===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.1073
   GitLab security fixes included in versions 12.9.1, 12.8.8 and 12.7.8
                               27 March 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           GitLab Community Edition
                   GitLab Enterprise Edition
Publisher:         GitLab
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
                   Virtualisation
Impact/Access:     Denial of Service        -- Remote/Unauthenticated
                   Cross-site Scripting     -- Existing Account      
                   Access Confidential Data -- Existing Account      
                   Unauthorised Access      -- Unknown/Unspecified   
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-10956 CVE-2020-10955 CVE-2020-10954
                   CVE-2020-10953 CVE-2020-10952 CVE-2020-9795
                   CVE-2019-20454  

Original Bulletin: 
   https://about.gitlab.com/releases/2020/03/26/security-release-12-dot-9-dot-1-released/

- --------------------------BEGIN INCLUDED TEXT--------------------

GitLab Security Release: 12.9.1, 12.8.8, and 12.7.8

Today we are releasing versions 12.9.1, 12.8.8, and 12.7.8 for GitLab Community
Edition (CE) and Enterprise Edition (EE).

These versions contain important security fixes, and we strongly recommend that
all GitLab installations be upgraded to one of these versions immediately.

The vulnerability details will be made public on our issue tracker in
approximately 30 days.

Please read on for more information regarding this release.

Arbitrary File Read when Moving an Issue

An arbitrary local file read was possible when moving issues between
projects. This issue is now mitigated in the latest release and a CVE will be
assigned shortly.

Thanks @vakzz for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab EE/CE 8.5 and later.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

Path Traversal in NPM Package Registry

The NPM package registry was vulnerable to a path traversal issue. This issue
is now mitigated in the latest release and is assigned CVE-2020-10953.

Thanks @nyangawa for responsibly reporting this vulnerability to us.

Versions Affected

Affected Versions to be added shortly.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

SSRF on Project Import

An SSRF issue was discovered in the project import note feature. This issue is
now mitigated in the latest release and is assigned CVE-2020-10956.

Thanks @vakzz for responsibly reporting this vulnerability to us.

Versions Affected

Affected Versions to be added shortly.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

External Users Can Create Personal Snippet

Insufficient access verification led to unauthorized creation of personal
snippets through the API by an external user. This issue is now mitigated in
the latest release and a CVE will be assigned shortly.

Thanks to the GitLab team for finding and reporting this issue.

Versions Affected

Affected Versions to be added shortly.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

Trigger Descriptions Can be Updated by Other Maintainers in Project

A maintainer can modify other maintainers' pipeline trigger descriptions within
the same project. This issue is now mitigated in the latest release and a CVE
will be assigned shortly.

Thanks @ashish_r_padelkar for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab EE/CE 9.0 and later.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

Information Disclosure on Confidential Issues Moved to Private Programs

Issues opened in a public project and then moved to a private project reveal
the private project namespace through Web-UI and GraphQL API. This issue is now
mitigated in the latest release and a CVE will be assigned shortly.

Thanks @0xwintermute for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab EE/CE 8.11 and later.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

Potential DoS in Repository Archive Download

Repository archives download could be abused to cause large resource
consumption on an instance. This issue is now mitigated in the latest release
and is assigned CVE-2020-10954.

Thanks to the GitLab team for finding and reporting this issue.

Versions Affected

Affected Versions to be added shortly.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

Blocked Users Can Still Pull/Push Docker Images

Under certain circumstances a blocked user still had the ability to pull images
from the internal container registry of any projects to which the user had
access. This issue is now mitigated in the latest release and is assigned
CVE-2020-10952.

Thanks @logan5 for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab EE/CE 8.11 and later.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

Repository Mirroring not Disabled when Feature not Activated

A project repository could still be mirrored when the feature was not enabled.
This issue is now mitigated in the latest release and a CVE will be assigned
shortly.

Thanks @adam__b for responsibly reporting this vulnerability to us.

Versions Affected

Affected Versions to be added shortly.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

Vulnerability Feedback Page Was Leaking Information on Vulnerabilities

The vulnerability feedback page was leaking metadata and comments on
vulnerabilities to unauthorized users. This issue is now mitigated in the
latest release and a CVE will be assigned shortly.

Thanks @rpadovani for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab EE/CE 10.8 and later.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

Stored XSS Vulnerability in Admin Feature

A stored XSS vulnerability was discovered in an admin notification feature.
This issue is now mitigated in the latest release and a CVE will be assigned
shortly.

Thanks to the GitLab team for finding and reporting this issue.

Versions Affected

Affected Versions to be added shortly.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

Upload Feature Allowed a User to Read Unauthorized Exported Files

The upload feature was vulnerable to parameter tampering, allowing an
unauthorized user to read content available under specific folders. This issue
is now mitigated in the latest release and is assigned CVE-2020-10955.

Thanks @manassehzhou for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab EE/CE 11.1 and later.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.
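Both the NPM registry path traversal (CVE-2020-10953) and the upload-feature
parameter tampering (CVE-2020-10955) above are failures to confine a
user-supplied path to the directory it is meant to stay in. The following is an
added example of that confinement check, written for this bulletin; it is not
GitLab's code and says nothing about how either bug was actually reached. The
storage root /srv/registry and the package paths are constructed for
illustration.

```python
"""Confine a URL-supplied path to a storage root.

Added example for this bulletin, not GitLab's implementation. Covers the
traversal tricks a registry or upload endpoint sees: '..' segments, absolute
paths, single and double percent-encoding, NUL bytes, and symlinks that point
outside the root.
"""
import os
import posixpath
from urllib.parse import unquote


def confine(root, untrusted):
    """Return the normalised path of `untrusted` relative to `root`, or None
    if serving it would read outside `root`."""
    # Decode percent-encoding exactly once. Anything still containing '%'
    # after that is a second encoding layer ('%252e' -> '%2e') and is refused
    # rather than decoded again.
    decoded = unquote(untrusted)
    if "%" in decoded or "\x00" in decoded or "\\" in decoded:
        return None
    # Empty input and absolute paths never name a file under root.
    if not decoded or decoded.startswith("/"):
        return None
    # Lexical normalisation: 'a/./b//c' -> 'a/b/c', 'pkg/../../x' -> '../x'.
    rel = posixpath.normpath(decoded)
    if rel in (".", "..") or rel.startswith("../"):
        return None
    # Second, on-disk check: resolve symlinks and confirm the real location is
    # still inside the real root (a symlink inside root may point anywhere).
    real_root = os.path.realpath(root)
    real_path = os.path.realpath(os.path.join(real_root, rel))
    if os.path.commonpath([real_root, real_path]) != real_root:
        return None
    if real_path == real_root:
        return None
    return rel


if __name__ == "__main__":
    # Constructed requests as a registry might receive them.
    root = "/srv/registry"
    for req in ("lodash/-/lodash-4.17.15.tgz",
                "@scope/pkg/-/pkg-1.0.0.tgz",
                "lodash/-/../../../etc/passwd",
                "%2e%2e/%2e%2e/etc/passwd",
                "%252e%252e/etc/passwd",
                "/etc/passwd"):
        print(f"{req!r:40} -> {confine(root, req)!r}")
```

The lexical check alone is not enough on a live filesystem, which is why the
realpath pass is kept even though it looks redundant; conversely, realpath
alone is not enough because it cannot see percent-encoding or NUL bytes that
the web layer may interpret differently from the filesystem. A path rejected
here should be logged with the raw request value, since repeated traversal
attempts against a registry are worth an alert.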

Unauthorized Users Are Able to See CI Metrics

CI pipeline metrics could be seen by members even when the pipeline was
restricted. This issue is now mitigated in the latest release and a CVE
will be assigned shortly.

Thanks @xanbanx for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab EE/CE 11.10 and later.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

Last Pipeline Status of a Merge Request Leaked

The last status of a restricted pipeline was returned through a query in the
merge request widget. This issue is now mitigated in the latest release and a
CVE will be assigned shortly.

Thanks @xanbanx for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab EE/CE 8.17 and later.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

Blind SSRF on FogBugz

A blind SSRF was discovered in the FogBugz integration. This issue is now
mitigated in the latest release and a CVE will be assigned shortly.

Thanks @ngalog for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab EE/CE 8.0 and later.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.
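The project import SSRF (CVE-2020-10956) above and this blind SSRF in the
FogBugz integration share one shape: the server fetches a URL the user
supplied. The following is an added example of the egress check such a feature
needs, written for this bulletin; it is not GitLab's code and does not describe
how either bug bypassed GitLab's own checks. The host names fogbugz.example and
attacker.example and the fake resolvers are constructed for the offline test.

```python
"""Egress check for user-supplied URLs (project import, FogBugz-style
integrations). Added example, not GitLab's implementation."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def _unwrap(ip):
    """::ffff:127.0.0.1 is loopback in disguise; judge the embedded IPv4."""
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def _blocked(ip):
    """True for anything that is not a routable public address: loopback,
    RFC 1918, link-local (including 169.254.169.254 cloud metadata),
    unspecified, multicast, reserved and documentation ranges."""
    return not _unwrap(ip).is_global


def resolve(host):
    """Every address `host` maps to. IP literals resolve to themselves
    without touching DNS, so they can be checked offline."""
    literal = host.split("%")[0]
    try:
        return [ipaddress.ip_address(literal)]
    except ValueError:
        pass
    return [ipaddress.ip_address(info[4][0].split("%")[0])
            for info in socket.getaddrinfo(host, None)]


def is_safe_outbound_url(url, resolver=resolve):
    """Reject a URL if its scheme is not http(s), it carries userinfo, it has
    no host, it does not resolve, or ANY resolved address is non-public. A
    name with one internal record among public ones is rejected too, since
    round-robin answers are a rebinding primitive."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    if parts.username is not None or parts.password is not None:
        return False  # user@host forms invite parser disagreement
    host = parts.hostname
    if not host:
        return False
    try:
        addrs = resolver(host)
    except (socket.gaierror, ValueError, UnicodeError):
        return False
    return bool(addrs) and not any(_blocked(a) for a in addrs)


if __name__ == "__main__":
    # Constructed inputs; the literal-IP cases need no network.
    for u in ("https://8.8.8.8/", "http://127.0.0.1/",
              "http://169.254.169.254/latest/meta-data/",
              "http://[::ffff:10.0.0.5]/", "file:///etc/passwd"):
        print(f"{u:45} safe={is_safe_outbound_url(u)}")
```

Two caveats a reviewer should insist on. First, the check is only meaningful
if the fetch then connects to the address that was vetted (resolve once, open
the socket to that IP, send the original name in the Host header); resolving
again inside the HTTP client reopens the DNS rebinding window this function
closes. Second, redirects must be re-checked with the same function at every
hop, or a public host can simply 302 to 127.0.0.1. None of this replaces the
upgrade: the bulletin does not say which path the fixed bugs took.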

Update Nokogiri dependency

The Nokogiri dependency has been upgraded to 1.10.8. This upgrade includes a
security fix for CVE-2020-9795.

Versions Affected

Affects all previous versions of GitLab CE/EE.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

Update Pcre2 dependency

The pcre2 dependency has been upgraded to 10.34. This upgrade includes a
security fix for CVE-2019-20454.

Versions Affected

Affects all previous versions of GitLab CE/EE.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

Updating

To update GitLab, see the Update page.
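The bulletin fixes three minor branches at once, so "are we patched" is a
per-branch comparison, not a simple "newer than X". The following is an added
example of that gate, written for this bulletin rather than taken from GitLab;
it reads the version out of the string returned by GET /api/v4/version (or any
string containing MAJOR.MINOR.PATCH) and compares it with the fixed release of
its branch. The fleet inventory at the bottom is constructed.

```python
"""Gate self-hosted GitLab instances against the fixed releases in this
bulletin (12.9.1, 12.8.8, 12.7.8). Added example, not GitLab's own tooling."""
import re

# Fixed release per minor branch, exactly as listed in the release post.
FIXED = {
    (12, 9): (12, 9, 1),
    (12, 8): (12, 8, 8),
    (12, 7): (12, 7, 8),
}


def parse_version(text):
    """Pull MAJOR.MINOR.PATCH out of strings such as '12.8.7-ee' or the JSON
    body of GET /api/v4/version ('{"version":"12.8.7-ee","revision":...}')."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if m is None:
        raise ValueError(f"no GitLab version found in {text!r}")
    return tuple(int(part) for part in m.groups())


def status(text):
    """Classify a version string relative to this bulletin.

    'fixed'              at or above the patched release of its branch, or
                         newer than every release in the bulletin
    'vulnerable'         on a patched branch but below the fix
    'no_patched_release' older branch (e.g. 12.6.x) with no fixed release;
                         the only remediation is moving to 12.7.8 or later
    """
    version = parse_version(text)
    branch = version[:2]
    if branch in FIXED:
        return "fixed" if version >= FIXED[branch] else "vulnerable"
    if version > max(FIXED.values()):
        return "fixed"
    return "no_patched_release"


def check_fleet(instances):
    """instances: {name: version string}. Returns the names needing action."""
    return sorted(name for name, v in instances.items() if status(v) != "fixed")


if __name__ == "__main__":
    # Constructed inventory, as collected from each instance's
    # GET /api/v4/version response.
    fleet = {
        "git-prod": '{"version":"12.8.7-ee","revision":"deadbeef"}',
        "git-staging": "12.9.1-ee",
        "git-legacy": "12.6.9",
    }
    for name in check_fleet(fleet):
        print(f"{name}: {status(fleet[name])}")
```

Note the asymmetry the FIXED table encodes: 12.9.0 is vulnerable even though
it is numerically above 12.8.8, because the fix for the 12.9 branch is 12.9.1.
A naive "version >= 12.7.8" check would wave 12.8.0 through.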

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================