-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.3028
           GitLab Security Release: 13.3.4, 13.2.8, and 13.1.10
                              3 September 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           GitLab Community Edition
                   GitLab Enterprise Edition
Publisher:         GitLab
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
                   Virtualisation
Impact/Access:     Increased Privileges      -- Existing Account
                   Cross-site Scripting      -- Remote with User Interaction
                   Denial of Service         -- Unknown/Unspecified
                   Unauthorised Access       -- Remote/Unauthenticated
                   Access Confidential Data  -- Unknown/Unspecified
                   Reduced Security          -- Unknown/Unspecified
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-13318 CVE-2020-13317 CVE-2020-13316 CVE-2020-13315
                   CVE-2020-13314 CVE-2020-13313 CVE-2020-13311 CVE-2020-13310
                   CVE-2020-13309 CVE-2020-13308 CVE-2020-13307 CVE-2020-13306
                   CVE-2020-13305 CVE-2020-13304 CVE-2020-13303 CVE-2020-13302
                   CVE-2020-13301 CVE-2020-13300 CVE-2020-13299 CVE-2020-13298
                   CVE-2020-13297 CVE-2020-13289 CVE-2020-13287 CVE-2020-13284
                   CVE-2020-11022 CVE-2020-7663
Reference:         ESB-2020.2966
                   ESB-2020.2883
                   ESB-2020.2867
                   ESB-2020.2694

Original Bulletin:
   https://about.gitlab.com/releases/2020/09/02/security-release-gitlab-13-3-3-released/

- --------------------------BEGIN INCLUDED TEXT--------------------

Sep 2, 2020 - Vitor Meireles De Sousa

GitLab Security Release: 13.3.4, 13.2.8, and 13.1.10

Learn more about GitLab Security Release: 13.3.4, 13.2.8 and 13.1.10 for GitLab
Community Edition (CE) and Enterprise Edition (EE)

Attention

Versions 13.3.3, 13.2.7, and 13.1.9 were improperly packaged and did not contain
the security fixes outlined below. We've released 13.3.4, 13.2.8, and 13.1.10 to
correct the packaging error. See #1176 for details and corrective actions on the
packaging error.
- ---

Today we are releasing versions 13.3.4, 13.2.8 and 13.1.10 for GitLab Community
Edition (CE) and Enterprise Edition (EE).

These versions contain important security fixes, and we strongly recommend that
all GitLab installations be upgraded to one of these versions immediately.

GitLab releases patches for vulnerabilities in dedicated security releases. There
are two types of security releases: a monthly, scheduled security release,
released a week after the feature release (which deploys on the 22nd of each
month), and ad-hoc security releases for critical vulnerabilities. You can see
all of our regular and security release blog posts here. In addition, the issues
detailing each vulnerability are made public on our issue tracker 30 days after
the release in which they were patched.

We are dedicated to ensuring all aspects of GitLab that are exposed to customers
or that host customer data are held to the highest security standards. As part
of maintaining good security hygiene, it is highly recommended that all customers
upgrade to the latest security release for their supported version. You can read
more best practices in securing your GitLab instance in our blog post.

Vendor Cross-Account Assume-Role Attack

The GitLab EKS integration was vulnerable to a cross-account assume-role attack
which could allow privileged access and possibly AWS account takeover. This issue
is now mitigated in the latest release and is assigned CVE-2020-13318.

Versions Affected

Affects GitLab 8.9 and later.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

Stored XSS on the Vulnerability Page

GitLab was vulnerable to a stored XSS on the standalone vulnerability page. This
issue is now mitigated in the latest release and is assigned CVE-2020-13301.

Thanks xanbanx for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab 13.0 and later.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

Outdated Job Token Can Be Reused to Access Unauthorized Resources

GitLab was not validating that job tokens were associated with running jobs.
This issue is now mitigated in the latest release and is assigned
CVE-2020-13284.

Versions Affected

Affects GitLab 11.3 and later.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

File Disclosure Via Workhorse File Upload Bypass

The Conan package upload functionality was not properly validating the supplied
parameters, which resulted in limited file disclosure. This issue is now
mitigated in the latest release and is assigned CVE-2020-13298.

Thanks ledz1996 for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab 13.0 and later.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

Unauthorized Maintainer Can Edit Group Badge

An unauthorized project maintainer could edit the subgroup badges due to the
lack of authorization control. This issue is now mitigated in the latest release
and is assigned CVE-2020-13313.

Thanks ashish_r_padelkar for responsibly reporting this vulnerability to us.

Versions Affected

Affects all previous GitLab versions.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

Denial of Service Within Wiki Functionality

An internal investigation revealed that GitLab's Wiki was vulnerable to a parser
attack that prohibits anyone from accessing the Wiki functionality through the
user interface. This issue is now mitigated in the latest release and is
assigned CVE-2020-13311.

Versions Affected

Affects all GitLab versions prior to 13.0.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

Sign-in Vulnerable to Brute-force Attacks

GitLab was vulnerable to brute-force attacks due to improper handling of sign-in
parameters. This issue is now mitigated in the latest release and is assigned
CVE-2020-13289.

Versions Affected

Affects GitLab 8.7 and later.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

Invalidated Session Allows Account Access With an Old Password

Under certain conditions GitLab was not properly revoking user sessions and
allowed a malicious user to access a user account with an old password. This
issue is now mitigated in the latest release and is assigned CVE-2020-13302.

Thanks rogov for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab 7.11 and later.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

GitLab Omniauth Endpoint Renders User Controlled Messages

The GitLab Omniauth endpoint allowed a malicious user to submit content to be
displayed back to the user within error messages. This issue is now mitigated
in the latest release and is assigned CVE-2020-13314.

Thanks h33t for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab 7.1 and later.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

Blind SSRF Through Repository Mirroring

GitLab was vulnerable to a blind SSRF attack through the repository mirroring
feature. This issue is now mitigated in the latest release and is assigned
CVE-2020-13309.

Thanks sky003 for responsibly reporting this vulnerability to us.

Versions Affected

Affects all previous GitLab versions.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

Information Disclosure Through Incorrect Group Permission Verifications

GitLab was vulnerable to information disclosure by not performing proper
verification of permissions for confidential epics. This issue is now mitigated
in the latest release and is assigned CVE-2020-13287.

Thanks ashish_r_padelkar for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab 13.0 and later.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

No Rate Limit on GitLab Webhook Feature

The GitLab Webhook feature could be abused to perform denial of service attacks
due to the lack of rate limiting. This issue is now mitigated in the latest
release and is assigned CVE-2020-13306.

Thanks noddyn12 for responsibly reporting this vulnerability to us.

Versions Affected

Affects all previous GitLab versions.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

GitLab Session Revocation Feature Does Not Invalidate All Sessions

The revocation feature was not revoking all session tokens, and one could re-use
them to obtain a valid session. This issue is now mitigated in the latest
release and is assigned CVE-2020-13299.

Thanks vaib25vicky for responsibly reporting this vulnerability to us.

Versions Affected

Affects all previous GitLab versions.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

OAuth Authorization Scope for an External Application Can Be Changed Without
User Consent

GitLab was vulnerable to an OAuth authorization scope change without user
consent in the middle of the authorization flow. This issue is now mitigated in
the latest release and is assigned CVE-2020-13300.

Thanks fushbey for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab 13.3 and later.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

Unauthorized Maintainer Can Delete Repository

A project Maintainer was able to delete a repository through GraphQL due to
insufficient verification of permissions. This issue is now mitigated in the
latest release and is assigned CVE-2020-13317.

Thanks ledz1996 for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab 12.6 and later.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

Improper Verification of Deploy-Key Leads to Access Restricted Repository

Due to improper verification of permissions, an unauthorized user could access a
private repository within a public project. This issue is now mitigated in the
latest release and is assigned CVE-2020-13303.

Thanks ledz1996 for responsibly reporting this vulnerability to us.

Versions Affected

Affects all previous GitLab versions.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

Disabled Repository Still Accessible With a Deploy-Token

GitLab was not validating a Deploy-Token and allowed a disabled repository to be
accessed via the git command line. This issue is now mitigated in the latest
release and is assigned CVE-2020-13316.

Thanks vaib25vicky for responsibly reporting this vulnerability to us.

Versions Affected

Affects all previous GitLab versions.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.
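The Remediation advice is the same for every issue in this release: upgrade to 13.3.4, 13.2.8 or 13.1.10, and note that 13.3.3, 13.2.7 and 13.1.9 were mispackaged without the fixes. The following Python helper is an added example, not code from GitLab or AusCERT, that turns those facts into a check an administrator can run against the version string an instance reports (for example the `version` field of its `/api/v4/version` endpoint); the MAJOR.MINOR.PATCH format with an optional `-ee`/`-ce` suffix is an assumption.

```python
"""Check a GitLab version string against the fixed versions in this bulletin.

Added example for this bulletin, not GitLab's or AusCERT's own code. The fixed
versions and the mispackaged builds come from the bulletin text; the accepted
version-string format (e.g. "13.2.5-ee") is an assumption.
"""
import re
from typing import NamedTuple, Optional, Tuple

Version = Tuple[int, int, int]

# Patched release per supported minor series, as listed in the bulletin.
FIXED = {(13, 3): (13, 3, 4), (13, 2): (13, 2, 8), (13, 1): (13, 1, 10)}
# Builds originally announced as fixed but packaged without the fixes.
MISPACKAGED = {(13, 3, 3), (13, 2, 7), (13, 1, 9)}
# Newest release in this bulletin; older, unsupported series should move here.
LATEST = (13, 3, 4)

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)(?:[-+].*)?\s*$")


class Verdict(NamedTuple):
    vulnerable: bool
    reason: str
    upgrade_to: Optional[str]  # version to move to, None when already patched


def parse_version(text: str) -> Version:
    """Parse "MAJOR.MINOR.PATCH[-suffix]" into an int tuple; reject anything else."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def fmt(v: Tuple[int, ...]) -> str:
    return ".".join(str(n) for n in v)


def check(text: str) -> Verdict:
    """Decide whether the reported version carries this bulletin's fixes."""
    v = parse_version(text)
    series = v[:2]
    if v in MISPACKAGED:
        # Looks like a patched build number but does not contain the fixes.
        return Verdict(True, f"{fmt(v)} was mispackaged without the fixes", fmt(FIXED[series]))
    if series in FIXED:
        fixed = FIXED[series]
        if v >= fixed:
            return Verdict(False, f"{fmt(v)} is at or above patched {fmt(fixed)}", None)
        return Verdict(True, f"{fmt(v)} is below patched {fmt(fixed)}", fmt(fixed))
    if v > LATEST:
        # A series newer than this bulletin; it postdates these fixes.
        return Verdict(False, f"{fmt(v)} is newer than this bulletin's releases", None)
    # Unsupported older series: no backport exists, move to the newest release.
    return Verdict(True, f"{fmt(v)} series {fmt(series)} has no patch in this bulletin", fmt(LATEST))


if __name__ == "__main__":
    for sample in ("13.3.4-ee", "13.3.3", "13.2.5-ce", "12.10.14", "13.4.0"):
        print(sample, "->", check(sample))
```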
Duplicated Secret Code Generated by 2 Factor Authentication Mechanism

The same 2 factor authentication secret code was generated, which allowed an
attacker to maintain access under certain conditions. This issue is now
mitigated in the latest release and is assigned CVE-2020-13304.

Thanks rgupt for responsibly reporting this vulnerability to us.

Versions Affected

Affects all previous GitLab versions.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

Lack of Validation Within Project Invitation Flow

GitLab was not invalidating the project invitation link upon removing a user
from a project. This issue is now mitigated in the latest release and is
assigned CVE-2020-13305.

Thanks rgupt for responsibly reporting this vulnerability to us.

Versions Affected

Affects all previous GitLab versions.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

Current Sessions Not Invalidated Upon Enabling 2 Factor Authentication

GitLab was not revoking current user sessions when 2 factor authentication was
activated, allowing a malicious user to maintain their access. This issue is now
mitigated in the latest release and is assigned CVE-2020-13307.

Thanks xanbanx for responsibly reporting this vulnerability to us.

Versions Affected

Affects all previous GitLab versions.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

Users Without 2 Factor Authentication Can Be Blocked Accessing GitLab

A user without 2 factor authentication enabled could be prohibited from
accessing GitLab by being invited into a project that had 2 factor
authentication inheritance. This issue is now mitigated in the latest release
and is assigned CVE-2020-13308.

Thanks marshall0705 for responsibly reporting this vulnerability to us.

Versions Affected

Affects all previous GitLab versions.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

Lack of Upper Bound Check Leading to Possible Denial of Service

The profile activity page was not restricting the number of results one could
request, potentially resulting in a denial of service. This issue is now
mitigated in the latest release and is assigned CVE-2020-13315.

Thanks brandonnnn for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab 11.4 and later.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

2 Factor Authentication for Groups Was Not Enforced Within API Endpoint

When 2 factor authentication was enabled for groups, a malicious user could
bypass that restriction by sending a specific query to the API endpoint. This
issue is now mitigated in the latest release and is assigned CVE-2020-13297.

Thanks xanbanx for responsibly reporting this vulnerability to us.

Versions Affected

Affects all previous GitLab versions.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

GitLab Runner Denial of Service via CI Jobs

It was possible to make the gitlab-runner process crash by sending malformed
queries, resulting in a denial of service. This issue is now mitigated in the
latest release and is assigned CVE-2020-13310.

Versions Affected

Affects all previous versions of GitLab Runner.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

Update websocket-extensions Gem

The websocket-extensions gem has been upgraded to 0.1.5. This upgrade includes a
security fix for CVE-2020-7663.

Update jQuery Dependency

The jQuery dependency has been upgraded to 3.5. This upgrade includes a security
fix for CVE-2020-11022.

Updating

To update GitLab, see the Update page. To update GitLab Runner, see the
Updating the Runner page.

Receive Security Release Notifications

To receive security release blog notifications delivered to your inbox, visit
our contact us page. To receive security release blog notifications via RSS,
subscribe to our RSS feed.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is maintained
within your organisation, so if you do not wish to continue receiving these
bulletins you should contact your local IT manager. If you do not know who that
is, please send an email to auscert@auscert.org.au and we will forward your
request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be
updated when updates to the original are made. If downloading at a later date,
it is recommended that the bulletin is retrieved directly from the author's
website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================