Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2021.3608 GitLab Security Release: 14.4.1, 14.3.4, and 14.2.6 29 October 2021 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: GitLab Community Edition (CE) GitLab Enterprise Edition (EE) Publisher: GitLab Operating System: Windows UNIX variants (UNIX, Linux, OSX) Virtualisation Impact/Access: Root Compromise -- Existing Account Execute Arbitrary Code/Commands -- Existing Account Denial of Service -- Remote/Unauthenticated Cross-site Scripting -- Existing Account Access Confidential Data -- Remote/Unauthenticated Unauthorised Access -- Remote/Unauthenticated Reduced Security -- Existing Account Resolution: Patch/Upgrade CVE Names: CVE-2021-39914 CVE-2021-39913 CVE-2021-39912 CVE-2021-39911 CVE-2021-39909 CVE-2021-39907 CVE-2021-39906 CVE-2021-39905 CVE-2021-39904 CVE-2021-39903 CVE-2021-39902 CVE-2021-39901 CVE-2021-39898 CVE-2021-39897 CVE-2021-39895 Original Bulletin: https://about.gitlab.com/releases/2021/10/28/security-release-gitlab-14-4-1-released/ - --------------------------BEGIN INCLUDED TEXT-------------------- Oct 28, 2021 - Nikhil George GitLab Security Release: 14.4.1, 14.3.4, and 14.2.6 Today we are releasing versions 14.4.1, 14.3.4, and 14.2.6 for GitLab Community Edition (CE) and Enterprise Edition (EE). These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our security FAQ. You can see all of our regular and security release blog posts here. In addition, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched. We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more best practices in securing your GitLab instance in our blog post. Recommended Action We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible. Table of Fixes Title Severity Stored XSS via ipynb files high Pipeline schedules on imported projects can be set to automatically medium active after import Potential Denial of service via Workhorse medium Improper Access Control allows Merge Request creator to bypass locked medium status Projects API discloses ID and name of private groups medium Severity of an incident can be changed by a guest user medium System root password accidentally written to log file medium Potential DoS via a malformed TIFF image medium Bypass of CODEOWNERS Merge Request approval requirement medium Change project visibility to a restricted option medium Project exports leak external webhook token value low SCIM token is visible after creation low Invited group members, with access inherited from parent group, continue to have project access even after invited subgroup is low transfered Regular expression denial of service issue when cleaning namespace low path Prevent creation of scopeless apps using applications API low Webhook data exposes assignee's private email address low Stored XSS via ipynb files Improper validation of ipynb files in GitLab CE/EE version 13.5 and above allows an attacker to execute arbitrary JavaScript code on the victim's behalf. This is a high severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N, 8.7). It is now mitigated in the latest release and is assigned CVE-2021-39906. Thanks @saleemrashid for reporting this vulnerability through our HackerOne bug bounty program. Pipeline schedules on imported projects can be set to automatically active after import In all versions of GitLab CE/EE since version 8.0, an attacker can set the pipeline schedules to be active in a project export so when an unsuspecting owner imports that project, pipelines are active by default on that project. Under specialized conditions, this may lead to information disclosure if the project is imported from an untrusted source. This is a medium severity issue (CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L, 6.0). It is now mitigated in the latest release and is assigned CVE-2021-39895. Thanks @justas_b for reporting this vulnerability through our HackerOne bug bounty program. Potential Denial of service via Workhorse A potential DOS vulnerability was discovered in GitLab CE/EE starting with version 13.7. The stripping of EXIF data from certain images resulted in high CPU usage. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/ C:N/I:N/A:L, 5.3). It is now mitigated in the latest release and is assigned CVE-2021-39907. Thanks @ajxchapman for reporting this vulnerability through our HackerOne bug bounty program. Improper Access Control allows Merge Request creator to bypass locked status An Improper Access Control vulnerability in the GraphQL API in GitLab CE/EE since version 13.1 allows a Merge Request creator to resolve discussions and apply suggestions after a project owner has locked the Merge Request. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N, 4.3). It is now mitigated in the latest release and is assigned CVE-2021-39904. Thanks @jimeno for reporting this vulnerability through our HackerOne bug bounty program. Projects API discloses ID and name of private groups An information disclosure vulnerability in the GitLab CE/EE API since version 8.9.6 allows a user to see basic information on private groups that a public project has been shared with. This is a medium severity issue (CVSS:3.0/AV:N/ AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, 4.3). It is now mitigated in the latest release and is assigned CVE-2021-39905. Thanks @rafiem for reporting this vulnerability through our HackerOne bug bounty program. Severity of an incident can be changed by a guest user Incorrect Authorization in GitLab CE/EE 13.4 or above allows a user with guest membership in a project to modify the severity of an incident. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N, 4.3). It is now mitigated in the latest release and is assigned CVE-2021-39902. Thanks @cradlr for reporting this vulnerability through our HackerOne bug bounty program. System root password accidentally written to log file Accidental logging of system root password in the migration log in all versions of GitLab CE/EE allows an attacker with local file system access to obtain system root-level privileges. This is a medium severity issue (CVSS:3.0/AV:L/ AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N, 4.4). It is now mitigated in the latest release and is assigned CVE-2021-39913. This vulnerability has been discovered internally by the GitLab team. Potential DoS via a malformed TIFF image A potential DoS vulnerability was discovered in GitLab CE/EE starting with version 13.7. Using a malformed TIFF images was possible to trigger memory exhaustion. