En

GitLab官网安全更新(2021-09-30)

来源:GitLab官网 发布日期:2021-09-30 阅读次数:9270 评论:0

基本信息

发布日期:2021-09-30(官方当地时间)

更新类型:安全更新

更新版本:14.3.1;14.2.5;14.1.7

感知时间:2021-10-01 00:17:12

风险等级:未知

情报贡献:TSRC

更新标题

GitLab Security Release: 14.3.1, 14.2.5, and 14.1.7

更新详情

Today we are releasing versions 14.3.1, 14.2.5, and 14.1.7 for GitLab Community Edition (CE) and Enterprise Edition (EE).

These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.

GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our security FAQ. You can see all of our regular and security release blog posts here. In addition, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.

We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.

Recommended Action

We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.

Table of Fixes




Title
Severity




Stored XSS in merge request creation page
high


Denial-of-service attack in Markdown parser
high


Stored Cross-Site Scripting vulnerability in the GitLab Flavored Markdown
high


DNS Rebinding vulnerability in Gitea importer
medium


Exposure of trigger tokens on project exports
medium


Improper access control for users with expired password
medium


Access tokens are not cleared after impersonation
medium


Reflected Cross-Site Scripting in Jira Integration
medium


DNS Rebinding vulnerability in Fogbugz importer
medium


Access tokens persist after project deletion
medium


User enumeration vulnerability
medium


Potential DOS via API requests
medium


Pending invitations of public groups and public projects are visible to any user
medium


Bypass Disabled Repo by URL Project Creation
medium


Low privileged users can see names of the private groups shared in projects
medium


API discloses sensitive info to low privileged users
medium


Epic listing do not honour group memberships
medium


Insecure Direct Object Reference vulnerability may lead to protected branch names getting disclosed
medium


Low privileged users can import users from projects that they they are not a maintainer on
medium


Potential DOS via dependencies API
medium


Create a project with unlimited repository size through malicious Project Import
medium


Bypass disabled Bitbucket Server import source project creation
medium


Requirement to enforce 2FA is not honored when using git commands
medium


Content spoofing vulnerability
medium


Improper session management in impersonation feature
low


Create OAuth application with arbitrary scopes through content spoofing
low


Lack of account lockout on change password functionality
low


Epic reference was not updated while moved between groups
low


Missing authentication allows disabling of two-factor authentication
low


Information disclosure in SendEntry
low




Stored XSS in merge request creation page

A Stored XSS in merge request creation page in Gitlab EE version 13.5 and above allows an attacker to execute arbitrary JavaScript code on the victim's behalf via malicious approval rule names. This is a high severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N, 8.7). It is now mitigated in the latest release and is assigned CVE-2021-39885.

Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program.

Denial-of-service attack in Markdown parser

A vulnerability was discovered in GitLab starting with version 12.2 that allows an attacker to cause uncontrolled resource consumption with a specially crafted file. This is a high severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H, 7.7). It is now mitigated in the latest release and is assigned CVE-2021-39877.

Thanks phill for reporting this vulnerability through our HackerOne bug bounty program.

Stored Cross-Site Scripting vulnerability in the GitLab Flavored Markdown

A stored Cross-Site Scripting vulnerability in the GitLab Flavored Markdown in GitLab CE/EE version 8.4 and above allowed an attacker to execute arbitrary JavaScript code on the victim's behalf. This is a high severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N, 7.3). It is now mitigated in the latest release and is assigned CVE-2021-39887.

Thanks saleemrashid for reporting this vulnerability through our HackerOne bug bounty program.

DNS Rebinding vulnerability in Gitea importer

In all versions of GitLab CE/EE since version 8.15, a DNS rebinding vulnerability in Gitea Importer may be exploited by an attacker to trigger Server Side Request Forgery (SSRF) attacks. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N, 6.5). It is now mitigated in the latest release and is assigned CVE-2021-39867.

This issue was found internally by a member of the GitLab team.

Exposure of trigger tokens on project exports

In all versions of GitLab CE/EE since version 8.9, project exports may expose trigger tokens configured on that project. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N, 6.5). It is now mitigated in the latest release and is assigned CVE-2021-39869.

Thanks @mishre for reporting this vulnerability through our HackerOne bug bounty program.

Improper access control for users with expired password

In all versions of GitLab CE/EE since version 14.1, an improper access control vulnerability allows users with expired password to still access GitLab through git and API through access tokens acquired before password expiration. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, 6.5). It is now mitigated in the latest release and is assigned CVE-2021-39872.

Thanks @ngalog for reporting this vulnerability through our HackerOne bug bounty program.

