===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.1303
       GitLab Critical Security Release: 12.9.3, 12.8.9, and 12.7.9
                               15 April 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           GitLab Community Edition
                   GitLab Enterprise Edition
Publisher:         GitLab
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
                   Virtualisation
Impact/Access:     Access Confidential Data -- Remote with User Interaction
                   Cross-site Scripting     -- Remote with User Interaction
                   Unauthorised Access      -- Existing Account            
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-11649 CVE-2020-11506 CVE-2020-11505
                   CVE-2019-16782  

Reference:         ESB-2020.0458
                   ESB-2020.0029

Original Bulletin: 
   https://about.gitlab.com/releases/2020/04/14/critical-security-release-gitlab-12-dot-9-dot-3-released/

--------------------------BEGIN INCLUDED TEXT--------------------

GitLab Critical Security Release: 12.9.3, 12.8.9, and 12.7.9

Today we are releasing versions 12.9.3, 12.8.9, and 12.7.9 for GitLab Community
Edition (CE) and Enterprise Edition (EE).

These versions contain important security fixes, and we strongly recommend that
all GitLab installations be upgraded to one of these versions immediately.

The vulnerability details will be made public on our issue tracker in
approximately 30 days.

Please read on for more information regarding this release.

NuGet Package and File Disclosure through GitLab Workhorse

An internal investigation revealed that a particular header could be used to
override restrictions, resulting in GitLab Workhorse disclosing NuGet packages
and files in the /tmp directory. The issue is now mitigated in the latest
release and is assigned CVE-2020-11505.

Thanks to @vakzz for also responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab EE 12.8.0 and later.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

Job Artifact Uploads and File Disclosure through GitLab Workhorse

An internal investigation revealed that a particular header could be used to
override restrictions, resulting in GitLab Workhorse disclosing job artifact
uploads and files in the /tmp directory. The issue is now mitigated in the
latest release and is assigned CVE-2020-11506.

Thanks to @manassehzhou for also responsibly reporting this vulnerability to
us.

Versions Affected

Affects GitLab EE/CE 10.7.0 and later.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

Incorrect membership following group removal

An internal investigation revealed that members of a group could still have
access after a group is deleted. The issue is now mitigated in the latest
release and is assigned CVE-2020-11649.

Versions Affected

Affects GitLab EE/CE 8.15 and later.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

Logging of Praefect tokens

An internal investigation revealed that Praefect tokens were logged by Gitaly.
The issue is now fixed.

Versions Affected

Affects GitLab Omnibus 12.3 and later.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

Update Rack dependency

The Rack dependency and its related gems have been upgraded to 2.0.9. This
upgrade includes a security fix for CVE-2019-16782.

Versions Affected

Affects all previous versions of GitLab CE/EE.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

Update OpenSSL dependency

The OpenSSL dependency has been upgraded from 1.1.1d to 1.1.1f to include the
improvements in that release.

Versions Affected

Affects all previous versions of GitLab Omnibus.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

Updating

To update GitLab, see the Update page.

--------------------------END INCLUDED TEXT--------------------
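A defender-side triage helper for this bulletin, added here as an example and not part of GitLab's or AusCERT's text: given an installed version and edition, it reports which of the issues above still apply and the smallest fixed release on that instance's line. It assumes an Omnibus install (so the Praefect logging item applies) and a version string in the form GitLab itself reports, e.g. 12.8.7-ee.

```python
"""Triage an installed GitLab version against the 12.9.3 / 12.8.9 / 12.7.9 release."""
from typing import List, Tuple

Version = Tuple[int, ...]

# Smallest fixed release for each line named in the advisory.
FIXED = {(12, 9): (12, 9, 3), (12, 8): (12, 8, 9), (12, 7): (12, 7, 9)}

# (issue, first affected version, editions), taken from the advisory text.
# The Praefect item is listed against Omnibus 12.3+; an Omnibus install is assumed.
ISSUES = [
    ("CVE-2020-11505 NuGet/Workhorse file disclosure", (12, 8, 0), {"EE"}),
    ("CVE-2020-11506 artifact/Workhorse file disclosure", (10, 7, 0), {"CE", "EE"}),
    ("CVE-2020-11649 membership after group removal", (8, 15), {"CE", "EE"}),
    ("Praefect token logging (Omnibus)", (12, 3), {"CE", "EE"}),
    ("CVE-2019-16782 Rack < 2.0.9", (0,), {"CE", "EE"}),
]


def parse_version(text: str) -> Version:
    """Parse '12.8.7-ee' style strings into an integer tuple, dropping the edition suffix."""
    core = text.strip().split("-")[0]
    return tuple(int(p) for p in core.split("."))


def pad(v: Version, n: int = 3) -> Version:
    """Right-pad with zeros so (8, 15) compares as 8.15.0."""
    return v + (0,) * (n - len(v))


def is_patched(version: str) -> bool:
    """True when the version is at or above the fixed release for its line, or on a newer line."""
    v = pad(parse_version(version))
    line = v[:2]
    if line in FIXED:
        return v >= FIXED[line]
    return v > (12, 9, 3)  # newer than the newest line covered by this release


def applicable_issues(version: str, edition: str) -> List[str]:
    """Issues from the advisory that still apply to an unpatched instance of this version/edition."""
    if is_patched(version):
        return []
    v = pad(parse_version(version))
    return [name for name, first, eds in ISSUES if edition in eds and v >= pad(first)]


def upgrade_target(version: str) -> str:
    """Smallest fixed release on the instance's own line; older lines must move to 12.7.9 or later."""
    line = parse_version(version)[:2]
    return ".".join(map(str, FIXED.get(line, (12, 7, 9))))
```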

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================