Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2023.1405
GitLab Critical Security Release: 15.9.2, 15.8.4 and 15.7.8
7 March 2023
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: GitLab Community Edition (CE)
GitLab Enterprise Edition (EE)
Publisher: GitLab
Operating System: Windows
Linux variants
Resolution: Patch/Upgrade
CVE Names: CVE-2023-1084 CVE-2023-1072 CVE-2023-0483
CVE-2023-0223 CVE-2023-0050 CVE-2022-4462
CVE-2022-4331 CVE-2022-4289 CVE-2022-4007
CVE-2022-3758 CVE-2022-3381
Original Bulletin:
https://about.gitlab.com/releases/2023/03/02/security-release-gitlab-15-9-2-released
Comment: CVSS (Max): 8.7 CVE-2023-0050 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N)
CVSS Source: GitLab
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
- --------------------------BEGIN INCLUDED TEXT--------------------
GitLab Security Release: 15.9.2, 15.8.4, and 15.7.8
Learn more about GitLab Security Release: 15.9.2, 15.8.4, and 15.7.8 for GitLab
Community Edition (CE) and Enterprise Edition (EE).
Today we are releasing versions 15.9.2, 15.8.4, and 15.7.8 for GitLab Community
Edition (CE) and Enterprise Edition (EE).
These versions contain important security fixes, and we strongly recommend that
all GitLab installations be upgraded to one of these versions immediately.
GitLab.com is already running the patched version.
GitLab releases patches for vulnerabilities in dedicated security releases.
There are two types of security releases: a monthly, scheduled security
release, released a week after the feature release (which deploys on the 22nd
of each month), and ad-hoc security releases for critical vulnerabilities. For
more information, you can visit our security FAQ. You can see all of our
regular and security release blog posts here. In addition, the issues detailing
each vulnerability are made public on our issue tracker 30 days after the
release in which they were patched.
We are dedicated to ensuring all aspects of GitLab that are exposed to
customers or that host customer data are held to the highest security
standards. As part of maintaining good security hygiene, it is highly
recommended that all customers upgrade to the latest security release for their
supported version. You can read more best practices in securing your GitLab
instance in our blog post.
Recommended Action
We strongly recommend that all installations running a version affected by the
issues described below are upgraded to the latest version as soon as possible.
When no specific deployment type (omnibus, source code, helm chart, etc.) of a
product is mentioned, this means all types are affected.
Table of Fixes
Title Severity
Stored XSS via Kroki diagram high
Prometheus integration Google IAP details are not hidden, may leak medium
account details from instance/group/project settings
Improper validation of SSO and SCIM tokens while managing groups medium
Maintainer can leak Datadog API key by changing Datadog site medium
Clipboard based XSS in the title field of work items medium
Improper user right checks for personal snippets medium
Release Description visible in public projects despite release set as medium
project members only
Group integration settings sensitive information exposed to project medium
maintainers
Improve pagination limits for commits medium
Gitlab Open Redirect Vulnerability medium
Maintainer may become an Owner of a project low
Stored XSS via Kroki diagram
An issue has been discovered in GitLab affecting all versions starting from
13.7 before 15.7.8, all versions starting from 15.8 before 15.8.4, all versions
starting from 15.9 before 15.9.2. A specially crafted Kroki diagram could lead
to a stored XSS on the client side which allows attackers to perform arbitrary
actions on behalf of victims. This is a high severity issue (CVSS:3.1/AV:N/AC:L
/PR:L/UI:R/S:C/C:H/I:H/A:N, 8.7). It is now mitigated in the latest release and
is assigned CVE-2023-0050.
Thanks vakzz for reporting this vulnerability through our HackerOne bug bounty
program.
Prometheus integration Google IAP details are not hidden, may leak account
details from instance/group/project settings
An issue has been discovered in GitLab affecting all versions starting from
15.3 before 15.7.8, versions of 15.8 before 15.8.4, and version 15.9 before
15.9.2. Google IAP details in Prometheus integration were not hidden, could be
leaked from instance, group, or project settings to other users. This is a
medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N, 6.4). It
is now mitigated in the latest release and is assigned CVE-2022-4289.
Thanks joaxcar for reporting this vulnerability through our HackerOne bug
bounty program.
Improper validation of SSO and SCIM tokens while managing groups
An issue has been discovered in GitLab EE affecting all versions starting from
15.1 before 15.7.8, all versions starting from 15.8 before 15.8.4, all versions
starting from 15.9 before 15.9.2. If a group with SAML SSO enabled is
transferred to a new namespace as a child group, it's possible previously
removed malicious maintainer or owner of the child group can still gain access
to the group via SSO or a SCIM token to perform actions on the group. This is a
medium severity issue (CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N, 5.7). It
is now mitigated in the latest release and is assigned CVE-2022-4331.
Thanks vaib25vicky for reporting this vulnerability through our HackerOne bug
bounty program.
Maintainer can leak Datadog API key by changing Datadog site
An issue has been discovered in GitLab affecting all versions starting from
12.1 before 15.7.8, all versions starting from 15.8 before 15.8.4, all versions
starting from 15.9 before 15.9.2. It was possible for a project maintainer to
extract a Datadog integration API key by modifying the site. This is a medium
severity issue (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N, 5.5). It is now
mitigated in the latest release and is assigned CVE-2023-0483.
Thanks akadrian for reporting this vulnerability through our HackerOne bug
bounty program.
Clipboard based XSS in the title field of work items
A issue has been discovered in GitLab CE/EE affecting all versions from 15.3
prior to 15.7.8, version 15.8 prior to 15.8.4, and version 15.9 prior to 15.9.2
A cross-site scripting vulnerability was found in the title field of work items
that allowed attackers to perform arbitrary actions on behalf of victims at
client side. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/
C:L/I:L/A:N, 5.4). It is now mitigated in the latest release and is assigned
CVE-2022-4007.
