-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.3028
           GitLab Security Release: 13.3.4, 13.2.8, and 13.1.10
                             3 September 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           GitLab Community Edition
                   GitLab Enterprise Edition
Publisher:         GitLab
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
                   Virtualisation
Impact/Access:     Increased Privileges     -- Existing Account            
                   Cross-site Scripting     -- Remote with User Interaction
                   Denial of Service        -- Unknown/Unspecified         
                   Unauthorised Access      -- Remote/Unauthenticated      
                   Access Confidential Data -- Unknown/Unspecified         
                   Reduced Security         -- Unknown/Unspecified         
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-13318 CVE-2020-13317 CVE-2020-13316
                   CVE-2020-13315 CVE-2020-13314 CVE-2020-13313
                   CVE-2020-13311 CVE-2020-13310 CVE-2020-13309
                   CVE-2020-13308 CVE-2020-13307 CVE-2020-13306
                   CVE-2020-13305 CVE-2020-13304 CVE-2020-13303
                   CVE-2020-13302 CVE-2020-13301 CVE-2020-13300
                   CVE-2020-13299 CVE-2020-13298 CVE-2020-13297
                   CVE-2020-13289 CVE-2020-13287 CVE-2020-13284
                   CVE-2020-11022 CVE-2020-7663 

Reference:         ESB-2020.2966
                   ESB-2020.2883
                   ESB-2020.2867
                   ESB-2020.2694

Original Bulletin: 
   https://about.gitlab.com/releases/2020/09/02/security-release-gitlab-13-3-3-released/

- --------------------------BEGIN INCLUDED TEXT--------------------

Sep 2, 2020 - Vitor Meireles De Sousa  

GitLab Security Release: 13.3.4, 13.2.8, and 13.1.10


Attention

Versions 13.3.3, 13.2.7, and 13.1.9 were improperly packaged and did not
contain the security fixes outlined below. We've released 13.3.4, 13.2.8, and
13.1.10 to correct the packaging error. See #1176 for details and corrective
actions on the packaging error.
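The packaging note above means a version check cannot simply test "13.3.3 or later": three builds that carry a security-release number shipped without the fixes. The following is an added example (not GitLab's code) that classifies a GitLab version string accordingly. It assumes that branches newer than 13.3 were cut after these fixes landed, and it parses the JSON shape returned by GitLab's authenticated `GET /api/v4/version` endpoint; the sample response is constructed.

```python
import json
import re
from typing import Tuple

# Fixed version on each supported branch, per the advisory.
FIXED = {(13, 3): (13, 3, 4), (13, 2): (13, 2, 8), (13, 1): (13, 1, 10)}
# Builds tagged as security releases that shipped without the fixes.
BAD_PACKAGING = {(13, 3, 3), (13, 2, 7), (13, 1, 9)}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse '13.3.4', '13.3.4-ee' or '13.3.4-ce.0' into (major, minor, patch)."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def assess(text: str) -> str:
    """Classify a version as 'fixed', 'improperly-packaged' or 'vulnerable'.

    Assumption (not stated in the advisory): branches newer than 13.3 were
    cut after these fixes landed and therefore contain them.
    """
    v = parse_version(text)
    if v in BAD_PACKAGING:
        return "improperly-packaged"
    branch = v[:2]
    if branch in FIXED:
        return "fixed" if v >= FIXED[branch] else "vulnerable"
    # 13.0 and earlier received no patch; the only remediation is upgrading.
    return "fixed" if branch > (13, 3) else "vulnerable"


def assess_api_response(body: str) -> str:
    """Assess the JSON body returned by GET /api/v4/version (authenticated endpoint)."""
    return assess(json.loads(body)["version"])


if __name__ == "__main__":
    # Constructed sample response; a real check would fetch /api/v4/version
    # with a personal access token and pass the body here.
    sample = '{"version": "13.3.3-ee", "revision": "0123abcd"}'
    print(assess_api_response(sample))
```

Treat "improperly-packaged" exactly like "vulnerable" when deciding whether to upgrade; the only difference is that an instance reporting 13.3.3, 13.2.7 or 13.1.9 may have been upgraded in good faith and still be exposed.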

- ---

Today we are releasing versions 13.3.4, 13.2.8 and 13.1.10 for GitLab Community
Edition (CE) and Enterprise Edition (EE).

These versions contain important security fixes, and we strongly recommend that
all GitLab installations be upgraded to one of these versions immediately.

GitLab releases patches for vulnerabilities in dedicated security releases.
There are two types of security releases: a monthly, scheduled security
release, released a week after the feature release (which deploys on the 22nd
of each month), and ad-hoc security releases for critical vulnerabilities. You
can see all of our regular and security release blog posts here. In addition,
the issues detailing each vulnerability are made public on our issue tracker 30
days after the release in which they were patched.

We are dedicated to ensuring all aspects of GitLab that are exposed to
customers or that host customer data are held to the highest security
standards. As part of maintaining good security hygiene, it is highly
recommended that all customers upgrade to the latest security release for their
supported version. You can read more best practices in securing your GitLab
instance in our blog post.


Vendor Cross-Account Assume-Role Attack

GitLab EKS integration was vulnerable to a cross-account assume role attack
which could allow privileged access and possibly AWS account takeover. This
issue is now mitigated in the latest release and is assigned CVE-2020-13318.

Versions Affected

Affects GitLab 8.9 and later.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.
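The advisory does not say how the EKS integration's role assumption was hardened. The standard AWS mitigation for a vendor assuming a role in a customer account is to trust only the vendor's account and to require a customer-unique `sts:ExternalId`, so that one customer cannot use the vendor as a confused deputy against another. The following is an added example (not GitLab's code) that audits a role trust policy for those two properties; the sample policies, account IDs and external ID are constructed placeholders.

```python
from typing import Any, Dict, List


def _as_list(value: Any) -> List[Any]:
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _account_of(arn: str) -> str:
    """'arn:aws:iam::123456789012:root' -> '123456789012'."""
    parts = arn.split(":")
    return parts[4] if len(parts) > 4 else ""


def assume_role_findings(trust_policy: Dict[str, Any],
                         trusted_account: str,
                         expected_external_id: str) -> List[str]:
    """Report Allow statements that let a principal assume the role too loosely.

    Flags wildcard or unexpected principals, a missing sts:ExternalId
    condition (the confused-deputy case) and a mismatched ExternalId.
    """
    findings: List[str] = []
    for i, stmt in enumerate(_as_list(trust_policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        aws_principals = ["*"] if principal == "*" else _as_list(principal.get("AWS"))
        for p in aws_principals:
            if p == "*":
                findings.append(f"statement {i}: any AWS principal may assume this role")
            elif _account_of(p) != trusted_account:
                findings.append(f"statement {i}: untrusted principal {p}")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            findings.append(f"statement {i}: no sts:ExternalId condition (confused-deputy risk)")
        elif ext != expected_external_id:
            findings.append(f"statement {i}: sts:ExternalId does not match the configured value")
    return findings


# Constructed sample policies; the account ID and external ID are placeholders.
WEAK_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
        "Action": "sts:AssumeRole",
    }],
}

HARDENED_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "customer-unique-id-0001"}},
    }],
}

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_TRUST_POLICY), ("hardened", HARDENED_TRUST_POLICY)):
        print(name, assume_role_findings(policy, "111111111111", "customer-unique-id-0001"))
```

The weak policy is exactly the shape a vendor integration guide tends to ask for: it trusts the vendor account as a whole, so any tenant of that vendor who can make the vendor assume roles by ARN can name yours.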


Stored XSS on the Vulnerability Page

GitLab was vulnerable to a stored XSS on the standalone vulnerability page.
This issue is now mitigated in the latest release and is assigned
CVE-2020-13301.

Thanks xanbanx for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab 13.0 and later.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.


Outdated Job Token Can Be Reused to Access Unauthorized Resources

GitLab was not validating that job tokens were associated with running jobs.
This issue is now mitigated in the latest release and is assigned
CVE-2020-13284.

Versions Affected

Affects GitLab 11.3 and later.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.


File Disclosure Via Workhorse File Upload Bypass

Conan package upload functionality was not properly validating the supplied
parameters, which resulted in limited file disclosure. This issue is now
mitigated in the latest release and is assigned CVE-2020-13298.

Thanks ledz1996 for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab 13.0 and later.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.


Unauthorized Maintainer Can Edit Group Badge

An unauthorized project maintainer could edit the subgroup badges due to the
lack of authorization control. This issue is now mitigated in the latest
release and is assigned CVE-2020-13313.

Thanks ashish_r_padelkar for responsibly reporting this vulnerability to us.

Versions Affected

Affects all previous GitLab versions.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.


Denial of Service Within Wiki Functionality

An internal investigation revealed that GitLab's Wiki was vulnerable to a
parser attack that prevented anyone from accessing the Wiki functionality
through the user interface. This issue is now mitigated in the latest release
and is assigned CVE-2020-13311.

Versions Affected

Affects all GitLab versions prior to 13.0.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.


Sign-in Vulnerable to Brute-force Attacks

GitLab was vulnerable to brute-force attacks due to an improper handling of
sign-in parameters. This issue is now mitigated in the latest release and is
assigned CVE-2020-13289.

Versions Affected

Affects GitLab 8.7 and later.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.


Invalidated Session Allows Account Access With an Old Password

Under certain conditions GitLab was not properly revoking user sessions and
allowed a malicious user to access a user account with an old password. This
issue is now mitigated in the latest release and is assigned CVE-2020-13302.

Thanks rogov for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab 7.11 and later.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.


GitLab Omniauth Endpoint Renders User Controlled Messages

GitLab Omniauth endpoint allowed a malicious user to submit content to be
displayed back to the user within error messages. This issue is now mitigated
in the latest release and is assigned CVE-2020-13314.

Thanks h33t for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab 7.1 and later.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.


Blind SSRF Through Repository Mirroring

GitLab was vulnerable to a blind SSRF attack through the repository mirroring
feature. This issue is now mitigated in the latest release and is assigned
CVE-2020-13309.

Thanks sky003 for responsibly reporting this vulnerability to us.

Versions Affected

Affects all previous GitLab versions.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.


Information Disclosure Through Incorrect Group Permission Verifications

GitLab was vulnerable to information disclosure by not performing proper
verification on permissions for confidential epics. This issue is now mitigated
in the latest release and is assigned CVE-2020-13287.

Thanks ashish_r_padelkar for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab 13.0 and later.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.


No Rate Limit on GitLab Webhook Feature

GitLab Webhook feature could be abused to perform denial of service attacks due
to the lack of rate limitation. This issue is now mitigated in the latest
release and is assigned CVE-2020-13306.

Thanks noddyn12 for responsibly reporting this vulnerability to us.

Versions Affected

Affects all previous GitLab versions.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.


GitLab Session Revocation Feature Does Not Invalidate All Sessions

The revocation feature was not revoking all session tokens, so a token that
should have been revoked could still be re-used to obtain a valid session. This
issue is now mitigated in the latest release and is assigned CVE-2020-13299.

Thanks vaib25vicky for responsibly reporting this vulnerability to us.

Versions Affected

Affects all previous GitLab versions.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.


OAuth Authorization Scope for an External Application Can Be Changed Without
User Consent

GitLab was vulnerable to an OAuth authorization scope change without user
consent in the middle of the authorization flow. This issue is now mitigated in
the latest release and is assigned CVE-2020-13300.

Thanks fushbey for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab 13.3 and later.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.
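The defence against a scope change mid-flow is to bind the scope the user actually saw on the consent page to the approval the server later accepts, rather than reading the scope back out of the approval request. The following is an added example (not GitLab's or any OAuth library's code) contrasting the weak pattern with a consent form whose hidden `grant` field is an HMAC over the user, client, redirect URI, scope and state; the field names and the in-process signing key are assumptions for illustration.

```python
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional

# Per-process signing key; a real server keeps this in its secret store.
_CONSENT_KEY = secrets.token_bytes(32)
_BOUND_FIELDS = ("user_id", "client_id", "redirect_uri", "scope", "state")


def _mac(fields: Dict[str, str]) -> str:
    payload = json.dumps({k: fields[k] for k in _BOUND_FIELDS}, sort_keys=True).encode()
    return hmac.new(_CONSENT_KEY, payload, hashlib.sha256).hexdigest()


def render_consent(user_id: str, client_id: str, redirect_uri: str,
                   scope: str, state: str) -> Dict[str, str]:
    """Build the consent form fields. The 'grant' value commits the server to
    exactly the scope shown to this user for this client and redirect URI."""
    fields = {"user_id": user_id, "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": scope, "state": state}
    fields["grant"] = _mac(fields)
    return fields


def authorize_weak(session_user: str, form: Dict[str, str]) -> Optional[str]:
    """Vulnerable pattern: trusts whatever scope arrives in the approval POST,
    so a scope edited between consent page and approval is granted silently."""
    return form.get("scope")


def authorize(session_user: str, form: Dict[str, str]) -> Optional[str]:
    """Hardened: grant only the scope that was rendered on the consent page."""
    fields = {k: form.get(k, "") for k in _BOUND_FIELDS}
    if fields["user_id"] != session_user:
        return None  # form rendered for a different session
    if not hmac.compare_digest(_mac(fields), form.get("grant", "")):
        return None  # a bound field (scope included) changed after rendering
    return fields["scope"]


if __name__ == "__main__":
    # Constructed flow: user sees "read_user", attacker rewrites it to "api".
    form = render_consent("alice", "app-1", "https://app.example/cb", "read_user", "xyz")
    tampered = dict(form, scope="api")
    print("weak:", authorize_weak("alice", tampered))
    print("hardened:", authorize("alice", tampered))
```

Binding `user_id` as well as `scope` matters: without it a grant token minted in one session could be replayed in another.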


Unauthorized Maintainer Can Delete Repository

A project Maintainer was able to delete a repository through GraphQL due to
insufficient verification of permissions. This issue is now mitigated in the
latest release and is assigned CVE-2020-13317.

Thanks ledz1996 for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab 12.6 and later.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.


Improper Verification of Deploy-Key Leads to Access Restricted Repository

Due to improper verification of permissions, an unauthorized user could access a
private repository within a public project. This issue is now mitigated in the
latest release and is assigned CVE-2020-13303.

Thanks ledz1996 for responsibly reporting this vulnerability to us.

Versions Affected

Affects all previous GitLab versions.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.


Disabled Repository Still Accessible With a Deploy-Token

GitLab was not validating a Deploy-Token and allowed a disabled repository to
be accessed via the git command line. This issue is now mitigated in the latest
release and is assigned CVE-2020-13316.

Thanks vaib25vicky for responsibly reporting this vulnerability to us.

Versions Affected

Affects all previous GitLab versions.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.


Duplicated Secret Code Generated by 2 Factor Authentication Mechanism

The same 2 factor authentication secret code could be generated more than
once, which under certain conditions allowed an attacker to maintain access.
This issue is now mitigated in the latest release and is assigned
CVE-2020-13304.

Thanks rgupt for responsibly reporting this vulnerability to us.

Versions Affected

Affects all previous GitLab versions.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.


Lack of Validation Within Project Invitation Flow

GitLab was not invalidating the project invitation link upon removing a user
from a project. This issue is now mitigated in the latest release and is
assigned CVE-2020-13305.

Thanks rgupt for responsibly reporting this vulnerability to us.

Versions Affected

Affects all previous GitLab versions.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.


Current Sessions Not Invalidated Upon Enabling 2 Factor Authentication

GitLab was not revoking current user sessions when 2 factor authentication was
activated, allowing a malicious user to maintain their access. This issue is now
mitigated in the latest release and is assigned CVE-2020-13307.

Thanks xanbanx for responsibly reporting this vulnerability to us.

Versions Affected

Affects all previous GitLab versions.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.
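Three of the issues above (CVE-2020-13302, CVE-2020-13299 and CVE-2020-13307) share one root cause: sessions outlived the credentials they were issued against. A design that avoids the whole class binds every session to a per-account credential generation and bumps that generation on password change, on 2FA enrolment and on explicit "revoke all". The following is an added example of that design (not GitLab's code); the store is in-memory and the password hashing is PBKDF2 standing in for a production password hash.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Account:
    user_id: int
    salt: bytes
    password_hash: bytes
    credential_generation: int = 0  # bumped whenever credentials change
    two_factor_enabled: bool = False


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for a proper password hash in this illustration.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class SessionStore:
    def __init__(self) -> None:
        self.accounts: Dict[int, Account] = {}
        # token -> (user_id, generation the session was issued under)
        self.sessions: Dict[str, Tuple[int, int]] = {}

    def create_account(self, user_id: int, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[user_id] = Account(user_id, salt, _hash(password, salt))

    def login(self, user_id: int, password: str) -> Optional[str]:
        acct = self.accounts[user_id]
        if not hmac.compare_digest(_hash(password, acct.salt), acct.password_hash):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (user_id, acct.credential_generation)
        return token

    def session_user(self, token: str) -> Optional[int]:
        """Resolve a token; a session issued under an older generation is dead."""
        entry = self.sessions.get(token)
        if entry is None:
            return None
        user_id, generation = entry
        if generation != self.accounts[user_id].credential_generation:
            del self.sessions[token]
            return None
        return user_id

    def _bump(self, user_id: int, keep: Optional[str] = None) -> None:
        """Invalidate every session for the user except, optionally, the one
        that made the change, which is re-issued under the new generation."""
        acct = self.accounts[user_id]
        acct.credential_generation += 1
        for token, (uid, _) in list(self.sessions.items()):
            if uid == user_id and token != keep:
                del self.sessions[token]
        if keep in self.sessions:
            self.sessions[keep] = (user_id, acct.credential_generation)

    def change_password(self, user_id: int, old: str, new: str,
                        current_token: Optional[str] = None) -> bool:
        acct = self.accounts[user_id]
        if not hmac.compare_digest(_hash(old, acct.salt), acct.password_hash):
            return False
        acct.salt = os.urandom(16)
        acct.password_hash = _hash(new, acct.salt)
        self._bump(user_id, keep=current_token)
        return True

    def enable_two_factor(self, user_id: int, current_token: Optional[str] = None) -> None:
        self.accounts[user_id].two_factor_enabled = True
        self._bump(user_id, keep=current_token)

    def revoke_all_sessions(self, user_id: int) -> None:
        self._bump(user_id)
```

Because validity is derived from the account's generation rather than from deleting tokens one by one, a session cache or replica that missed the deletion still rejects the stale token on its next use.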


Users Without 2 Factor Authentication Can Be Blocked Accessing GitLab

A user without 2 factor authentication enabled could be prohibited from
accessing GitLab by being invited into a project that had 2 factor
authentication inheritance. This issue is now mitigated in the latest release
and is assigned CVE-2020-13308.

Thanks marshall0705 for responsibly reporting this vulnerability to us.

Versions Affected

Affects all previous GitLab versions.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.


Lack of Upper Bound Check Leading to Possible Denial of Service

The profile activity page was not restricting the amount of results one could
request, potentially resulting in a denial of service. This issue is now
mitigated in the latest release and is assigned CVE-2020-13315.

Thanks brandonnnn for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab 11.4 and later.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.


2 Factor Authentication for Groups Was Not Enforced Within API Endpoint

When 2 factor authentication was enabled for groups, a malicious user could
bypass that restriction by sending a specific query to the API endpoint. This
issue is now mitigated in the latest release and is assigned CVE-2020-13297.

Thanks xanbanx for responsibly reporting this vulnerability to us.

Versions Affected

Affects all previous GitLab versions.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.


GitLab Runner Denial of Service via CI Jobs

It was possible to make the gitlab-runner process crash by sending malformed
queries, resulting in a denial of service. This issue is now mitigated in the
latest release and is assigned CVE-2020-13310.

Versions Affected

Affects all previous versions of GitLab Runner.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.


Update websocket-extensions Gem

The websocket-extensions gem has been upgraded to 0.1.5. This upgrade includes
a security fix for CVE-2020-7663.


Update jQuery Dependency

The jQuery dependency has been upgraded to 3.5. This upgrade includes a
security fix for CVE-2020-11022.


Updating

To update GitLab, see the Update page. To update GitLab Runner, see the
Updating the Runner page.


Receive Security Release Notifications

To receive security release blog notifications delivered to your inbox, visit
our contact us page. To receive security release blog notifications via RSS,
subscribe to our RSS feed.


- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----