===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2019.0001
             GitLab Security Release: 11.6.1, 11.5.6, 11.4.13
                              3 January 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              GitLab Community Edition
                      GitLab Enterprise Edition
Operating System:     Windows
                      Linux variants
                      Virtualisation
Impact/Access:        Cross-site Request Forgery -- Remote with User Interaction
                      Cross-site Scripting       -- Remote with User Interaction
                      Access Confidential Data   -- Remote/Unauthenticated      
                      Unauthorised Access        -- Existing Account            
Resolution:           Patch/Upgrade
CVE Names:            CVE-2018-20507 CVE-2018-20501 CVE-2018-20500
                      CVE-2018-20499 CVE-2018-20498 CVE-2018-20497
                      CVE-2018-20496 CVE-2018-20495 CVE-2018-20494
                      CVE-2018-20493 CVE-2018-20492 CVE-2018-20491
                      CVE-2018-20490 CVE-2018-20489 CVE-2018-20488
Member content until: Saturday, February 2 2019

OVERVIEW

        Vulnerabilities have been discovered in GitLab Community Edition 
        (CE) and Enterprise Edition (EE) prior to versions 11.6.1, 11.5.6, 
        and 11.4.13. [1]


IMPACT

        The vendor has provided the following information regarding the 
        vulnerability:
        
        "Source code disclosure merge request diff
        
        The merge request diff feature was missing an authorization control
        which resulted in source code disclosure of public or internal 
        projects with a repository available to team members only. The issue
        is now mitigated in the latest release and is assigned 
        CVE-2018-20493.
        
        Thanks to @ngalog for responsibly reporting this vulnerability to 
        us.
        
        Todos improper access control
        
        The todos component was vulnerable to an improper access control 
        issue which could've resulted in access to confidential issues or 
        merge requests. The issue is now mitigated in the latest release and
        is assigned CVE-2018-20492.
        
        Thanks to @xanbanx for responsibly reporting this vulnerability to 
        us.
        
        URL rel attribute not set
        
        The rel attribute was not set for some URLs in a markdown field. The
        issue is now mitigated in the latest release and is assigned 
        CVE-2018-20489.
        
        Thanks to @jobert from HackerOne for responsibly reporting this 
        vulnerability to us.
        
        Persistent XSS Autocompletion
        
        An attribute used in autocompletion contained an input validation 
        and output encoding issue which resulted in a persistent XSS. The 
        issue is now mitigated in the latest release and is assigned 
        CVE-2018-20490.
        
        Thanks to @jouko for responsibly reporting this vulnerability to us.
        
        SSRF repository mirroring
        
        The repository mirroring feature was vulnerable to an SSRF issue. It
        is now mitigated in the latest release and is assigned 
        CVE-2018-20497.
        
        Thanks to @ngalog for responsibly reporting this vulnerability to 
        us.
        
        By default, this fix forbids importing projects or mirroring 
        repositories in the same network. In order to allow URLs pointing to
        the local network, the option located in Admin > Settings > Network
        > Outbound requests > Allow requests to the local network from hooks
        and services has to be enabled.
        
        CI job token LFS error message disclosure
        
        The CI job token was being disclosed in the job output due to an LFS
        error message. It is now mitigated in the latest release and is 
        assigned CVE-2018-20495.
        
        Thanks to Damian Nowak for responsibly reporting this vulnerability
        to us.
        
        Secret CI variable exposure
        
        Secret CI variables can be exposed by creating a tag with the same 
        name as an existing protected branch. This issue is now mitigated in
        the latest release and is assigned CVE-2018-20488.
        
        Guest user CI job disclosure
        
        The CI jobs API endpoint contained an improper access control issue
        which resulted in guest users being able to access job information.
        This issue is now mitigated in the latest release and is assigned 
        CVE-2018-20494.
        
        Thanks to @xanbanx for responsibly reporting this vulnerability to 
        us.
        
        Persistent XSS label reference
        
        The markdown label references feature contained a lack of input 
        validation and output encoding issue which resulted in a persistent
        XSS. This issue is now mitigated in the latest release and is 
        assigned CVE-2018-20496.
        
        Thanks to @jouko for responsibly reporting this vulnerability to us.
        
        Persistent XSS wiki in IE browser
        
        A persistent XSS issue was discovered in wiki markdown pages due to
        an issue of how Internet Explorer treats a certain configuration of
        the CSP header. This issue is now mitigated in the latest release 
        and is assigned CVE-2018-20491.
        
        Thanks to @ruvlol for responsibly reporting this vulnerability to 
        us.
        
        SSRF in project imports with LFS
        
        The project imports feature was vulnerable to an SSRF issue which 
        allowed an attacker to make requests to any local network resource 
        accessible from the GitLab server. This issue is now mitigated in 
        the latest release and is assigned CVE-2018-20499.
        
        Thanks to @nyangawa of Chaitin Tech for responsibly reporting this 
        vulnerability to us.
        
        Improper access control CI/CD settings
        
        The CI/CD settings contained an issue where the runner registration
        token could not be reset. This was a security risk if one of the 
        maintainers leaves the group and they know the token. This issue is
        now mitigated in the latest release and is assigned CVE-2018-20500.
        
        Thanks to @ngalog for responsibly reporting this vulnerability to 
        us.
        
        Missing authorization control merge requests
        
        A project member that has been removed from a private project 
        retains control over the state, assignee, milestones, and labels of
        a merge request and issue. It is now mitigated in the latest release
        and is assigned CVE-2018-20501.
        
        Thanks to @jobert from HackerOne for responsibly reporting this 
        vulnerability to us.
        
        Improper access control branches and tags
        
        Guest users were able to view branches and tag names, which is 
        normally forbidden. The issue is now mitigated in the latest release
        and is assigned CVE-2018-20498.
        
        Thanks to @bull for responsibly reporting this vulnerability to us.
        
        Missing authentication for Prometheus alert endpoint
        
        The GitLab Prometheus integration alert endpoint was lacking 
        authentication which could result in falsely generated notification
        emails. The issue is now mitigated in the latest release and is 
        assigned CVE-2018-20507." [1]
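
        The SSRF fixes for repository mirroring and project imports
        (CVE-2018-20497, CVE-2018-20499) are described above as refusing
        URLs that point at the local network unless an administrator
        enables "Allow requests to the local network from hooks and
        services". The block below is an added illustration of that kind
        of destination check, not GitLab's own code: FAKE_DNS, the host
        names and addresses are constructed, and allow_local_network
        stands in for the admin setting.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed stand-in for DNS so the example runs offline; a real check
# resolves every A/AAAA answer for the name and tests each one.
FAKE_DNS = {
    "localhost": ["127.0.0.1"],
    "gitlab.example.com": ["203.0.113.10"],          # public (TEST-NET-3)
    "intranet.corp.example": ["10.20.30.40"],         # RFC 1918
    "rebind.example": ["203.0.113.5", "127.0.0.1"],   # one public, one loopback
}
ALLOWED_SCHEMES = {"http", "https", "git", "ssh"}
# "Local network" ranges: loopback, RFC 1918, CGNAT, link-local, unspecified, IPv6 ULA/link-local.
LOCAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]

def resolve(host):
    """Literal IPs are returned as-is; names go through the constructed FAKE_DNS."""
    try:
        return [ipaddress.ip_address(host)]
    except ValueError:
        return [ipaddress.ip_address(a) for a in FAKE_DNS.get(host, [])]

def is_local_address(addr):
    """True if addr (after unmapping ::ffff:a.b.c.d) lies in LOCAL_NETWORKS."""
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    return any(addr in net for net in LOCAL_NETWORKS)

def mirror_url_allowed(url, allow_local_network=False):
    """Return (allowed, reason); allow_local_network stands in for the admin toggle."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "malformed URL"
    host = parts.hostname  # lower-cased, IPv6 brackets stripped
    if parts.scheme not in ALLOWED_SCHEMES or not host:
        return False, "unsupported scheme or missing host"
    addrs = resolve(host)
    if not addrs:
        return False, "host does not resolve"
    # Block if ANY answer is local: mixed answers are a DNS-rebinding risk.
    local = [str(a) for a in addrs if is_local_address(a)]
    if local and not allow_local_network:
        return False, "resolves to local network address(es): " + ", ".join(local)
    return True, "ok"
```

        Checking the resolved addresses rather than the host string is
        what catches IPv4-mapped IPv6 literals and names that resolve to
        a mix of public and loopback answers.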


MITIGATION

        GitLab versions 11.6.1, 11.5.6 and 11.4.13 have been released which
        address these vulnerabilities. [1]
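
        To check a fleet against the fixed versions named above, the
        added Python example below (not from AusCERT or GitLab) parses
        GitLab version strings and reports which hosts still need to
        move to 11.6.1, 11.5.6 or 11.4.13. The inventory is constructed,
        and treating release lines newer than 11.6 as already carrying
        the fix is an assumption.

```python
# Fixed versions named in the advisory, keyed by release line.
FIXED = {(11, 6): (11, 6, 1), (11, 5): (11, 5, 6), (11, 4): (11, 4, 13)}
NEWEST_LINE = max(FIXED)
OLDEST_LINE = min(FIXED)

def parse_version(text):
    """'11.5.3-ee' -> (11, 5, 3); the CE/EE suffix does not affect the check."""
    core = text.strip().split("-", 1)[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    return tuple(int(p) for p in parts)

def required_upgrade(text):
    """Return None if the version is patched, else the version to move to."""
    v = parse_version(text)
    line = v[:2]
    if line in FIXED:               # 11.4, 11.5 or 11.6: compare within the line
        return None if v >= FIXED[line] else FIXED[line]
    if line > NEWEST_LINE:          # assumption: lines newer than 11.6 include the fix
        return None
    return FIXED[OLDEST_LINE]       # older lines: nearest fixed release is 11.4.13

def fleet_report(inventory):
    """inventory: {host: version string}; returns {host: target} for unpatched hosts."""
    report = {}
    for host, version in inventory.items():
        target = required_upgrade(version)
        if target is not None:
            report[host] = ".".join(str(n) for n in target)
    return report

# Constructed inventory, not real hosts.
SAMPLE_INVENTORY = {
    "git-a": "11.6.0-ee", "git-b": "11.6.1-ce", "git-c": "11.5.6-ee",
    "git-d": "11.4.12-ce", "git-e": "11.3.9-ee", "git-f": "11.7.0-ee",
}
```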


REFERENCES

        [1] GitLab Security Release: 11.6.1, 11.5.6, 11.4.13
            https://about.gitlab.com/2018/12/31/security-release-gitlab-11-dot-6-dot-1-released/

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================