-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.2265
                      GitLab multiple vulnerabilities
                                2 July 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           GitLab Community Edition
                   GitLab Enterprise Edition
Publisher:         GitLab
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Increased Privileges            -- Existing Account            
                   Cross-site Scripting            -- Remote with User Interaction
                   Denial of Service               -- Unknown/Unspecified         
                   Access Confidential Data        -- Remote with User Interaction
                   Unauthorised Access             -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-14155 CVE-2020-11082 CVE-2019-0542

Reference:         ESB-2020.1890
                   ESB-2019.3375

Original Bulletin: 
   https://about.gitlab.com/releases/2020/07/01/security-release-13-1-2-release/

- --------------------------BEGIN INCLUDED TEXT--------------------

GitLab Security Release: 13.1.2, 13.0.8 and 12.10.13

Today we are releasing versions 13.1.2, 13.0.8 and 12.10.13 for GitLab
Community Edition (CE) and Enterprise Edition (EE).

These versions contain important security fixes, and we strongly recommend that
all GitLab installations be upgraded to one of these versions immediately.

GitLab releases patches for vulnerabilities in dedicated security releases.
There are two types of security releases: a monthly, scheduled security
release, released a week after the feature release (which deploys on the 22nd
of each month), and ad-hoc security releases for critical vulnerabilities. You
can see all of our regular and security release blog posts here. In addition,
the issues detailing each vulnerability are made public on our issue tracker 30
days after the release in which they were patched.

We are dedicated to ensuring all aspects of GitLab that are exposed to
customers or that host customer data are held to the highest security
standards. As part of maintaining good security hygiene, it is highly
recommended that all customers upgrade to the latest security release for their
supported version. You can read more best practices in securing your GitLab
instance in our blog post.

Missing Permission Check on Time Tracking

It was possible to add time spent on an issue without being a project member.
This issue is now mitigated in the latest release and is waiting for a CVE ID
to be assigned.

Thanks @ashish_r_padelkar for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab EE 12.8 and later.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

Cross-Site Scripting in PyPi Files API

Under certain conditions, requests involving the PyPi files API could result in
an XSS vulnerability. This issue is now mitigated in the latest release and is
waiting for a CVE ID to be assigned.

Thanks @vakzz for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab EE 13.1 and later.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

Insecure Authorization Check on Private Project Security Dashboard

Under certain conditions, a project member with Guest permissions was allowed
to view the project security dashboard. This issue is now mitigated in the
latest release and is waiting for a CVE ID to be assigned.

Thanks @vaib25vicky for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab EE 12.8 to 13.1.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

Cross-Site Scripting in References

A stored cross-site scripting vulnerability was discovered when editing
references. This issue is now mitigated in the latest release and is waiting
for a CVE ID to be assigned.

Thanks @vakzz for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab EE 8.10.0 to 13.1.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

Cross-Site Scripting in Group Names

An internal investigation revealed that Group Names could be used to store XSS
payloads. This issue is now mitigated in the latest release and is waiting for
a CVE ID to be assigned.

Versions Affected

Affects GitLab EE 12.10 and later.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

Cross-Site Scripting in Blob Viewer

A stored XSS vulnerability was discovered in the blob viewer feature. This
issue is now mitigated in the latest release and is waiting for a CVE ID to be
assigned.

Thanks @yvvdwf for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab EE 12.6 and later.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

Cross-Site Scripting in Error Tracking

A stored cross-site scripting payload could be injected in the Error Tracking
page. This issue is now mitigated in the latest release and is waiting for a
CVE ID to be assigned.

Thanks @mike12 for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab EE 12.10 and later.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

Insecure Authorisation Check on Creation and Deletion of Deploy Tokens

An insecure authorization check allowed project members with Maintainer role to
create and delete deploy tokens. This issue is now mitigated in the latest
release and is waiting for a CVE ID to be assigned.

Thanks @ashish_r_padelkar for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab EE 12.9 and later.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

User Name Format Restriction Bypass

Username format restrictions could be bypassed, allowing HTML tags to be
added. This issue is now mitigated in the latest release and is waiting for a
CVE ID to be assigned.

Thanks @zseano for responsibly reporting this vulnerability to us.

Versions Affected

Affects all versions of GitLab.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

Denial of Service in Issue Comments

A denial of service vulnerability involving the comments on an issue was
discovered. This issue is now mitigated in the latest release and is waiting
for a CVE ID to be assigned.

Thanks @tiradorngpilipinas for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab EE 12.9 and later.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

Cross-Site Scripting in Wiki Pages

A stored cross-site scripting vulnerability was discovered in the Wiki upload
feature. This issue is now mitigated in the latest release and is waiting for a
CVE ID to be assigned.

Thanks @semsem123 for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab EE 12.10 and older.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

Private Merge Request Updates Leaked via Todos

An internal investigation revealed that updates to private merge requests could
be disclosed to removed project members. This issue is now mitigated in the
latest release and is waiting for a CVE ID to be assigned.

Versions Affected

Affects all versions of GitLab.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

Private User Activity Leaked via API

Under certain conditions the private activity of a user could be exposed via
the API. This issue is now mitigated in the latest release and is waiting for a
CVE ID to be assigned.

Thanks @ngalog for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab EE 9.4 and later.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

Cross-Site Scripting in Bitbucket Import Feature

A stored XSS vulnerability could be exploited using the Bitbucket project
import feature. This issue is now mitigated in the latest release and is
waiting for a CVE ID to be assigned.

Thanks @saltyyolk of Chaitin Tech for responsibly reporting this vulnerability
to us.

Versions Affected

Affects GitLab 11.2 and later.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

Github Project Restriction Bypass

It was possible to bypass the restriction of importing projects from Github via
the API. This issue is now mitigated in the latest release and is waiting for a
CVE ID to be assigned.

Thanks @xanbanx for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab 11.8 and later.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

Update PCRE Dependency

The libpcre in PCRE has been upgraded from 8.42 to 8.44. This upgrade includes
a security fix for CVE-2020-14155.

Versions Affected

Affects all previous versions of GitLab Omnibus.

Update Kaminari Gem

Using Kaminari before 1.2.1, an attacker could inject arbitrary code into pages
with pagination links. This upgrade includes a security fix for CVE-2020-11082.

Versions Affected

Affects all previous versions of GitLab Omnibus.

Cross-Site Scripting in User Profile

A stored cross-site scripting vulnerability was discovered in the User profile
page. This issue is now mitigated in the latest release and is waiting for a
CVE ID to be assigned.

Thanks @mike12 for responsibly reporting this vulnerability to us.

Versions Affected

Affects all versions of GitLab.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

Update Xterm.js

A remote code execution exists in xterm.js before 3.9.2. This upgrade includes
a security fix for CVE-2019-0542.

Versions Affected

Affects all previous versions of GitLab Omnibus.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

Updating

To update GitLab, see the Update page.

- --------------------------END INCLUDED TEXT--------------------
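
The remediation repeated throughout the included text is to upgrade to 13.1.2,
13.0.8 or 12.10.13. The following script is an added example, not GitLab's or
AusCERT's code, that checks a running instance's version string against those
three fixed releases so an administrator can tell at a glance whether a given
instance is still on a vulnerable build. The FIXED_VERSIONS table is taken from
the bulletin; the /api/v4/version response shape ("version" and "revision"
keys) is GitLab's published API; the sample response body and the function
names are constructed for this example.

```python
"""Compare a GitLab version string with the fixed releases named in the
GitLab security release of 1 July 2020 (13.1.2, 13.0.8 and 12.10.13).

Added example; not GitLab or AusCERT code. FIXED_VERSIONS comes from the
bulletin; the sample API body below is constructed.
"""
import json
import re
from typing import Tuple

# Minimum patched release for each minor series that received a fix.
FIXED_VERSIONS = {
    (13, 1): (13, 1, 2),
    (13, 0): (13, 0, 8),
    (12, 10): (12, 10, 13),
}

# MAJOR.MINOR.PATCH with the optional "-ee" / "-ce" edition suffix that
# GitLab appends to its version strings.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)(?:-(?:ee|ce))?\s*$")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse a GitLab version string into a comparable (major, minor, patch)."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def assess(version_text: str) -> str:
    """Classify a running version against the bulletin's fixed releases.

    Returns one of:
      'patched'             - at or above the fixed release of its series
      'vulnerable'          - same series as a fixed release but older
      'unsupported-series'  - older series with no fix in this release; the
                              only remediation is moving to a fixed series
      'newer-than-bulletin' - a series released after this bulletin, which
                              this check does not make a claim about
    """
    major, minor, patch = parse_version(version_text)
    fixed = FIXED_VERSIONS.get((major, minor))
    if fixed is None:
        if (major, minor) > max(FIXED_VERSIONS):
            return "newer-than-bulletin"
        return "unsupported-series"
    return "patched" if (major, minor, patch) >= fixed else "vulnerable"


def version_from_api_response(body: str) -> str:
    """Extract the version string from a GET /api/v4/version JSON body."""
    data = json.loads(body)
    version = data.get("version")
    if not isinstance(version, str):
        raise ValueError("response has no 'version' string")
    return version


if __name__ == "__main__":
    # Constructed sample of what /api/v4/version returns; the revision value
    # is a placeholder, not a real GitLab commit id.
    sample_body = '{"version": "13.1.1-ee", "revision": "PLACEHOLDER"}'
    running = version_from_api_response(sample_body)
    print(f"{running}: {assess(running)}")
```

The check is deliberately conservative about series outside the table: an
instance on 12.9.x or older is reported as an unsupported series rather than
"vulnerable", because the bulletin offers no patched 12.9 build, and anything
newer than 13.1 is reported as outside the bulletin's scope rather than assumed
safe.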

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----