-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.3262
            GitLab Security Release: 14.3.1, 14.2.5, and 14.1.7
                              1 October 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           GitLab Community Edition
                   GitLab Enterprise Edition
Publisher:         GitLab
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
                   Virtualisation
Impact/Access:     Increased Privileges           -- Existing Account            
                   Denial of Service              -- Remote/Unauthenticated      
                   Cross-site Scripting           -- Existing Account            
                   Access Confidential Data       -- Remote/Unauthenticated      
                   Provide Misleading Information -- Remote with User Interaction
                   Unauthorised Access            -- Existing Account            
                   Reduced Security               -- Existing Account            
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-39887 CVE-2021-39886 CVE-2021-39885
                   CVE-2021-39884 CVE-2021-39883 CVE-2021-39882
                   CVE-2021-39881 CVE-2021-39879 CVE-2021-39878
                   CVE-2021-39877 CVE-2021-39875 CVE-2021-39874
                   CVE-2021-39873 CVE-2021-39872 CVE-2021-39871
                   CVE-2021-39870 CVE-2021-39869 CVE-2021-39868
                   CVE-2021-39867 CVE-2021-39866 CVE-2021-22259

Original Bulletin: 
   https://about.gitlab.com/releases/2021/09/30/security-release-gitlab-14-3-1-released/

- --------------------------BEGIN INCLUDED TEXT--------------------

Sep 30, 2021 - Michael Henriksen  

GitLab Security Release: 14.3.1, 14.2.5, and 14.1.7

Today we are releasing versions 14.3.1, 14.2.5, and 14.1.7 for GitLab Community
Edition (CE) and Enterprise Edition (EE).

These versions contain important security fixes, and we strongly recommend that
all GitLab installations be upgraded to one of these versions immediately.

GitLab releases patches for vulnerabilities in dedicated security releases.
There are two types of security releases: a monthly, scheduled security
release, released a week after the feature release (which deploys on the 22nd
of each month), and ad-hoc security releases for critical vulnerabilities. For
more information, you can visit our security FAQ. You can see all of our
regular and security release blog posts here. In addition, the issues detailing
each vulnerability are made public on our issue tracker 30 days after the
release in which they were patched.

We are dedicated to ensuring all aspects of GitLab that are exposed to
customers or that host customer data are held to the highest security
standards. As part of maintaining good security hygiene, it is highly
recommended that all customers upgrade to the latest security release for their
supported version. You can read more best practices in securing your GitLab
instance in our blog post.

Recommended Action

We strongly recommend that all installations running a version affected by the
issues described below are upgraded to the latest version as soon as possible.

Table of Fixes

Severity  Title
high      Stored XSS in merge request creation page
high      Denial-of-service attack in Markdown parser
high      Stored Cross-Site Scripting vulnerability in the GitLab Flavored Markdown
medium    DNS Rebinding vulnerability in Gitea importer
medium    Exposure of trigger tokens on project exports
medium    Improper access control for users with expired password
medium    Access tokens are not cleared after impersonation
medium    Reflected Cross-Site Scripting in Jira Integration
medium    DNS Rebinding vulnerability in Fogbugz importer
medium    Access tokens persist after project deletion
medium    User enumeration vulnerability
medium    Potential DOS via API requests
medium    Pending invitations of public groups and public projects are visible to any user
medium    Bypass Disabled Repo by URL Project Creation
medium    Low privileged users can see names of the private groups shared in projects
medium    API discloses sensitive info to low privileged users
medium    Epic listing does not honour group memberships
medium    Insecure Direct Object Reference vulnerability may lead to protected branch names getting disclosed
medium    Low privileged users can import users from projects that they are not a maintainer on
medium    Potential DOS via dependencies API
medium    Create a project with unlimited repository size through malicious Project Import
medium    Bypass disabled Bitbucket Server import source project creation
medium    Requirement to enforce 2FA is not honored when using git commands
medium    Content spoofing vulnerability
low       Improper session management in impersonation feature
low       Create OAuth application with arbitrary scopes through content spoofing
low       Lack of account lockout on change password functionality
low       Epic reference was not updated while moved between groups
low       Missing authentication allows disabling of two-factor authentication
low       Information disclosure in SendEntry

Stored XSS in merge request creation page

A stored XSS in the merge request creation page in GitLab EE version 13.5 and
above allows an attacker to execute arbitrary JavaScript code on the victim's
behalf via malicious approval rule names. This is a high severity issue
(CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N, 8.7). It is now mitigated in the
latest release and is assigned CVE-2021-39885.

