Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2020.3431 GitLab Security Release: 13.4.2, 13.3.7 and 13.2.10 2 October 2020 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: GitLab Community Edition (CE) GitLab Enterprise Edition (EE) Publisher: GitLab Operating System: UNIX variants (UNIX, Linux, OSX) Windows Virtualisation Impact/Access: Execute Arbitrary Code/Commands -- Unknown/Unspecified Denial of Service -- Unknown/Unspecified Cross-site Scripting -- Unknown/Unspecified Access Confidential Data -- Unknown/Unspecified Reduced Security -- Unknown/Unspecified Resolution: Patch/Upgrade CVE Names: CVE-2020-13335 CVE-2020-13334 CVE-2020-13333 CVE-2020-13332 CVE-2020-13327 Original Bulletin: https://about.gitlab.com/releases/2020/10/01/security-release-13-4-2-release/ - --------------------------BEGIN INCLUDED TEXT-------------------- GitLab Security Release: 13.4.2, 13.3.7 and 13.2.10 Learn more about GitLab Security Release: 13.4.2, 13.3.7 and 13.2.10 for GitLab Community Edition (CE) and Enterprise Edition (EE) Today we are releasing versions 13.4.2, 13.3.7 and 13.2.10 for GitLab Community Edition (CE) and Enterprise Edition (EE). These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. You can see all of our regular and security release blog posts here. In addition, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched. We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more best practices in securing your GitLab instance in our blog post. Potential Denial Of Service Via Update Release Links API A potential DoS vulnerability was discovered in release api, certain user supplied values could rise the CPU usage. This issue is now mitigated in the latest release and is assigned CVE-2020-13333. Thanks @anyday for responsibly reporting this vulnerability to us. Versions Affected Affects GitLab 13.1 and later. Remediation We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible. Insecure Storage of Session Key In Redis Under certain condition an unauthorised user could read the Redis keys and use to obtain a valid session. This issue is now mitigated in the latest release and is waiting for a CVE ID to be assigned. Thanks @rabbitfang for responsibly reporting this vulnerability to us. Versions Affected Affects GitLab 10.8 and later. Remediation We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible. Improper Access Expiration Date Validation It was possible for users to access projects with an expired access date. This issue is now mitigated in the latest release and is assigned CVE-2020-13332. Thanks @henonoah for responsibly reporting this vulnerability to us. Versions Affected Affects GitLab 8.11.0-rc6+ and later. Remediation We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible. Cross-Site Scripting in Multiple Pages A reflected cross-site scripting was discovred in different pages. This issue is now mitigated in the latest release and is waiting for a CVE ID to be assigned. Thanks @vakzz for responsibly reporting this vulnerability to us. Versions Affected Affects GitLab 10.8 and later. Remediation We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible. Unauthorized Users Can View Custom Project Template An unauthorised user was able to view private custom project template. This issue is now mitigated in the latest release and is waiting for a CVE ID to be assigned. Thanks @jobert for responsibly reporting this vulnerability to us. Versions Affected Affects GitLab EE 11.2 and later. Remediation We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible. Cross-Site Scripting in SVG Image Preview A stored cross-site scripting was found in SVG image preview. This issue is now mitigated in the latest release and is waiting for a CVE ID to be assigned. Thanks @aryan2808 for responsibly reporting this vulnerability to us. Versions Affected Affects GitLab 12.10 and later. Remediation We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible. Incomplete Handling in Account Deletion It was discovered that there was insufficient check before account deletion which allowed an account to be deleted while being the owner of a group. This issue is now mitigated in the latest release and is assigned CVE-2020-13335. Thanks @brdoors3 for responsibly reporting this vulnerability to us. Versions Affected Affects GitLab 7.12 and later. Remediation We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible. Insufficient Rate Limiting at Re-Sending Confirmation Email It was discovered that there was insufficient rate-limiting at re-sending confirmatil email. This issue is now mitigated in the latest release and is waiting for a CVE ID to be assigned. Thanks @yuanchenlu for responsibly reporting this vulnerability to us. Versions Affected Affects GitLab 10.1.0 and later. Remediation We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible. Improper Type Check in GraphQL It was discovered that due to an improper type check in GraphQL users with developer role were able to perform unauthorised actions. This issue is now mitigated in the latest release and is waiting for a CVE ID to be assigned. Thanks @ledz1996 for responsibly reporting this vulnerability to us. Versions Affected Affects GitLab 13.1 and later. Remediation We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible. To-dos Are Not Redacted When Membership Changes It was discovered that after membership changes were applied, the to-do list was not redacted properly. This issue is now mitigated in the latest release and is waiting for a CVE ID to be assigned. Thanks @vaib25vicky for responsibly reporting this vulnerability to us. Versions Affected Affects GitLab 11.2 and later. Remediation We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible. Guest users can modify confidentiality attribute It was discovered that improper authorization checks allows a non-member of a project/group to change the confidentiality attribute of issue via mutation GraphQL query. This issue is now mitigated in the latest release and is assigned CVE-2020-13334. Thanks @0xwintermute for responsibly reporting this vulnerability to us. Versions Affected Affects GitLab 8.6 and later. Remediation We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible. Command injection on runner host It was discovered that improper validation of authorization configuration allowed arbitary command execution on windows runner host. This issue is now mitigated in the latest release and is waiting for a CVE ID to be assigned. Thanks @ajxchapman for responsibly reporting this vulnerability to us. Versions Affected Affects GitLab Runner 12.0.0 and later. Remediation We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible. Insecure Runner Configuration in Kubernetes Environments An internal investigation revealed a security issue in GitLab Runner configuration used with Kubernetes environments that could be used to perform a MitM(Man in the Middle) attack. This issue is now mitigated in the latest release and is assigned CVE-2020-13327. Versions Affected Affects GitLab Runner 13.2, 13.3, 13.4 and later. Remediation We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible. - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBX3aKIeNLKJtyKPYoAQhIAg//beQNhR5aDGVdV0rcXzX2Pn1JlJfUN55j PNWLr6KBXQsuyfOyqT5qGWRlyV9bDD79G4uMisrqHxL3M7Gn4RscUz9GPndtpeZP 2eEIex38zf2TYqjEoZc4YaKtkr+2+CFf3Lb6/g4XdvgPAOe46s6hPjI0z7OmhQbT LOuZOMLMDvA/RKzsT+uRFo5OW274cYy0tynXxAnYZVpyn7kgF65asxRX8J7Id81W Su/Z6zqnSEY77UOSK0LpBhBJGemqs1hNHkxk4K3Tz27zl0DrU/jsZONCROuhzmb6 kJFtucg9ZE5XPz4BA58zWqpwj8sRxLv9yq18Y0ow5Utt1HIqSbOLaT9ml/yKM5o7 Da21kbihnvCknja+s4lbkWE0AFtEXC5F1ohVIyKzEV/17erX3iqRXK5D/x2vUXuG akgRv8uQntK8cQeDRB9CrIkklm19CyP1nBKPcLw0vDpUdORq+ztAvaNEeQwkZNxB p6JVNCDHU9h+Pp3GP6XQ8bX5GBXRRe4i/5xDjv42B1CcSTOoeEpiBBh2NEaT3mVC SXJ3CvRXwmghRMaYyYYSyxJ6UDOVV579aPOPD9gVqmKpAmGjMFBSbdHL1MPFmmIH nqfjFC7684Pcecob023l+0kCF9S+N8hGGFx5z9fsM/2CVi21dpFVGo43OdkZnQyB jI0eyK/jESE= =iXez -----END PGP SIGNATURE-----