Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2020.3431
GitLab Security Release: 13.4.2, 13.3.7 and 13.2.10
2 October 2020
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: GitLab Community Edition (CE)
GitLab Enterprise Edition (EE)
Publisher: GitLab
Operating System: UNIX variants (UNIX, Linux, OSX)
Windows
Virtualisation
Impact/Access: Execute Arbitrary Code/Commands -- Unknown/Unspecified
Denial of Service -- Unknown/Unspecified
Cross-site Scripting -- Unknown/Unspecified
Access Confidential Data -- Unknown/Unspecified
Reduced Security -- Unknown/Unspecified
Resolution: Patch/Upgrade
CVE Names: CVE-2020-13335 CVE-2020-13334 CVE-2020-13333
CVE-2020-13332 CVE-2020-13327
Original Bulletin:
https://about.gitlab.com/releases/2020/10/01/security-release-13-4-2-release/
- --------------------------BEGIN INCLUDED TEXT--------------------
GitLab Security Release: 13.4.2, 13.3.7 and 13.2.10
Learn more about GitLab Security Release: 13.4.2, 13.3.7 and 13.2.10 for GitLab
Community Edition (CE) and Enterprise Edition (EE)
Today we are releasing versions 13.4.2, 13.3.7 and 13.2.10 for GitLab Community
Edition (CE) and Enterprise Edition (EE).
These versions contain important security fixes, and we strongly recommend that
all GitLab installations be upgraded to one of these versions immediately.
GitLab releases patches for vulnerabilities in dedicated security releases.
There are two types of security releases: a monthly, scheduled security
release, released a week after the feature release (which deploys on the 22nd
of each month), and ad-hoc security releases for critical vulnerabilities. You
can see all of our regular and security release blog posts here. In addition,
the issues detailing each vulnerability are made public on our issue tracker 30
days after the release in which they were patched.
We are dedicated to ensuring all aspects of GitLab that are exposed to
customers or that host customer data are held to the highest security
standards. As part of maintaining good security hygiene, it is highly
recommended that all customers upgrade to the latest security release for their
supported version. You can read more best practices in securing your GitLab
instance in our blog post.
Potential Denial Of Service Via Update Release Links API
A potential DoS vulnerability was discovered in release api, certain user
supplied values could rise the CPU usage. This issue is now mitigated in the
latest release and is assigned CVE-2020-13333.
Thanks @anyday for responsibly reporting this vulnerability to us.
Versions Affected
Affects GitLab 13.1 and later.
Remediation
We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.
Insecure Storage of Session Key In Redis
Under certain condition an unauthorised user could read the Redis keys and use
to obtain a valid session. This issue is now mitigated in the latest release
and is waiting for a CVE ID to be assigned.
Thanks @rabbitfang for responsibly reporting this vulnerability to us.
Versions Affected
Affects GitLab 10.8 and later.
Remediation
We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.
Improper Access Expiration Date Validation
It was possible for users to access projects with an expired access date. This
issue is now mitigated in the latest release and is assigned CVE-2020-13332.
Thanks @henonoah for responsibly reporting this vulnerability to us.
Versions Affected
Affects GitLab 8.11.0-rc6+ and later.
Remediation
We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.
Cross-Site Scripting in Multiple Pages
A reflected cross-site scripting was discovred in different pages. This issue
is now mitigated in the latest release and is waiting for a CVE ID to be
assigned.
Thanks @vakzz for responsibly reporting this vulnerability to us.
Versions Affected
Affects GitLab 10.8 and later.
Remediation
We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.
Unauthorized Users Can View Custom Project Template
An unauthorised user was able to view private custom project template. This
issue is now mitigated in the latest release and is waiting for a CVE ID to be
assigned.
Thanks @jobert for responsibly reporting this vulnerability to us.
Versions Affected
Affects GitLab EE 11.2 and later.
Remediation
We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.
Cross-Site Scripting in SVG Image Preview
A stored cross-site scripting was found in SVG image preview. This issue is now
mitigated in the latest release and is waiting for a CVE ID to be assigned.
Thanks @aryan2808 for responsibly reporting this vulnerability to us.
Versions Affected
Affects GitLab 12.10 and later.
Remediation
We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.
Incomplete Handling in Account Deletion
It was discovered that there was insufficient check before account deletion
which allowed an account to be deleted while being the owner of a group. This
issue is now mitigated in the latest release and is assigned CVE-2020-13335.