Thanks ryotak for reporting this vulnerability through our HackerOne bug bounty
program.
Improper user right checks for personal snippets
An issue has been discovered in GitLab affecting all versions starting from
15.5 before 15.7.8, all versions starting from 15.8 before 15.8.4, all versions
starting from 15.9 before 15.9.2. Due to improper permissions checks an
unauthorised user was able to read, add or edit a users private snippet. This
is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N, 5.4).
It is now mitigated in the latest release and is assigned CVE-2022-3758.
Thanks cryptopone for reporting this vulnerability through our HackerOne bug
bounty program.
Release Description visible in public projects despite release set as project
members only
An issue has been discovered in GitLab affecting all versions starting from
15.5 before 15.7.8, all versions starting from 15.8 before 15.8.4, all versions
starting from 15.9 before 15.9.2. Non-project members could retrieve release
descriptions via the API, even if the release visibility is restricted to
project members only in the project settings. This is a medium severity issue
(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, 5.3). It is now mitigated in the
latest release and is assigned CVE-2023-0223.
Thanks ashish_r_padelkar for reporting this vulnerability through our HackerOne
bug bounty program.
Group integration settings sensitive information exposed to project maintainers
An issue has been discovered in GitLab affecting all versions starting from
12.8 before 15.7.8, all versions starting from 15.8 before 15.8.4, all versions
starting from 15.9 before 15.9.2. This vulnerability could allow a user to
unmask the Discord Webhook URL through viewing the raw API response. This is a
medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N, 5.0). It
is now mitigated in the latest release and is assigned CVE-2022-4462.
Thanks vaib25vicky for reporting this vulnerability through our HackerOne bug
bounty program.
Improve pagination limits for commits
An issue has been discovered in GitLab affecting all versions starting from 9.0
before 15.7.8, all versions starting from 15.8 before 15.8.4, all versions
starting from 15.9 before 15.9.2. It was possible to trigger a resource
depletion attack due to improper filtering for number of requests to read
commits details. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/
S:U/C:N/I:N/A:L, 4.3). It is now mitigated in the latest release and is
assigned CVE-2023-1072.
Thanks Nico Jones for reporting this vulnerability.
Gitlab Open Redirect Vulnerability
An issue has been discovered in GitLab affecting all versions starting from
10.0 to 15.7.8, 15.8 prior to 15.8.4 and 15.9 prior to 15.9.2. A crafted URL
could be used to redirect users to arbitrary sites. This is a medium severity
issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N, 4.3). It is now mitigated
in the latest release and is assigned CVE-2022-3381.
Thanks burpheart for reporting this vulnerability through our HackerOne bug
bounty program.
Maintainer may become an Owner of a project
An issue has been discovered in GitLab CE/EE affecting all versions before
15.7.8, all versions starting from 15.8 before 15.8.4, all versions starting
from 15.9 before 15.9.2. A malicious project Maintainer may create a Project
Access Token with Owner level privileges using a crafted request. This is a low
severity issue (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N, 2.7). It is now
mitigated in the latest release and is assigned CVE-2023-1084.
Thanks @shubham_sohi for reporting this vulnerability through our HackerOne bug
bounty program.
Update libksba
libksba and libksba_project have been updated to version 1.6.3 to mitigate
potential security issues.
Update gnupg
gnupg has been updated to 2.2.41 to mitigate potential security issues.
Updating
To update GitLab, see the Update page. To update Gitlab Runner, see the
Updating the Runner page.
Receive Security Release Notifications
To receive security release blog notifications delivered to your inbox, visit
our contact us page. To receive release notifications via RSS, subscribe to our
security release RSS feed or our RSS feed for all releases.
GitLab Security Release: 15.9.2, 15.8.4, and 15.7.8
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
iQIVAwUBZAblrskNZI30y1K9AQhSug//cE8N/vxl88jMvX4sT9ukFlaY9qCNAHTo
ZoIWdyc1418X38bKdtrD4nEG2ne7+OlYdwLi+/pmSYVfLcgIxMEvHKQx40sHoPTz
UCxDIWw7xxLWxsbZrNNR3qeGcVUE2BDoyZZMbZ1y0o3UhE+MZOVr9DcHR9PtvOdL
Ak9TyGtcKv5KULz1fgNo+PjIb9ECNwHuYb4xz4MDUvhZDjoi1RfJzlVaHdq0kMR1
yE5k0kBGYUjH9YDApq+y09w7Sap7pO8EImk8v8Qn/AqxT74PnmiPH1hboHF68dof
7v242ex52DuRovn7eSxUimcyHF1lWLqawWj94dOegm4qDxE6HARzqCfHeiDL0lVE
SWXGe6rERGvC7UCC0hlXinZkniOj4FF/2YFHal8mHYeMFFqzGbFoL4L5sd5WS66j
E8uWllXIRZe7u8CinDgZyYp+UnIGr9xWEIzGeSjVJamDoBvcvW8CWHoku8d4F915
uQ+EVr81G8cBDsg+sX3dQ2r8rPjmFMATra+APpjfn6vUPX3II6rll5o2B1qzgsWC
xIrdl2G1LpanVRjZQ3ONQ2FMCZnI1teTkbKZa52T45KJonuLbuDX58c33ehUlABG
5Jve+z85KUH7ZxVGaCqyuJVkK8WJdNJHo3Oj138IUb/nWkEuAVlkKl63dqBaADwa
G0r0tTi9VQc=
=hfEr
-----END PGP SIGNATURE-----