-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.1116
           GitLab Security Release: 13.10.1, 13.9.5, and 13.8.7
                               1 April 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           GitLab Community Edition
                   GitLab Enterprise Edition
Publisher:         GitLab
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
                   Virtualisation
Impact/Access:     Create Arbitrary Files     -- Remote/Unauthenticated
                   Delete Arbitrary Files     -- Existing Account      
                   Cross-site Request Forgery -- Existing Account      
                   Cross-site Scripting       -- Existing Account      
                   Read-only Data Access      -- Remote/Unauthenticated
                   Denial of Service          -- Existing Account      
                   Access Confidential Data   -- Remote/Unauthenticated
                   Reduced Security           -- Unknown/Unspecified   
Resolution:        Patch/Upgrade

Original Bulletin: 
   https://about.gitlab.com/releases/2021/03/31/security-release-gitlab-13-10-1-released/

- --------------------------BEGIN INCLUDED TEXT--------------------

GitLab Security Release: 13.10.1, 13.9.5, and 13.8.7

Learn more about GitLab Security Release: 13.10.1, 13.9.5, and 13.8.7 for
GitLab Community Edition (CE) and Enterprise Edition (EE).

Today we are releasing versions 13.10.1, 13.9.5, and 13.8.7 for GitLab
Community Edition (CE) and Enterprise Edition (EE).

These versions contain important security fixes, and we strongly recommend that
all GitLab installations be upgraded to one of these versions immediately.

GitLab releases patches for vulnerabilities in dedicated security releases.
There are two types of security releases: a monthly, scheduled security
release, released a week after the feature release (which deploys on the 22nd
of each month), and ad-hoc security releases for critical vulnerabilities. For
more information, you can visit our security FAQ. You can see all of our
regular and security release blog posts here. In addition, the issues detailing
each vulnerability are made public on our issue tracker 30 days after the
release in which they were patched.

We are dedicated to ensuring all aspects of GitLab that are exposed to
customers or that host customer data are held to the highest security
standards. As part of maintaining good security hygiene, it is highly
recommended that all customers upgrade to the latest security release for their
supported version. You can read more best practices in securing your GitLab
instance in our blog post.

Table of Fixes

Title                                                         Severity

Arbitrary File Read During Project Import                     critical
Kroki Arbitrary File Read/Write                               high
Stored Cross-Site-Scripting in merge requests                 medium
Access data of an internal project through a public           medium
  project fork as an anonymous user
Incident metric images can be deleted by any user             medium
Infinite Loop When a User Accesses a Merge Request            low
Stored XSS in scoped labels                                   low
Admin CSRF in System Hooks Execution Through API              low
Update OpenSSL dependency                                     Dependency update - high
Update PostgreSQL dependency                                  Dependency update - medium

Arbitrary File Read During Project Import

An issue has been discovered in GitLab CE/EE affecting all versions starting
from 13.9. A specially crafted import file could read files on the server. This
is a critical severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N,
9.6). We have requested a CVE ID and will update this blog post when it is
assigned.

Thanks saltyyolk for reporting this vulnerability through our HackerOne bug
bounty program.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

Kroki Arbitrary File Read/Write

An issue has been discovered in GitLab CE/EE affecting all versions starting
with 13.7.9. A specially crafted Wiki page allowed attackers to read arbitrary
files on the server. This is a high severity issue (CVSS:3.1/AV:N/AC:H/PR:N/
UI:N/S:C/C:H/I:L/A:N, 7.5). We have requested a CVE ID and will update this
blog post when it is assigned.

Thanks @ledz1996 for reporting this vulnerability through our HackerOne bug
bounty program.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

Stored Cross-Site-Scripting in merge requests

An issue has been discovered in GitLab CE/EE affecting all versions starting
from 13.4. It was possible to exploit a stored cross-site scripting
vulnerability in merge requests via a specially crafted branch name. This is a
medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N, 6.3). We
have requested a CVE ID and will update this blog post when it is assigned.

Thanks @yvvdwf for reporting this vulnerability through our HackerOne bug
bounty program.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

Access data of an internal project through a public project fork as an
anonymous user

An issue has been discovered in GitLab CE/EE affecting all versions starting
with 12.6. Under a special condition it was possible to access data of an
internal repository through a public project fork as an anonymous user. This is
a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N, 5.9). We
have requested a CVE ID and will update this blog post when it is assigned.

This vulnerability has been discovered internally by the GitLab team.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

Incident metric images can be deleted by any user

An issue has been discovered in GitLab CE/EE affecting all versions from 13.8
and above, allowing an authenticated user to delete incident metric images of
public projects. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/
S:U/C:N/I:L/A:N, 4.3). We have requested a CVE ID and will update this blog
post when it is assigned.

Thanks @ashish_r_padelkar for reporting this vulnerability through our
HackerOne bug bounty program.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

Infinite Loop When a User Accesses a Merge Request

An issue has been discovered in GitLab CE/EE affecting all versions starting
from 10.6 where an infinite loop exists when an authenticated user with specific
rights accesses an MR whose source and target branches point to each other. This
is a low severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L, 3.5). We
have requested a CVE ID and will update this blog post when it is assigned.

This vulnerability has been discovered internally by the GitLab team.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

Stored XSS in scoped labels

An issue has been discovered in GitLab affecting all versions starting with
12.9. GitLab was vulnerable to a stored XSS if scoped labels were used. This is
a low severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N, 3.5). We
have requested a CVE ID and will update this blog post when it is assigned.

Thanks mike12 for reporting this vulnerability through our HackerOne bug bounty
program.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

Admin CSRF in System Hooks Execution Through API

An issue has been discovered in GitLab CE/EE affecting all previous versions.
If the victim is an admin, it was possible to perform a CSRF attack against
System Hooks through the API. This is a low severity issue (CVSS:3.1/AV:N/AC:L/
PR:H/UI:R/S:U/C:N/I:L/A:N, 2.4). We have requested a CVE ID and will update
this blog post when it is assigned.

Thanks @mishre for reporting this vulnerability through our HackerOne bug
bounty program.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

Update OpenSSL dependency

The dependency on OpenSSL has been upgraded to 1.1.1j in order to mitigate
security concerns.

Versions affected

Affects versions 13.8 and later.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

Update PostgreSQL dependency

The dependency on PostgreSQL 11 and 12 has been upgraded to 11.11 and 12.6 in
order to mitigate security concerns.

Versions affected

Affects versions 9.0 and later.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

Updating

To update GitLab, see the Update page. To update GitLab Runner, see the
Updating the Runner page.
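Before scheduling the upgrade, an operator usually wants to know which of their instances still sit below the fixed releases and which of the issues above apply to each. The Python below is an added example and not part of the GitLab post or the AusCERT bulletin: it compares an inventory of version strings against the three fixed releases (13.10.1, 13.9.5, 13.8.7) and against the "affecting all versions starting from" bounds stated in each issue. How release lines that the bulletin does not name are treated (lines newer than 13.10 counted as patched, lines older than 13.8 pointed at 13.10.1) is an assumption of this example, as is the sample inventory, which is constructed.

```python
import re

# Fixed releases announced in this bulletin, keyed by release line (major, minor).
FIXED = {
    (13, 10): (13, 10, 1),
    (13, 9): (13, 9, 5),
    (13, 8): (13, 8, 7),
}

# Lower bound of the affected range as stated in each issue description
# ("affecting all versions starting from ..."); None means "all previous versions".
AFFECTED_FROM = {
    "Arbitrary File Read During Project Import": (13, 9),
    "Kroki Arbitrary File Read/Write": (13, 7, 9),
    "Stored Cross-Site-Scripting in merge requests": (13, 4),
    "Access data of an internal project through a public project fork": (12, 6),
    "Incident metric images can be deleted by any user": (13, 8),
    "Infinite Loop When a User Accesses a Merge Request": (10, 6),
    "Stored XSS in scoped labels": (12, 9),
    "Admin CSRF in System Hooks Execution Through API": None,
}


def parse_version(text):
    """Turn '13.9.3', 'v13.9.3' or '13.9.3-ee' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    return tuple(int(n) for n in m.groups())


def upgrade_target(version):
    """Fixed release the instance should move to, or None if it already carries the fix.

    Assumption (not stated in the bulletin): release lines newer than 13.10 were cut
    after the fix and count as patched; lines older than 13.8 received no patch
    release and are pointed at the newest fixed release, 13.10.1.
    """
    v = parse_version(version)
    line = v[:2]
    if line in FIXED:
        return None if v >= FIXED[line] else FIXED[line]
    if line > (13, 10):
        return None
    return FIXED[(13, 10)]


def affected_issues(version):
    """Titles of the issues in this bulletin whose stated affected range covers the version."""
    v = parse_version(version)
    if upgrade_target(version) is None:
        return []
    # Tuple comparison handles both (13, 9) and (13, 7, 9) style bounds.
    return [title for title, start in AFFECTED_FROM.items() if start is None or v >= start]


def audit(inventory):
    """inventory: mapping host -> version string. Returns a per-host report dict."""
    report = {}
    for host, version in inventory.items():
        target = upgrade_target(version)
        report[host] = {
            "version": version,
            "patched": target is None,
            "upgrade_to": None if target is None else ".".join(map(str, target)),
            "issues": affected_issues(version),
        }
    return report


if __name__ == "__main__":
    # Constructed sample inventory; host names and versions are made up for the example.
    sample = {"git-prod": "13.9.3-ee", "git-staging": "13.10.1", "git-legacy": "13.4.2"}
    for host, r in audit(sample).items():
        status = "patched" if r["patched"] else f"upgrade to {r['upgrade_to']}"
        print(f"{host:12} {r['version']:10} {status}; {len(r['issues'])} issue(s) apply")
```

Because the per-issue bounds differ, an instance on an older line is not exposed to every issue in the table (a 13.4.x instance, for example, is outside the stated ranges for the import and Kroki issues) but is still unpatched against the rest, so the upgrade decision should be driven by upgrade_target rather than by the issue list alone.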

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYGUT5+NLKJtyKPYoAQj4Lg//ensOcY5fgKPG8Je3MR+O8Pj4cwu+oHzU
RwdMlTcO5PULAqje1zEXbwFexDC39NoSljbAMp7SluVnulI3vdPd5jTrGmlHDC82
S1fIj9BfStsXv9e6YM4iutcSYFvr1MXiXRctjZ7XKXjeqmeBfi+GIFPFQbfr+ND3
UqTNQ8etxAHjlwcXas6UQYS9+Mxb8hhpkKmYeD3NwZbIqztu5bIeoOmJ3/LIHOML
aVh35+d6HzUZBMFKem7zfBtnWVf94mm4zBzjSFKaUKhN6kyImIMO3n2YH5It/LvO
yD5hDEbsUXtrrMZWbRuzihXWczVJpM1hqx1/PlLOMCWnMFQmpIG6/ywaHcp4uTno
w8YuZSghEJ/HZVqnovB1ae4+iSvl/x2nRo2AjHNUOgdIRc5NDGDTGSVBE7GKU4U8
x1difXx3sy1dHkXWdzh+qBS4IP4QBY4sS5gRX/QD+L4aTPO8Uqw9Ay/SL1UZpKUB
rmoLjivLg7CpkBfsyHL0/wlz3zmpP/bubco1+pqeHibRoKgSRtvoEESfkG+g42Q0
3ydFSUtdnRELPyaPm0D3EEGSPmQmHmTTY58OEXwA31rJgMCdQqbM//Vy7RD073z/
P/DfW9k/ygqk+Va4YgwMY+7kQNobqBOL5JhINkn78kQmM244PojBrMBanubguREl
RoVyEMiHPvs=
=LGpI
-----END PGP SIGNATURE-----