-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2019.0226
           GitLab Security Release: 12.1.2, 12.0.4, and 11.11.7
                               2 August 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              GitLab Community Edition
                      GitLab Enterprise Edition
Operating System:     Linux variants
                      Windows
Impact/Access:        Create Arbitrary Files         -- Existing Account            
                      Cross-site Scripting           -- Existing Account            
                      Denial of Service              -- Existing Account            
                      Provide Misleading Information -- Remote with User Interaction
                      Access Confidential Data       -- Remote/Unauthenticated      
                      Unauthorised Access            -- Remote/Unauthenticated      
Resolution:           Patch/Upgrade
CVE Names:            CVE-2019-5474 CVE-2019-5473 CVE-2019-5472
                      CVE-2019-5471 CVE-2019-5470 CVE-2019-5469
                      CVE-2019-5468 CVE-2019-5467 CVE-2019-5466
                      CVE-2019-5465 CVE-2019-5464 CVE-2019-5463
                      CVE-2019-5462 CVE-2019-5461 
Member content until: Sunday, September  1 2019

OVERVIEW

        Multiple vulnerabilities have been addressed in GitLab versions 
        12.1.2, 12.0.4, and 11.11.7. [1]


IMPACT

        The vendor has supplied the following information regarding the 
        vulnerabilities:
        
        "GitHub Integration SSRF
        
        An input validation problem was discovered in the GitHub service 
        integration which could result in an attacker being able to make 
        arbitrary POST requests in a GitLab instance's internal network. The
        issue is now mitigated in the latest release and is assigned 
        CVE-2019-5461.
        
        Thanks to @jobert for responsibly reporting this vulnerability to 
        us.
        
        Versions Affected
        
        Affects GitLab CE/EE 10.6 and later.
        
        Remediation
        
        We strongly recommend that all installations running an affected 
        version above are upgraded to the latest version as soon as 
        possible.
        
        Trigger Token Impersonation
        
        An authorization issue was discovered when trigger tokens are not 
        rotated once ownership of them has changed. The issue is now 
        mitigated in the latest release and is assigned CVE-2019-5462.
        
        Thanks to @ashish_r_padelkar for responsibly reporting this 
        vulnerability to us.
        
        Versions Affected
        
        Affects GitLab CE/EE 9.0 and later.
        
        Remediation
        
        We strongly recommend that all installations running an affected 
        version above are upgraded to the latest version as soon as 
        possible.
        
        Build Status Disclosure
        
        An authorization issue was discovered in the CI badge images 
        endpoint which could result in disclosure of the build status. The 
        issue is now mitigated in the latest release and is assigned 
        CVE-2019-5463.
        
        Thanks to @xanbanx for responsibly reporting this vulnerability to 
        us.
        
        Versions Affected
        
        Affects all previous GitLab CE/EE versions.
        
        Remediation
        
        We strongly recommend that all installations running an affected 
        version above are upgraded to the latest version as soon as 
        possible.
        
        SSRF Mitigation Bypass
        
        A flawed DNS rebinding protection issue was discovered in 
        url_blocker.rb which could result in SSRF where the library is 
        utilized. The issue is now mitigated in the latest release and is 
        assigned CVE-2019-5464.
        
        Thanks to @mclaren650sspider for responsibly reporting this 
        vulnerability to us.
        
        Versions Affected
        
        Affects GitLab CE/EE 10.2 and later.
        
        Remediation
        
        We strongly recommend that all installations running an affected 
        version above are upgraded to the latest version as soon as 
        possible.
        
        Information Disclosure New Issue ID
        
        An authorization issue was discovered in the move issue feature 
        which could result in disclosure of the newly created issue ID. The
        issue is now mitigated in the latest release and is assigned 
        CVE-2019-5465.
        
        Thanks to @ashish_r_padelkar for responsibly reporting this 
        vulnerability to us.
        
        Versions Affected
        
        Affects GitLab CE/EE 8.14 and later.
        
        Remediation
        
        We strongly recommend that all installations running an affected 
        version above are upgraded to the latest version as soon as 
        possible.
        
        IDOR Label Name Enumeration
        
        An IDOR was discovered in the new merge requests endpoint which 
        could result in disclosure of label names. The issue is now 
        mitigated in the latest release and is assigned CVE-2019-5466.
        
        Thanks to @ashish_r_padelkar for responsibly reporting this 
        vulnerability to us.
        
        Versions Affected
        
        Affects GitLab CE/EE 11.5 and later.
        
        Remediation
        
        We strongly recommend that all installations running an affected 
        version above are upgraded to the latest version as soon as 
        possible.
        
        Persistent XSS Wiki Pages
        
        An input validation and output encoding issue was discovered in the
        wiki pages feature which could result in a persistent XSS. The issue
        is now mitigated in the latest release and is assigned 
        CVE-2019-5467.
        
        Thanks to @ryhmnlfj for responsibly reporting this vulnerability to
        us.
        
        Versions Affected
        
        Affects GitLab CE/EE 11.10 and later.
        
        Remediation
        
        We strongly recommend that all installations running an affected 
        version above are upgraded to the latest version as soon as 
        possible.
        
        User Revocation Bypass with Mattermost Integration
        
        An authorization issue was discovered when Mattermost slash commands
        are used with a blocked account. The issue is now mitigated in the 
        latest release and is assigned CVE-2019-5468.
        
        Thanks to @logan5 for responsibly reporting this vulnerability to 
        us.
        
        Versions Affected
        
        Affects GitLab CE/EE 8.14 command service and later.
        
        Remediation
        
        We strongly recommend that all installations running an affected 
        version above are upgraded to the latest version as soon as 
        possible.
        
        Arbitrary File Upload via Import Project Archive
        
        A file upload issue was discovered when importing a project archive.
        The issue is now mitigated in the latest release and is assigned 
        CVE-2019-5469.
        
        Thanks to @ajxchapman for responsibly reporting this vulnerability 
        to us.
        
        Versions Affected
        
        Affects GitLab CE/EE 10.5 and later.
        
        Remediation
        
        We strongly recommend that all installations running an affected 
        version above are upgraded to the latest version as soon as 
        possible.
        
        Information Disclosure Vulnerability Feedback
        
        An authorization issue was discovered in the security dashboard 
        which could result in disclosure of vulnerability feedback 
        information. The issue is now mitigated in the latest release and is
        assigned CVE-2019-5470.
        
        Thanks to @ashish_r_padelkar for responsibly reporting this 
        vulnerability to us.
        
        Versions Affected
        
        Affects GitLab CE/EE 10.8 and later.
        
        Remediation
        
        We strongly recommend that all installations running an affected 
        version above are upgraded to the latest version as soon as 
        possible.
        
        Persistent XSS via Email
        
        An input validation and output encoding issue was discovered in the
        email notification feature which could result in a persistent XSS. 
        The issue is now mitigated in the latest release and is assigned 
        CVE-2019-5471.
        
        Thanks to @mario-areias for responsibly reporting this vulnerability
        to us.
        
        Versions Affected
        
        Affects GitLab EE 8.9 and later.
        
        Remediation
        
        We strongly recommend that all installations running an affected 
        version above are upgraded to the latest version as soon as 
        possible.
        
        Denial Of Service Epic Comments
        
        An authorization issue was discovered that forbade deleting epic 
        comments. The issue is now mitigated in the latest release and is 
        assigned CVE-2019-5472.
        
        Thanks to @ashish_r_padelkar for responsibly reporting this 
        vulnerability to us.
        
        Versions Affected
        
        Affects all previous GitLab EE 10.7 and later.
        
        Remediation
        
        We strongly recommend that all installations running an affected 
        version above are upgraded to the latest version as soon as 
        possible.
        
        Email Verification Bypass
        
        An authentication issue was discovered that allowed email 
        verification to be bypassed. The issue is now mitigated in the latest release and 
        is assigned CVE-2019-5473.
        
        Thanks to @ngalog for responsibly reporting this vulnerability to 
        us.
        
        Versions Affected
        
        Affects GitLab EE 12.0 and later.
        
        Remediation
        
        We strongly recommend that all installations running an affected 
        version above are upgraded to the latest version as soon as 
        possible.
        
        Override Merge Request Approval Rules
        
        An authorization issue was discovered in the merge request approval
        rules. The issue is now mitigated in the latest release and is 
        assigned CVE-2019-5474.
        
        Thanks to @ashish_r_padelkar for responsibly reporting this 
        vulnerability to us.
        
        Versions Affected
        
        Affects GitLab EE 11.8 and later." [1]
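        Two of the items above, the GitHub integration SSRF (CVE-2019-5461)
        and the DNS rebinding bypass of url_blocker.rb (CVE-2019-5464), both
        come down to how an application validates the destination of an
        outbound request. The Ruby below is an illustration added to this
        bulletin; it is not GitLab's url_blocker.rb or any other GitLab code.
        It contrasts a checker that resolves a hostname only to validate it
        and then hands the hostname back to the HTTP client (which resolves
        again on connect, the window a rebinding attack uses) with one that
        resolves once, rejects any internal answer, and pins the connection
        to the vetted address. The blocked ranges, the hostname
        hook.example, the addresses, and the rebinding_resolver stub are all
        constructed for the example so it runs offline.

```ruby
require 'ipaddr'
require 'resolv'
require 'uri'

# Address ranges an outbound webhook/integration request must never reach.
# Constructed for this example (RFC 1918, loopback, link-local, IPv6 local).
BLOCKED_RANGES = %w[
  0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16
  172.16.0.0/12 192.168.0.0/16 ::1/128 fc00::/7 fe80::/10
].map { |cidr| IPAddr.new(cidr) }.freeze

class BlockedUrlError < StandardError; end

# True when the address lies in an internal range. IPv4-mapped IPv6
# (::ffff:a.b.c.d) is unwrapped first so the IPv4 ranges still apply.
def blocked_address?(ip_string)
  ip = IPAddr.new(ip_string)
  ip = ip.native if ip.ipv6? && ip.ipv4_mapped?
  BLOCKED_RANGES.any? { |range| range.include?(ip) }
end

# Weak pattern: resolve to validate, then return the original hostname URL.
# The HTTP client resolves AGAIN on connect, which is the rebinding window.
def validate_only(url, resolver:)
  uri = URI.parse(url)
  bad = resolver.call(uri.host).find { |a| blocked_address?(a) }
  raise BlockedUrlError, "#{uri.host} resolves to internal #{bad}" if bad
  url
end

# Safer pattern: resolve exactly once, reject if ANY answer is internal, and
# return a URL whose host is the vetted IP so no second lookup can happen.
# The caller keeps the original name for the Host header and TLS SNI.
def resolve_and_pin(url, resolver: ->(host) { Resolv.getaddresses(host) })
  uri = URI.parse(url)
  raise BlockedUrlError, 'only http(s) is allowed' unless %w[http https].include?(uri.scheme)
  raise BlockedUrlError, 'missing host' if uri.hostname.nil? || uri.hostname.empty?

  host = uri.hostname # brackets already stripped for IPv6 literals
  addresses =
    begin
      [IPAddr.new(host).to_s] # literal IP: nothing to resolve
    rescue IPAddr::InvalidAddressError
      resolver.call(host)
    end
  raise BlockedUrlError, "could not resolve #{host}" if addresses.empty?

  bad = addresses.find { |a| blocked_address?(a) }
  raise BlockedUrlError, "#{host} resolves to internal #{bad}" if bad

  pinned = addresses.first
  pinned_uri = uri.dup
  pinned_uri.hostname = pinned # URI adds [] around IPv6 literals
  { pinned_url: pinned_uri.to_s, host_header: uri.host, address: pinned }
end

# Simulated HTTP client: reports the address it would connect to for a URL,
# resolving the hostname again unless the URL already carries a literal IP.
def connect_address(url, resolver:)
  host = URI.parse(url).hostname
  IPAddr.new(host).to_s
rescue IPAddr::InvalidAddressError
  resolver.call(host).first
end

# Constructed rebinding DNS: first answer public, every later answer loopback.
def rebinding_resolver
  answers = [['93.184.216.34'], ['127.0.0.1']]
  ->(_host) { answers.length > 1 ? answers.shift : answers.first }
end

if $PROGRAM_NAME == __FILE__
  r = rebinding_resolver
  weak = validate_only('http://hook.example/notify', resolver: r)
  puts "validate-only: client connects to #{connect_address(weak, resolver: r)}"
  r = rebinding_resolver
  safe = resolve_and_pin('http://hook.example/notify', resolver: r)
  puts "pinned:        client connects to #{connect_address(safe[:pinned_url], resolver: r)}"
end
```

        Pinning only helps if the HTTP client is told to connect to the
        returned address and to send the original name in the Host header
        (and as the TLS server name); any redirect the server returns is a
        new destination and must go through resolve_and_pin again.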


MITIGATION

        The vendor recommends upgrading to the latest release as soon as possible.


REFERENCES

        [1] GitLab Security Release: 12.1.2, 12.0.4, and 11.11.7
            https://about.gitlab.com/2019/07/29/security-release-gitlab-12-dot-1-dot-2-released/

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----