Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2023.1405 GitLab Critical Security Release: 15.9.2, 15.8.4 and 15.7.8 7 March 2023 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: GitLab Community Edition (CE) GitLab Enterprise Edition (EE) Publisher: GitLab Operating System: Windows Linux variants Resolution: Patch/Upgrade CVE Names: CVE-2023-1084 CVE-2023-1072 CVE-2023-0483 CVE-2023-0223 CVE-2023-0050 CVE-2022-4462 CVE-2022-4331 CVE-2022-4289 CVE-2022-4007 CVE-2022-3758 CVE-2022-3381 Original Bulletin: https://about.gitlab.com/releases/2023/03/02/security-release-gitlab-15-9-2-released Comment: CVSS (Max): 8.7 CVE-2023-0050 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N) CVSS Source: GitLab Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N - --------------------------BEGIN INCLUDED TEXT-------------------- GitLab Security Release: 15.9.2, 15.8.4, and 15.7.8 Learn more about GitLab Security Release: 15.9.2, 15.8.4, and 15.7.8 for GitLab Community Edition (CE) and Enterprise Edition (EE). Today we are releasing versions 15.9.2, 15.8.4, and 15.7.8 for GitLab Community Edition (CE) and Enterprise Edition (EE). These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our security FAQ. You can see all of our regular and security release blog posts here. In addition, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched. We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more best practices in securing your GitLab instance in our blog post. Recommended Action We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible. When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected. Table of Fixes Title Severity Stored XSS via Kroki diagram high Prometheus integration Google IAP details are not hidden, may leak medium account details from instance/group/project settings Improper validation of SSO and SCIM tokens while managing groups medium Maintainer can leak Datadog API key by changing Datadog site medium Clipboard based XSS in the title field of work items medium Improper user right checks for personal snippets medium Release Description visible in public projects despite release set as medium project members only Group integration settings sensitive information exposed to project medium maintainers Improve pagination limits for commits medium Gitlab Open Redirect Vulnerability medium Maintainer may become an Owner of a project low Stored XSS via Kroki diagram An issue has been discovered in GitLab affecting all versions starting from 13.7 before 15.7.8, all versions starting from 15.8 before 15.8.4, all versions starting from 15.9 before 15.9.2. A specially crafted Kroki diagram could lead to a stored XSS on the client side which allows attackers to perform arbitrary actions on behalf of victims. This is a high severity issue (CVSS:3.1/AV:N/AC:L /PR:L/UI:R/S:C/C:H/I:H/A:N, 8.7). It is now mitigated in the latest release and is assigned CVE-2023-0050. Thanks vakzz for reporting this vulnerability through our HackerOne bug bounty program. Prometheus integration Google IAP details are not hidden, may leak account details from instance/group/project settings An issue has been discovered in GitLab affecting all versions starting from 15.3 before 15.7.8, versions of 15.8 before 15.8.4, and version 15.9 before 15.9.2. Google IAP details in Prometheus integration were not hidden, could be leaked from instance, group, or project settings to other users. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N, 6.4). It is now mitigated in the latest release and is assigned CVE-2022-4289. Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program. Improper validation of SSO and SCIM tokens while managing groups An issue has been discovered in GitLab EE affecting all versions starting from 15.1 before 15.7.8, all versions starting from 15.8 before 15.8.4, all versions starting from 15.9 before 15.9.2. If a group with SAML SSO enabled is transferred to a new namespace as a child group, it's possible previously removed malicious maintainer or owner of the child group can still gain access to the group via SSO or a SCIM token to perform actions on the group. This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N, 5.7). It is now mitigated in the latest release and is assigned CVE-2022-4331. Thanks vaib25vicky for reporting this vulnerability through our HackerOne bug bounty program. Maintainer can leak Datadog API key by changing Datadog site An issue has been discovered in GitLab affecting all versions starting from 12.1 before 15.7.8, all versions starting from 15.8 before 15.8.4, all versions starting from 15.9 before 15.9.2. It was possible for a project maintainer to extract a Datadog integration API key by modifying the site. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N, 5.5). It is now mitigated in the latest release and is assigned CVE-2023-0483. Thanks akadrian for reporting this vulnerability through our HackerOne bug bounty program. Clipboard based XSS in the title field of work items A issue has been discovered in GitLab CE/EE affecting all versions from 15.3 prior to 15.7.8, version 15.8 prior to 15.8.4, and version 15.9 prior to 15.9.2 A cross-site scripting vulnerability was found in the title field of work items that allowed attackers to perform arbitrary actions on behalf of victims at client side. