Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2021.1898 GitLab Security Release: 13.12.2, 13.11.5, and 13.10.5 2 June 2021 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: GitLab Community Edition GitLab Enterprise Edition Publisher: GitLab Operating System: Windows UNIX variants (UNIX, Linux, OSX) Virtualisation Impact/Access: Cross-site Scripting -- Remote with User Interaction Provide Misleading Information -- Remote/Unauthenticated Denial of Service -- Existing Account Access Confidential Data -- Remote/Unauthenticated Reduced Security -- Remote/Unauthenticated Unauthorised Access -- Existing Account Resolution: Patch/Upgrade CVE Names: CVE-2021-22181 Original Bulletin: https://about.gitlab.com/releases/2021/06/01/security-release-gitlab-13-12-2-released/ - --------------------------BEGIN INCLUDED TEXT-------------------- GitLab Security Release: 13.12.2, 13.11.5, and 13.10.5 Learn more about GitLab Security Release: 13.12.2, 13.11.5, and 13.10.5 for GitLab Community Edition (CE) and Enterprise Edition (EE). Today we are releasing versions 13.12.2, 13.11.5, and 13.10.5 for GitLab Community Edition (CE) and Enterprise Edition (EE). These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our security FAQ. You can see all of our regular and security release blog posts here. In addition, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched. We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more best practices in securing your GitLab instance in our blog post. Additional note In GitLab 13.10 the CI Lint API started requiring authentication for GitLab instances where registration is disabled. Starting with this release, the CI Lint API endpoint will also require authentication when registration is limited (for example where an email domain allowlist is configured). Table of Fixes Title Severity Stealing GitLab OAuth access tokens using XSLeaks in Safari high Denial of service through recursive triggered pipelines high Unauthenticated CI lint API may lead to information disclosure and medium SSRF Server-side DoS through rendering crafted Markdown documents medium Issue and merge request length limit is not being enforced medium Insufficient Expired Password Validation medium XSS in blob viewer of notebooks medium Logging of Sensitive Information medium On-call rotation information exposed when removing a member low Spoofing commit author for signed commits low Stealing GitLab OAuth access tokens using XSLeaks in Safari A cross-site leak vulnerability in the OAuth flow of all versions of GitLab CE/ EE since 7.10 allowed an attacker to leak an OAuth access token by getting the victim to visit a malicious page with Safari. This is a high severity issue (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, 8.8). We have requested a CVE ID and will update this blog post when it is assigned. Thanks hubblebubble for reporting this vulnerability through our HackerOne bug bounty program. Remediation We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible. Denial of service through recursive triggered pipelines A denial of service vulnerability in GitLab CE/EE affecting all versions since 11.8 allows an attacker to create a recursive pipeline relationship and exhaust resources. This is a high severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/ I:N/A:H, 7.7). It is now mitigated in the latest release and is assigned CVE-2021-22181. This vulnerability has been discovered internally by the GitLab team. Remediation We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible. Unauthenticated CI lint API may lead to information disclosure and SSRF When requests to the internal network for webhooks are enabled, a server-side request forgery vulnerability in GitLab CE/EE affecting all versions starting from 10.5 was possible to exploit for an unauthenticated attacker even on a GitLab instance where registration is limited. This is a medium severity issue (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N, 6.8). We have requested a CVE ID and will update this blog post when it is assigned. Thanks @myster for reporting this vulnerability through our HackerOne bug bounty program. Remediation We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible. Server-side DoS through rendering crafted Markdown documents A denial of service vulnerability in all versions of GitLab CE/EE before 13.12.2, 13.11.5 or 13.10.5 allows an attacker to cause uncontrolled resource consumption with a specially crafted issue or merge request. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, 6.5). We have requested a CVE ID and will update this blog post when it is assigned. Thanks phli for reporting this vulnerability through our HackerOne bug bounty program. Remediation We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible. Issue and merge request length limit is not being enforced A denial of service vulnerability in all versions of GitLab CE/EE before 13.12.2, 13.11.5 or 13.10.5 allows an attacker to cause uncontrolled resource consumption with a very long issue or merge request description. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, 6.5). We have requested a CVE ID and will update this blog post when it is assigned. This vulnerability has been discovered internally by the GitLab team. Remediation We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible. Insufficient Expired Password Validation An issue has been discovered in GitLab affecting all versions starting from 12.9.0 before 13.10.5, all versions starting from 13.11.0 before 13.11.5, all versions starting from 13.12.0 before 13.12.2. Insufficient expired password validation in various operations allow user to maintain limited access after their password expired. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/ PR:N/UI:N/S:U/C:L/I:L/A:N, 6.5). We have requested a CVE ID and will update this blog post when it is assigned. This vulnerability has been discovered internally by the GitLab team. Remediation We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible. XSS in blob viewer of notebooks An issue has been discovered in GitLab affecting all versions starting with 13.10. GitLab was vulnerable to a stored XSS in blob viewer of notebooks. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, 6.1). We have requested a CVE ID and will update this blog post when it is assigned. Thanks (@yvvdwf)[https://hackerone.com/yvvdwf] for reporting this vulnerability through our HackerOne bug bounty program. Remediation We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible. Logging of Sensitive Information GitLab CE/EE since version 9.5 allows a high privilege user to obtain sensitive information from log files because the sensitive information was not correctly registered for log masking. This is a medium severity issue (CVSS:3.0/AV:N/AC:H /PR:H/UI:N/S:U/C:H/I:N/A:N, 4.4). We have requested a CVE ID and will update this blog post when it is assigned. This vulnerability has been discovered internally by the GitLab team https:// gitlab.com/dcouture. Remediation We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible. On-call rotation information exposed when removing a member An information disclosure vulnerability in GitLab EE versions 13.11 and later allowed a project owner to leak information about the members' on-call rotations in other projects. This is a low severity issue (CVSS:3.0/AV:N/AC:L/ PR:H/UI:N/S:U/C:L/I:N/A:N, 2.7). We have requested a CVE ID and will update this blog post when it is assigned. This vulnerability has been discovered internally by the GitLab team. Remediation We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible. Spoofing commit author for signed commits All versions of GitLab CE/EE starting with 12.8 were affected by an issue in the handling of x509 certificates that could be used to spoof author of signed commits. This is a low severity issue (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L /A:N, 2.6). We have requested a CVE ID and will update this blog post when it is assigned. Thanks subbotin for reporting this vulnerability through our HackerOne bug bounty program. Remediation We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible. Enable qsh verification for Atlassian Connect qsh verification has been enabled for Atlassian Connect to address a breaking change in the Atlassian Connect API. If you are using Jira Connect with a self-managed instance you need to update to these latest security releases before June 7th. If you are on GitLab.com, you do not need to do anything. For more details see this GitLab issue. Versions affected Affects all versions of GitLab. Remediation We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible. Update bindata dependency The dependency on bindata has been upgraded to 2.4.10 in order to mitigate security concerns. Versions affected Affects versions 12.0 and later. Remediation We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible. Update grafana dependency The dependency on Grafana has been upgraded to 7.5.4 in order to mitigate security concerns. Versions affected Affects versions 13.11, 13.10 and 13.9. Remediation We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible. Updating To update GitLab, see the Update page. To update Gitlab Runner, see the Updating the Runner page. - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBYLb8juNLKJtyKPYoAQimDhAAkLOW3/MuuPlKP5c6Xc1A6xJpXraaPzvI 52PQibPJmgolk3D1WUR06SxoTMO/16c3o2eR6Z1tiwrqUTfOKbStiV1parCxWtrW oDZWlnp/tCSx9ngOJDYr//0uSTku3NLKpr+6Tnw+gv7cLnfXzeTmT4g3nJeVgCX3 WdwUpUe2sePcLJJpqK3ZMKgTlq5WD6kiKdjGU/+Ms0VZ6duSCpeSVQsElFBxPjjh V07NCxemgQzE03mnBf2qBdxsvVvdgGu053diI5oqlYXAvVVHrlP5pWn9e0ack5Qq WS3CebhSTdbfYOQ6PhABvsHFNiML9OKxfNm+tXXbeGoSIVMi/lY9bjfkbT7DFSSt 5hjDPhN/aVf9VcI0mxx+qhlq3frnRtkKITN7Xcn8gu8Xvndra/HE1fgYKfvAog/W t0j5f90+R/tJiXD4EPA3qDImLdfm0ZEKYEEJs4XMnGzOfzl0z7QMxefTVvdk3KD5 sicZJgcOf+iG9bYK50mjXkvjxLMEK7fcquXMdxswhsqUsCJx9ntpMPEO0ROkCT1k 8Ippz3l5AdrcJjVvIWoOPoub07u/6r9fZzr7NEVUFF8qhAOzzBqMv98r8/RdhGJT k/X244kPh6JZPbDfkLlqlTtGw18L9kHRv32hVgMhbGzGh9OyiNlp0oUGNoz2yO+5 HZS69Nmepsc= =Zwr3 -----END PGP SIGNATURE-----