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/ C:N/I:N/A:L, 5.3). It is now mitigated in the latest release and is assigned CVE-2021-39912. Thanks @haquaman for reporting this vulnerability through our HackerOne bug bounty program. Bypass of CODEOWNERS Merge Request approval requirement Lack of email address ownership verification in the CODEOWNERS feature in all versions of GitLab EE since version 11.3 allows an attacker to bypass CODEOWNERS Merge Request approval requirement under rare circumstances. This is a medium severity issue (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N, 5.3). It is now mitigated in the latest release and is assigned CVE-2021-39909. Thanks @vaib25vicky for reporting this vulnerability through our HackerOne bug bounty program. Change project visibility to a restricted option In all versions of GitLab CE/EE since version 13.0, a low privileged user, through an API call, can change the visibility level of a group or a project to a restricted option even after the instance administrator sets that visibility option as restricted in settings. This is a medium severity issue (CVSS:3.0/ AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N, 6.5). It is now mitigated in the latest release and is assigned CVE-2021-39903. Thanks @s4nderdevelopment for reporting this vulnerability through our HackerOne bug bounty program. Project exports leak external webhook token value In all versions of GitLab CE/EE since version 10.6, a project export leaks the external webhook token value which may allow access to the project which it was exported from. This is a low severity issue (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/ C:L/I:N/A:N, 3.7). It is now mitigated in the latest release and is assigned CVE-2021-39898. Thanks @xanbanx for reporting this vulnerability through our HackerOne bug bounty program. SCIM token is visible after creation In all versions of GitLab CE/EE since version 11.10, an admin of a group can see the SCIM token of that group by visiting a specific endpoint. This is a low severity issue (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N, 2.7). It is now mitigated in the latest release and is assigned CVE-2021-39901. Thanks @ngalog for reporting this vulnerability through our HackerOne bug bounty program. Invited group members, with access inherited from parent group, continue to have project access even after invited subgroup is transfered Improper access control in GitLab CE/EE version 10.5 and above allowed subgroup members with inherited access to a project from a parent group to still have access even after the subgroup is transferred. This is a low severity issue (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N, 2.6). It is now mitigated in the latest release and is assigned CVE-2021-39897. Thanks @joaxcar for reporting this vulnerability through our HackerOne bug bounty program. Regular expression denial of service issue when cleaning namespace path A regular expression denial of service issue in GitLab versions 8.13 to 14.2.5, 14.3.0 to 14.3.3 and 14.4.0 could cause excessive usage of resources when a specially crafted username was used when provisioning a new user. This is a low severity issue (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L, 3.1). It is now mitigated in the latest release and is assigned CVE-2021-39914. This vulnerability has been discovered internally by the GitLab team Prevent creation of scopeless apps using applications API The application api in GitLab CE/EE version 10.5 and above allowed creation of scopeless apps. This is a low severity issue and is now mitigated in latest release. This vulnerability has been discovered internally by the GitLab team Webhook data exposes assignee's private email address An improper access control flaw in GitLab CE/EE since version 13.9 exposes private email address of Issue and Merge Requests assignee to Webhook data consumers. This is a low severity issue (CVSS:3.0/AV:P/AC:H/PR:L/UI:R/S:U/C:L/ I:N/A:N, 1.7). It is now mitigated in the latest release and is assigned CVE-2021-39911. This vulnerability has been discovered internally by the GitLab team. Update Redis The version of Redis included in GitLab Omnibus has been updated to 6.0.16 in order to mitigate security concerns. Versions affected Affects all versions of GitLab Omnibus Update OpenSSL The version of OpenSSL included in GitLab Omnibus has been updated to 1.1.1l in order to mitigate security concerns. Versions affected Affects all versions of GitLab Omnibus Update Curl The version of Curl included in GitLab Omnibus has been updated to 7.79.1 in order to mitigate security concerns. Versions affected Affects all versions of GitLab Omnibus Updating To update GitLab, see the Update page. To update Gitlab Runner, see the Updating the Runner page. Receive Security Release Notifications To receive security release blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our security release RSS feed or our RSS feed for all releases. - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBYXtE+uNLKJtyKPYoAQgbMQ/9Gz5oB7Zqh+Qp/Jdkgidj/FFKKa2EprTO oNIEQ9gTyuhp9Yk2p2hvnYKVPB5SwCxliTebGKw9lxlTUYPEauRFnLSiqxgPWw6j 6CycY7mELJJC422RkKXDU7BsSqG67elEr0UBYSPJ0Rxi1QZhln2lKbZnHbXmPyIp 1LpGkCMeIhQOL9l1S9YGjrt3MuPWIeKS6+UrEg0s4nrPZ8PNb5DYDm1q8tvBrl81 ifI1ZOMAHMuqJChiDI20GQX2IWvDvPi82Y7t7VdbUl0xQdLjkOmzilUHWC9Wv4Cv My1v6G2Y/3quFdEq1lE48/2o78AWEoTqW6kUY2yNEW+uGXTPJtoqzK4p3fYTNzQA D68RCj9NPOHOl5QYADhObvgnMNNAjYNfhQ6MIdWapsTb+IdiDuSMC5F2FYqRzgpo Vb3/WvG3FKbi8Nl/N8/YzH8N8IRXQR0uvm9VzVSkw8ctlJWBvJ+mQGlDhszi09Uo q/IWoTq+gSbSo/APzzn3jLVUdZ+jsmXT4y+Bk4QRGN5mzxmGJEDeqndL1VtFR/H8 35YVZxRQZQHC34DhiRELSmbRJdJLWTJLfa8f37uO/q1mnSoK8BsP+/J6aQTHIUYr +BbYXZJAOFE8SFHK/lPW+T2PdHXizf84wHoxxzo9sfLYRal+LxUC52b8zokmRE/v kCNFQCzsc64= =e/yR -----END PGP SIGNATURE-----