-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.3608
            GitLab Security Release: 14.4.1, 14.3.4, and 14.2.6
                              29 October 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           GitLab Community Edition (CE)
                   GitLab Enterprise Edition (EE)
Publisher:         GitLab
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
                   Virtualisation
Impact/Access:     Root Compromise                 -- Existing Account      
                   Execute Arbitrary Code/Commands -- Existing Account      
                   Denial of Service               -- Remote/Unauthenticated
                   Cross-site Scripting            -- Existing Account      
                   Access Confidential Data        -- Remote/Unauthenticated
                   Unauthorised Access             -- Remote/Unauthenticated
                   Reduced Security                -- Existing Account      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-39914 CVE-2021-39913 CVE-2021-39912
                   CVE-2021-39911 CVE-2021-39909 CVE-2021-39907
                   CVE-2021-39906 CVE-2021-39905 CVE-2021-39904
                   CVE-2021-39903 CVE-2021-39902 CVE-2021-39901
                   CVE-2021-39898 CVE-2021-39897 CVE-2021-39895

Original Bulletin: 
   https://about.gitlab.com/releases/2021/10/28/security-release-gitlab-14-4-1-released/

- --------------------------BEGIN INCLUDED TEXT--------------------

Oct 28, 2021 - Nikhil George

GitLab Security Release: 14.4.1, 14.3.4, and 14.2.6

Today we are releasing versions 14.4.1, 14.3.4, and 14.2.6 for GitLab Community
Edition (CE) and Enterprise Edition (EE).

These versions contain important security fixes, and we strongly recommend that
all GitLab installations be upgraded to one of these versions immediately.

GitLab releases patches for vulnerabilities in dedicated security releases.
There are two types of security releases: a monthly, scheduled security
release, released a week after the feature release (which deploys on the 22nd
of each month), and ad-hoc security releases for critical vulnerabilities. For
more information, you can visit our security FAQ. You can see all of our
regular and security release blog posts here. In addition, the issues detailing
each vulnerability are made public on our issue tracker 30 days after the
release in which they were patched.

We are dedicated to ensuring all aspects of GitLab that are exposed to
customers or that host customer data are held to the highest security
standards. As part of maintaining good security hygiene, it is highly
recommended that all customers upgrade to the latest security release for their
supported version. You can read more best practices in securing your GitLab
instance in our blog post.

Recommended Action

We strongly recommend that all installations running a version affected by the
issues described below are upgraded to the latest version as soon as possible.

Table of Fixes

                                Title                                  Severity

Stored XSS via ipynb files                                             high
Pipeline schedules on imported projects can be set to automatically    medium
active after import
Potential Denial of service via Workhorse                              medium
Improper Access Control allows Merge Request creator to bypass locked  medium
status
Projects API discloses ID and name of private groups                   medium
Severity of an incident can be changed by a guest user                 medium
System root password accidentally written to log file                  medium
Potential DoS via a malformed TIFF image                               medium
Bypass of CODEOWNERS Merge Request approval requirement                medium
Change project visibility to a restricted option                       medium
Project exports leak external webhook token value                      low
SCIM token is visible after creation                                   low
Invited group members, with access inherited from parent group,
continue to have project access even after invited subgroup is
transferred                                                            low
Regular expression denial of service issue when cleaning namespace     low
path
Prevent creation of scopeless apps using applications API              low
Webhook data exposes assignee's private email address                  low

Stored XSS via ipynb files

Improper validation of ipynb files in GitLab CE/EE version 13.5 and above
allows an attacker to execute arbitrary JavaScript code on the victim's behalf.
This is a high severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N,
8.7). It is now mitigated in the latest release and is assigned CVE-2021-39906.

Thanks @saleemrashid for reporting this vulnerability through our HackerOne bug
bounty program.

Pipeline schedules on imported projects can be set to automatically active
after import

In all versions of GitLab CE/EE since version 8.0, an attacker can set the
pipeline schedules to be active in a project export, so that when an
unsuspecting owner imports that project, pipelines are active by default on
that project. Under specialized conditions, this may lead to information
disclosure if the project is imported from an untrusted source. This is a
medium severity issue (CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L, 6.0). It
is now mitigated in the latest release and is assigned CVE-2021-39895.

Thanks @justas_b for reporting this vulnerability through our HackerOne bug
bounty program.

Potential Denial of service via Workhorse

A potential DoS vulnerability was discovered in GitLab CE/EE starting with
version 13.7. The stripping of EXIF data from certain images resulted in high
CPU usage. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/
C:N/I:N/A:L, 5.3). It is now mitigated in the latest release and is assigned
CVE-2021-39907.

Thanks @ajxchapman for reporting this vulnerability through our HackerOne bug
bounty program.

Improper Access Control allows Merge Request creator to bypass locked status

An Improper Access Control vulnerability in the GraphQL API in GitLab CE/EE
since version 13.1 allows a Merge Request creator to resolve discussions and
apply suggestions after a project owner has locked the Merge Request. This is a
medium severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N, 4.3). It
is now mitigated in the latest release and is assigned CVE-2021-39904.

Thanks @jimeno for reporting this vulnerability through our HackerOne bug
bounty program.

Projects API discloses ID and name of private groups

An information disclosure vulnerability in the GitLab CE/EE API since version
8.9.6 allows a user to see basic information on private groups that a public
project has been shared with. This is a medium severity issue (CVSS:3.0/AV:N/
AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, 4.3). It is now mitigated in the latest release
and is assigned CVE-2021-39905.

Thanks @rafiem for reporting this vulnerability through our HackerOne bug
bounty program.

Severity of an incident can be changed by a guest user

Incorrect Authorization in GitLab CE/EE 13.4 or above allows a user with guest
membership in a project to modify the severity of an incident. This is a medium
severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N, 4.3). It is now
mitigated in the latest release and is assigned CVE-2021-39902.

Thanks @cradlr for reporting this vulnerability through our HackerOne bug
bounty program.

System root password accidentally written to log file

Accidental logging of system root password in the migration log in all versions
of GitLab CE/EE allows an attacker with local file system access to obtain
system root-level privileges. This is a medium severity issue (CVSS:3.0/AV:L/
AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N, 4.4). It is now mitigated in the latest release
and is assigned CVE-2021-39913.

This vulnerability has been discovered internally by the GitLab team.

Potential DoS via a malformed TIFF image

A potential DoS vulnerability was discovered in GitLab CE/EE starting with
version 13.7. Using a malformed TIFF image, it was possible to trigger memory
exhaustion. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/
C:N/I:N/A:L, 5.3). It is now mitigated in the latest release and is assigned
CVE-2021-39912.

Thanks @haquaman for reporting this vulnerability through our HackerOne bug
bounty program.

Bypass of CODEOWNERS Merge Request approval requirement

Lack of email address ownership verification in the CODEOWNERS feature in all
versions of GitLab EE since version 11.3 allows an attacker to bypass
CODEOWNERS Merge Request approval requirement under rare circumstances. This is
a medium severity issue (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N, 5.3). It
is now mitigated in the latest release and is assigned CVE-2021-39909.

Thanks @vaib25vicky for reporting this vulnerability through our HackerOne bug
bounty program.

Change project visibility to a restricted option

In all versions of GitLab CE/EE since version 13.0, a low privileged user,
through an API call, can change the visibility level of a group or a project to
a restricted option even after the instance administrator sets that visibility
option as restricted in settings. This is a medium severity issue (CVSS:3.0/
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N, 6.5). It is now mitigated in the latest
release and is assigned CVE-2021-39903.

Thanks @s4nderdevelopment for reporting this vulnerability through our
HackerOne bug bounty program.

Project exports leak external webhook token value

In all versions of GitLab CE/EE since version 10.6, a project export leaks the
external webhook token value which may allow access to the project which it was
exported from. This is a low severity issue (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/
C:L/I:N/A:N, 3.7). It is now mitigated in the latest release and is assigned
CVE-2021-39898.

Thanks @xanbanx for reporting this vulnerability through our HackerOne bug
bounty program.
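Two of the items above concern what travels inside a project export: pipeline
schedules that arrive already active (CVE-2021-39895) and external webhook
token values that should never have been exported at all (CVE-2021-39898). The
following is an added example, not GitLab code, of a pre-import audit that
opens an export archive and flags both. It assumes the documented export
layout since GitLab 13.0 (a .tar.gz whose tree/ directory holds one NDJSON
file per relation); the relation file names used in the constructed sample
archive, and the sample records themselves, are illustrative.

```python
"""Audit a GitLab project export before importing it (added example, not GitLab code).

Flags (1) pipeline schedules whose "active" flag is set and (2) any field
whose name looks like a credential (token/password/secret) with a non-empty
value. The archive built by build_sample_export() is constructed test data.
"""
import io
import json
import tarfile

SECRET_KEYS = ("token", "password", "secret")


def walk(obj, path=""):
    """Yield (json_path, value) for every leaf of a nested JSON object."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from walk(value, f"{path}.{key}" if path else key)
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            yield from walk(value, f"{path}[{i}]")
    else:
        yield path, obj


def audit_export(archive_bytes):
    """Return human-readable findings for every NDJSON relation in the export."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile() or not member.name.endswith(".ndjson"):
                continue
            relation = member.name.rsplit("/", 1)[-1][: -len(".ndjson")]
            text = tar.extractfile(member).read().decode("utf-8")
            for lineno, line in enumerate(text.splitlines(), 1):
                if not line.strip():
                    continue
                record = json.loads(line)
                # (1) schedules that would start running as soon as the import lands
                if relation == "pipeline_schedules" and record.get("active") is True:
                    findings.append(
                        f"{member.name}:{lineno}: active pipeline schedule "
                        f"{record.get('description')!r} ({record.get('cron')})"
                    )
                # (2) anything credential-shaped left behind by the exporter
                for path, value in walk(record):
                    leaf = path.rsplit(".", 1)[-1].lower()
                    if any(s in leaf for s in SECRET_KEYS) and value not in (None, "", False):
                        findings.append(f"{member.name}:{lineno}: secret-looking field {path}")
    return findings


def build_sample_export():
    """Constructed export: one active schedule and a hook record carrying a token.

    File names under tree/ follow the NDJSON export layout; 'hooks.ndjson' is an
    illustrative relation name for this sample, not a claim about the real export.
    """
    files = {
        "tree/project.json": json.dumps({"name": "demo", "visibility_level": 0}),
        "tree/project/pipeline_schedules.ndjson": "\n".join([
            json.dumps({"description": "nightly", "cron": "0 1 * * *", "ref": "main", "active": True}),
            json.dumps({"description": "weekly", "cron": "0 2 * * 0", "ref": "main", "active": False}),
        ]),
        "tree/project/hooks.ndjson": json.dumps(
            {"url": "https://ci.example.invalid/hook", "token": "s3cr3t-hook-token"}
        ),
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            payload = content.encode("utf-8")
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


if __name__ == "__main__":
    for finding in audit_export(build_sample_export()):
        print(finding)
```

Run the audit on any export received from outside the organisation before
importing it; an active schedule is a reason to deactivate it (or strip the
relation) first, and a populated token field means the source project's hook
secret should be treated as compromised and rotated.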

SCIM token is visible after creation

In all versions of GitLab CE/EE since version 11.10, an admin of a group can
see the SCIM token of that group by visiting a specific endpoint. This is a low
severity issue (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N, 2.7). It is now
mitigated in the latest release and is assigned CVE-2021-39901.

Thanks @ngalog for reporting this vulnerability through our HackerOne bug
bounty program.

Invited group members, with access inherited from parent group, continue to
have project access even after invited subgroup is transferred

Improper access control in GitLab CE/EE version 10.5 and above allowed subgroup
members with inherited access to a project from a parent group to still have
access even after the subgroup is transferred. This is a low severity issue
(CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N, 2.6). It is now mitigated in the
latest release and is assigned CVE-2021-39897.

Thanks @joaxcar for reporting this vulnerability through our HackerOne bug
bounty program.

Regular expression denial of service issue when cleaning namespace path

A regular expression denial of service issue in GitLab versions 8.13 to 14.2.5,
14.3.0 to 14.3.3 and 14.4.0 could cause excessive usage of resources when a
specially crafted username was used when provisioning a new user. This is a low
severity issue (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L, 3.1). It is now
mitigated in the latest release and is assigned CVE-2021-39914.

This vulnerability has been discovered internally by the GitLab team.

Prevent creation of scopeless apps using applications API

The applications API in GitLab CE/EE version 10.5 and above allowed creation of
scopeless apps. This is a low severity issue and is now mitigated in the latest
release.

This vulnerability has been discovered internally by the GitLab team.

Webhook data exposes assignee's private email address

An improper access control flaw in GitLab CE/EE since version 13.9 exposes
private email address of Issue and Merge Requests assignee to Webhook data
consumers. This is a low severity issue (CVSS:3.0/AV:P/AC:H/PR:L/UI:R/S:U/C:L/
I:N/A:N, 1.7). It is now mitigated in the latest release and is assigned
CVE-2021-39911.

This vulnerability has been discovered internally by the GitLab team.
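The webhook items in this release (the exported hook token above and the
assignee e-mail exposure here) are both about what a webhook consumer is
trusted with. The following is an added example, not GitLab code, of a
consumer that checks the X-Gitlab-Token header with a constant-time compare,
so a rotated secret immediately cuts off stale senders, and strips e-mail
fields from the payload before it is logged or forwarded, so a leak on the
sending side does not propagate downstream. The secret value, the sample
event and the forward() sink are constructed placeholders; the header name
and the shape of the issue event follow GitLab's documented webhooks.

```python
"""Minimal GitLab webhook consumer (added example, not GitLab code).

Verifies X-Gitlab-Token and redacts e-mail fields at any depth before the
event leaves this process. WEBHOOK_SECRET, SAMPLE_EVENT and forward() are
placeholders for the real secret store, a real event and a real sink.
"""
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

WEBHOOK_SECRET = "rotate-me-after-any-export-leak"  # placeholder; load from a secret store
EMAIL_KEYS = {"email", "public_email", "notification_email"}


def token_valid(header_value, secret=WEBHOOK_SECRET):
    """GitLab sends the configured secret verbatim; compare without timing leaks."""
    return hmac.compare_digest((header_value or "").encode("utf-8"), secret.encode("utf-8"))


def redact(obj):
    """Return a copy of the payload with e-mail fields removed (user, assignee, assignees, ...)."""
    if isinstance(obj, dict):
        return {k: redact(v) for k, v in obj.items() if k not in EMAIL_KEYS}
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    return obj


def forward(payload):
    """Downstream sink (constructed stand-in); only redacted payloads reach it."""
    print(json.dumps(payload))


def handle(headers, body):
    """Pure request handler: (status, response) for a header mapping and raw body."""
    if not token_valid(headers.get("X-Gitlab-Token")):
        return 401, {"error": "bad token"}
    try:
        payload = json.loads(body)
    except json.JSONDecodeError:
        return 400, {"error": "invalid json"}
    if not isinstance(payload, dict):
        return 400, {"error": "unexpected payload"}
    safe = redact(payload)
    forward(safe)
    return 200, {"ok": True, "kind": safe.get("object_kind")}


class Handler(BaseHTTPRequestHandler):
    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        status, resp = handle(self.headers, body)
        out = json.dumps(resp).encode("utf-8")
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(out)))
        self.end_headers()
        self.wfile.write(out)


# Constructed issue event; the field layout mirrors GitLab's issue hook payload.
SAMPLE_EVENT = {
    "object_kind": "issue",
    "user": {"name": "Reporter", "username": "rep", "email": "rep@example.invalid"},
    "object_attributes": {"iid": 7, "title": "Login broken", "state": "opened"},
    "assignees": [{"name": "Dev", "username": "dev", "email": "dev@example.invalid"}],
}

if __name__ == "__main__":
    print(handle({"X-Gitlab-Token": WEBHOOK_SECRET}, json.dumps(SAMPLE_EVENT)))
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```

The redaction is deliberately key-based rather than tied to the assignee
object, because the same user structure appears under several keys in
different event types; dropping the field wherever it occurs is the safer
default for a consumer that only needs usernames.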

Update Redis

The version of Redis included in GitLab Omnibus has been updated to 6.0.16 in
order to mitigate security concerns.

Versions affected

Affects all versions of GitLab Omnibus

Update OpenSSL

The version of OpenSSL included in GitLab Omnibus has been updated to 1.1.1l in
order to mitigate security concerns.

Versions affected

Affects all versions of GitLab Omnibus

Update Curl

The version of Curl included in GitLab Omnibus has been updated to 7.79.1 in
order to mitigate security concerns.

Versions affected

Affects all versions of GitLab Omnibus
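The Recommended Action above and the three bundled-component bumps here
reduce to one question for an operator: is this host at or above 14.4.1,
14.3.4 or 14.2.6, and does the Omnibus build carry OpenSSL 1.1.1l, Redis
6.0.16 and curl 7.79.1? The following is an added example, not GitLab
tooling, that answers it. It assumes the documented GET /api/v4/version
endpoint (with a PRIVATE-TOKEN header) and the usual Omnibus binary paths
under /opt/gitlab/embedded/bin; the command outputs in SAMPLE_OUTPUTS are
constructed so the script runs offline.

```python
"""Patch-level check for this bulletin (added example, not GitLab tooling).

Compares a GitLab version string and the bundled OpenSSL/Redis/curl versions
against the fixed versions named in the release. SAMPLE_OUTPUTS are
constructed command outputs, not captured from a real host.
"""
import json
import re
import subprocess
import urllib.request

# Fixed releases per supported line; 14.5+ carries the fix, <14.2 is out of support.
FIXED_GITLAB = {(14, 4): "14.4.1", (14, 3): "14.3.4", (14, 2): "14.2.6"}

# Bundled component versions the Omnibus package moved to in this release.
FIXED_COMPONENTS = {"openssl": "1.1.1l", "redis": "6.0.16", "curl": "7.79.1"}

# Omnibus binary paths (assumed) and a pattern that pulls the version out of each output.
COMPONENT_CMDS = {
    "openssl": (["/opt/gitlab/embedded/bin/openssl", "version"], r"OpenSSL (\S+)"),
    "redis": (["/opt/gitlab/embedded/bin/redis-server", "--version"], r"v=(\S+)"),
    "curl": (["/opt/gitlab/embedded/bin/curl", "--version"], r"curl (\S+)"),
}


def vtuple(version):
    """'1.1.1l' -> (1, 1, 1, 'l'); '14.4.0-ee' -> (14, 4, 0, '').

    OpenSSL's letter suffix sorts after the bare number ('1.1.1' < '1.1.1a');
    a '-ee'/'-pre' style suffix is ignored for the comparison.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-[\w.]+)?", version.strip())
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    return tuple(int(x) for x in m.groups()[:3]) + (m.group(4),)


def gitlab_is_fixed(version):
    v = vtuple(version)
    fixed = FIXED_GITLAB.get(v[:2])
    if fixed is None:
        return v[:2] > (14, 4)
    return v >= vtuple(fixed)


def parse_component_version(name, output):
    m = re.search(COMPONENT_CMDS[name][1], output)
    if not m:
        raise ValueError(f"no {name} version in {output!r}")
    return m.group(1)


def component_is_fixed(name, output):
    return vtuple(parse_component_version(name, output)) >= vtuple(FIXED_COMPONENTS[name])


def fetch_gitlab_version(base_url, token):
    """Ask the instance itself; needs any authenticated user's token."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v4/version", headers={"PRIVATE-TOKEN": token}
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["version"]


def local_component_outputs():
    """Run the bundled binaries on an Omnibus host and return their raw output."""
    return {
        name: subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
        for name, (cmd, _) in COMPONENT_CMDS.items()
    }


def report(gitlab_version, component_outputs):
    """One line per check, ending in 'ok' or 'AFFECTED'."""
    lines = [f"gitlab {gitlab_version}: {'ok' if gitlab_is_fixed(gitlab_version) else 'AFFECTED'}"]
    for name, out in component_outputs.items():
        ver = parse_component_version(name, out)
        lines.append(f"{name} {ver}: {'ok' if component_is_fixed(name, out) else 'AFFECTED'}")
    return lines


# Constructed outputs: an OpenSSL one release behind, Redis and curl already current.
SAMPLE_OUTPUTS = {
    "openssl": "OpenSSL 1.1.1k  25 Mar 2021\n",
    "redis": "Redis server v=6.0.16 sha=00000000:0 malloc=jemalloc-5.1.0 bits=64 build=abc\n",
    "curl": "curl 7.79.1 (x86_64-pc-linux-gnu) libcurl/7.79.1 OpenSSL/1.1.1l zlib/1.2.11\n",
}

if __name__ == "__main__":
    # Swap in fetch_gitlab_version(url, token) and local_component_outputs() on a real host.
    print("\n".join(report("14.4.0-ee", SAMPLE_OUTPUTS)))
```

Checking the bundled components separately matters because a source install
or a container image built from a different base can report a fixed GitLab
version while still linking an older OpenSSL or curl.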

Updating

To update GitLab, see the Update page. To update Gitlab Runner, see the
Updating the Runner page.

Receive Security Release Notifications

To receive security release blog notifications delivered to your inbox, visit
our contact us page. To receive release notifications via RSS, subscribe to our
security release RSS feed or our RSS feed for all releases.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----