Access tokens are not cleared after impersonation

In all versions of GitLab CE/EE since version 8.0, access tokens created as part of admin's impersonation of a user are not cleared at the end of impersonation which may lead to unnecessary sensitive info disclosure. This is a medium severity issue (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N, 5.9). We have requested a CVE ID and will update this blog post when it is assigned.

This vulnerability was found internally by a member of the GitLab team.

Reflected Cross-Site Scripting in Jira Integration

A stored Reflected Cross-Site Scripting vulnerability in the Jira integration in GitLab version 13.0 up to 14.3.1 allowed an attacker to execute arbitrary javascript code. This is a medium severity issue (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N, 5.8). It is now mitigated in the latest release and is assigned CVE-2021-39878.

Thanks ooooooo_q for reporting this vulnerability through our HackerOne bug bounty program.

DNS Rebinding vulnerability in Fogbugz importer

In all versions of GitLab CE/EE since version 8.0, a DNS rebinding vulnerability exists in Fogbugz importer which may be used by attackers to exploit Server Side Request Forgery attacks. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N, 5.4). We have requested a CVE ID and will update this blog post when it is assigned.

This vulnerability was discovered internally by the GitLab team.

Access tokens persist after project deletion

A business logic error in the project deletion process in GitLab 13.6 and later allows persistent access via project access tokens. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N, 5.4). It is now mitigated in the latest release and is assigned CVE-2021-39866.

Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program.

User enumeration vulnerability

In all versions of GitLab CE/EE, provided a user ID, anonymous users can use a few endpoints to retrieve information about any GitLab user. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, 5.3). It is now mitigated in the latest release and is assigned CVE-2021-39882.

This issue was found internally by a member of the GitLab team.

Potential DOS via API requests

A potential DOS vulnerability was discovered in GitLab starting with version 9.1 that allowed parsing files without authorisation. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L, 5.3). We have requested a CVE ID and will update this blog post when it is assigned.

This vulnerability has been discovered internally by the GitLab team.

Pending invitations of public groups and public projects are visible to any user

In all versions of GitLab CE/EE since version 13.6, it is possible to see pending invitations of any public group or public project by visiting an API endpoint. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, 5.3). It is now mitigated in the latest release and is assigned CVE-2021-39875.

Thanks @ashish_r_padelkar for reporting this vulnerability through our HackerOne bug bounty program.

Bypass Disabled Repo by URL Project Creation

In all versions of GitLab CE/EE since version 11.11, an instance that has the setting to disable Repo by URL import enabled is bypassed by an attacker making a crafted API call. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N, 4.3). It is now mitigated in the latest release and is assigned CVE-2021-39870.

Thanks @ngalog for reporting this vulnerability through our HackerOne bug bounty program.

Low privileged users can see names of the private groups shared in projects

In all versions of GitLab EE since version 8.13, an endpoint discloses names of private groups that have access to a project to low privileged users that are part of that project. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, 4.3). It is now mitigated in the latest release and is assigned CVE-2021-39884.

Thanks @ashish_r_padelkar for reporting this vulnerability through our HackerOne bug bounty program.

API discloses sensitive info to low privileged users

In all versions of GitLab EE since version 13.10, a specific API endpoint may reveal details about a private group and other sensitive info inside issue and merge request templates. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, 4.3). We have requested a CVE ID and will update this blog post when it is assigned.

Thanks @0xn3va for reporting this vulnerability through our HackerOne bug bounty program.

Epic listing do not honour group memberships

Improper authorization checks in GitLab EE > 13.11 allows subgroup members to see epics from all parent subgroups. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, 4.3). It is now mitigated in the latest release and is assigned CVE-2021-39883.

This vulnerability has been discovered internally by the GitLab team.

Insecure Direct Object Reference vulnerability may lead to protected branch names getting disclosed

In all versions of GitLab EE since version 14.1, due to an insecure direct object reference vulnerability, an endpoint may reveal the protected branch name to a malicious user who makes a crafted API call with the ID of the protected branch. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, 4.3). We have requested a CVE ID and will update this blog post when it is assigned.

Thanks @ashish_r_padelkar for reporting this vulnerability through our HackerOne bug bounty program.

Low privileged users can import users from projects that they they are not a maintainer on

In all versions of GitLab CE/EE since version 12.0, a lower privileged user can import users from projects that they don't have a maintainer role on and disclose email addresses of those users. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, 4.3). We have requested a CVE ID and will update this blog post when it is assigned.

Thanks @ashish_r_padelkar for reporting this vulnerability through our HackerOne bug bounty program.

