Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2021.1898
GitLab Security Release: 13.12.2, 13.11.5, and 13.10.5
2 June 2021
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: GitLab Community Edition
GitLab Enterprise Edition
Publisher: GitLab
Operating System: Windows
UNIX variants (UNIX, Linux, OSX)
Virtualisation
Impact/Access: Cross-site Scripting -- Remote with User Interaction
Provide Misleading Information -- Remote/Unauthenticated
Denial of Service -- Existing Account
Access Confidential Data -- Remote/Unauthenticated
Reduced Security -- Remote/Unauthenticated
Unauthorised Access -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2021-22181
Original Bulletin:
https://about.gitlab.com/releases/2021/06/01/security-release-gitlab-13-12-2-released/
- --------------------------BEGIN INCLUDED TEXT--------------------
GitLab Security Release: 13.12.2, 13.11.5, and 13.10.5
Learn more about GitLab Security Release: 13.12.2, 13.11.5, and 13.10.5 for
GitLab Community Edition (CE) and Enterprise Edition (EE).
Today we are releasing versions 13.12.2, 13.11.5, and 13.10.5 for GitLab
Community Edition (CE) and Enterprise Edition (EE).
These versions contain important security fixes, and we strongly recommend that
all GitLab installations be upgraded to one of these versions immediately.
GitLab releases patches for vulnerabilities in dedicated security releases.
There are two types of security releases: a monthly, scheduled security
release, released a week after the feature release (which deploys on the 22nd
of each month), and ad-hoc security releases for critical vulnerabilities. For
more information, you can visit our security FAQ. You can see all of our
regular and security release blog posts here. In addition, the issues detailing
each vulnerability are made public on our issue tracker 30 days after the
release in which they were patched.
We are dedicated to ensuring all aspects of GitLab that are exposed to
customers or that host customer data are held to the highest security
standards. As part of maintaining good security hygiene, it is highly
recommended that all customers upgrade to the latest security release for their
supported version. You can read more best practices in securing your GitLab
instance in our blog post.
Additional note
In GitLab 13.10 the CI Lint API started requiring authentication for GitLab
instances where registration is disabled. Starting with this release, the CI
Lint API endpoint will also require authentication when registration is limited
(for example where an email domain allowlist is configured).
Table of Fixes
Title Severity
Stealing GitLab OAuth access tokens using XSLeaks in Safari high
Denial of service through recursive triggered pipelines high
Unauthenticated CI lint API may lead to information disclosure and medium
SSRF
Server-side DoS through rendering crafted Markdown documents medium
Issue and merge request length limit is not being enforced medium
Insufficient Expired Password Validation medium
XSS in blob viewer of notebooks medium
Logging of Sensitive Information medium
On-call rotation information exposed when removing a member low
Spoofing commit author for signed commits low
Stealing GitLab OAuth access tokens using XSLeaks in Safari
A cross-site leak vulnerability in the OAuth flow of all versions of GitLab CE/
EE since 7.10 allowed an attacker to leak an OAuth access token by getting the
victim to visit a malicious page with Safari. This is a high severity issue
(CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, 8.8). We have requested a CVE ID
and will update this blog post when it is assigned.
Thanks hubblebubble for reporting this vulnerability through our HackerOne bug
bounty program.
Remediation
We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.
Denial of service through recursive triggered pipelines
A denial of service vulnerability in GitLab CE/EE affecting all versions since
11.8 allows an attacker to create a recursive pipeline relationship and exhaust
resources. This is a high severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/
I:N/A:H, 7.7). It is now mitigated in the latest release and is assigned
CVE-2021-22181.
This vulnerability has been discovered internally by the GitLab team.
Remediation
We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.
Unauthenticated CI lint API may lead to information disclosure and SSRF
When requests to the internal network for webhooks are enabled, a server-side
request forgery vulnerability in GitLab CE/EE affecting all versions starting
from 10.5 was possible to exploit for an unauthenticated attacker even on a
GitLab instance where registration is limited. This is a medium severity issue
(CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N, 6.8). We have requested a CVE ID
and will update this blog post when it is assigned.
Thanks @myster for reporting this vulnerability through our HackerOne bug
bounty program.
Remediation
We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.
Server-side DoS through rendering crafted Markdown documents
A denial of service vulnerability in all versions of GitLab CE/EE before
13.12.2, 13.11.5 or 13.10.5 allows an attacker to cause uncontrolled resource
consumption with a specially crafted issue or merge request. This is a medium
severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, 6.5). We have
requested a CVE ID and will update this blog post when it is assigned.
Thanks phli for reporting this vulnerability through our HackerOne bug bounty
program.
Remediation
We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.
Issue and merge request length limit is not being enforced
A denial of service vulnerability in all versions of GitLab CE/EE before
13.12.2, 13.11.5 or 13.10.5 allows an attacker to cause uncontrolled resource
consumption with a very long issue or merge request description. This is a
medium severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, 6.5). We
have requested a CVE ID and will update this blog post when it is assigned.
This vulnerability has been discovered internally by the GitLab team.