Thanks joaxcar for reporting this vulnerability through our HackerOne bug
bounty program.

Denial-of-service attack in Markdown parser

A vulnerability was discovered in GitLab starting with version 12.2 that allows
an attacker to cause uncontrolled resource consumption with a specially crafted
file. This is a high severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/
A:H, 7.7). It is now mitigated in the latest release and is assigned
CVE-2021-39877.

Thanks phill for reporting this vulnerability through our HackerOne bug bounty
program.

Stored Cross-Site Scripting vulnerability in the GitLab Flavored Markdown

A stored Cross-Site Scripting vulnerability in the GitLab Flavored Markdown in
GitLab CE/EE version 8.4 and above allowed an attacker to execute arbitrary
JavaScript code on the victim's behalf. This is a high severity issue (CVSS:3.0
/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N, 7.3). It is now mitigated in the latest
release and is assigned CVE-2021-39887.

Thanks saleemrashid for reporting this vulnerability through our HackerOne bug
bounty program.

DNS Rebinding vulnerability in Gitea importer

In all versions of GitLab CE/EE since version 8.15, a DNS rebinding
vulnerability in Gitea Importer may be exploited by an attacker to trigger
Server Side Request Forgery (SSRF) attacks. This is a medium severity issue
(CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N, 6.5). It is now mitigated in the
latest release and is assigned CVE-2021-39867.

This issue was found internally by a member of the GitLab team.

Exposure of trigger tokens on project exports

In all versions of GitLab CE/EE since version 8.9, project exports may expose
trigger tokens configured on that project. This is a medium severity issue
(CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N, 6.5). It is now mitigated in the
latest release and is assigned CVE-2021-39869.

Thanks @mishre for reporting this vulnerability through our HackerOne bug
bounty program.

Improper access control for users with expired password

In all versions of GitLab CE/EE since version 14.1, an improper access control
vulnerability allows users with an expired password to still access GitLab
through git and the API using access tokens acquired before the password
expired. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/
I:N/A:N, 6.5). It is now mitigated in the latest release and is assigned
CVE-2021-39872.

Thanks @ngalog for reporting this vulnerability through our HackerOne bug
bounty program.

Access tokens are not cleared after impersonation

In all versions of GitLab CE/EE since version 8.0, access tokens created as
part of an admin's impersonation of a user are not cleared at the end of the
impersonation, which may lead to unnecessary disclosure of sensitive
information. This is a medium severity issue (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/
C:H/I:H/A:N, 5.9). We have requested a CVE ID and will update this blog post
when it is assigned.

This vulnerability was found internally by a member of the GitLab team.

Reflected Cross-Site Scripting in Jira Integration

A reflected Cross-Site Scripting vulnerability in the Jira integration in
GitLab version 13.0 up to 14.3.1 allowed an attacker to execute arbitrary
JavaScript code. This is a medium severity issue (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/
S:C/C:H/I:N/A:N, 5.8). It is now mitigated in the latest release and is
assigned CVE-2021-39878.

Thanks ooooooo_q for reporting this vulnerability through our HackerOne bug
bounty program.

DNS Rebinding vulnerability in Fogbugz importer

In all versions of GitLab CE/EE since version 8.0, a DNS rebinding
vulnerability exists in the Fogbugz importer which may be exploited by
attackers to perform Server Side Request Forgery (SSRF) attacks. This is a
medium severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N, 5.4). We
have requested a CVE ID and will update this blog post when it is assigned.

This vulnerability was discovered internally by the GitLab team.

Access tokens persist after project deletion

A business logic error in the project deletion process in GitLab 13.6 and later
allows persistent access via project access tokens. This is a medium severity
issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N, 5.4). It is now mitigated
in the latest release and is assigned CVE-2021-39866.

