-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2018.0076
            GitLab releases security update for XSS, data leak
                               12 April 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              GitLab
Operating System:     Windows
                      Linux variants
                      Virtualisation
Impact/Access:        Cross-site Scripting     -- Existing Account
                      Access Confidential Data -- Existing Account
Resolution:           Patch/Upgrade
Member content until: Saturday, May 12 2018

OVERVIEW

        Multiple vulnerabilities have been identified in GitLab Community 
        Edition (CE) and Enterprise Edition (EE) prior to versions 10.6.3,
        10.5.7, and 10.4.7. [1]


IMPACT

        The vendor has provided the following details regarding the 
        vulnerabilities:
        
        "Confidential issue comments in Slack, Mattermost, and webhook integrations
        
        Comments on confidential issues were previously sent to webhooks and
        integrations when notifications were configured to send notes or comments.
        This applied to custom webhooks, Slack, and Mattermost notifications.
        
        We've introduced a new option to control the sending of confidential notes
        as well as an option for specifying a different channel for Slack and Mattermost.
        
        Versions Affected
        
        Affects GitLab CE/EE 8.6 and up.
        
        
        Persistent XSS in milestones data-milestone-id
        
        The milestone dropdown feature contained a persistent XSS issue that is now
        resolved in the latest release. This issue has been assigned CVE-2018-9244.
        
        Thanks to fransrosen for responsibly reporting this vulnerability to us.
        
        Versions Affected
        
        Affects GitLab CE/EE 9.2 and up.
        
        
        Persistent XSS in filename of merge request
        
        Filenames in the changes tab contained a persistent XSS issue that is now
        resolved in the latest release. This issue has been assigned CVE-2018-9243.
        
        Thanks to fransrosen for responsibly reporting this vulnerability to us."
        [1]
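
        The two XSS items above name their rendering contexts: an HTML
        attribute (data-milestone-id) and the changed-file names in the
        merge request changes tab. The Ruby below is added here as an
        illustration of that bug class and its fix; it is not GitLab's
        code, and the markup shape, helper names and sample values are
        all assumed.

```ruby
require 'erb'
include ERB::Util # brings html_escape (alias h) into scope

# Constructed sample values (not GitLab data) standing in for user-supplied
# fields: a milestone whose id arrives as a raw string and whose title carries
# quotes and angle brackets, plus a changed-file name containing angle brackets.
MILESTONE = { id: '12', title: 'Release "Q2" <beta>' }.freeze
CHANGED_FILE = 'src/<main>.rb'.freeze

# Unsafe pattern: untrusted values interpolated straight into markup. A double
# quote in the title ends the data-title attribute early, and '<' in the
# filename is parsed as a tag; stored values rendered this way give a
# persistent XSS.
def render_milestone_unsafe(m)
  %(<li data-milestone-id="#{m[:id]}" data-title="#{m[:title]}">#{m[:title]}</li>)
end

def render_changed_file_unsafe(name)
  %(<a class="file-title" title="#{name}">#{name}</a>)
end

# Hardened pattern: ids are validated as integers before rendering, and every
# free-text value is HTML-escaped for both attribute and text contexts.
def milestone_id_for_attr(raw)
  Integer(raw.to_s, 10) # raises ArgumentError on anything but a decimal id
end

def render_milestone_safe(m)
  id = milestone_id_for_attr(m[:id])
  title = h(m[:title]) # escapes & < > " '
  %(<li data-milestone-id="#{id}" data-title="#{title}">#{title}</li>)
end

def render_changed_file_safe(name)
  escaped = h(name)
  %(<a class="file-title" title="#{escaped}">#{escaped}</a>)
end

if __FILE__ == $PROGRAM_NAME
  puts render_milestone_unsafe(MILESTONE)
  puts render_milestone_safe(MILESTONE)
  puts render_changed_file_unsafe(CHANGED_FILE)
  puts render_changed_file_safe(CHANGED_FILE)
end
```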


MITIGATION

        The vendor strongly recommends users upgrade to the latest versions
        to fix these issues. [1]


REFERENCES

        [1] GitLab Security Release: 10.6.3, 10.5.7, and 10.4.7
            https://about.gitlab.com/2018/04/04/security-release-gitlab-10-dot-6-dot-3-released/

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----