-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.0046
            GitLab security updates v12.6.2, 12.5.6, and 12.4.7
                               6 January 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           GitLab
Publisher:         GitLab
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
                   Virtualisation
Impact/Access:     Denial of Service        -- Existing Account
                   Access Confidential Data -- Remote/Unauthenticated
                   Unauthorised Access      -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-5197 CVE-2019-20148 CVE-2019-20147 CVE-2019-20146
                   CVE-2019-20145 CVE-2019-20144 CVE-2019-20143 CVE-2019-20142

Original Bulletin:
   https://about.gitlab.com/blog/2020/01/02/security-release-gitlab-12-6-2-released/

- --------------------------BEGIN INCLUDED TEXT--------------------

Jan 2, 2020 - Vitor Meireles De Sousa

GitLab Security Release: 12.6.2, 12.5.6, and 12.4.7

Today we are releasing versions 12.6.2, 12.5.6, and 12.4.7 for GitLab
Community Edition (CE) and Enterprise Edition (EE).

These versions contain important security fixes that were inadvertently not
included in our most recent security release. We strongly recommend that all
GitLab installations be upgraded to one of these versions immediately.

The vulnerability details will be made public on our issue tracker in
approximately 30 days.

Please read on for more information regarding this release.

# Group Maintainers Can Update/Delete Group Runners Using API

Insufficient access verification led to unauthorized modification of group
runners through the API. This issue is now mitigated in the latest release and
is assigned CVE-2019-20144.

Thanks @ashish_r_padelkar for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab EE/CE 10.8 and later.
Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

# GraphQL Queries Can Hang the Application

Certain GraphQL queries could hang the application because the server was
missing parameters for handling time-consuming queries. This issue is now
mitigated in the latest release and is assigned CVE-2019-20146.

Thanks to the GitLab team for finding and reporting this issue.

Versions Affected

Affects GitLab EE/CE 11.0 and later.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

# Unauthorized Users Have Access to Milestones of Releases

Under certain circumstances, an unauthenticated user can access a release's
milestone and issues. This issue is now mitigated in the latest release and is
assigned CVE-2019-20143.

Thanks @xanbanx for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab EE/CE 12.6.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

# Private Group Name Revealed Through Protected Tags API

When a group is removed from a project membership, it was possible for group
members to see project namespace changes through the Protected Tags API. This
issue is now mitigated in the latest release and is assigned CVE-2019-20147.

Thanks @ashish_r_padelkar for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab EE/CE 9.1 and later.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

# Users Can Publish Reviews on Locked Merge Requests

When a merge request was locked, a user was still able to submit a drafted
review and publish it. This issue is now mitigated in the latest release and is
assigned CVE-2019-20145.
Thanks @rafiem for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab CE/EE 11.4 and later.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

# DoS in the Issue and Commit Comments Pages

While adding a comment in the Issue and Commit pages, a malicious user can
cause an HTTP 500 response by sending a specially crafted message. This issue
is now mitigated in the latest release and is assigned CVE-2019-20142.

Thanks @dfens for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab CE/EE 12.3 and later.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

# Project Name Disclosed Through Unsubscribe Link

When an unauthenticated user visits an unsubscribe link, a private project
name can be disclosed under certain conditions. This issue is now mitigated in
the latest release and is assigned CVE-2019-20148.

Thanks @ashish_r_padelkar for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab EE/CE 8.13 and later.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

# Private Project Name Disclosed Through Notification Settings

Under specific conditions a user can view the name of a private project
through the notification settings. This issue is now mitigated in the latest
release and is assigned CVE-2020-5197.

Thanks @iframe for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab EE/CE 5.1 and later.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

Updating

To update GitLab, see the Update page.
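The remediation sections above reduce to one operational question for an administrator: is the installed GitLab version at or above the fixed release for its series, and if not, which of the listed CVEs still apply? The following script is an added example for this bulletin, not GitLab's or AusCERT's own tooling. It encodes only the fixed versions and "affects X and later" ranges stated in the text; the version strings fed to it are constructed sample inputs, and the `-ee`/`-ce` suffix handling is an assumption about the common GitLab version-string format.

```python
"""Check an installed GitLab version against the fixes in GitLab security
release 12.6.2 / 12.5.6 / 12.4.7 (2 January 2020).

Added example, not part of the AusCERT bulletin or of GitLab's tooling.
Fixed versions and affected ranges are transcribed from the bulletin above;
the sample version strings in main() are constructed inputs.
"""
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Fixed releases announced in the bulletin, keyed by minor series.
FIXED_VERSIONS: Dict[Tuple[int, int], Version] = {
    (12, 6): (12, 6, 2),
    (12, 5): (12, 5, 6),
    (12, 4): (12, 4, 7),
}

# (CVE, first affected version) as stated in each "Versions Affected" line.
# CVE-2019-20143 is listed as affecting 12.6 only; since 12.6 was the newest
# series at the time, "12.6 and later" and "12.6" coincide here.
ADVISORIES: List[Tuple[str, Version]] = [
    ("CVE-2019-20144", (10, 8, 0)),   # group runner modification via API
    ("CVE-2019-20146", (11, 0, 0)),   # GraphQL query hang
    ("CVE-2019-20143", (12, 6, 0)),   # release milestones visible unauthenticated
    ("CVE-2019-20147", (9, 1, 0)),    # group name via Protected Tags API
    ("CVE-2019-20145", (11, 4, 0)),   # reviews on locked merge requests
    ("CVE-2019-20142", (12, 3, 0)),   # HTTP 500 from issue/commit comments
    ("CVE-2019-20148", (8, 13, 0)),   # project name via unsubscribe link
    ("CVE-2020-5197", (5, 1, 0)),     # project name via notification settings
]


def parse_version(text: str) -> Version:
    """Parse 'X.Y.Z' with an optional edition suffix ('12.6.1-ee') into ints.
    The suffix handling is an assumption about GitLab's version strings."""
    core = text.strip().split("-")[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def is_patched(version: Version) -> bool:
    """True when the version is at or above the fixed release of its series,
    or belongs to a series newer than 12.6. Series older than 12.4 received no
    patched release in this bulletin, so they are never considered patched."""
    series = version[:2]
    if series in FIXED_VERSIONS:
        return version >= FIXED_VERSIONS[series]
    return series > (12, 6)


def applicable_cves(version: Version) -> List[str]:
    """CVEs from the bulletin whose affected range includes this version."""
    if is_patched(version):
        return []
    return [cve for cve, first in ADVISORIES if version >= first]


def recommended_upgrade(version: Version) -> Version:
    """Fixed release in the same series if one exists; otherwise the newest
    fixed release, since the bulletin patches no series older than 12.4."""
    return FIXED_VERSIONS.get(version[:2], (12, 6, 2))


def assess(version_text: str) -> dict:
    """Full assessment for one installed version string."""
    v = parse_version(version_text)
    return {
        "version": version_text,
        "patched": is_patched(v),
        "cves": applicable_cves(v),
        "upgrade_to": ".".join(map(str, recommended_upgrade(v))),
    }


if __name__ == "__main__":
    # Constructed sample inputs covering each series and an unpatched old one.
    for sample in ["12.6.1-ee", "12.5.6", "12.4.0", "11.11.3", "12.7.0"]:
        print(assess(sample))
```

The check is deliberately conservative: an installation on a series older than 12.4 is reported as unpatched for every CVE whose range it falls in, because the bulletin offers no backported fix for those series and the only remediation is moving to a patched one.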
- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is maintained
within your organisation, so if you do not wish to continue receiving these
bulletins you should contact your local IT manager. If you do not know who
that is, please send an email to auscert@auscert.org.au and we will forward
your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXhK5cWaOgq3Tt24GAQhO6A/9Gj2G6V3pc7wOdfTmd39pLr3UlAjfyZrs
gI0QuWmH9K9bsNbu8UrI7BOmA9f+k4N2ir7Jrf/S1bT4vB/CyuSokSoNbQqirZbk
jMtUvnhKlYu3goLygWXgjrABu3IbTwtpu4mQS0BaokSG5WzI4Cm1zYLkIRUu2JHd
j4W6iOgKNV5V6e1HDOSuz9BEReWKToBXFyJo0UGtc39BB8HwL9xeOSnGxa87dUa7
dR5T8rq01ClGDLfHjnrV7zwTdKD0Mfv5faAWGreoOvplKsQKgpChQGY/DyCgo8mn
uTuevj++pkZvDOJepIDlPABnNF/tSKxCbUfh1U/4UaRcj3ObPSTsxORKgq13BXPK
uedEJ4hbHgCGvbfUuOyQYGAiTPEQiRJcM5hwCsZOM2XLbyQnt2NbbNpX4FsxT+yX
LwmwLmxGPgztQZitdOm8NgapuwAaa0xtZUch1pXxR6jFNt2tkdUXft70lkFtjt3+
tJWyB8OURq06URCTHXCybjTc8QYvhhEAMnrb9w4bTvQQctXapLEqYSRB1O8cf5/S
TEY3okx1OgCgK57US+7RUkhtqsab5r0v8bY+xU01z/3Nf0vEgKV9OuCB3BupJWGd
0cIsaKMB1kZ08pOlLSw31XfUm6S7FU4cfB5hsR3dY2k4vYofPsBk/2+WdnLrQNJy
l+DgF/5NZb4=
=FbCV
-----END PGP SIGNATURE-----