Thanks joaxcar for reporting this vulnerability through our HackerOne bug
bounty program.

User enumeration vulnerability

In all versions of GitLab CE/EE, provided a user ID, anonymous users can use a
few endpoints to retrieve information about any GitLab user. This is a medium
severity issue (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, 5.3). It is now
mitigated in the latest release and is assigned CVE-2021-39882.

This issue was found internally by a member of the GitLab team.

Potential DOS via API requests

A potential DOS vulnerability was discovered in GitLab starting with version
9.1 that allowed parsing files without authorisation. This is a medium severity
issue (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L, 5.3). We have requested a
CVE ID and will update this blog post when it is assigned.

This vulnerability has been discovered internally by the GitLab team.

Pending invitations of public groups and public projects are visible to any
user

In all versions of GitLab CE/EE since version 13.6, it is possible to see
pending invitations of any public group or public project by visiting an API
endpoint. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L
/I:N/A:N, 5.3). It is now mitigated in the latest release and is assigned
CVE-2021-39875.

Thanks @ashish_r_padelkar for reporting this vulnerability through our
HackerOne bug bounty program.

Bypass Disabled Repo by URL Project Creation

In all versions of GitLab CE/EE since version 11.11, the instance setting that
disables Repo by URL import can be bypassed by an attacker making a crafted API
call. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/
I:L/A:N, 4.3). It is now mitigated in the latest release and is assigned
CVE-2021-39870.

Thanks @ngalog for reporting this vulnerability through our HackerOne bug
bounty program.

Low privileged users can see names of the private groups shared in projects

In all versions of GitLab EE since version 8.13, an endpoint discloses names of
private groups that have access to a project to low privileged users that are
part of that project. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:L/
UI:N/S:U/C:L/I:N/A:N, 4.3). It is now mitigated in the latest release and is
assigned CVE-2021-39884.

Thanks @ashish_r_padelkar for reporting this vulnerability through our
HackerOne bug bounty program.

API discloses sensitive info to low privileged users

In all versions of GitLab EE since version 13.10, a specific API endpoint may
reveal details about a private group and other sensitive info inside issue and
merge request templates. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/
PR:L/UI:N/S:U/C:L/I:N/A:N, 4.3). We have requested a CVE ID and will update
this blog post when it is assigned.

Thanks @0xn3va for reporting this vulnerability through our HackerOne bug
bounty program.

Epic listing does not honour group memberships

Improper authorization checks in GitLab EE > 13.11 allow subgroup members to
see epics from all parent subgroups. This is a medium severity issue (CVSS:3.0/
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, 4.3). It is now mitigated in the latest
release and is assigned CVE-2021-39883.

This vulnerability has been discovered internally by the GitLab team.

Insecure Direct Object Reference vulnerability may lead to protected branch
names getting disclosed

In all versions of GitLab EE since version 14.1, due to an insecure direct
object reference vulnerability, an endpoint may reveal the protected branch
name to a malicious user who makes a crafted API call with the ID of the
protected branch. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N
/S:U/C:L/I:N/A:N, 4.3). We have requested a CVE ID and will update this blog
post when it is assigned.

Thanks @ashish_r_padelkar for reporting this vulnerability through our
HackerOne bug bounty program.

Low privileged users can import users from projects that they are not a
maintainer on

In all versions of GitLab CE/EE since version 12.0, a lower privileged user can
import users from projects that they don't have a maintainer role on and
disclose email addresses of those users. This is a medium severity issue
(CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, 4.3). We have requested a CVE ID
and will update this blog post when it is assigned.

Thanks @ashish_r_padelkar for reporting this vulnerability through our
HackerOne bug bounty program.

Potential DOS via dependencies API

A potential DOS vulnerability was discovered in GitLab EE starting with version
12.6 due to lack of pagination in dependencies API. This is a medium severity
issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L, 4.3). It is now mitigated
in the latest release and is assigned CVE-2021-22259.

This vulnerability has been discovered internally by the GitLab team.

Create a project with unlimited repository size through malicious Project
Import

In all versions of GitLab CE/EE since version 8.12, an authenticated
low-privileged malicious user may create a project with unlimited repository
size by modifying values in a project export. This is a medium severity issue
(CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N, 4.3). It is now mitigated in the
latest release and is assigned CVE-2021-39868.

