-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.3250
       GitLab Critical Security Release: 15.1.1, 15.0.4, and 14.10.5
                                4 July 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           GitLab Community Edition (CE)
                   GitLab Enterprise Edition (EE)
Publisher:         GitLab
Operating System:  Windows
                   Linux variants
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-2281 CVE-2022-2270 CVE-2022-2250 CVE-2022-2244
                   CVE-2022-2243 CVE-2022-2235 CVE-2022-2230 CVE-2022-2229
                   CVE-2022-2228 CVE-2022-2227 CVE-2022-2185 CVE-2022-1999
                   CVE-2022-1983 CVE-2022-1981 CVE-2022-1963 CVE-2022-1954

Original Bulletin:
   https://about.gitlab.com/releases/2022/06/30/critical-security-release-gitlab-15-1-1-released/

Comment: CVSS (Max):  9.9 CVE-2022-2185 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
         CVSS Source: GitLab
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

GitLab Critical Security Release: 15.1.1, 15.0.4, and 14.10.5

Today we are releasing versions 15.1.1, 15.0.4, and 14.10.5 for GitLab
Community Edition (CE) and Enterprise Edition (EE). Please note, this critical
release will also serve as our monthly security release for June.

These versions contain important security fixes, and we strongly recommend
that all GitLab installations be upgraded to one of these versions
immediately. GitLab.com is already running the patched version.

GitLab releases patches for vulnerabilities in dedicated security releases.
There are two types of security releases: a monthly, scheduled security
release, released a week after the feature release (which deploys on the 22nd
of each month), and ad-hoc security releases for critical vulnerabilities. For
more information, you can visit our security FAQ.

You can see all of our regular and security release blog posts here. In
addition, the issues detailing each vulnerability are made public on our issue
tracker 30 days after the release in which they were patched.

We are dedicated to ensuring all aspects of GitLab that are exposed to
customers or that host customer data are held to the highest security
standards. As part of maintaining good security hygiene, it is highly
recommended that all customers upgrade to the latest security release for
their supported version. You can read more best practices in securing your
GitLab instance in our blog post.

Recommended Action

We strongly recommend that all installations running a version affected by the
issues described below are upgraded to the latest version as soon as possible.

When no specific deployment type (omnibus, source code, helm chart, etc.) of a
product is mentioned, this means all types are affected.
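The recommended action above boils down to one question per instance: is the
installed version at or above 14.10.5, 15.0.4 or 15.1.1 on its release line?
The following triage helper is an added example, not GitLab's or AusCERT's
code. It encodes the three fixed versions and the "prior to" ranges used in the
entries of this release, and assumes version strings in GitLab's
MAJOR.MINOR.PATCH form with an optional "-ee"/"-ce" suffix; the sample
inventory is constructed.

```python
"""Fleet triage against the fixed versions named in this bulletin (added example)."""
import re

# Fixed versions per release line, as stated in the bulletin.
FIXED_VERSIONS = {
    (14, 10): (14, 10, 5),
    (15, 0): (15, 0, 4),
    (15, 1): (15, 1, 1),
}

# MAJOR.MINOR.PATCH with an optional suffix such as "-ee" or "-ce".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-.*)?$")


def parse_version(text):
    """Return (major, minor, patch) or raise ValueError on unexpected input."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_patched(text):
    """True if the installed version contains the fixes from this release.

    Affected ranges per the bulletin: everything before 14.10.5, 15.0.x before
    15.0.4 and 15.1.x before 15.1.1. A release line newer than 15.1 is treated
    as patched because it was cut after these fixes; any older line without a
    patched build (e.g. 14.9.x or 13.x) must move to one of the fixed versions.
    """
    major, minor, patch = parse_version(text)
    line = (major, minor)
    if line in FIXED_VERSIONS:
        return (major, minor, patch) >= FIXED_VERSIONS[line]
    return line > (15, 1)


def triage(inventory):
    """Return the sorted host names whose version still needs upgrading."""
    return sorted(host for host, ver in inventory.items() if not is_patched(ver))


if __name__ == "__main__":
    # Constructed sample inventory; host names and versions are made up.
    sample = {
        "git-prod-1": "15.1.0-ee",
        "git-prod-2": "15.1.1-ee",
        "git-stage": "15.0.4-ce",
        "git-legacy": "14.10.4-ce",
        "git-old": "13.12.15-ce",
    }
    for host in triage(sample):
        print(f"{host}: {sample[host]} affected; upgrade to 14.10.5, 15.0.4 or 15.1.1")
```

Run it against the output of `gitlab-rake gitlab:env:info` or the
`/api/v4/version` endpoint collected from each instance; anything it lists is
still exposed to every issue in the table below.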
Table of Fixes

  Title                                                                Severity
  -------------------------------------------------------------------  --------
  Remote Command Execution via Project Imports                         critical
  XSS in ZenTao integration affecting self hosted instances without    high
    strict CSP
  XSS in project settings page                                         high
  Unallowed users can read unprotected CI variables                    high
  IP allow-list bypass to access Container Registries                  medium
  2FA status is disclosed to unauthenticated users                     medium
  Restrict membership by email domain bypass                           medium
  IDOR in sentry issues                                                medium
  Reporters can manage issues in error tracking                        medium
  CI variables provided to runners outside of a group's restricted IP  medium
    range
  Regular Expression Denial of Service via malicious web server        medium
    responses
  Unauthorized read for conan repository                               low
  Open redirect vulnerability                                          low
  Group labels are editable through subproject                         low
  Release titles visible for any users if group milestones are         low
    associated with any project releases
  Job information is leaked to users who previously were maintainers   medium
    via the Runner Jobs API endpoint

Remote Command Execution via Project Imports

A critical issue has been discovered in GitLab affecting all versions starting
from 14.0 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1
where an authorised user could import a maliciously crafted project leading to
remote code execution. This is a critical severity issue
(CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H, 9.9). It is now mitigated in the
latest release and is assigned CVE-2022-2185. Thanks vakzz for reporting this
vulnerability through our HackerOne bug bounty program.

XSS in ZenTao integration affecting self hosted instances without strict CSP

Insufficient sanitization in GitLab EE's external issue tracker affecting all
versions from 14.5 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to
15.1.1 allows an attacker to perform cross-site scripting when a victim clicks
on a maliciously crafted ZenTao link. This is a high severity issue
(CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N, 8.7).
It is now mitigated in the latest release and is assigned CVE-2022-2235. Thanks
joaxcar for reporting this vulnerability through our HackerOne bug bounty
program.

XSS in project settings page

A Stored Cross-Site Scripting vulnerability in the project settings page in
GitLab CE/EE affecting all versions from 14.4 prior to 14.10.5, 15.0 prior to
15.0.4, and 15.1 prior to 15.1.1, allows an attacker to execute arbitrary
JavaScript code in GitLab on a victim's behalf. This is a high severity issue
(CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N, 8.1). It is now mitigated in the
latest release and is assigned CVE-2022-2230. Thanks yvvdwf for reporting this
vulnerability through our HackerOne bug bounty program.

Unallowed users can read unprotected CI variables

An improper authorization issue in GitLab CE/EE affecting all versions from
13.7 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1 allows
an attacker to extract the value of an unprotected variable they know the name
of in public projects or private projects they're a member of. This is a high
severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, 7.5). It is now
mitigated in the latest release and is assigned CVE-2022-2229. Thanks shell3c
for reporting this vulnerability through our HackerOne bug bounty program.

IP allow-list bypass to access Container Registries

Incorrect authorization in GitLab EE affecting all versions from 10.7 prior to
14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1, allowed an attacker
already in possession of a valid Deploy Key or a Deploy Token to misuse it
from any location to access Container Registries even when IP address
restrictions were configured. This is a medium severity issue
(CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N, 6.5). It is now mitigated in the
latest release and is assigned CVE-2022-1983. This issue was found internally
by a member of the GitLab team.
2FA status is disclosed to unauthenticated users

An issue has been discovered in GitLab CE/EE affecting all versions starting
from 13.4 before 14.10.5, all versions starting from 15.0 before 15.0.4, all
versions starting from 15.1 before 15.1.1. GitLab reveals if a user has
enabled two-factor authentication on their account in the HTML source, to
unauthenticated users. This is a medium severity issue
(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, 5.3). It is now mitigated in the
latest release and is assigned CVE-2022-1963. Thanks albatraoz for reporting
this vulnerability through our HackerOne bug bounty program.

CI variables provided to runners outside of a group's restricted IP range

Information exposure in GitLab EE affecting all versions from 12.0 prior to
14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1 allows an attacker
with the appropriate access tokens to obtain CI variables in a group using
IP-based access restrictions even if the GitLab Runner is calling from outside
the allowed IP range. This is a medium severity issue
(CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N, 5.3). It is now mitigated in the
latest release and is assigned CVE-2022-2228. This vulnerability has been
discovered internally by the GitLab team.

Restrict membership by email domain bypass

An issue has been discovered in GitLab EE affecting all versions starting from
12.2 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1. In
GitLab, if a group enables the setting to restrict access to users belonging
to specific domains, that allow-list may be bypassed if a Maintainer uses the
'Invite a group' feature to invite a group that has members that don't comply
with the domain allow-list. This is a medium severity issue
(CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N, 5.9). It is now mitigated in the
latest release and is assigned CVE-2022-1981. Thanks muthu_prakash for
reporting this vulnerability through our HackerOne bug bounty program.
IDOR in sentry issues

An access control vulnerability in GitLab EE/CE affecting all versions from
14.8 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1, allows
authenticated users to enumerate issues in non-linked sentry projects. This is
a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N, 5.0).
It is now mitigated in the latest release and is assigned CVE-2022-2243.
Thanks joaxcar for reporting this vulnerability through our HackerOne bug
bounty program.

Reporters can manage issues in error tracking

An improper authorization vulnerability in GitLab EE/CE affecting all versions
from 14.8 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1,
allows project members with the reporter role to manage issues in the
project's error tracking feature. This is a medium severity issue
(CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N, 4.3). It is now mitigated in the
latest release and is assigned CVE-2022-2244. Thanks joaxcar for reporting
this vulnerability through our HackerOne bug bounty program.

Regular Expression Denial of Service via malicious web server responses

A Regular Expression Denial of Service vulnerability in GitLab CE/EE affecting
all versions from 1.0.2 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior
to 15.1.1 allows an attacker to make a GitLab instance inaccessible via
specially crafted web server response headers. This is a medium severity issue
(CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L, 4.3). It is now mitigated in the
latest release and is assigned CVE-2022-1954. Thanks afewgoats for reporting
this vulnerability through our HackerOne bug bounty program.

Unauthorized read for conan repository

An issue has been discovered in GitLab affecting all versions starting from
12.4 before 14.10.5, all versions starting from 15.0 before 15.0.4, all
versions starting from 15.1 before 15.1.1. GitLab was leaking Conan package
names due to incorrect permissions verification.
This is a low severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N,
3.5). It is now mitigated in the latest release and is assigned CVE-2022-2270.
Thanks fushbey for reporting this vulnerability through our HackerOne bug
bounty program.

Open redirect vulnerability

An open redirect vulnerability in GitLab EE/CE affecting all versions from
11.1 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1, allows
redirecting users to a malicious location. This is a low severity issue
(CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N, 4.7). It is now mitigated in the
latest release and is assigned CVE-2022-2250. Thanks stealthy for reporting
this vulnerability through our HackerOne bug bounty program.

Group labels are editable through subproject

An issue has been discovered in GitLab CE/EE affecting all versions from 8.13
prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1. Under
certain conditions, using the REST API an unprivileged user was able to change
label descriptions. This is a low severity issue
(CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N, 3.1). It is now mitigated in the
latest release and is assigned CVE-2022-1999. This vulnerability has been
discovered internally by the GitLab team.

Release titles visible for any users if group milestones are associated with
any project releases

An information disclosure vulnerability in GitLab EE affecting all versions
from 12.5 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1,
allows disclosure of release titles if group milestones are associated with
any project releases. This is a low severity issue
(CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N, 2.6). It is now mitigated in the
latest release and is assigned CVE-2022-2281. Thanks ashish_r_padelkar for
reporting this vulnerability through our HackerOne bug bounty program.
Job information is leaked to users who previously were maintainers via the
Runner Jobs API endpoint

Improper access control in the runner jobs API in GitLab CE/EE affecting all
versions prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1
allows a previous maintainer of a project with a specific runner to access job
and project metadata under certain conditions. This is a low severity issue
(CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N, 3.1). It is now mitigated in the
latest release and is assigned CVE-2022-2227. Thanks vaib25vicky for reporting
this vulnerability through our HackerOne bug bounty program.

Update rack

The version of rack has been updated to 2.2.3.1 in order to mitigate security
concerns.

Versions affected

Affects all versions of GitLab CE/EE

Updating

To update GitLab, see the Update page. To update GitLab Runner, see the
Updating the Runner page.

Receive Security Release Notifications

To receive security release blog notifications delivered to your inbox, visit
our contact us page. To receive release notifications via RSS, subscribe to
our security release RSS feed or our RSS feed for all releases.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.
The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may arise
from following or acting on information or advice contained in this security
bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/

iQIVAwUBYsKRuckNZI30y1K9AQgOMw//Yo+9GbJTCud5DJQlyyRYzYNw/t0aZmBR
Kxp6Ya9LGolKeIWwFXAojBRzGbxFNfbIxDEaavqPCYnVQnu96PCdr75tmUemDRd7
yMeZ1A+2p+4DM+cgWzMz1Ta/7ZUGn2I0G4MshkgH1B34ntOlnJYvAaJrcZ/tU5Oz
NpCa6+pbnl/+aOYWL7YkLJ80tdx9jxrNZt0Ml6+0tqPj+CIB75QQbhYpOumWFXTT
QJIvTdLFo3Tae6UOp5hx91aySwqNur4fpn0nPASkHI9auzsCpesPXfxJ2833BU0y
Rw5RmFTE4rmJqiDum/O14NOKGH6wfzlHiWAMSHc/3NS4QKFJfuIN11PjfEFDCkWP
AAr/7XCmeWeL1bQR15FHL7xo0mb5bcI4SB488zjak3c5f+mIDnujjBrEguBQE1t2
wQXMTfBg/hUCCpDfZ0dH8XR1VYAscMaA2icACsqHvCvouwV9xDoQfUGFKHyCDzme
QtcNLnJNLsUhtm06ZiPBYHCiJvxue9qi2rwgDVCWIeSXT+NhJ3prQ3SnI/GEnrqA
Yly+9dpem7mVTFd6le1IlppWmuiMlvb+X7gSvCDMQURBspDLWSEZS0VEeBU6IiBv
qoGwm5NhkFhV64ZINdk8kbZEFMEfTR3msLTNrba46JmmNyf+oDr1VsmMtOF3xPf2
uk1chr9Qz7k=
=LfHR
-----END PGP SIGNATURE-----