-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2023.2463
           GitLab Security Release: 15.11.1, 15.10.5, and 15.9.6
                                3 May 2023

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           GitLab Community Edition (CE)
                   GitLab Enterprise Edition (EE)
Publisher:         GitLab
Operating System:  Windows
                   Linux variants
Resolution:        Patch/Upgrade
CVE Names:         CVE-2023-2182 CVE-2023-2069 CVE-2023-1965
                   CVE-2023-1836 CVE-2023-1621 CVE-2023-1410
                   CVE-2023-1178 CVE-2023-0805 CVE-2023-0756
                   CVE-2023-0464 CVE-2022-4376 

Original Bulletin: 
   https://about.gitlab.com/releases/2023/05/02/security-release-gitlab-15-11-1-released/

Comment: CVSS (Max):  7.5* CVE-2023-0464 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
         CVSS Source: NVD
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
         * Not all CVSS available when published

- --------------------------BEGIN INCLUDED TEXT--------------------

GitLab Security Release: 15.11.1, 15.10.5, and 15.9.6

Today we are releasing versions 15.11.1, 15.10.5, and 15.9.6 for GitLab
Community Edition (CE) and Enterprise Edition (EE).

These versions contain important security fixes, and we strongly recommend that
all GitLab installations be upgraded to one of these versions immediately.
GitLab.com is already running the patched version.

GitLab releases patches for vulnerabilities in dedicated security releases.
There are two types of security releases: a monthly, scheduled security
release, released a week after the feature release (which deploys on the 22nd
of each month), and ad-hoc security releases for critical vulnerabilities. For
more information, you can visit our security FAQ. You can see all of our
regular and security release blog posts here. In addition, the issues detailing
each vulnerability are made public on our issue tracker 30 days after the
release in which they were patched.

We are dedicated to ensuring all aspects of GitLab that are exposed to
customers or that host customer data are held to the highest security
standards. As part of maintaining good security hygiene, it is highly
recommended that all customers upgrade to the latest security release for their
supported version. You can read more best practices in securing your GitLab
instance in our blog post.

Recommended Action

We strongly recommend that all installations running a version affected by the
issues described below are upgraded to the latest version as soon as possible.

When no specific deployment type (omnibus, source code, helm chart, etc.) of a
product is mentioned, this means all types are affected.

Table of Fixes

                                Title                                  Severity
Privilege escalation for external users when OIDC is enabled under     medium
certain conditions
Account takeover through open redirect for Group SAML accounts         medium
Users on banned IP addresses can still commit to projects              medium
User with developer role (group) can modify Protected branches setting medium
on imported project and leak group CI/CD variables
The GitLab web interface does not guarantee file integrity when        medium
downloading source code or installation packages from a tag or from a
release.
Banned group member continues to have access to the public projects of medium
a public group with the access level as same as before the ban.
The main branch of a repository with a specially designed name allows  medium
an attacker to create repositories with malicious code.
XSS and content injection and iframe injection when viewing raw files  medium
on iOS devices
Authenticated users can find other users by their private email        low

Privilege escalation for external users when OIDC is enabled under certain
conditions

An issue has been discovered in GitLab EE affecting all versions starting from
15.10 before 15.10.5, all versions starting from 15.11 before 15.11.1. Under
certain conditions when OpenID Connect is enabled on an instance, it may allow
users who are marked as 'external' to become 'regular' users thus leading to
privilege escalation for those users. This is a medium severity issue (CVSS:3.1
/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N, 6.8). It is now mitigated in the latest
release and is assigned CVE-2023-2182.

This vulnerability was reported to us by a customer.

Account takeover through open redirect for Group SAML accounts

An issue has been discovered in GitLab EE affecting all versions starting from
14.2 before 15.9.6, all versions starting from 15.10 before 15.10.5, all
versions starting from 15.11 before 15.11.1. Lack of verification on RelayState
parameter allowed a maliciously crafted URL to obtain access tokens granted for
3rd party Group SAML SSO logins. This feature isn't enabled by default. This is
a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N, 6.8). It
is now mitigated in the latest release and is assigned CVE-2023-1965.

If you are seeing an unexpected redirect after signing in through SAML, ensure
the RelayState setting on the identity provider side is set to a valid URL on
your own GitLab instance.

Thanks bull for reporting this vulnerability through our HackerOne bug bounty
program.
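The RelayState problem above is a classic open-redirect shape: the service provider echoes an attacker-chosen value as the post-login destination. The following is an added example, not GitLab's code, showing how a service provider can constrain RelayState to its own origin before redirecting. The instance URL and class name are assumptions.

```ruby
# Added example, not GitLab's code: validate a SAML RelayState before using it
# as a post-login redirect. Only paths on this instance's own origin are
# accepted; anything else falls back to "/". The origin is an assumption.
require "uri"

class RelayStateValidator
  DEFAULT_ORIGIN = "https://gitlab.example.com" # hypothetical instance URL
  FALLBACK_PATH = "/"

  def initialize(origin = DEFAULT_ORIGIN)
    @origin = URI.parse(origin)
  end

  # Returns a redirect target that is safe to use after sign-in.
  def safe_redirect(relay_state)
    return FALLBACK_PATH if relay_state.nil? || relay_state.strip.empty?
    return FALLBACK_PATH if relay_state.length > 2048
    # CR/LF and other control characters: header injection, not a URL.
    return FALLBACK_PATH if relay_state.match?(/[\x00-\x1f\x7f]/)
    # Protocol-relative ("//evil") and backslash forms some browsers treat as "//".
    return FALLBACK_PATH if relay_state.start_with?("//", "/\\", "\\")

    uri = begin
      URI.parse(relay_state)
    rescue URI::InvalidURIError
      return FALLBACK_PATH
    end

    if uri.scheme.nil?
      # Relative reference: must be an absolute path on this origin, no host part.
      return FALLBACK_PATH if uri.host || !uri.path.start_with?("/")
      return uri.to_s
    end

    # Absolute URL (this branch also catches "javascript:..." because a scheme is
    # present and the host is nil): accept only an exact scheme/host/port match
    # with our own origin, then reduce it to a path so the redirect stays local.
    same_origin = uri.scheme == @origin.scheme &&
                  uri.host.to_s.downcase == @origin.host.downcase &&
                  uri.port == @origin.port
    return FALLBACK_PATH unless same_origin

    path = uri.path.empty? ? "/" : uri.path
    uri.query ? "#{path}?#{uri.query}" : path
  end
end
```

The check deliberately compares scheme, host and port exactly rather than using a prefix match, because `https://gitlab.example.com.evil.example/` and `https://gitlab.example.com@evil.example/` both start with the legitimate hostname.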

Users on banned IP addresses can still commit to projects

An issue has been discovered in GitLab EE affecting all versions starting from
12.0 before 15.10.5, all versions starting from 15.11 before 15.11.1. A
malicious group member may continue to commit to projects even from a
restricted IP address. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L
/UI:N/S:U/C:N/I:H/A:N, 6.5). It is now mitigated in the latest release and is
assigned CVE-2023-1621.
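The lesson from this issue is that an IP restriction is only as good as its weakest enforcement point: a check applied to the web UI but not to the git push path is a bypass waiting to happen. The following is an added example, not GitLab's code, of one allowlist policy object that every entry point (web, API, git over HTTP/SSH) can call, including the proxy-aware client address resolution that such checks usually get wrong. All network ranges and class names are constructed for illustration.

```ruby
# Added example, not GitLab's code: a single IP allowlist policy that is meant
# to be called from every access path. Ranges below are constructed samples.
require "ipaddr"

class IpRestriction
  def initialize(allowed_cidrs, trusted_proxies: [])
    @allowed = allowed_cidrs.map { |c| IPAddr.new(c) }
    @trusted_proxies = trusted_proxies.map { |c| IPAddr.new(c) }
  end

  # Parse an address, folding IPv4-mapped IPv6 (::ffff:a.b.c.d) back to IPv4 so
  # it is compared against IPv4 ranges rather than silently failing to match.
  def parse(str)
    addr = IPAddr.new(str.strip)
    addr.ipv4_mapped? ? addr.native : addr
  rescue IPAddr::Error, ArgumentError
    nil
  end

  def trusted_proxy?(addr)
    @trusted_proxies.any? { |net| net.include?(addr) }
  end

  # Resolve the real client address. X-Forwarded-For is honoured only when the
  # direct peer is a trusted proxy; otherwise any client could claim an allowed
  # IP by sending the header itself. The chain is walked from the right and the
  # first hop that is not one of our proxies is the client.
  def client_ip(remote_addr, x_forwarded_for = nil)
    peer = parse(remote_addr)
    return nil unless peer
    return peer unless x_forwarded_for && trusted_proxy?(peer)

    x_forwarded_for.split(",").reverse_each do |hop|
      addr = parse(hop)
      next unless addr
      return addr unless trusted_proxy?(addr)
    end
    peer
  end

  # The one decision every endpoint must route through.
  def allowed?(remote_addr, x_forwarded_for = nil)
    ip = client_ip(remote_addr, x_forwarded_for)
    return false unless ip
    @allowed.any? { |net| net.include?(ip) }
  end
end
```

When wiring this in, the git-over-SSH path typically has no HTTP headers at all, so it passes only the peer address; the important property is that it still calls the same `allowed?` rather than a separate, forgotten check.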

User with developer role (group) can modify Protected branches setting on
imported project and leak group CI/CD variables

An issue has been discovered in GitLab affecting all versions starting from
10.0 before 15.9.6, all versions starting from 15.10 before 15.10.5, all
versions starting from 15.11 before 15.11.1. A user with the role of developer
could use the import project feature to leak CI/CD variables. This is a medium
severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N, 6.4). It is now
mitigated in the latest release and is assigned CVE-2023-2069.

Thanks js_noob for reporting this vulnerability through our HackerOne bug
bounty program.

The fix for this issue was to restrict imports to users with the Maintainer
role and above. That, however, also affected the use of custom project
templates at group and instance level: Developers are no longer able to create
projects from custom templates. We are working on a fix that will allow users
with the Developer role to create projects from templates again, and will
release a patch with this fix for GitLab versions 15.11.1 and 15.10.5.

The GitLab web interface does not guarantee file integrity when downloading
source code or installation packages from a tag or from a release.

An issue has been discovered in GitLab CE/EE affecting all versions from 8.6
before 15.9.6, all versions starting from 15.10 before 15.10.5, all versions
starting from 15.11 before 15.11.1. File integrity may be compromised when
source code or installation packages are pulled from a tag or from a release
containing a ref to another commit. This is a medium severity issue (CVSS:3.1/
AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N, 5.7). It is now mitigated in the latest
release and is assigned CVE-2023-1178.

Thanks st4nly0n for reporting this vulnerability through our HackerOne bug
bounty program.

Banned group member continues to have access to the public projects of a public
group with the access level as same as before the ban.

An issue has been discovered in GitLab EE affecting all versions starting from
15.2 before 15.9.6, all versions starting from 15.10 before 15.10.5, all
versions starting from 15.11 before 15.11.1. A malicious group member may
continue to have access to the public projects of a public group even after
being banned from the public group by the owner. This is a medium severity
issue (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N, 4.9). It is now mitigated
in the latest release and is assigned CVE-2023-0805.

Thanks albatraoz for reporting this vulnerability through our HackerOne bug
bounty program.

The main branch of a repository with a specially designed name allows an
attacker to create repositories with malicious code.

An issue has been discovered in GitLab affecting all versions before 15.9.6,
all versions starting from 15.10 before 15.10.5, all versions starting from
15.11 before 15.11.1. The main branch of a repository with a specially crafted
name allows an attacker to create repositories with malicious code; victims who
clone or download these repositories will execute arbitrary code on their
systems. This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/
I:H/A:N, 4.8). It is now mitigated in the latest release and is assigned
CVE-2023-0756.

Thanks st4nly0n for reporting this vulnerability through our HackerOne bug
bounty program.
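The advisory does not publish the crafted name, so the specific trigger is not reproduced here. What a practitioner can do regardless is refuse ref names that git's own `check-ref-format --branch` rules reject, and in particular names that begin with a dash, since a user-controlled ref that reaches a command line as `-something` is read as an option by git and by many wrapper tools. The following is an added example, not GitLab's code; the rules are the documented git ref-name rules, and the assumption that a leading dash is the relevant hazard is a general hardening point rather than a statement about this CVE.

```ruby
# Added example, not GitLab's code: validate branch/ref names supplied by users
# before they are stored or passed to git. Mirrors the documented rules of
# `git check-ref-format --branch` plus an explicit "no leading dash" rule.
module RefNameCheck
  FORBIDDEN_CHARS = /[\x00-\x20\x7f~^:?*\[\\]/ # control chars, space, DEL, ~ ^ : ? * [ \

  def self.valid_branch_name?(name)
    return false if name.nil? || name.empty?
    return false if name.start_with?("-")            # could be parsed as a command-line option
    return false if name == "@"
    return false if name.include?("..") || name.include?("@{")
    return false if name.start_with?("/") || name.end_with?("/") || name.include?("//")
    return false if name.end_with?(".")
    return false if name.match?(FORBIDDEN_CHARS)

    name.split("/", -1).all? do |component|
      !component.empty? && !component.start_with?(".") && !component.end_with?(".lock")
    end
  end

  # Always hand git a fully qualified ref: "refs/heads/<name>" can never be
  # mistaken for an option, even if validation is bypassed somewhere upstream.
  def self.qualified_ref(name)
    raise ArgumentError, "invalid ref name: #{name.inspect}" unless valid_branch_name?(name)
    "refs/heads/#{name}"
  end

  # Build an argv (no shell) for fetching one branch; the "--" terminates option
  # parsing so nothing after it is interpreted as a flag.
  def self.fetch_argv(remote_url, name)
    ref = qualified_ref(name)
    ["git", "fetch", "--", remote_url, "#{ref}:#{ref}"]
  end
end
```

On the consuming side the same discipline applies: build argv arrays rather than shell strings, put `--` before any user-derived argument, and prefer `--flag=value` over `--flag value` when a value must be passed.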

XSS and content injection and iframe injection when viewing raw files on iOS
devices

A cross-site scripting issue has been discovered in GitLab affecting all
versions starting from 5.1 before 15.9.6, all versions starting from 15.10
before 15.10.5, all versions starting from 15.11 before 15.11.1. When viewing
an XML file in a repository in "raw" mode, it can be made to render as HTML if
viewed on an iOS device. This is a medium severity issue (CVSS:3.1/AV:N/AC:H/
PR:L/UI:R/S:C/C:L/I:L/A:N, 4.4). It is now mitigated in the latest release and
is assigned CVE-2023-1836.

Thanks joaxcar for reporting this vulnerability through our HackerOne bug
bounty program.
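The root cause of this class of bug is a "raw" endpoint that lets the client decide whether user-supplied bytes are markup. The following is an added example, not GitLab's code, showing a Rack-style raw-file response in its vulnerable shape next to a hardened one. The sample XML is constructed; the header set is the standard defence (fixed text/plain type, `nosniff`, attachment disposition, CSP sandbox) and is an assumption about how one would fix such an endpoint, not a description of GitLab's actual patch.

```ruby
# Added example, not GitLab's code: raw-file responses before and after
# hardening, in the [status, headers, body] shape Rack uses. No gems needed.
module RawFileResponse
  # Constructed sample: XML that a client would execute if it rendered it as HTML.
  SAMPLE_XML = <<~XML
    <?xml version="1.0"?>
    <html xmlns="http://www.w3.org/1999/xhtml"><body><script>alert(document.domain)</script></body></html>
  XML

  # Vulnerable shape: content type derived from the file extension, sniffing
  # allowed, rendered inline on the application's own origin.
  def self.vulnerable(filename, body)
    type = filename.end_with?(".xml") ? "application/xml" : "text/plain"
    [200, { "Content-Type" => type }, [body]]
  end

  # Hardened shape: every raw file is text/plain, clients may not sniff, the
  # file is delivered as a download with a sanitised name, and a CSP sandbox
  # blocks script execution even on a client that still decides to render it.
  def self.hardened(filename, body)
    safe_name = File.basename(filename).gsub(/[^\w.\-]/, "_")
    headers = {
      "Content-Type" => "text/plain; charset=utf-8",
      "X-Content-Type-Options" => "nosniff",
      "Content-Disposition" => "attachment; filename=\"#{safe_name}\"",
      "Content-Security-Policy" => "default-src 'none'; sandbox",
      "Cache-Control" => "private, no-store",
    }
    [200, headers, [body]]
  end

  # True only when the response cannot reasonably be treated as markup by a
  # browser: plain text, no sniffing, and not rendered inline.
  def self.markup_safe?(headers)
    headers["Content-Type"].to_s.downcase.start_with?("text/plain") &&
      headers["X-Content-Type-Options"] == "nosniff" &&
      headers["Content-Disposition"].to_s.start_with?("attachment")
  end
end
```

If a product needs raw files viewable inline, the stronger design is to serve them from a separate, cookie-less origin so that even a rendered file cannot reach the application's session; the header set above is the minimum for an endpoint that stays on the main origin.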

Authenticated users can find other users by their private email

An issue has been discovered in GitLab affecting all versions before 15.9.6,
all versions starting from 15.10 before 15.10.5, all versions starting from
15.11 before 15.11.1. Under certain conditions, an attacker may be able to map
a private email of a GitLab user to their GitLab account on an instance. This
is a low severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N, 3.1). It
is now mitigated in the latest release and is assigned CVE-2022-4376.

Thanks shells3c for reporting this vulnerability through our HackerOne bug
bounty program.

Update Mattermost

Mattermost has been updated to versions 7.9.1 and 7.9.2 in order to mitigate
security issues.

Patch OpenSSL

A patch has been applied to mitigate CVE-2023-0464 in GitLab Omnibus.

Patch Grafana

A patch has been applied to mitigate CVE-2023-1410 in GitLab Omnibus.

Non Security Patches

This security release also includes the following non-security patches.

15.11.1

  o 15.11: Fix Web IDE Beta icons not loading in Safari
  o Move approved filter behind mr_approved_filter feature flag
  o Fix search cron worker when indexing is disabled

15.10.5

  o Use proxied_site for geo proxied clone urls

Updating

To update GitLab, see the Update page. To update GitLab Runner, see the
Updating the Runner page.

Receive Security Release Notifications

To receive security release blog notifications delivered to your inbox, 
visit our contact us page. To receive release notifications via RSS, subscribe 
to our security release RSS feed or our RSS feed for all releases.

GitLab Security Release: 15.11.1, 15.10.5, and 15.9.6

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
-----END PGP SIGNATURE-----