May 29, 2018 - James Ritchey  

GitLab Security Release: 10.8.2, 10.7.5, and 10.6.6

Today we are releasing versions 10.8.2, 10.7.5, and 10.6.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).

These versions contain a number of important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.

The vulnerability details will be made public on our issue tracker in approximately 30 days.

Please read on for more information regarding this release.

Git updates

We've included updated Git security versions 2.16.4 and 2.14.4 in this latest release for 10.8.2, 10.7.5, and 10.6.6.

For more information, see Git release notes

Removing public deploy keys regression

The delete deploy key operation contained a security issue which could allow an attacker to delete shared deploy keys. The issue is now resolved in the latest release.

Thanks to Christian Seelheim for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab CE/EE 10.1.6 and up.

Remediation

We strongly recommend that all installations running an affected version above to be upgraded to the latest version as soon as possible.

Users can update their password without entering current password

The settings page contained an unverified password change weakness which could've been used to reset a user's password without knowing the user's current password. This only worked if either the attacker had hijacked a victim's session or had access to a victim's email address to intercept a password reset token.

Thanks to Jobert via HackerOne for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab CE/EE 1.0 and up.

Remediation

We strongly recommend that all installations running an affected version above to be upgraded to the latest version as soon as possible.

Persistent XSS - Selecting users as allowed merge request approvers

The merge request approvers dropdown in GitLab EE contained a persistent xss issue which is now resolved in the latest release.

Thanks to phillycheeze for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab EE 9.1 and up.

Remediation

We strongly recommend that all installations running an affected version above to be upgraded to the latest version as soon as possible.

Persistent XSS - Multiple locations of user selection drop downs

The user select drop down contained a persistent xss issue in GitLab EE which is now resolved in the latest release.

Thanks to phillycheeze for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab EE 9.1 and up.

Remediation

We strongly recommend that all installations running an affected version above to be upgraded to the latest version as soon as possible.

include directive in .gitlab-ci.yml allows SSRF requests

Arbitrary GET request could be performed against internal resources due to include directive in .gitlab-ci.yml. Data exfiltration potential is limited to resources that respond with a YAML file following certain constraints. This issue is now resolved in the latest release.

Versions Affected

Affects GitLab EE 10.5 and up.

Remediation

We strongly recommend that all installations running an affected version above to be upgraded to the latest version as soon as possible.

Permissions issue in Merge Requests Create Service

Users which were not project members could create merge requests via a fork for internal projects. This issue is now resolved in the latest release.

Versions Affected

Affects GitLab CE/EE 10.6.

Remediation

We strongly recommend that all installations running an affected version above to be upgraded to the latest version as soon as possible.

Arbitrary assignment of project fields using "Import project"

Any project model database column can be controlled on import by fields in the project.json of an exported project. This issue is now resolved in the latest release.

Thanks to Jobert via HackerOne for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab CE/EE 10.4 and up.

Remediation

We strongly recommend that all installations running an affected version above to be upgraded to the latest version as soon as possible.

Updating

To update, check out our update page.

Install GitLab in 2 minutes

With Ubuntu, Debian, CentOS, openSUSE, and Raspbian packages or from source

Install GitLab Now

Try GitLab Enterprise Edition risk-free for 30 days.

No credit card required. Have questions? Contact us.