Thanks @ngalog for reporting this vulnerability through our HackerOne bug
bounty program.

Bypass disabled Bitbucket Server import source project creation

In all versions of GitLab CE/EE since version 13.0, the instance setting that
disables Bitbucket Server import can be bypassed by an attacker making a
crafted API call. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:L/
UI:N/S:U/C:N/I:L/A:N, 4.3). It is now mitigated in the latest release and is
assigned CVE-2021-39871.

This issue was discovered internally by a member of the GitLab team.

Requirement to enforce 2FA is not honored when using git commands

In all versions of GitLab CE/EE since version 11.0, the requirement to enforce
2FA is not honored when using git commands. This is a medium severity issue
(CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N, 4.3). It is now mitigated in the
latest release and is assigned CVE-2021-39874.

Thanks @melar_dev for reporting this vulnerability through our HackerOne bug
bounty program.

Content spoofing vulnerability

In all versions of GitLab CE/EE, there exists a content spoofing vulnerability
which may be leveraged by attackers to trick users into visiting a malicious
website by spoofing the content in an error response. This is a medium severity
issue (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N, 4.3). It is now mitigated
in the latest release and is assigned CVE-2021-39873.

Thanks @w00t1 for reporting this vulnerability through our HackerOne bug bounty
program.

Improper session management in impersonation feature

In all versions of GitLab CE/EE since version 8.0, when an admin uses the
impersonate feature twice and stops impersonating, the admin may be logged in
as the second user they impersonated, which may lead to repudiation issues.
This is a low severity issue (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N,
3.8). We have requested a CVE ID and will update this blog post when it is
assigned.

This vulnerability was reported to GitLab by a customer.

Create OAuth application with arbitrary scopes through content spoofing

In all versions of GitLab CE/EE since version 7.7, the application may let a
malicious user create an OAuth client application with arbitrary scope names
which may allow the malicious user to trick unsuspecting users to authorize the
malicious client application using the spoofed scope name and description. This
is a low severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N, 3.5). It
is now mitigated in the latest release and is assigned CVE-2021-39881.

Thanks @executor for reporting this vulnerability through our HackerOne bug
bounty program.

Lack of account lockout on change password functionality

In all versions of GitLab CE/EE, an attacker with access to a user's session
may brute force the user's password via the change password function. There is
a rate limit in place, but the attack may still be conducted by splitting the
attack over several IP addresses. This is a low severity issue (CVSS:3.0/AV:P/
AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N, 2.9). We have requested a CVE ID and will
update this blog post when it is assigned.

This vulnerability was discovered internally by the GitLab team.

Epic reference was not updated while moved between groups

Permission rules were not applied while issues were moved between projects of
the same group in GitLab versions starting with 10.6 and up to 14.1.7, allowing
users to read confidential Epic references. This is a low severity issue
(CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N, 2.6). It is now mitigated in the
latest release and is assigned CVE-2021-39886.

This vulnerability was discovered internally by the GitLab team.

Missing authentication allows disabling of two-factor authentication

Missing authentication in all versions of GitLab CE/EE since version 7.11.0
allows an attacker with access to a victim's session to disable two-factor
authentication. This is a low severity issue (CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/
C:N/I:L/A:N, 2.2). It is now mitigated in the latest release and is assigned
CVE-2021-39879.

This vulnerability has been discovered internally by the GitLab team.

Information disclosure in SendEntry

An information disclosure in SendEntry in GitLab starting with 10.8 allowed the
full, temporarily valid URL of artifacts stored in object storage to be exposed
via Rails logs. This is a low severity issue (CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/
C:L/I:N/A:N, 2.0). We have requested a CVE ID and will update this blog post
when it is assigned.

This vulnerability has been discovered internally by the GitLab team.

Updating

To update GitLab, see the Update page. To update GitLab Runner, see the
Updating the Runner page.

Receive Security Release Notifications

To receive security release blog notifications delivered to your inbox, visit
our contact us page. To receive release notifications via RSS, subscribe to our
security release RSS feed or our RSS feed for all releases.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----