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/ C:L/I:L/A:N, 5.4). It is now mitigated in the latest release and is assigned CVE-2022-4007. Thanks ryotak for reporting this vulnerability through our HackerOne bug bounty program. Improper user right checks for personal snippets An issue has been discovered in GitLab affecting all versions starting from 15.5 before 15.7.8, all versions starting from 15.8 before 15.8.4, all versions starting from 15.9 before 15.9.2. Due to improper permissions checks an unauthorised user was able to read, add or edit a users private snippet. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N, 5.4). It is now mitigated in the latest release and is assigned CVE-2022-3758. Thanks cryptopone for reporting this vulnerability through our HackerOne bug bounty program. Release Description visible in public projects despite release set as project members only An issue has been discovered in GitLab affecting all versions starting from 15.5 before 15.7.8, all versions starting from 15.8 before 15.8.4, all versions starting from 15.9 before 15.9.2. Non-project members could retrieve release descriptions via the API, even if the release visibility is restricted to project members only in the project settings. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, 5.3). It is now mitigated in the latest release and is assigned CVE-2023-0223. Thanks ashish_r_padelkar for reporting this vulnerability through our HackerOne bug bounty program. Group integration settings sensitive information exposed to project maintainers An issue has been discovered in GitLab affecting all versions starting from 12.8 before 15.7.8, all versions starting from 15.8 before 15.8.4, all versions starting from 15.9 before 15.9.2. This vulnerability could allow a user to unmask the Discord Webhook URL through viewing the raw API response. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N, 5.0). It is now mitigated in the latest release and is assigned CVE-2022-4462. Thanks vaib25vicky for reporting this vulnerability through our HackerOne bug bounty program. Improve pagination limits for commits An issue has been discovered in GitLab affecting all versions starting from 9.0 before 15.7.8, all versions starting from 15.8 before 15.8.4, all versions starting from 15.9 before 15.9.2. It was possible to trigger a resource depletion attack due to improper filtering for number of requests to read commits details. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/ S:U/C:N/I:N/A:L, 4.3). It is now mitigated in the latest release and is assigned CVE-2023-1072. Thanks Nico Jones for reporting this vulnerability. Gitlab Open Redirect Vulnerability An issue has been discovered in GitLab affecting all versions starting from 10.0 to 15.7.8, 15.8 prior to 15.8.4 and 15.9 prior to 15.9.2. A crafted URL could be used to redirect users to arbitrary sites. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N, 4.3). It is now mitigated in the latest release and is assigned CVE-2022-3381. Thanks burpheart for reporting this vulnerability through our HackerOne bug bounty program. Maintainer may become an Owner of a project An issue has been discovered in GitLab CE/EE affecting all versions before 15.7.8, all versions starting from 15.8 before 15.8.4, all versions starting from 15.9 before 15.9.2. A malicious project Maintainer may create a Project Access Token with Owner level privileges using a crafted request. This is a low severity issue (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N, 2.7). It is now mitigated in the latest release and is assigned CVE-2023-1084. Thanks @shubham_sohi for reporting this vulnerability through our HackerOne bug bounty program. Update libksba libksba and libksba_project have been updated to version 1.6.3 to mitigate potential security issues. Update gnupg gnupg has been updated to 2.2.41 to mitigate potential security issues. Updating To update GitLab, see the Update page. To update Gitlab Runner, see the Updating the Runner page. Receive Security Release Notifications To receive security release blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our security release RSS feed or our RSS feed for all releases. GitLab Security Release: 15.9.2, 15.8.4, and 15.7.8 - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: https://auscert.org.au/gpg-key/ iQIVAwUBZAblrskNZI30y1K9AQhSug//cE8N/vxl88jMvX4sT9ukFlaY9qCNAHTo ZoIWdyc1418X38bKdtrD4nEG2ne7+OlYdwLi+/pmSYVfLcgIxMEvHKQx40sHoPTz UCxDIWw7xxLWxsbZrNNR3qeGcVUE2BDoyZZMbZ1y0o3UhE+MZOVr9DcHR9PtvOdL Ak9TyGtcKv5KULz1fgNo+PjIb9ECNwHuYb4xz4MDUvhZDjoi1RfJzlVaHdq0kMR1 yE5k0kBGYUjH9YDApq+y09w7Sap7pO8EImk8v8Qn/AqxT74PnmiPH1hboHF68dof 7v242ex52DuRovn7eSxUimcyHF1lWLqawWj94dOegm4qDxE6HARzqCfHeiDL0lVE SWXGe6rERGvC7UCC0hlXinZkniOj4FF/2YFHal8mHYeMFFqzGbFoL4L5sd5WS66j E8uWllXIRZe7u8CinDgZyYp+UnIGr9xWEIzGeSjVJamDoBvcvW8CWHoku8d4F915 uQ+EVr81G8cBDsg+sX3dQ2r8rPjmFMATra+APpjfn6vUPX3II6rll5o2B1qzgsWC xIrdl2G1LpanVRjZQ3ONQ2FMCZnI1teTkbKZa52T45KJonuLbuDX58c33ehUlABG 5Jve+z85KUH7ZxVGaCqyuJVkK8WJdNJHo3Oj138IUb/nWkEuAVlkKl63dqBaADwa G0r0tTi9VQc= =hfEr -----END PGP SIGNATURE-----