-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2023.2463
          GitLab Security Release: 15.11.1, 15.10.5, and 15.9.6
                                3 May 2023

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           GitLab Community Edition (CE)
                   GitLab Enterprise Edition (EE)
Publisher:         GitLab
Operating System:  Windows
                   Linux variants
Resolution:        Patch/Upgrade
CVE Names:         CVE-2023-2182 CVE-2023-2069 CVE-2023-1965 CVE-2023-1836
                   CVE-2023-1621 CVE-2023-1410 CVE-2023-1178 CVE-2023-0805
                   CVE-2023-0756 CVE-2023-0464 CVE-2022-4376

Original Bulletin:
   https://about.gitlab.com/releases/2023/05/02/security-release-gitlab-15-11-1-released/

Comment: CVSS (Max):  7.5* CVE-2023-0464 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
         CVSS Source: NVD
         Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
         * Not all CVSS available when published

- --------------------------BEGIN INCLUDED TEXT--------------------

GitLab Security Release: 15.11.1, 15.10.5, and 15.9.6

Today we are releasing versions 15.11.1, 15.10.5, and 15.9.6 for GitLab
Community Edition (CE) and Enterprise Edition (EE).

These versions contain important security fixes, and we strongly recommend
that all GitLab installations be upgraded to one of these versions
immediately. GitLab.com is already running the patched version.

GitLab releases patches for vulnerabilities in dedicated security releases.
There are two types of security releases: a monthly, scheduled security
release, released a week after the feature release (which deploys on the
22nd of each month), and ad-hoc security releases for critical
vulnerabilities. For more information, you can visit our security FAQ.

You can see all of our regular and security release blog posts here.
In addition, the issues detailing each vulnerability are made public on our
issue tracker 30 days after the release in which they were patched.

We are dedicated to ensuring all aspects of GitLab that are exposed to
customers or that host customer data are held to the highest security
standards. As part of maintaining good security hygiene, it is highly
recommended that all customers upgrade to the latest security release for
their supported version. You can read more best practices in securing your
GitLab instance in our blog post.

Recommended Action

We strongly recommend that all installations running a version affected by
the issues described below are upgraded to the latest version as soon as
possible.

When no specific deployment type (omnibus, source code, helm chart, etc.) of
a product is mentioned, this means all types are affected.

Table of Fixes

Title                                                              Severity
-----------------------------------------------------------------  --------
Privilege escalation for external users when OIDC is enabled       medium
under certain conditions
Account takeover through open redirect for Group SAML accounts     medium
Users on banned IP addresses can still commit to projects          medium
User with developer role (group) can modify Protected branches     medium
setting on imported project and leak group CI/CD variables
The GitLab web interface does not guarantee file integrity when    medium
downloading source code or installation packages from a tag or
from a release.
Banned group member continues to have access to the public         medium
projects of a public group with the access level as same as
before the ban.
The main branch of a repository with a specially designed name     medium
allows an attacker to create repositories with malicious code.
XSS and content injection and iframe injection when viewing raw    medium
files on iOS devices
Authenticated users can find other users by their private email    low

Privilege escalation for external users when OIDC is enabled under certain
conditions

An issue has been discovered in GitLab EE affecting all versions starting
from 15.10 before 15.10.5, all versions starting from 15.11 before 15.11.1.
Under certain conditions when OpenID Connect is enabled on an instance, it
may allow users who are marked as 'external' to become 'regular' users, thus
leading to privilege escalation for those users. This is a medium severity
issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N, 6.8). It is now
mitigated in the latest release and is assigned CVE-2023-2182.

This vulnerability was reported to us by a customer.

Account takeover through open redirect for Group SAML accounts

An issue has been discovered in GitLab EE affecting all versions starting
from 14.2 before 15.9.6, all versions starting from 15.10 before 15.10.5, all
versions starting from 15.11 before 15.11.1. Lack of verification on the
RelayState parameter allowed a maliciously crafted URL to obtain access
tokens granted for 3rd party Group SAML SSO logins. This feature isn't
enabled by default. This is a medium severity issue
(CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N, 6.8). It is now mitigated in
the latest release and is assigned CVE-2023-1965.

If you are seeing an unexpected redirect after sign in through SAML, ensure
the RelayState setting on the identity provider side is set to a valid URL.

Thanks bull for reporting this vulnerability through our HackerOne bug
bounty program.

Users on banned IP addresses can still commit to projects

An issue has been discovered in GitLab EE affecting all versions starting
from 12.0 before 15.10.5, all versions starting from 15.11 before 15.11.1. A
malicious group member may continue to commit to projects even from a
restricted IP address.
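The CVE-2023-1965 entry above traces the problem to a RelayState value that was never checked before being used as a post-login redirect. As an added illustration written for this bulletin (not GitLab's own code), the following service-provider-side check accepts only relative paths on the local instance and falls back to a default location for anything else; the module name RelayStateGuard and the default path are assumptions.

```ruby
require 'uri'

# Constructed example (not GitLab's implementation): decide whether a SAML
# RelayState value may be used as the redirect target after sign-in.
module RelayStateGuard
  DEFAULT_PATH = '/'.freeze

  # Returns relay_state when it is a same-instance relative path,
  # otherwise the default path, so a crafted value can never send the
  # browser (and any token carried in the URL) to another origin.
  def self.safe_redirect(relay_state, default: DEFAULT_PATH)
    return default if relay_state.nil? || relay_state.empty?
    return default unless valid_relative_path?(relay_state)

    relay_state
  end

  def self.valid_relative_path?(value)
    # Anything the RFC 3986 parser rejects (backslashes, control
    # characters, spaces) is not a path we want to forward to.
    uri = begin
      URI.parse(value)
    rescue URI::InvalidURIError
      return false
    end

    # A scheme, host or userinfo component means an absolute or
    # scheme-relative URL, i.e. a redirect off this instance.
    return false if uri.scheme || uri.host || uri.userinfo

    # Require a single leading "/": "//host" is scheme-relative and is
    # resolved by browsers as an external host.
    return false unless value.start_with?('/') && !value.start_with?('//')

    # Belt and braces: refuse backslashes and control characters even if
    # a future parser accepts them, since some browsers fold "\" to "/".
    return false if value.match?(/[\\\x00-\x1f\x7f]/)

    # Percent-encoded slashes could be decoded by an intermediate proxy
    # and turn "/%2F%2Fhost" into "//host"; refuse them as well.
    return false if value.match?(/%2f/i) || value.match?(/%5c/i)

    true
  end
end
```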
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N,
6.5). It is now mitigated in the latest release and is assigned
CVE-2023-1621.

User with developer role (group) can modify Protected branches setting on
imported project and leak group CI/CD variables

An issue has been discovered in GitLab affecting all versions starting from
10.0 before 12.9.8, all versions starting from 12.10 before 12.10.7, all
versions starting from 13.0 before 13.0.1. A user with the role of developer
could use the import project feature to leak CI/CD variables. This is a
medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N, 6.4). It
is now mitigated in the latest release and is assigned CVE-2023-2069.

Thanks js_noob for reporting this vulnerability through our HackerOne bug
bounty program.

The fix for this issue was to restrict imports to users with the Maintainer
role and above. That, however, also affected the usage of custom project
templates at both group and instance level, and Developers are no longer
able to create projects from custom templates. We are working on a fix that
will allow users with the Developer role to create projects from templates
again, and will release a patch with this fix to GitLab versions 15.11.1 and
15.10.5.

The GitLab web interface does not guarantee file integrity when downloading
source code or installation packages from a tag or from a release.

An issue has been discovered in GitLab CE/EE affecting all versions from 8.6
before 15.9.6, all versions starting from 15.10 before 15.10.5, all versions
starting from 15.11 before 15.11.1. File integrity may be compromised when
source code or installation packages are pulled from a tag or from a release
containing a ref to another commit. This is a medium severity issue
(CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N, 5.7). It is now mitigated in
the latest release and is assigned CVE-2023-1178.

Thanks st4nly0n for reporting this vulnerability through our HackerOne bug
bounty program.
Banned group member continues to have access to the public projects of a
public group with the access level as same as before the ban.

An issue has been discovered in GitLab EE affecting all versions starting
from 15.2 before 15.9.6, all versions starting from 15.10 before 15.10.5, all
versions starting from 15.11 before 15.11.1. A malicious group member may
continue to have access to the public projects of a public group even after
being banned from the public group by the owner. This is a medium severity
issue (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N, 4.9). It is now
mitigated in the latest release and is assigned CVE-2023-0805.

Thanks albatraoz for reporting this vulnerability through our HackerOne bug
bounty program.

The main branch of a repository with a specially designed name allows an
attacker to create repositories with malicious code.

An issue has been discovered in GitLab affecting all versions before 15.9.6,
all versions starting from 15.10 before 15.10.5, all versions starting from
15.11 before 15.11.1. The main branch of a repository with a specially
crafted name allows an attacker to create repositories with malicious code;
victims who clone or download these repositories will execute arbitrary code
on their systems. This is a medium severity issue
(CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N, 4.8). It is now mitigated in
the latest release and is assigned CVE-2023-0756.

Thanks st4nly0n for reporting this vulnerability through our HackerOne bug
bounty program.

XSS and content injection and iframe injection when viewing raw files on iOS
devices

A cross-site scripting issue has been discovered in GitLab affecting all
versions starting from 5.1 before 15.9.6, all versions starting from 15.10
before 15.10.5, all versions starting from 15.11 before 15.11.1. When viewing
an XML file in a repository in "raw" mode, it can be made to render as HTML
if viewed on an iOS device.
This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N,
4.4). It is now mitigated in the latest release and is assigned
CVE-2023-1836.

Thanks joaxcar for reporting this vulnerability through our HackerOne bug
bounty program.

Authenticated users can find other users by their private email

An issue has been discovered in GitLab affecting all versions before 15.9.6,
all versions starting from 15.10 before 15.10.5, all versions starting from
15.11 before 15.11.1. Under certain conditions, an attacker may be able to
map a private email of a GitLab user to their GitLab account on an instance.
This is a low severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N,
3.1). It is now mitigated in the latest release and is assigned
CVE-2022-4376.

Thanks shells3c for reporting this vulnerability through our HackerOne bug
bounty program.

Update Mattermost

Mattermost has been updated to versions 7.9.1 and 7.9.2 in order to mitigate
security issues.

Patch OpenSSL

A patch has been applied to mitigate CVE-2023-0464 in GitLab Omnibus.

Patch Grafana

A patch has been applied to mitigate CVE-2023-1410 in GitLab Omnibus.

Non-Security Patches

This security release also includes the following non-security patches.

15.11.1

  o 15.11: Fix Web IDE Beta icons not loading in Safari
  o Move approved filter behind mr_approved_filter feature flag
  o Fix search cron worker when indexing is disabled

15.10.5

  o Use proxied_site for geo proxied clone urls

Updating

To update GitLab, see the Update page. To update GitLab Runner, see the
Updating the Runner page.

Receive Security Release Notifications

To receive security release blog notifications delivered to your inbox,
visit our contact us page. To receive release notifications via RSS,
subscribe to our security release RSS feed or our RSS feed for all releases.
GitLab Security Release: 15.11.1, 15.10.5, and 15.9.6

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you
do not know who that is, please send an email to auscert@auscert.org.au and
we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no responsibility
for consequences which may arise from following or acting on information or
advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================