Remediation
We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.
Insufficient Expired Password Validation
An issue has been discovered in GitLab affecting all versions starting from
12.9.0 before 13.10.5, all versions starting from 13.11.0 before 13.11.5, all
versions starting from 13.12.0 before 13.12.2. Insufficient expired password
validation in various operations allow user to maintain limited access after
their password expired. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/
PR:N/UI:N/S:U/C:L/I:L/A:N, 6.5). We have requested a CVE ID and will update
this blog post when it is assigned.
This vulnerability has been discovered internally by the GitLab team.
Remediation
We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.
XSS in blob viewer of notebooks
An issue has been discovered in GitLab affecting all versions starting with
13.10. GitLab was vulnerable to a stored XSS in blob viewer of notebooks. This
is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, 6.1).
We have requested a CVE ID and will update this blog post when it is assigned.
Thanks (@yvvdwf)[https://hackerone.com/yvvdwf] for reporting this vulnerability
through our HackerOne bug bounty program.
Remediation
We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.
Logging of Sensitive Information
GitLab CE/EE since version 9.5 allows a high privilege user to obtain sensitive
information from log files because the sensitive information was not correctly
registered for log masking. This is a medium severity issue (CVSS:3.0/AV:N/AC:H
/PR:H/UI:N/S:U/C:H/I:N/A:N, 4.4). We have requested a CVE ID and will update
this blog post when it is assigned.
This vulnerability has been discovered internally by the GitLab team https://
gitlab.com/dcouture.
Remediation
We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.
On-call rotation information exposed when removing a member
An information disclosure vulnerability in GitLab EE versions 13.11 and later
allowed a project owner to leak information about the members' on-call
rotations in other projects. This is a low severity issue (CVSS:3.0/AV:N/AC:L/
PR:H/UI:N/S:U/C:L/I:N/A:N, 2.7). We have requested a CVE ID and will update
this blog post when it is assigned.
This vulnerability has been discovered internally by the GitLab team.
Remediation
We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.
Spoofing commit author for signed commits
All versions of GitLab CE/EE starting with 12.8 were affected by an issue in
the handling of x509 certificates that could be used to spoof author of signed
commits. This is a low severity issue (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L
/A:N, 2.6). We have requested a CVE ID and will update this blog post when it
is assigned.
Thanks subbotin for reporting this vulnerability through our HackerOne bug
bounty program.
Remediation
We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.
Enable qsh verification for Atlassian Connect
qsh verification has been enabled for Atlassian Connect to address a breaking
change in the Atlassian Connect API.
If you are using Jira Connect with a self-managed instance you need to update
to these latest security releases before June 7th. If you are on GitLab.com,
you do not need to do anything. For more details see this GitLab issue.
Versions affected
Affects all versions of GitLab.
Remediation
We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.
Update bindata dependency
The dependency on bindata has been upgraded to 2.4.10 in order to mitigate
security concerns.
Versions affected
Affects versions 12.0 and later.
Remediation
We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.
Update grafana dependency
The dependency on Grafana has been upgraded to 7.5.4 in order to mitigate
security concerns.
Versions affected
Affects versions 13.11, 13.10 and 13.9.
Remediation
We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.
Updating
To update GitLab, see the Update page. To update Gitlab Runner, see the
Updating the Runner page.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBYLb8juNLKJtyKPYoAQimDhAAkLOW3/MuuPlKP5c6Xc1A6xJpXraaPzvI
52PQibPJmgolk3D1WUR06SxoTMO/16c3o2eR6Z1tiwrqUTfOKbStiV1parCxWtrW
oDZWlnp/tCSx9ngOJDYr//0uSTku3NLKpr+6Tnw+gv7cLnfXzeTmT4g3nJeVgCX3
WdwUpUe2sePcLJJpqK3ZMKgTlq5WD6kiKdjGU/+Ms0VZ6duSCpeSVQsElFBxPjjh
V07NCxemgQzE03mnBf2qBdxsvVvdgGu053diI5oqlYXAvVVHrlP5pWn9e0ack5Qq
WS3CebhSTdbfYOQ6PhABvsHFNiML9OKxfNm+tXXbeGoSIVMi/lY9bjfkbT7DFSSt
5hjDPhN/aVf9VcI0mxx+qhlq3frnRtkKITN7Xcn8gu8Xvndra/HE1fgYKfvAog/W
t0j5f90+R/tJiXD4EPA3qDImLdfm0ZEKYEEJs4XMnGzOfzl0z7QMxefTVvdk3KD5
sicZJgcOf+iG9bYK50mjXkvjxLMEK7fcquXMdxswhsqUsCJx9ntpMPEO0ROkCT1k
8Ippz3l5AdrcJjVvIWoOPoub07u/6r9fZzr7NEVUFF8qhAOzzBqMv98r8/RdhGJT
k/X244kPh6JZPbDfkLlqlTtGw18L9kHRv32hVgMhbGzGh9OyiNlp0oUGNoz2yO+5
HZS69Nmepsc=
=Zwr3
-----END PGP SIGNATURE-----