===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.5596
            GitLab Security Release: 15.5.2, 15.4.4, and 15.3.5
                              4 November 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           GitLab CE/EE
                   GitLab Runner
Publisher:         GitLab
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-3819 CVE-2022-3818 CVE-2022-3793
                   CVE-2022-3767 CVE-2022-3726 CVE-2022-3706
                   CVE-2022-3486 CVE-2022-3483 CVE-2022-3413
                   CVE-2022-3280 CVE-2022-3265 CVE-2022-2761
                   CVE-2022-2251  

Original Bulletin: 
   https://about.gitlab.com/releases/2022/11/02/security-release-gitlab-15-5-2-released/

Comment: CVSS (Max):  7.7 CVE-2022-3767 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)
         CVSS Source: GitLab
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

- --------------------------BEGIN INCLUDED TEXT--------------------

Today we are releasing versions 15.5.2, 15.4.4, and 15.3.5 for GitLab Community 
Edition (CE) and Enterprise Edition (EE).

These versions contain important security fixes, and we strongly recommend that 
all GitLab installations be upgraded to one of these versions immediately. 
GitLab.com is already running the patched version.

GitLab releases patches for vulnerabilities in dedicated security releases. There 
are two types of security releases: a monthly, scheduled security release, released 
a week after the feature release (which deploys on the 22nd of each month), and 
ad-hoc security releases for critical vulnerabilities. For more information, you 
can visit our security FAQ. You can see all of our regular and security release 
blog posts here. In addition, the issues detailing each vulnerability are made 
public on our issue tracker 30 days after the release in which they were patched.

We are dedicated to ensuring all aspects of GitLab that are exposed to customers 
or that host customer data are held to the highest security standards. As part of 
maintaining good security hygiene, it is highly recommended that all customers 
upgrade to the latest security release for their supported version. You can read 
more best practices in securing your GitLab instance in our blog post.

Recommended Action

We strongly recommend that all installations running a version affected by the 
issues described below are upgraded to the latest version as soon as possible.

When no specific deployment type (omnibus, source code, helm chart, etc.) of a 
product is mentioned, this means all types are affected.
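The "upgrade to the latest version" advice above can be checked mechanically against the three fixed versions this bulletin names. This is an added helper, not GitLab's own tooling; `needs_upgrade` is a hypothetical function and the version strings passed to it are constructed for the demo.

```python
"""Check a self-managed GitLab version against the fixed versions in this bulletin."""
import re

# Fixed versions named in the bulletin; each one closes its own minor series.
FIXED_VERSIONS = ("15.5.2", "15.4.4", "15.3.5")


def parse_version(text):
    """'15.4.3' or '15.4.3-ee' -> (15, 4, 3); anything else is rejected."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-.*)?", text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    return tuple(int(x) for x in m.groups())


def needs_upgrade(installed):
    """Return the fixed version to move to, or None if no upgrade is needed.

    A version in one of the three patched series is compared against that
    series' fix. Anything older than the oldest patched series is reported
    against 15.3.5, because the bulletin says 'all versions prior to 15.3.5'.
    A newer series than any listed (constructed example: 15.6.0) is not
    covered by this bulletin and also returns None.
    """
    cur = parse_version(installed)
    fixed = sorted(parse_version(v) for v in FIXED_VERSIONS)  # ascending
    for fix in fixed:
        if cur[:2] == fix[:2]:  # same major.minor series
            return None if cur >= fix else ".".join(map(str, fix))
    oldest = fixed[0]
    if cur < oldest:
        return ".".join(map(str, oldest))
    return None
```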

+--------------------------------------------------------------+------------+
| Title                                                        | Severity   |
|--------------------------------------------------------------+------------|
| DAST analyzer sends custom request headers with every        | high       |
| request                                                      |            |
| Stored-XSS with CSP-bypass via scoped labels' color          | high       |
| Maintainer can leak Datadog API key by changing integration  | medium     |
| URL                                                          |            |
| Uncontrolled resource consumption when parsing URLs          | medium     |
| Issue HTTP requests when users view an OpenAPI document and  | medium     |
| click buttons                                                |            |
| Command injection in CI jobs via branch name in CI pipelines | medium     |
| Open redirection                                             | medium     |
| Prefill variables do not check permission of the project in  | medium     |
| external CI config                                           |            |
| Disclosure of audit events to insufficiently permissioned    | medium     |
| group and project members                                    |            |
| Arbitrary GFM references rendered in Jira issue description  | medium     |
| leak private/confidential resources                          |            |
| Award emojis API for an internal note is accessible to users | low        |
| without access to the note                                   |            |
| Open redirect in pipeline artifacts when generating HTML     | low        |
| documents                                                    |            |
| Retrying a job in a downstream pipeline allows the retrying  | low        |
| user to take ownership of the retried jobs in upstream       |            |
| pipelines                                                    |            |
| Project-level Secure Files can be written out of the target  | low        |
| directory                                                    |            |
+--------------------------------------------------------------+------------+

DAST analyzer sends custom request headers with every request

Missing validation in the DAST analyzer, affecting all versions from 1.11.0 prior to 
3.0.32, allows custom request headers to be sent with every request regardless 
of the host. This is a high severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N, 7.7). 
It is now mitigated in the latest release and is assigned CVE-2022-3767.
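The defensive property the fix restores is that scanner-supplied headers (typically credentials for the scan target) only travel to the configured target origin. This added example is not the DAST analyzer's code; `headers_for`, `TARGET_URL` and the constructed `CUSTOM_HEADERS` value are assumptions for the demo.

```python
"""Attach DAST-style custom request headers only to requests for the target origin."""
from urllib.parse import urlsplit

# Constructed example configuration: the scan target and a credential header for it.
TARGET_URL = "https://app.example.test"
CUSTOM_HEADERS = {"Authorization": "Bearer EXAMPLE-TOKEN-NOT-REAL"}


def _origin(url):
    """(scheme, host, port) with default ports filled in, so ':443' and '' compare equal."""
    u = urlsplit(url)
    port = u.port or (443 if u.scheme.lower() == "https" else 80)
    return (u.scheme.lower(), (u.hostname or "").lower(), port)


def headers_for(url, target_url=TARGET_URL, custom_headers=CUSTOM_HEADERS):
    """Headers to send with a request to `url`.

    Custom headers are attached only when the request goes to the same origin as
    the configured target. Third-party assets, redirect destinations and links the
    crawler followed off-site get none of them, and a plain-http copy of the target
    host is treated as a different origin so the credential never leaves TLS.
    """
    if _origin(url) == _origin(target_url):
        return dict(custom_headers)
    return {}


def split_plan(urls):
    """Partition a crawl plan into (urls that get the headers, urls that do not)."""
    with_headers = [u for u in urls if headers_for(u)]
    without = [u for u in urls if not headers_for(u)]
    return with_headers, without
```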

Stored-XSS with CSP-bypass via scoped labels' color

A cross-site scripting issue has been discovered in GitLab CE/EE affecting all 
versions prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2. It was 
possible to exploit a vulnerability in the label colour setting which 
could lead to a stored XSS that allowed attackers to perform arbitrary actions 
on behalf of victims client-side. This is a high severity issue 
(CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N, 7.3). It is now mitigated in the 
latest release and is assigned CVE-2022-3265.

Maintainer can leak Datadog API key by changing integration URL

An issue has been discovered in GitLab CE/EE affecting all versions starting 
from 12.1 before 15.3.5, all versions starting from 15.4 before 15.4.4, all 
versions starting from 15.5 before 15.5.2. A malicious maintainer could exfiltrate 
a Datadog integration's access token by modifying the integration URL such that 
authenticated requests are sent to an attacker controlled server. This is a medium 
severity issue (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N, 5.5). It is now 
mitigated in the latest release and is assigned CVE-2022-3483.

Uncontrolled resource consumption when parsing URLs

An uncontrolled resource consumption issue when parsing URLs in GitLab CE/EE 
affecting all versions prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior 
to 15.5.2 allows an attacker to cause performance issues and potentially a denial 
of service on the GitLab instance. This is a medium severity issue 
(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L, 5.3). It is now mitigated in the 
latest release and is assigned CVE-2022-3818.  

Issue HTTP requests when users view an OpenAPI document and click buttons

Lack of sandboxing of OpenAPI documents in GitLab CE/EE affecting all versions 
from 12.6 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allows 
an attacker to trick a user into clicking in the Swagger OpenAPI viewer and issuing HTTP 
requests that affect the victim's account. This is a medium severity issue 
(CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N, 4.8). It is now mitigated in the 
latest release and is assigned CVE-2022-3726.

Command injection in CI jobs via branch name in CI pipelines

Improper sanitization of branch names in GitLab Runner affecting all versions prior 
to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allows a user who creates 
a branch with a specially crafted name, and then gets another user to trigger a pipeline 
on it, to execute commands on the runner as that other user. This is a medium severity issue 
(CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N, 4.8). It is now mitigated in the latest 
release and is assigned CVE-2022-2251.

Open redirection

An open redirect vulnerability in GitLab EE/CE affecting all versions from 9.3 prior 
to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2, allows an attacker to 
redirect users to an arbitrary location if they trust the URL. This is a medium severity 
issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N, 4.7). It is now mitigated in the 
latest release and is assigned CVE-2022-3486.

Prefill variables do not check permission of the project in external CI config

An improper authorization issue in GitLab CE/EE affecting all versions from 14.4 prior 
to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allows an attacker to read 
variables set directly in a GitLab CI/CD configuration file they don't have access to. 
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, 4.3). It 
is now mitigated in the latest release and is assigned CVE-2022-3793.

Disclosure of audit events to insufficiently permissioned group and project members

Incorrect authorization during display of Audit Events in GitLab EE affecting all 
versions from 14.5 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2, 
allowed Developers to view the project's Audit Events and Developers or Maintainers 
to view the group's Audit Events. These should have been restricted to Project 
Maintainers, Group Owners, and above. This is a medium severity issue 
(CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, 4.3). It is now mitigated in the 
latest release and is assigned CVE-2022-3413.

Arbitrary GFM references rendered in Jira issue description leak private/confidential 
resources

An information disclosure issue in GitLab CE/EE affecting all versions from 
14.4 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allows 
an attacker to use GitLab Flavored Markdown (GFM) references in a Jira issue 
to disclose the names of resources they don't have access to. This is a 
medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, 4.3). 
It is now mitigated in the latest release and is assigned CVE-2022-2761.

Award emojis API for an internal note is accessible to users without access to the note

An improper authorization issue in GitLab CE/EE affecting all versions from 
15.0 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allows 
malicious users to set emojis on internal notes they don't have access to. 
This is a low severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N, 3.5). 
It is now mitigated in the latest release and is assigned CVE-2022-3819.

Open redirect in pipeline artifacts when generating HTML documents

An open redirect in GitLab CE/EE affecting all versions from 10.1 prior to 
15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allows an attacker 
to trick users into visiting a trustworthy URL and being redirected to 
arbitrary content. This is a low severity issue 
(CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N, 3.5). It is now mitigated 
in the latest release and is assigned CVE-2022-3280.
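Both open-redirect items above (CVE-2022-3486 and CVE-2022-3280) come down to a redirect target that is accepted without being confined to the site. The usual hardening is to allow only site-relative paths and fall back to a fixed location otherwise. This added example is not GitLab's fix; `safe_redirect_target` and the fallback path are assumptions for the demo.

```python
"""Accept only site-relative redirect targets; anything else falls back to a fixed path."""
from urllib.parse import urlsplit

# Constructed fallback used when the requested target cannot be trusted.
DEFAULT_AFTER_LOGIN = "/dashboard"


def safe_redirect_target(candidate, fallback=DEFAULT_AFTER_LOGIN):
    """Return `candidate` if it is a plain path on this site, else `fallback`.

    Rejected forms: empty values, absolute URLs (any scheme, including
    javascript:), protocol-relative '//host' forms, backslash variants such as
    '/\\host' that browsers normalise to '//host', and control characters.
    """
    if not isinstance(candidate, str) or not candidate:
        return fallback
    if "\\" in candidate or any(ord(ch) < 0x20 or ch == "\x7f" for ch in candidate):
        return fallback
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        return fallback  # absolute URL or protocol-relative '//host/...'
    if not candidate.startswith("/") or candidate.startswith("//"):
        return fallback  # must be rooted on this site, and not '//...'
    return candidate


def triage(candidates):
    """Map each constructed candidate to the location a user would actually be sent to."""
    return {c: safe_redirect_target(c) for c in candidates}
```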

Retrying a job in a downstream pipeline allows the retrying user to take ownership 
of the retried jobs in upstream pipelines

Improper authorization in GitLab CE/EE affecting all versions from 7.14 prior 
to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allows a user retrying 
a job in a downstream pipeline to take ownership of the retried jobs in the 
upstream pipeline even if the user doesn't have access to that project. This is 
a low severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N, 3.1). It is 
now mitigated in the latest release and is assigned CVE-2022-3706.

Project-level Secure Files can be written out of the target directory

Secure Files named in a specific way could traverse outside of the target directory 
in the CI job. This is a low severity issue (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N, 2.7). 
Only GitLab.com was affected as this feature is not yet enabled on self-managed 
instances and the patch has been deployed in production.
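The Secure Files item is a path traversal: a file name is joined onto the job's target directory without confirming the result stays inside it. A containment check that a CI integration can apply before writing is shown below. This is an added example, not GitLab's fix; `secure_file_destination`, `classify` and the sample names are constructed for the demo.

```python
"""Resolve a Secure File name inside a CI job's target directory, refusing escapes."""
import tempfile
from pathlib import Path, PurePosixPath


class UnsafeFileName(ValueError):
    """Raised when a file name would land outside the target directory."""


def secure_file_destination(target_dir, file_name):
    """Return the absolute destination for `file_name`, or raise UnsafeFileName."""
    target = Path(target_dir).resolve()
    rel = PurePosixPath(file_name)
    # Lexical checks: empty or absolute names, '..' components, backslashes, NUL.
    if not rel.parts or rel.is_absolute() or ".." in rel.parts:
        raise UnsafeFileName(file_name)
    if "\\" in file_name or "\0" in file_name:
        raise UnsafeFileName(file_name)
    # Physical check: resolve() follows symlinks in parents that already exist,
    # so a symlink inside the target that points outside of it is caught as well.
    dest = (target / rel).resolve()
    if target not in dest.parents:
        raise UnsafeFileName(file_name)
    return dest


def classify(names):
    """Try each name against a fresh temporary target dir; map name -> 'ok'/'rejected'."""
    verdicts = {}
    with tempfile.TemporaryDirectory() as tmp:
        target = Path(tmp) / "secure"
        target.mkdir()
        # Constructed for the demo: a symlink inside the target that escapes it.
        (target / "link").symlink_to(Path(tmp))
        for name in names:
            try:
                secure_file_destination(target, name)
                verdicts[name] = "ok"
            except UnsafeFileName:
                verdicts[name] = "rejected"
    return verdicts
```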

Update openssl

The version of openssl has been updated to 3.0.2-0ubuntu1.7 in order to mitigate 
security concerns.

Update curl

The version of curl has been updated to 7.85.0 in order to mitigate security 
concerns.

Update pcre2

The version of pcre2 has been updated to 10.40 in order to mitigate security 
concerns.

Non-security fixes


Updating

To update GitLab, see the Update page.
To update GitLab Runner, see the Updating the Runner page.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================