===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.2265
                       GitLab multiple vulnerabilities
                                 2 July 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           GitLab Community Edition
                   GitLab Enterprise Edition
Publisher:         GitLab
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Increased Privileges            -- Existing Account
                   Cross-site Scripting            -- Remote with User Interaction
                   Denial of Service               -- Unknown/Unspecified
                   Access Confidential Data        -- Remote with User Interaction
                   Unauthorised Access             -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-14155 CVE-2020-11082 CVE-2019-0542

Reference:         ESB-2020.1890
                   ESB-2019.3375

Original Bulletin:
   https://about.gitlab.com/releases/2020/07/01/security-release-13-1-2-release/

- --------------------------BEGIN INCLUDED TEXT--------------------

GitLab Security Release: 13.1.2, 13.0.8 and 12.10.13

Today we are releasing versions 13.1.2, 13.0.8 and 12.10.13 for GitLab
Community Edition (CE) and Enterprise Edition (EE).

These versions contain important security fixes, and we strongly recommend
that all GitLab installations be upgraded to one of these versions immediately.

GitLab releases patches for vulnerabilities in dedicated security releases.
There are two types of security releases: a monthly, scheduled security
release, released a week after the feature release (which deploys on the 22nd
of each month), and ad-hoc security releases for critical vulnerabilities. You
can see all of our regular and security release blog posts here. In addition,
the issues detailing each vulnerability are made public on our issue tracker
30 days after the release in which they were patched.
We are dedicated to ensuring all aspects of GitLab that are exposed to
customers or that host customer data are held to the highest security
standards. As part of maintaining good security hygiene, it is highly
recommended that all customers upgrade to the latest security release for
their supported version. You can read more best practices in securing your
GitLab instance in our blog post.

Missing Permission Check on Time Tracking

It was possible to add time spent on an issue without being a project member.
This issue is now mitigated in the latest release and is waiting for a CVE ID
to be assigned.

Thanks @ashish_r_padelkar for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab EE 12.8 and later.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

Cross-Site Scripting in PyPi Files API

Under certain conditions, requests involving the PyPi files API could result
in an XSS vulnerability. This issue is now mitigated in the latest release and
is waiting for a CVE ID to be assigned.

Thanks @vakzz for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab EE 13.1 and later.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

Insecure Authorization Check on Private Project Security Dashboard

Under certain conditions, a project member with Guest permissions was allowed
to view the project security dashboard. This issue is now mitigated in the
latest release and is waiting for a CVE ID to be assigned.

Thanks @vaib25vicky for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab EE 12.8 to 13.1.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.
Cross-Site Scripting in References

A stored cross-site scripting vulnerability was discovered when editing
references. This issue is now mitigated in the latest release and is waiting
for a CVE ID to be assigned.

Thanks @vakzz for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab EE 8.10.0 to 13.1.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

Cross-Site Scripting in Group Names

An internal investigation revealed that Group Names could be used to store XSS
payloads. This issue is now mitigated in the latest release and is waiting for
a CVE ID to be assigned.

Versions Affected

Affects GitLab EE 12.10 and later.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

Cross-Site Scripting in Blob Viewer

A stored XSS vulnerability was discovered in the blob viewer feature. This
issue is now mitigated in the latest release and is waiting for a CVE ID to be
assigned.

Thanks @yvvdwf for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab EE 12.6 and later.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

Cross-Site Scripting in Error Tracking

A stored cross-site scripting payload could be injected in the Error Tracking
page. This issue is now mitigated in the latest release and is waiting for a
CVE ID to be assigned.

Thanks @mike12 for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab EE 12.10 and later.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.
Insecure Authorisation Check on Creation and Deletion of Deploy Tokens

An insecure authorization check allowed project members with the Maintainer
role to create and delete deploy tokens. This issue is now mitigated in the
latest release and is waiting for a CVE ID to be assigned.

Thanks @ashish_r_padelkar for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab EE 12.9 and later.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

User Name Format Restriction Bypass

Username format restrictions could be bypassed, allowing HTML tags to be
added. This issue is now mitigated in the latest release and is waiting for a
CVE ID to be assigned.

Thanks @zseano for responsibly reporting this vulnerability to us.

Versions Affected

Affects all versions of GitLab.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

Denial of Service in Issue Comments

A denial of service vulnerability involving the comments on an issue was
discovered. This issue is now mitigated in the latest release and is waiting
for a CVE ID to be assigned.

Thanks @tiradorngpilipinas for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab EE 12.9 and later.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

Cross-Site Scripting in Wiki Pages

A stored cross-site scripting vulnerability was discovered in the Wiki upload
feature. This issue is now mitigated in the latest release and is waiting for
a CVE ID to be assigned.

Thanks @semsem123 for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab EE 12.10 and older.
Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

Private Merge Request Updates Leaked via Todos

An internal investigation revealed that updates to private merge requests
could be disclosed to removed project members. This issue is now mitigated in
the latest release and is waiting for a CVE ID to be assigned.

Versions Affected

Affects all versions of GitLab.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

Private User Activity Leaked via API

Under certain conditions the private activity of a user could be exposed via
the API. This issue is now mitigated in the latest release and is waiting for
a CVE ID to be assigned.

Thanks @ngalog for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab EE 9.4 and later.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

Cross-Site Scripting in Bitbucket Import Feature

A stored XSS vulnerability could be exploited using the Bitbucket project
import feature. This issue is now mitigated in the latest release and is
waiting for a CVE ID to be assigned.

Thanks @saltyyolk of Chaitin Tech for responsibly reporting this vulnerability
to us.

Versions Affected

Affects GitLab 11.2 and later.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

GitHub Project Restriction Bypass

It was possible to bypass the restriction on importing projects from GitHub
via the API. This issue is now mitigated in the latest release and is waiting
for a CVE ID to be assigned.

Thanks @xanbanx for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab 11.8 and later.
Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

Update PCRE Dependency

The PCRE library (libpcre) has been upgraded from 8.42 to 8.44. This upgrade
includes a security fix for CVE-2020-14155.

Versions Affected

Affects all previous versions of GitLab Omnibus.

Update Kaminari Gem

Using Kaminari before 1.2.1, an attacker could inject arbitrary code into
pages with pagination links. This upgrade includes a security fix for
CVE-2020-11082.

Versions Affected

Affects all previous versions of GitLab Omnibus.

Cross-Site Scripting in User Profile

A stored cross-site scripting vulnerability was discovered in the User profile
page. This issue is now mitigated in the latest release and is waiting for a
CVE ID to be assigned.

Thanks @mike12 for responsibly reporting this vulnerability to us.

Versions Affected

Affects all versions of GitLab.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

Update Xterm.js

A remote code execution vulnerability exists in xterm.js before 3.9.2. This
upgrade includes a security fix for CVE-2019-0542.

Versions Affected

Affects all previous versions of GitLab Omnibus.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

Updating

To update GitLab, see the Update page.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.
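The remediation throughout the bulletin is to move to 13.1.2, 13.0.8 or 12.10.13. As an added example (not part of the bulletin and not GitLab's own tooling), the following Python script checks whether a given version string is already on a fixed release and, if not, lists which of the advisories above still cover it, using a transcribed subset of the "Versions Affected" statements; the version strings it is fed are constructed samples.

```python
# Added example (not the bulletin's or GitLab's code): decide whether an installed
# GitLab version carries this release's fixes and, if not, which of the bulletin's
# advisories still cover it. Ranges are transcribed from the bulletin; samples are constructed.
import re

# Fixed versions named in the bulletin, keyed by (major, minor) release line.
FIXED = {(13, 1): 2, (13, 0): 8, (12, 10): 13}

# (title, lowest affected line or None, highest affected line or None): a subset
# of the bulletin's "Versions Affected" statements.
AFFECTED = [
    ("Missing Permission Check on Time Tracking", (12, 8), None),
    ("Insecure Authorization Check on Private Project Security Dashboard",
     (12, 8), (13, 1)),
    ("Cross-Site Scripting in Blob Viewer", (12, 6), None),
    ("Cross-Site Scripting in Wiki Pages", None, (12, 10)),
    ("Private User Activity Leaked via API", (9, 4), None),
    ("User Name Format Restriction Bypass", None, None),
]

def parse_version(v: str) -> tuple:
    """Parse 'MAJOR.MINOR.PATCH'; an edition suffix such as '-ee' is ignored."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-\w+)?", v.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version: {v!r}")
    return tuple(int(x) for x in m.groups())

def is_patched(v: str) -> bool:
    """True once v is a fixed release or newer: on a line with a fixed release the
    patch number must reach it, any line newer than 13.1 already has the fixes, and
    an older line without a fixed release (e.g. 12.9.x) must move to a fixed line."""
    major, minor, patch = parse_version(v)
    line = (major, minor)
    if line in FIXED:
        return patch >= FIXED[line]
    return line > (13, 1)

def applicable_advisories(v: str) -> list:
    """Titles whose affected range covers v's release line; empty once patched."""
    if is_patched(v):
        return []
    major, minor, _ = parse_version(v)
    line = (major, minor)
    return [title for title, low, high in AFFECTED
            if (low is None or line >= low) and (high is None or line <= high)]

if __name__ == "__main__":
    for sample in ("12.10.12", "13.0.7", "13.1.2", "12.9.3"):   # constructed samples
        print(sample, applicable_advisories(sample) or "patched")
```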
NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

    https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================