-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.5596
            GitLab Security Release: 15.5.2, 15.4.4, and 15.3.5
                               4 November 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           GitLab CE/EE
                   GitLab Runner
Publisher:         GitLab
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-3819 CVE-2022-3818 CVE-2022-3793 CVE-2022-3767
                   CVE-2022-3726 CVE-2022-3706 CVE-2022-3486 CVE-2022-3483
                   CVE-2022-3413 CVE-2022-3280 CVE-2022-3265 CVE-2022-2761
                   CVE-2022-2251

Original Bulletin:
   https://about.gitlab.com/releases/2022/11/02/security-release-gitlab-15-5-2-released/

Comment: CVSS (Max):  7.7 CVE-2022-3767 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)
         CVSS Source: GitLab
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

- --------------------------BEGIN INCLUDED TEXT--------------------

Today we are releasing versions 15.5.2, 15.4.4, and 15.3.5 for GitLab Community Edition (CE) and Enterprise Edition (EE).

These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.

GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our security FAQ.

You can see all of our regular and security release blog posts here.
In addition, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.

We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.

Recommended Action

We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.

When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.

+--------------------------------------------------------------+------------+
| Title                                                        | Severity   |
|--------------------------------------------------------------+------------|
| DAST analyzer sends custom request headers with every        | high       |
| request                                                      |            |
| Stored-XSS with CSP-bypass via scoped labels' color          | high       |
| Maintainer can leak Datadog API key by changing integration  | medium     |
| URL                                                          |            |
| Uncontrolled resource consumption when parsing URLs          | medium     |
| Issue HTTP requests when users view an OpenAPI document and  | medium     |
| click buttons                                                |            |
| Command injection in CI jobs via branch name in CI pipelines | medium     |
| Open redirection                                             | medium     |
| Prefill variables do not check permission of the project in  | medium     |
| external CI config                                           |            |
| Disclosure of audit events to insufficiently permissioned    | medium     |
| group and project members                                    |            |
| Arbitrary GFM references rendered in Jira issue description  | medium     |
| leak private/confidential resources                          |            |
| Award emojis API for an internal note is accessible to users | low        |
| without access to the note                                   |            |
| Open redirect in pipeline artifacts when generating HTML     | low        |
| documents                                                    |            |
| Retrying a job in a downstream pipeline allows the retrying  | low        |
| user to take ownership of the retried jobs in upstream       |            |
| pipelines                                                    |            |
| Project-level Secure Files can be written out of the target  | low        |
| directory                                                    |            |
+--------------------------------------------------------------+------------+

DAST analyzer sends custom request headers with every request

Missing validation in the DAST analyzer affecting all versions from 1.11.0 prior to 3.0.32 allows custom request headers to be sent with every request, regardless of the host. This is a high severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N, 7.7). It is now mitigated in the latest release and is assigned CVE-2022-3767. Note that the affected and fixed versions quoted here are those of the DAST analyzer image (1.11.0 to 3.0.32), not of the GitLab application itself.

Stored-XSS with CSP-bypass via scoped labels' color

A cross-site scripting issue has been discovered in GitLab CE/EE affecting all versions prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2. It was possible to exploit a vulnerability in the feature for setting a label's colour, leading to a stored XSS that allowed attackers to perform arbitrary actions on behalf of victims on the client side. This is a high severity issue (CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N, 7.3). It is now mitigated in the latest release and is assigned CVE-2022-3265.

Maintainer can leak Datadog API key by changing integration URL

An issue has been discovered in GitLab CE/EE affecting all versions from 12.1 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2. A malicious maintainer could exfiltrate a Datadog integration's access token by modifying the integration URL such that authenticated requests are sent to an attacker-controlled server. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N, 5.5). It is now mitigated in the latest release and is assigned CVE-2022-3483.
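The two entries above (the DAST analyzer's unconditional custom headers, CVE-2022-3767, and the Datadog integration URL, CVE-2022-3483) share one root cause: a credential was bound to a feature rather than to the host it was issued for, so a request to any other host carried it along. The Python below is an added example written for this page, not GitLab's, the DAST analyzer's or Datadog's code. The scan target, header values and the Datadog host allowlist are constructed for illustration; the bulletin names none of them. It shows the origin check a scanner should apply before attaching user-supplied headers, and the allowlist check an integration should apply before posting an API key to a URL a maintainer can edit.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed values for the example; the bulletin names no hosts or headers.
SCAN_TARGET = "https://app.internal.example"
CUSTOM_HEADERS = {"Authorization": "Bearer dast-session-token", "X-Api-Key": "k-123"}

# Illustrative allowlist of vendor API hosts an integration may post to.
# Assumption: the real set of Datadog sites is not part of this bulletin.
DATADOG_HOSTS = frozenset({"api.datadoghq.com", "api.datadoghq.eu"})


def origin_of(url):
    """Return (scheme, host, port) with the default port filled in, or None if unusable."""
    p = urlsplit(url)
    if p.scheme not in DEFAULT_PORTS or not p.hostname:
        return None
    try:
        port = p.port or DEFAULT_PORTS[p.scheme]
    except ValueError:  # non-numeric or out-of-range port
        return None
    return (p.scheme, p.hostname.lower(), port)


def headers_for_request(request_url, target_url, custom_headers):
    """Attach scanner-supplied headers only to requests for the scan target's origin.

    The vulnerable behaviour was the unconditional `return dict(custom_headers)`:
    a redirect, a CDN asset or an attacker-referenced third-party host then
    receives the target's session token. Matching the full origin rather than
    only the hostname also refuses a downgrade to http:// on the same host.
    """
    request_origin = origin_of(request_url)
    if request_origin is not None and request_origin == origin_of(target_url):
        return dict(custom_headers)
    return {}


def integration_url_allowed(url, allowed_hosts):
    """Accept a user-editable integration URL only if an API key may be sent to it.

    Requires https and an exact hostname match. `hostname` strips userinfo, so
    "https://api.datadoghq.com@attacker.example/" resolves to attacker.example
    and is refused; exact matching also refuses "api.datadoghq.com.attacker.example".
    """
    origin = origin_of(url)
    return origin is not None and origin[0] == "https" and origin[1] in allowed_hosts


if __name__ == "__main__":
    for url in ("https://app.internal.example/login",
                "https://cdn.third-party.example/app.js",
                "http://app.internal.example/"):
        print(url, "->", headers_for_request(url, SCAN_TARGET, CUSTOM_HEADERS))
    for url in ("https://api.datadoghq.com/api/v1/series",
                "https://api.datadoghq.com@attacker.example/api/v1/series"):
        print(url, "->", integration_url_allowed(url, DATADOG_HOSTS))
```

The same `origin_of` helper serves both checks: the scanner compares origins for equality, the integration compares the hostname against an allowlist, and both refuse anything that is not plain http(s) with a parseable host.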
Uncontrolled resource consumption when parsing URLs

An uncontrolled resource consumption issue when parsing URLs in GitLab CE/EE affecting all versions prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allows an attacker to cause performance issues and potentially a denial of service on the GitLab instance. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L, 5.3). It is now mitigated in the latest release and is assigned CVE-2022-3818.

Issue HTTP requests when users view an OpenAPI document and click buttons

Lack of sandboxing of OpenAPI documents in GitLab CE/EE affecting all versions from 12.6 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allows an attacker to trick a user into clicking in the Swagger OpenAPI viewer and issuing HTTP requests that affect the victim's account. This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N, 4.8). It is now mitigated in the latest release and is assigned CVE-2022-3726.

Command injection in CI jobs via branch name in CI pipelines

Improper sanitization of branch names in GitLab Runner affecting all versions prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allows a user who creates a branch with a specially crafted name, and then gets another user to trigger a pipeline on it, to execute commands in the runner as that other user. This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N, 4.8). It is now mitigated in the latest release and is assigned CVE-2022-2251.

Open redirection

An open redirect vulnerability in GitLab EE/CE affecting all versions from 9.3 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allows an attacker to redirect users to an arbitrary location if they trust the URL. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N, 4.7). It is now mitigated in the latest release and is assigned CVE-2022-3486.
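The Runner entry above (CVE-2022-2251) is an instance of a general CI hazard: a ref name that git accepts can still carry shell metacharacters, and any component that splices that name into the text of a generated job script hands it to the shell as code. The Python below is an added example written for this page, not GitLab Runner's code and not the reported payload; the branch name, the echo-based job step and the conservative ref-name pattern are all constructed. It runs a vulnerable rendering beside two fixes (quoting the value, or passing it through the environment) under /bin/sh so the difference is observable.

```python
import os
import re
import shlex
import subprocess

# Constructed branch name. Every character is legal in a git ref (git rejects
# spaces, so ${IFS} stands in for one), but $( ) is a shell command
# substitution. Assumption: illustrative only, not the reported payload.
MALICIOUS_REF = "feature/$(echo${IFS}INJECTED)"

# A conservative allowlist, stricter than git's own ref-name rules: a job
# template or runner that enforces this never hands shell metacharacters
# (or a leading "-", which a command would read as an option) to sh.
REF_NAME_PATTERN = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._/-]*$")


def render_step_unsafe(ref):
    """Vulnerable pattern: the ref is spliced into the script text itself.

    The shell that later parses this text sees $(...) and runs it. Double
    quotes do not help; command substitution is expanded inside them.
    """
    return f'echo "Checking out ref: {ref}"'


def render_step_safe(ref):
    """Fixed pattern: shlex.quote single-quotes the value so sh treats it as data."""
    return f"echo Checking out ref: {shlex.quote(ref)}"


def render_step_env():
    """Alternative fix: never splice at all; the script reads an environment variable.

    The result of "$REF" parameter expansion is not re-parsed for command
    substitution, so the payload stays inert.
    """
    return 'echo "Checking out ref: $REF"'


def is_conservative_ref_name(ref):
    """True if the ref name contains only characters from the allowlist above."""
    return REF_NAME_PATTERN.fullmatch(ref) is not None


def run_script(script, env=None):
    """Run a generated job script under /bin/sh and return its stdout."""
    merged = {**os.environ, **(env or {})}
    proc = subprocess.run(["sh", "-c", script], capture_output=True,
                          text=True, env=merged, check=False)
    return proc.stdout


if __name__ == "__main__":
    print(run_script(render_step_unsafe(MALICIOUS_REF)), end="")  # Checking out ref: feature/INJECTED
    print(run_script(render_step_safe(MALICIOUS_REF)), end="")    # Checking out ref: feature/$(echo${IFS}INJECTED)
    print(run_script(render_step_env(), env={"REF": MALICIOUS_REF}), end="")
    print(is_conservative_ref_name(MALICIOUS_REF))              # False
```

The environment-variable form is the one most CI systems already offer (GitLab exposes the ref as a predefined variable), which is why job scripts should reference such variables with `"$VAR"` rather than have the name substituted into the script before the shell runs.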
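Both open-redirect entries in this bulletin (CVE-2022-3486 above and CVE-2022-3280 in pipeline artifacts, further below) reduce to the same check: a user-supplied post-action destination must be confirmed to stay on the instance, or on an explicitly trusted host, before the server issues a 3xx to it. The following Python validator is an added example written for this page, not GitLab's code; the hostnames are constructed. It rejects the bypasses reviewers most often see ("//host", "///host", backslashes, "https:host" without slashes, non-http schemes, control characters and userinfo smuggling) and falls back to a fixed landing page.

```python
from urllib.parse import urlsplit

# Constructed example value; no hosts here come from the bulletin.
TRUSTED_EXTERNAL_HOSTS = frozenset({"docs.gitlab.example"})


def safe_redirect_target(candidate, allowed_hosts=frozenset(), default="/"):
    """Return `candidate` if it is a safe redirect destination, else `default`.

    Accepts exactly two shapes:
      * a same-origin, path-only target such as "/group/project/-/pipelines?page=2"
      * an absolute https URL whose hostname is in `allowed_hosts`
    Everything else falls back to the default landing page.
    """
    if not candidate:
        return default

    # Browsers strip or reinterpret whitespace and control characters, and
    # treat "\" as "/" in http(s) URLs; refuse them outright rather than
    # trying to reproduce each browser's normalisation.
    if any(ord(ch) < 0x21 or ord(ch) == 0x7F for ch in candidate) or "\\" in candidate:
        return default

    parts = urlsplit(candidate)

    # Shape 1: relative path on this origin. "//evil.example" parses with a
    # netloc and "https:evil.example" with a scheme, so both fail this branch.
    # "///evil.example" parses as netloc-less in Python but the WHATWG parser
    # collapses the slashes into an authority, so any leading "//" is refused.
    if parts.scheme == "" and parts.netloc == "":
        if candidate.startswith("/") and not candidate.startswith("//"):
            return candidate
        return default

    # Shape 2: explicit https URL to an allowlisted host. `hostname` ignores
    # userinfo, so "https://docs.gitlab.example@attacker.example/" resolves to
    # attacker.example; exact matching defeats suffix tricks like
    # "docs.gitlab.example.attacker.example".
    if parts.scheme == "https" and parts.hostname and parts.hostname.lower() in allowed_hosts:
        return candidate

    return default


if __name__ == "__main__":
    for value in ("/group/project/-/pipelines?page=2", "//evil.example/", "///evil.example/",
                  "/\\evil.example", "https:evil.example", "javascript:alert(1)",
                  "https://docs.gitlab.example/ee/", "https://docs.gitlab.example@attacker.example/"):
        print(repr(value), "->", safe_redirect_target(value, TRUSTED_EXTERNAL_HOSTS))
```

The validator deliberately returns the original string rather than a re-serialised one, so the caller redirects to exactly what it checked; re-encoding after validation is a common way to reopen a hole that the check had closed.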
Prefill variables do not check permission of the project in external CI config

An improper authorization issue in GitLab CE/EE affecting all versions from 14.4 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allows an attacker to read variables set directly in a GitLab CI/CD configuration file they don't have access to. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, 4.3). It is now mitigated in the latest release and is assigned CVE-2022-3793.

Disclosure of audit events to insufficiently permissioned group and project members

Incorrect authorization during display of Audit Events in GitLab EE affecting all versions from 14.5 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allowed Developers to view the project's Audit Events, and Developers or Maintainers to view the group's Audit Events. These should have been restricted to Project Maintainers, Group Owners, and above. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, 4.3). It is now mitigated in the latest release and is assigned CVE-2022-3413.

Arbitrary GFM references rendered in Jira issue description leak private/confidential resources

An information disclosure issue in GitLab CE/EE affecting all versions from 14.4 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allows an attacker to use GitLab Flavored Markdown (GFM) references in a Jira issue to disclose the names of resources they don't have access to. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, 4.3). It is now mitigated in the latest release and is assigned CVE-2022-2761.

Award emojis API for an internal note is accessible to users without access to the note

An improper authorization issue in GitLab CE/EE affecting all versions from 15.0 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allows malicious users to set emojis on internal notes they don't have access to. This is a low severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N, 3.5). It is now mitigated in the latest release and is assigned CVE-2022-3819.

Open redirect in pipeline artifacts when generating HTML documents

An open redirect in GitLab CE/EE affecting all versions from 10.1 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allows an attacker to trick users into visiting a trustworthy URL and being redirected to arbitrary content. This is a low severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N, 3.5). It is now mitigated in the latest release and is assigned CVE-2022-3280.

Retrying a job in a downstream pipeline allows the retrying user to take ownership of the retried jobs in upstream pipelines

Improper authorization in GitLab CE/EE affecting all versions from 7.14 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allows a user retrying a job in a downstream pipeline to take ownership of the retried jobs in the upstream pipeline even if the user doesn't have access to that project. This is a low severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N, 3.1). It is now mitigated in the latest release and is assigned CVE-2022-3706.

Project-level Secure Files can be written out of the target directory

Secure Files named in a specific way could traverse outside of the target directory in the CI job. This is a low severity issue (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N, 2.7). Only GitLab.com was affected, as this feature is not yet enabled on self-managed instances, and the patch has been deployed in production.

Update openssl

The version of openssl has been updated to 3.0.2-0ubuntu1.7 in order to mitigate security concerns.

Update curl

The version of curl has been updated to 7.85.0 in order to mitigate security concerns.

Update pcre2

The version of pcre2 has been updated to 10.40 in order to mitigate security concerns.

Non-security fixes

Updating

To update GitLab, see the Update page.

To update GitLab Runner, see the Updating the Runner page.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/

iQIVAwUBY2S4GskNZI30y1K9AQjRXRAAkO3xfSFCSVvAd0fY0LGVdcDD4kBAxpcA
0eCaC0UOWMJ1pVENvIfwbLLzRpAt7utYq+pIpWlRM4RzNToh2wN7CeTmhW7jsoG2
Y0EGuq0gv94IG7evbjQwhzw5WS8RWYLrel56Lnrq9TFS4Np9fLIRDhhmMYX1fSiP
q+tV5YrZnmvXPr8p9nyVYR5QmOWcAt5RlbaZ7w8lK6INknY07s758U45vThYtgYO
ky214UMsQsxRd5BvRw0M/dsoEXuo8BR2JkbXaFA9XwJRlaKkOP7rLNKznyMgwsha
DUbxGDulKakMLAmOPU7bJ/HnJOSLOAC6aHjYUEp7V98R5MehtGL/j1qWLQ64HfF3
hKSIMc0B90uBsSkZn6D4iJXA0tIqy26FoeG4ivh3lAbjT1Qrj20hXV/Itz4tL3Zp
UrZAZG7JlVDgQQZfm6r2FEQGYru6t+k1VDL42S5B5iwbMQjq08oLh763IkPbJ87O
NARZkrafiZ8bVt+R3bhnC5StreyzgGeRgHWiATL/nDN7rTrBCrqc2EjC3Z3w3KBg
56g26Q0tI3F/MFjOS3PpdPz+5jZKsjFhA6+/QA9NZRRN+HnBzwKj1WLPGx5yBKY/
SrmLDEdYoeeg2MmPXq9wiWR6A1gKv0r1KV8vF5XbqInpDX4m+98L9JWhaiArghqn
xDMM9vUFRJs=
=MmhO
-----END PGP SIGNATURE-----