Potential DOS via dependencies API

A potential DOS vulnerability was discovered in GitLab EE starting with version 12.6 due to lack of pagination in dependencies API. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L, 4.3). It is now mitigated in the latest release and is assigned CVE-2021-22259.

This vulnerability has been discovered internally by the GitLab team.

Create a project with unlimited repository size through malicious Project Import

In all versions of GitLab CE/EE since version 8.12, an authenticated low-privileged malicious user may create a project with unlimited repository size by modifying values in a project export. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N, 4.3). It is now mitigated in the latest release and is assigned CVE-2021-39868.

Thanks @ngalog for reporting this vulnerability through our HackerOne bug bounty program.

Bypass disabled Bitbucket Server import source project creation

In all versions of GitLab CE/EE since version 13.0, an instance that has the setting to disable Bitbucket Server import enabled is bypassed by an attacker making a crafted API call. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N, 4.3). It is now mitigated in the latest release and is assigned CVE-2021-39871.

This issue was discovered internally by a member of the GitLab team.

Requirement to enforce 2FA is not honored when using git commands

In all versions of GitLab CE/EE since version 11.0, the requirement to enforce 2FA is not honored when using git commands. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N, 4.3). It is now mitigated in the latest release and is assigned CVE-2021-39874.

Thanks @melar_dev for reporting this vulnerability through our HackerOne bug bounty program.

Content spoofing vulnerability

In all versions of GitLab CE/EE, there exists a content spoofing vulnerability which may be leveraged by attackers to trick users into visiting a malicious website by spoofing the content in an error response. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N, 4.3). It is now mitigated in the latest release and is assigned CVE-2021-39873.

Thanks @w00t1 for reporting this vulnerability through our HackerOne bug bounty program.

Improper session management in impersonation feature

In all versions of GitLab CE/EE since version 8.0, when an admin uses the impersonate feature twice and stops impersonating, the admin may be logged in as the second user they impersonated, which may lead to repudiation issues. This is a low severity issue (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N, 3.8). We have requested a CVE ID and will update this blog post when it is assigned.

This vulnerability was reported to GitLab by a customer.

Create OAuth application with arbitrary scopes through content spoofing

In all versions of GitLab CE/EE since version 7.7, the application may let a malicious user create an OAuth client application with arbitrary scope names which may allow the malicious user to trick unsuspecting users to authorize the malicious client application using the spoofed scope name and description. This is a low severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N, 3.5). It is now mitigated in the latest release and is assigned CVE-2021-39881.

Thanks @executor for reporting this vulnerability through our HackerOne bug bounty program.

Lack of account lockout on change password functionality

In all versions of GitLab CE/EE, an attacker with access to a user’s session may brute force the user’s password via the change password function. There is a rate limit in place, but the attack may still be conducted by splitting the attack over several IP addresses. This is a low severity issue (CVSS:3.0/AV:P/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N, 2.9). We have requested a CVE ID and will update this blog post when it is assigned.

This vulnerability was discovered internally by the GitLab team.

Epic reference was not updated while moved between groups

Permissions rules were not applied while issues were moved between projects of the same group in GitLab versions starting with 10.6 and up to 14.1.7 allowing users to read confidential Epic references. This is a low severity issue (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N, 2.6). It is now mitigated in the latest release and is assigned CVE-2021-39886.

This vulnerability was discovered internally by the GitLab team.

Missing authentication allows disabling of two-factor authentication

Missing authentication in all versions of GitLab CE/EE since version 7.11.0 allows an attacker with access to a victim's session to disable two-factor authentication. This is a low severity issue (CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N, 2.2). It is now mitigated in the latest release and is assigned CVE-2021-39879.

This vulnerability has been discovered internally by the GitLab team.

Information disclosure in SendEntry

Information disclosure from SendEntry in GitLab starting with 10.8 allowed exposure of full URL of artifacts stored in object-storage with a temporary availability via Rails logs. This is a low severity issue (CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N, 2.0). We have requested a CVE ID and will update this blog post when it is assigned.

This vulnerability has been discovered internally by the GitLab team.

Updating

To update GitLab, see the Update page.
To update Gitlab Runner, see the Updating the Runner page.

Receive Security Release Notifications

To receive security release blog notifications delivered to your inbox, visit our contact us page.
To receive release notifications via RSS, subscribe to our security release RSS feed or our RSS feed for all releases.

软件描述

GitLab 是一个用于仓库管理系统的开源项目,使用Git作为代码管理工具,并在此基础上搭建起来的web服务。安装方法是参考GitLab在GitHub上的Wiki页面。

TSRC分析

暂无

业界资讯

暂无

评论

提交评论 您输入的评论有误,请重新输入