Thanks @brdoors3 for responsibly reporting this vulnerability to us.
Versions Affected
Affects GitLab 7.12 and later.
Remediation
We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.
Insufficient Rate Limiting at Re-Sending Confirmation Email
It was discovered that there was insufficient rate-limiting at re-sending
confirmatil email. This issue is now mitigated in the latest release and is
waiting for a CVE ID to be assigned.
Thanks @yuanchenlu for responsibly reporting this vulnerability to us.
Versions Affected
Affects GitLab 10.1.0 and later.
Remediation
We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.
Improper Type Check in GraphQL
It was discovered that due to an improper type check in GraphQL users with
developer role were able to perform unauthorised actions. This issue is now
mitigated in the latest release and is waiting for a CVE ID to be assigned.
Thanks @ledz1996 for responsibly reporting this vulnerability to us.
Versions Affected
Affects GitLab 13.1 and later.
Remediation
We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.
To-dos Are Not Redacted When Membership Changes
It was discovered that after membership changes were applied, the to-do list
was not redacted properly. This issue is now mitigated in the latest release
and is waiting for a CVE ID to be assigned.
Thanks @vaib25vicky for responsibly reporting this vulnerability to us.
Versions Affected
Affects GitLab 11.2 and later.
Remediation
We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.
Guest users can modify confidentiality attribute
It was discovered that improper authorization checks allows a non-member of a
project/group to change the confidentiality attribute of issue via mutation
GraphQL query. This issue is now mitigated in the latest release and is
assigned CVE-2020-13334.
Thanks @0xwintermute for responsibly reporting this vulnerability to us.
Versions Affected
Affects GitLab 8.6 and later.
Remediation
We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.
Command injection on runner host
It was discovered that improper validation of authorization configuration
allowed arbitary command execution on windows runner host. This issue is now
mitigated in the latest release and is waiting for a CVE ID to be assigned.
Thanks @ajxchapman for responsibly reporting this vulnerability to us.
Versions Affected
Affects GitLab Runner 12.0.0 and later.
Remediation
We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.
Insecure Runner Configuration in Kubernetes Environments
An internal investigation revealed a security issue in GitLab Runner
configuration used with Kubernetes environments that could be used to perform a
MitM(Man in the Middle) attack. This issue is now mitigated in the latest
release and is assigned CVE-2020-13327.
Versions Affected
Affects GitLab Runner 13.2, 13.3, 13.4 and later.
Remediation
We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBX3aKIeNLKJtyKPYoAQhIAg//beQNhR5aDGVdV0rcXzX2Pn1JlJfUN55j
PNWLr6KBXQsuyfOyqT5qGWRlyV9bDD79G4uMisrqHxL3M7Gn4RscUz9GPndtpeZP
2eEIex38zf2TYqjEoZc4YaKtkr+2+CFf3Lb6/g4XdvgPAOe46s6hPjI0z7OmhQbT
LOuZOMLMDvA/RKzsT+uRFo5OW274cYy0tynXxAnYZVpyn7kgF65asxRX8J7Id81W
Su/Z6zqnSEY77UOSK0LpBhBJGemqs1hNHkxk4K3Tz27zl0DrU/jsZONCROuhzmb6
kJFtucg9ZE5XPz4BA58zWqpwj8sRxLv9yq18Y0ow5Utt1HIqSbOLaT9ml/yKM5o7
Da21kbihnvCknja+s4lbkWE0AFtEXC5F1ohVIyKzEV/17erX3iqRXK5D/x2vUXuG
akgRv8uQntK8cQeDRB9CrIkklm19CyP1nBKPcLw0vDpUdORq+ztAvaNEeQwkZNxB
p6JVNCDHU9h+Pp3GP6XQ8bX5GBXRRe4i/5xDjv42B1CcSTOoeEpiBBh2NEaT3mVC
SXJ3CvRXwmghRMaYyYYSyxJ6UDOVV579aPOPD9gVqmKpAmGjMFBSbdHL1MPFmmIH
nqfjFC7684Pcecob023l+0kCF9S+N8hGGFx5z9fsM/2CVi21dpFVGo43OdkZnQyB
jI0eyK/jESE=
=iXez
-----END PGP SIGNATURE-----