Ln9k+Z6C0crZMmG9iPRe5+8zjD
Usp1rCM0doZXo1+UdGH6op2MiytKGdokCTNbBoz6NOa1ms19omWAnIE+w92qybBO
1HAwV5UejoO12za/A1GdId1kYzH58vNiDpOQlqQFaEQsuFxaYTrJFBYADtZAcHKP
A7xGTXS4LUIH/9o4XZ68pmNEFOE+kNtZIDkwcBrTd/dSy3eqAaYIdplzLJeqSAju
uYgDoPO81it5/iaN+U5TjbUGk9Sq0b6G5uOciAqARv57NwOPQlasvZIzAASS8MEA
cbypaZDKFejuIOnGlp8Ng2N+re+t5goicY7QkKYMpelACPn0alpGI3HPxJ0odwi8
PthKJ0eW1rNfISmK5burwEHeJfZGkjWQZJW0dvoaWLbgNvEN29juELorQTIIL6tq
k8jCI/JYIHkETX3iKIlw5kzRKHctZgb75hzFcIh5YXnOHzcSfCtLm6SVNSyldIQY
/RjVuXbPSrs=
=iVs9
-----END PGP SIGNATURE-----
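Editor's note: the bulletin above names three fixed releases (12.9.1, 12.8.8 and 12.7.8) and several open-ended affected ranges ("8.5 and later", "8.11 and later", ...). The script below is an added example, not code from AusCERT or from GitLab's release post, for deciding whether a running instance already carries these fixes. It queries GitLab's GET /api/v4/version endpoint, which requires an authenticated token (assumed here to be a personal access token passed on the command line), and can also be run offline against a bare version string. The assumption that every series newer than 12.9 (12.10, 13.x, ...) was cut after the fixes follows GitLab's practice of backporting security fixes only to the three most recent releases.

```python
"""Check whether a GitLab instance is on a release that carries the fixes
from ESB-2020.1073 (GitLab 12.9.1, 12.8.8, 12.7.8).

Added example; not code from AusCERT or GitLab. Assumes a personal access
token, because GET /api/v4/version requires authentication.
"""
import json
import sys
import urllib.request

# Fixed releases named in the bulletin, keyed by the 12.x series they patch.
FIXED = {
    (12, 9): (12, 9, 1),
    (12, 8): (12, 8, 8),
    (12, 7): (12, 7, 8),
}


def parse_version(text):
    """Turn '12.8.7-ee' or '12.9.0-pre' into a (major, minor, patch) tuple.

    GitLab reports the edition as a '-ce'/'-ee' suffix; that suffix, any
    pre-release tag and any build metadata are dropped so only the numeric
    core is compared. Missing components are treated as 0 ('8.5' -> 8.5.0).
    """
    core = text.strip().split("-", 1)[0].split("+", 1)[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_patched(version):
    """True when `version` already contains this bulletin's fixes.

    A 12.7/12.8/12.9 release is patched once it reaches the fixed patch
    level for its series. Any later series (12.10, 13.x, ...) is assumed to
    have been cut after the fixes landed; anything older than 12.7 received
    no backport and must be upgraded.
    """
    v = parse_version(version)
    series = v[:2]
    if series in FIXED:
        return v >= FIXED[series]
    return series > (12, 9)


def is_affected(version, first_affected):
    """True when `version` falls in an advisory range such as '8.5 and later'.

    The ranges in the bulletin are open-ended, so the only way out of one is
    to be on a patched release.
    """
    v = parse_version(version)
    return v >= parse_version(first_affected) and not is_patched(version)


def fetch_version(base_url, token):
    """Read the running version string from GitLab's /api/v4/version."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/api/v4/version",
        headers={"PRIVATE-TOKEN": token},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["version"]


def report(version):
    """Return a one-line verdict for a version string."""
    if is_patched(version):
        return f"{version}: contains the fixes from ESB-2020.1073"
    return f"{version}: UNPATCHED, upgrade to 12.9.1, 12.8.8 or 12.7.8"


if __name__ == "__main__":
    # usage: python check_gitlab.py https://gitlab.example.com <token>
    #    or: python check_gitlab.py 12.8.7-ee   (offline check of a string)
    if len(sys.argv) == 3:
        print(report(fetch_version(sys.argv[1], sys.argv[2])))
    elif len(sys.argv) == 2:
        print(report(sys.argv[1]))
    else:
        sys.exit("usage: check_gitlab.py <gitlab-url> <token> | <version>")
```

The comparison deliberately ignores the "-ce"/"-ee" suffix because the same fix levels apply to both editions, and it treats a 12.8.8 instance as patched even though 12.9.1 is newer: the bulletin's remediation is to reach the fixed patch level of whichever supported series you run, not necessarily the newest series.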