-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.0501
            GitLab Security Release 14.7.1, 14.6.4, and 14.5.4
                              4 February 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           GitLab Community Edition
                   GitLab Enterprise Edition
Publisher:         GitLab
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
                   Virtualisation
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-0477 CVE-2022-0427 CVE-2022-0425
                   CVE-2022-0390 CVE-2022-0373 CVE-2022-0371
                   CVE-2022-0344 CVE-2022-0283 CVE-2022-0249
                   CVE-2022-0167 CVE-2022-0136 CVE-2022-0123
                   CVE-2021-39943 CVE-2021-39931 

Reference:         ESB-2021.4141

Original Bulletin: 
   https://about.gitlab.com/releases/2022/02/03/security-release-gitlab-14-7-1-released/

Comment: CVSS (Max):  7.7 CVE-2022-0427 (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N)
         CVSS Source: GitLab

- --------------------------BEGIN INCLUDED TEXT--------------------

GitLab Security Release: 14.7.1, 14.6.4, and 14.5.4

Today we are releasing versions 14.7.1, 14.6.4, and 14.5.4 for GitLab Community
Edition (CE) and Enterprise Edition (EE).

These versions contain important security fixes, and we strongly recommend that
all GitLab installations be upgraded to one of these versions immediately.
GitLab.com is already running the patched version.

GitLab releases patches for vulnerabilities in dedicated security releases.
There are two types of security releases: a monthly, scheduled security
release, released a week after the feature release (which deploys on the 22nd
of each month), and ad-hoc security releases for critical vulnerabilities. For
more information, you can visit our security FAQ. You can see all of our
regular and security release blog posts here. In addition, the issues detailing
each vulnerability are made public on our issue tracker 30 days after the
release in which they were patched.

We are dedicated to ensuring all aspects of GitLab that are exposed to
customers or that host customer data are held to the highest security
standards. As part of maintaining good security hygiene, it is highly
recommended that all customers upgrade to the latest security release for their
supported version. You can read more best practices in securing your GitLab
instance in our blog post.

Recommended Action

We strongly recommend that all installations running a version affected by the
issues described below are upgraded to the latest version as soon as possible.

Table of Fixes

                                Title                                  Severity
Arbitrary POST requests via special HTML attributes in Jupyter         high
Notebooks
DNS Rebinding vulnerability in Irker IRC Gateway integration           medium
Missing certificate validation for external CI services                medium
Blind SSRF Through Project Import                                      medium
Open redirect vulnerability in Jira Integration                        medium
Issue link was disclosing the linked issue                             medium
Service desk email accessible by project non-members                   medium
Authenticated users can search other users by their private email      medium
"External status checks" can be accepted by users below developer
access if the user is either author or assignee of the target merge    medium
request
Deleting packages in bulk from package registries may cause table      medium
locks
Autocomplete enabled on specific pages                                 low
Possible SSRF due to not blocking shared address space                 low
System notes reveals private project path when Issue is moved to a     low
public project
Timeout for pages using Markdown                                       low
Certain branch names could not be protected                            low

Arbitrary POST requests via special HTML attributes in Jupyter Notebooks

Missing sanitization of HTML attributes in Jupyter notebooks in all versions of
GitLab CE/EE since version 14.5 allows an attacker to perform arbitrary HTTP
POST requests on a user's behalf leading to potential account takeover. This is
a high severity issue (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N, 7.7). It
is now mitigated in the latest release and is assigned CVE-2022-0427.

Thanks joaxcar for reporting this vulnerability through our HackerOne bug
bounty program.

DNS Rebinding vulnerability in Irker IRC Gateway integration

A DNS rebinding vulnerability in the Irker IRC Gateway integration in all
versions of GitLab CE/EE since version 7.9 allows an attacker to trigger Server
Side Request Forgery (SSRF) attacks. This is a medium severity issue (CVSS:3.0/
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N, 6.5). It is now mitigated in the latest
release and is assigned CVE-2022-0425.

This vulnerability has been discovered internally by the GitLab team.

Missing certificate validation for external CI services

An issue has been discovered affecting GitLab versions prior to 14.4.5, between
14.5.0 and 14.5.3, and between 14.6.0 and 14.6.1. GitLab does not validate SSL
certificates for some of external CI services which makes it possible to
perform MitM attacks on connections to these external services. This is a
medium severity issue (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N, 5.9). It
is now mitigated in the latest release and is assigned CVE-2022-0123.

This vulnerability has been discovered internally by the GitLab team.
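
As an added illustration (not code from the GitLab release post or from
GitLab itself), the Ruby below puts the Net::HTTP configuration that produces
exactly this exposure next to the hardened one, and adds a small check that a
test suite can run over every outbound client so VERIFY_NONE cannot creep back
in. The CI service hostname and the private CA file are assumptions of the
example.

```ruby
require "net/http"
require "openssl"
require "uri"

# Weak configuration: chain validation switched off. An on-path attacker can
# present any certificate for the CI service and read or alter the traffic,
# which is the MitM the advisory describes.
def insecure_ci_client(uri)
  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_NONE
  http
end

# Hardened configuration: VERIFY_PEER validates the chain against the trust
# store, and Net::HTTP then also checks that the certificate matches uri.host
# (post_connection_check) whenever verify_mode is not VERIFY_NONE. TLS 1.2 is
# the floor. ca_file is for a CI service signed by a private CA (an assumed
# deployment detail for this example); leave it nil to use the system store.
def verified_ci_client(uri, ca_file: nil)
  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  http.min_version = OpenSSL::SSL::TLS1_2_VERSION
  http.ca_file = ca_file if ca_file
  http.open_timeout = http.read_timeout = 10
  http
end

# Regression check for client objects: returns the list of policy violations,
# empty when the client is acceptable. Run it over every outbound integration
# client in a test suite.
def tls_policy_violations(http)
  issues = []
  issues << "plaintext HTTP" unless http.use_ssl?
  issues << "verify_mode is VERIFY_NONE" if http.verify_mode == OpenSSL::SSL::VERIFY_NONE
  min = http.min_version
  issues << "TLS below 1.2 allowed" if min.nil? || min < OpenSSL::SSL::TLS1_2_VERSION
  issues
end

# Fetches a CI status page with the hardened client; a bad certificate raises
# OpenSSL::SSL::SSLError instead of being silently accepted.
def fetch_ci_status(url, ca_file: nil)
  uri = URI.parse(url)
  verified_ci_client(uri, ca_file: ca_file).request(Net::HTTP::Get.new(uri))
end
```

The check deliberately flags a client whose min_version was never set: Net::HTTP
then leaves the protocol floor to the OpenSSL defaults, which is not the policy
a CI integration should rely on.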

Blind SSRF Through Project Import

A vulnerability was discovered in GitLab starting with version 10.5. GitLab was
vulnerable to a blind SSRF attack through the Project Import feature. This is a
medium severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L, 5.4). It
is now mitigated in the latest release and is assigned CVE-2022-0136.

Thanks no1zy for reporting this vulnerability through our HackerOne bug bounty
program.

Open redirect vulnerability in Jira Integration

An issue has been discovered affecting GitLab versions prior to 13.5. An open
redirect vulnerability in the GitLab integration with Jira could cause the web
application to redirect the request to an attacker-specified URL. This is a
medium severity issue (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N, 4.7). It
is now mitigated in the latest release and is assigned CVE-2022-0283.

This vulnerability has been discovered internally by the GitLab team.
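
The usual defence against an open redirect of this kind is to validate the
destination before issuing the 302. The following Ruby is an added example
(not GitLab's code and not from the release post) of such a validator: it
accepts a plain path on the instance or an absolute URL on the instance's own
origin, and sends everything else to a fixed fallback. The origin
"https://gitlab.example" and the sample targets are constructed for the
example.

```ruby
require "uri"

# Returns a redirect destination that is safe to send to the browser: either
# +target+ itself, when it is a plain path on this site or an absolute URL on
# +origin+, or +fallback+ otherwise. +origin+ is the instance's external URL
# (an assumed value for this example, e.g. "https://gitlab.example").
def safe_redirect_target(target, origin:, fallback: "/")
  return fallback if target.nil? || target.strip.empty?
  site = URI.parse(origin)
  uri = (URI.parse(target) rescue nil)  # malformed input is not a destination
  return fallback if uri.nil?

  if uri.host.nil?
    # Path-only or opaque target ("javascript:...", "mailto:..."). Accept only
    # a path with exactly one leading slash: "//evil.example" is scheme-relative
    # and browsers treat "/\evil.example" the same way.
    ok = target.start_with?("/") && !target.start_with?("//", "/\\")
    return ok ? target : fallback
  end

  # Absolute target: must be the same origin (scheme, host, port) and must not
  # smuggle a different host through userinfo ("https://gitlab.example@evil/").
  return fallback unless uri.scheme == site.scheme
  return fallback unless uri.host.casecmp?(site.host)
  return fallback unless uri.port == site.port
  return fallback unless uri.userinfo.nil?
  target
end
```

Comparing the full origin rather than only the hostname matters: a target on
the right host but a different port or on plain http would still move the user
off the site they authenticated to.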

Issue link was disclosing the linked issue

Improper access control allowed project non-members to retrieve issue details
when the issue was linked to an item from the vulnerability dashboard in GitLab
CE/EE. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/
I:N/A:N, 4.3). It is now mitigated in the latest release and is assigned
CVE-2022-0390.

Thanks wi11 for reporting this vulnerability through our HackerOne bug bounty
program.

Service desk email accessible by project non-members

Improper access control allows project non-members to retrieve the service desk
email address in GitLab CE/EE. This is a medium severity issue (CVSS:3.0/AV:N/
AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, 4.3). It is now mitigated in the latest release
and is assigned CVE-2022-0373.

Thanks albatraoz for reporting this vulnerability through our HackerOne bug
bounty program.

Authenticated users can search other users by their private email

GitLab search may allow authenticated users to search other users by their
respective private emails even if a user set their email to private. This is a
medium severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, 4.3). It
is now mitigated in the latest release and is assigned CVE-2022-0371.

Customers may continue to search GitLab through the following methods:

  o Search via public email
  o Search via username
  o Query Users API for user id
  o Use our new Provisioned Users endpoint (if you use Group SAML or SCIM)
  o Use an Admin token to search for the users via the API (if you are on a
    GitLab self-managed instance)

This vulnerability was found internally by a member of the GitLab team.

"External status checks" can be accepted by users below developer access if the
user is either author or assignee of the target merge request

An authorization logic error in the External Status Check API in GitLab EE
affecting all versions starting from 14.1 before 14.3.6, all versions starting
from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, allowed
a user to update the status of the check via an API call. This is a medium
severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N, 4.3). It is now
mitigated in the latest release and is assigned CVE-2021-39943.

Thanks joaxcar for reporting this vulnerability through our HackerOne bug
bounty program.

Deleting packages in bulk from package registries may cause table locks

An issue has been discovered in GitLab affecting all versions starting from
11.9 before 14.5.4, all versions starting from 14.6.0 before 14.6.4, all
versions starting from 14.7.0 before 14.7.1. GitLab was not correctly handling
bulk requests to delete existing packages from the package registries which
could result in a Denial of Service under specific conditions. This is a medium
severity issue (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H, 6.5). It is now
mitigated in the latest release and is assigned CVE-2022-0477.

This vulnerability was found internally by a member of the GitLab team.

Autocomplete enabled on specific pages

An issue has been discovered in GitLab affecting all versions starting from
14.0 before 14.4.5, all versions starting from 14.5.0 before 14.5.3, all
versions starting from 14.6.0 before 14.6.2. GitLab was not disabling the
Autocomplete attribute of fields related to sensitive information making it
possible to be retrieved under certain conditions. This is a low severity issue
(CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N, 3.1). It is now mitigated in the
latest release and is assigned CVE-2022-0167.

Thanks NCC Group for reporting this vulnerability to us.

Possible SSRF due to not blocking shared address space

A vulnerability was discovered in GitLab starting with version 12. GitLab was
vulnerable to a blind SSRF attack since requests to the shared address space
(100.64.0.0/10) were not blocked. This is a low severity issue (CVSS:3.0/AV:N/
AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N, 3.1). It is now mitigated in the latest release
and is assigned CVE-2022-0249.

Thanks no1zy for reporting this vulnerability through our HackerOne bug bounty
program.
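
The Irker DNS rebinding issue, the blind SSRF through Project Import and the
unblocked shared address space above are three variants of one problem: an
outbound request whose destination is chosen by a user. This added Ruby example
(not GitLab's own code, and not from the release post) shows the validation a
practitioner would put in front of such requests: resolve the hostname once,
reject the destination if any answer lands in a blocked range including
100.64.0.0/10, and pin the connection to the checked address so a second
lookup cannot rebind it. The hostnames and DNS answers are constructed, and
the injectable resolver is an assumption of the example.

```ruby
require "ipaddr"
require "net/http"
require "resolv"
require "uri"

class UnsafeDestination < StandardError; end

# Ranges an outbound-integration fetcher must never reach. 100.64.0.0/10 is the
# RFC 6598 shared address space that the low-severity SSRF entry says was not
# blocked; the others are loopback, RFC 1918, link-local (which includes the
# 169.254.169.254 cloud metadata endpoint), unique-local and unspecified.
BLOCKED_RANGES = %w[
  0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16
  172.16.0.0/12 192.168.0.0/16 ::/128 ::1/128 fc00::/7 fe80::/10
].map { |cidr| IPAddr.new(cidr) }

def blocked_address?(ip)
  # ::ffff:127.0.0.1 is loopback dressed up as IPv6; compare the embedded IPv4.
  ip = ip.native if ip.ipv6? && ip.ipv4_mapped?
  BLOCKED_RANGES.any? { |range| range.include?(ip) }
end

# Resolves +host+ exactly once, rejects the destination if ANY answer is in a
# blocked range, and returns the single pinned address the caller must connect
# to. +resolver+ is injectable so the policy can be exercised with constructed
# DNS answers (an assumption of this example; production code keeps Resolv).
def pin_destination(host, resolver: ->(h) { Resolv.getaddresses(h) })
  raise UnsafeDestination, "missing host" if host.nil? || host.empty?
  literal = (IPAddr.new(host) rescue nil)
  answers = literal ? [literal] : resolver.call(host).map { |a| IPAddr.new(a) }
  raise UnsafeDestination, "#{host} did not resolve" if answers.empty?
  # A rebinding zone can return a public and a private record together, or a
  # short-TTL record that flips between lookups. Checking every answer here and
  # never resolving again closes both variants.
  bad = answers.find { |a| blocked_address?(a) }
  raise UnsafeDestination, "#{host} resolves to blocked address #{bad}" if bad
  answers.first
end

# Validates an integration URL and returns [uri, pinned_ip] without connecting.
def validate_outbound_url(url, resolver: ->(h) { Resolv.getaddresses(h) })
  uri = URI.parse(url)
  unless %w[http https].include?(uri.scheme)
    raise UnsafeDestination, "scheme #{uri.scheme.inspect} not allowed"
  end
  [uri, pin_destination(uri.hostname, resolver: resolver)]
end

# Performs the request against the pinned address. Net::HTTP#ipaddr= makes the
# socket connect to +ip+ while Host and SNI still carry the original hostname,
# so no second DNS lookup happens between validation and connect.
def safe_get(url)
  uri, ip = validate_outbound_url(url)
  http = Net::HTTP.new(uri.hostname, uri.port)
  http.ipaddr = ip.to_s
  http.use_ssl = (uri.scheme == "https")
  http.open_timeout = http.read_timeout = 5
  http.request(Net::HTTP::Get.new(uri))
end
```

One caveat the check cannot cover on its own: an HTTP redirect from the
validated host to an internal address. Follow redirects manually and run each
hop through validate_outbound_url again rather than letting the client follow
them.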

System notes reveals private project path when Issue is moved to a public
project

An issue has been discovered in GitLab affecting all versions starting from
10.0 before 14.5.4, all versions starting from 10.1 before 14.6.4, all versions
starting from 10.2 before 14.7.1. Private project paths can be disclosed to
unauthorized users via system notes when an Issue is closed via a Merge Request
and later moved to a public project. This is a low severity issue (CVSS:3.0/
AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N, 3.1). It is now mitigated in the latest
release and is assigned CVE-2022-0344.

Thanks ashish_r_padelkar for reporting this vulnerability through our HackerOne
bug bounty program.

Timeout for pages using Markdown

An issue has been discovered in GitLab CE/EE affecting all versions starting
with version 8.10. It was possible to trigger a timeout on a page with markdown
by using a specific amount of block-quotes. This is a low severity issue
(CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L, 3.5). It is now mitigated in the
latest release and will be assigned a CVE identifier soon.

This vulnerability has been discovered internally by the GitLab team.

Certain branch names could not be protected

In some cases, branch names containing HTML tags were not properly being
protected. This is a follow-up to CVE-2021-39931.

Thanks joaxcar for reporting this vulnerability through our HackerOne bug
bounty program.

Update Mattermost

The version of Mattermost has been updated to 6.1.1 in order to mitigate
security concerns.

Versions affected

Affects GitLab Omnibus prior to 14.7

Update Go

The version of Go used in the GitLab Omnibus .gitlab-ci.yml file has been
updated to 2.9.1 in order to mitigate security concerns.

Versions affected

Affects GitLab Omnibus prior to 14.7

Update Rouge

The version of Rouge has been updated to 3.27.0 in order to mitigate security
concerns.

Versions affected

Affects all versions of GitLab CE/EE

Update Mermaid

The version of Mermaid has been updated to 8.13.10 in order to mitigate
security concerns.

Versions affected

Affects all versions of GitLab CE/EE

Updating

To update GitLab, see the Update page. To update GitLab Runner, see the
Updating the Runner page.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----