Jan 31, 2019 - Ethan Strike  

GitLab Security Release: 11.7.3, 11.6.8, 11.5.10

Today we are releasing versions 11.7.3, 11.6.8, and 11.5.10 for GitLab Community Edition (CE) and Enterprise Edition (EE).

These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.

These versions are the public releases following 11.7.0, 11.6.5, and 11.5.7. The intermediate versions were not made public for quality assurance reasons.

The vulnerability details will be made public on our issue tracker in approximately 30 days.

Please read on for more information regarding this release.

Remote Command Execution via GitLab Pages

GitLab Pages contained a directory traversal vulnerability that could lead to remote command execution. The issue is now mitigated in the latest release and is assigned CVE-2019-6783.

Thanks to @bink for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab CE 8.17 and later, and EE 8.3 and later.

Remediation

We strongly recommend that all installations running an affected version above be upgraded to the latest version as soon as possible.
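The advisory gives no details of the traversal, so the following is an added example of the general defence against this bug class, not GitLab Pages' code: a client-supplied path is resolved under a fixed document root and rejected if it escapes it through "..", an absolute path, or a symlink. The root path used in the usage section is constructed and need not exist.

```ruby
# Added example, not GitLab Pages' code. Resolves a client-supplied path under a
# fixed document root and refuses anything that escapes it.
def resolve_under_root(root, user_path)
  root = File.expand_path(root)
  # expand_path collapses "." and ".." segments; an absolute user_path ignores
  # root entirely, which is why the containment check below is still required.
  candidate = File.expand_path(user_path, root)

  # On a real filesystem, resolve symlinks too: a link inside the root may point
  # outside it. Non-existent paths are compared as computed.
  real_root = File.exist?(root) ? File.realpath(root) : root
  candidate = File.realpath(candidate) if File.exist?(candidate)

  # Compare with the separator appended so that "/srv/site2" is not accepted as
  # being inside "/srv/site" by a bare string-prefix match.
  inside = candidate == real_root || candidate.start_with?(real_root + File::SEPARATOR)
  inside ? candidate : nil
end

if $PROGRAM_NAME == __FILE__
  root = "/srv/pages/site"  # constructed root
  ["index.html", "a/../b/c.html", "../../etc/passwd", "/etc/passwd", "../site2/x"].each do |p|
    puts "#{p.ljust(18)} -> #{resolve_under_root(root, p).inspect}"
  end
end
```

Percent-decode the request path before calling this, and serve the returned absolute path rather than anything derived from the original input.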

Covert Redirect to Steal GitHub/Bitbucket Tokens

For installations using the GitHub or Bitbucket OAuth integrations, it was possible to use a covert redirect to obtain a user's OAuth token for those services. This release moves the OAuth callbacks to a common path, which mitigates the issue in the latest release. The issue is assigned CVE-2019-6788.

Thanks to @mishre and @yipman for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab CE/EE 8.4 and later.

Remediation

We strongly recommend that all installations running an affected version above be upgraded to the latest version as soon as possible.

Necessary Action: To fully protect against this issue, append /users/auth to the callback URL configured in your GitHub or Bitbucket OAuth application settings. Please see our pages on the GitHub and Bitbucket integrations for more information.
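To see why the registered callback path matters, here is an added example (not GitLab's code) that models the redirect_uri rule providers such as GitHub apply: a redirect_uri is accepted when it has the same scheme, host and port as the registered callback URL and its path is the registered path or a subdirectory of it. With the callback registered at the instance root, any page on the GitLab host that redirects to an attacker-chosen URL becomes a valid redirect_uri and the authorization code or token leaks with it; narrowing the registration to /users/auth closes that. All hostnames, paths and the open-redirect URL are constructed. The exact-match variant at the end is what the OAuth 2.0 Security Best Current Practice recommends authorization servers do.

```ruby
require "uri"

# Added example, not GitLab's code. Models the redirect_uri prefix rule used by
# OAuth providers such as GitHub. All hostnames and paths are constructed.
def redirect_uri_allowed?(registered, candidate)
  reg  = URI.parse(registered)
  cand = URI.parse(candidate)
  return false unless reg.scheme == cand.scheme && reg.host == cand.host && reg.port == cand.port

  reg_path  = reg.path.empty? ? "/" : reg.path
  reg_dir   = reg_path.end_with?("/") ? reg_path : reg_path + "/"
  cand_path = cand.path.empty? ? "/" : cand.path
  # Exact path, or any path below it.
  cand_path == reg_dir.chomp("/") || cand_path.start_with?(reg_dir)
end

# What an authorization server should do instead: exact string comparison,
# with no prefix or subdirectory matching at all.
def redirect_uri_exact?(registered, candidate)
  URI.parse(registered).normalize == URI.parse(candidate).normalize
end

# Constructed scenario: an attacker finds a page on the GitLab host that redirects
# to a URL of their choosing and passes it as redirect_uri.
GITLAB_HOST      = "https://gitlab.example.com"
OPEN_REDIRECT    = "#{GITLAB_HOST}/some/page?redirect_to=https://attacker.example/"
REAL_CALLBACK    = "#{GITLAB_HOST}/users/auth/github/callback"
ROOT_REGISTERED  = "#{GITLAB_HOST}/"           # callback registered at the root
FIXED_REGISTERED = "#{GITLAB_HOST}/users/auth" # after appending /users/auth

if $PROGRAM_NAME == __FILE__
  puts "root-registered  accepts open redirect: #{redirect_uri_allowed?(ROOT_REGISTERED, OPEN_REDIRECT)}"
  puts "fixed-registered accepts open redirect: #{redirect_uri_allowed?(FIXED_REGISTERED, OPEN_REDIRECT)}"
  puts "fixed-registered accepts real callback: #{redirect_uri_allowed?(FIXED_REGISTERED, REAL_CALLBACK)}"
end
```

The fix narrows the set of URLs the provider will redirect to; it does not remove the need to keep the instance free of open redirects, since any redirect under /users/auth would still qualify.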

Remote Mirror Branches Leaked by Git Transfer Refs

A Git protocol v2 (Gitv2) feature used to hide certain internal references did not function correctly and could reveal hidden refs, including those of remote mirror branches. This release disables Gitv2 in GitLab until the problem is resolved. No additional action is required, even if Gitv2 was manually configured.

Versions Affected

Affects GitLab CE/EE 11.4 and later.

Remediation

We strongly recommend that all installations running an affected version above be upgraded to the latest version as soon as possible.

Denial of Service with Markdown

It was found that inputting an overly long string into a Markdown field could cause a denial of service. The issue is now mitigated in the latest release and is assigned CVE-2019-6785.

Thanks to @8ayac for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab CE/EE 7.4 and later.

Remediation

We strongly recommend that all installations running an affected version above be upgraded to the latest version as soon as possible.

Guests Can View List of Group Merge Requests

Guest users were able to view the list of a group's merge requests. The issue is now mitigated in the latest release and is assigned CVE-2019-6790.

Thanks to @ashish_r_padelkar for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab CE/EE 8.14 and later.

Remediation

We strongly recommend that all installations running an affected version above be upgraded to the latest version as soon as possible.

Guest Can View Merge Request Titles via System Notes

System notes contained an access control issue that permitted a guest user to view merge request titles. The issue is now mitigated in the latest release and is assigned CVE-2019-6997.

Thanks to @xanbanx for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab CE/EE 10.7 and later.

Remediation

We strongly recommend that all installations running an affected version above be upgraded to the latest version as soon as possible.

Persistent XSS via KaTeX

Markdown fields contained a lack of input validation and output encoding when processing KaTeX that resulted in a persistent XSS. The issue is now mitigated in the latest release and is assigned CVE-2019-6784.

Thanks to @jouko for responsibly reporting this vulnerability to us.

Versions Affected

Affects all versions of GitLab CE/EE.

Remediation

We strongly recommend that all installations running an affected version above be upgraded to the latest version as soon as possible.

Emails Sent to Unauthorized Users

In some cases, users without project permissions received emails after a project move. For private projects, this would disclose the new project namespace to an unauthorized user. The issue is now mitigated in the latest release and is assigned CVE-2019-6789.

Versions Affected

Affects GitLab CE/EE 6.5 and later.

Remediation

We strongly recommend that all installations running an affected version above be upgraded to the latest version as soon as possible.

Malicious Link Injection via Profile Name

It was possible to use the profile name to inject a potentially malicious link into notification emails. The issue is now mitigated in the latest release and is assigned CVE-2019-6781.

Thanks to @corb3nik for responsibly reporting this vulnerability to us.

Versions Affected

Affects all versions of GitLab CE/EE.

Remediation

We strongly recommend that all installations running an affected version above be upgraded to the latest version as soon as possible.

Unauthorized Access to LFS Objects

The contents of an LFS object could be accessed by an unauthorized user, if the file size and OID were known. The issue is now mitigated in the latest release and is assigned CVE-2019-6786.

Thanks to Maxim Ivanov for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab CE/EE 8.16 and later.

Remediation

We strongly recommend that all installations running an affected version above be upgraded to the latest version as soon as possible.
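What makes the (OID, size) pair a poor access token is that LFS objects are content-addressed: the OID is the SHA-256 of the file, so identical files in different projects share one object, and anyone who has seen the file, or can guess its contents, knows its OID. The in-memory store below is an added example, not GitLab's implementation; LfsStore, its method names and the project and user names are constructed. It puts the weak check next to one that serves an object only through a project the caller can read and that actually links the object.

```ruby
require "digest"

# Added example, not GitLab's code: a constructed, in-memory model of a
# content-addressed LFS store shared across projects.
LfsObject = Struct.new(:oid, :size, :content)

class LfsStore
  def initialize
    @objects       = {}                             # oid => LfsObject
    @project_links = Hash.new { |h, k| h[k] = [] }  # project => [oid, ...]
    @members       = Hash.new { |h, k| h[k] = [] }  # project => [user, ...]
  end

  # OID is the SHA-256 of the content, so the same file uploaded to two
  # projects is stored once and linked from both.
  def upload(project, content)
    oid = Digest::SHA256.hexdigest(content)
    @objects[oid] ||= LfsObject.new(oid, content.bytesize, content)
    @project_links[project] << oid unless @project_links[project].include?(oid)
    oid
  end

  def grant(project, user)
    @members[project] << user
  end

  # Weak pattern: treats knowledge of (oid, size) as proof of entitlement.
  # Any caller who knows both values gets the bytes.
  def download_weak(oid, size)
    obj = @objects[oid]
    obj && obj.size == size ? obj.content : nil
  end

  # Hardened pattern: the caller must be a member of the project named in the
  # request, and that project must itself link the object. Knowing the OID of
  # an object in some other project earns nothing.
  def download(user, project, oid, size)
    return nil unless @members[project].include?(user)
    return nil unless @project_links[project].include?(oid)
    obj = @objects[oid]
    obj && obj.size == size ? obj.content : nil
  end
end
```

The second check (the project links the object) matters as much as the membership check: without it, a member of any project could fetch any object on the instance by naming a project they belong to.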

Trigger Token Exposure

The GitLab API contained an authorization issue that permitted project Maintainers and Owners to view the trigger tokens of other project users. The issue is now mitigated in the latest release and is assigned CVE-2019-6787.

Thanks to @ngalog for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab CE/EE 8.12 and later.

Remediation

We strongly recommend that all installations running an affected version above be upgraded to the latest version as soon as possible.

Upgrade Rails to 5.0.7.1 and 4.2.11

This release upgrades the version of Ruby on Rails included in GitLab to address CVE-2018-16476, an Active Job issue in which crafted input could be deserialized via GlobalID and give the caller access to information it should not have. GitLab versions 11.7 and 11.6 now use Rails 5.0.7.1, and GitLab 11.5 now uses Rails 4.2.11.

Versions Affected

Affects GitLab CE/EE 8.3 and later.

Remediation

We strongly recommend that all installations running an affected version above be upgraded to the latest version as soon as possible.

Contributed Project Information Visible in Private Profile

Due to an authorization issue the contributed project information of a private profile could be viewed. The issue is now mitigated in the latest release and is assigned CVE-2019-6782.

Thanks to @ngalog for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab CE/EE 11.3 and later.

Remediation

We strongly recommend that all installations running an affected version above be upgraded to the latest version as soon as possible.

Imported Project Retains Prior Visibility Setting

When a project with visibility more permissive than the target group was imported, it would retain its prior visibility. This release will now change the visibility of the project to the visibility of the group. The issue is now mitigated in the latest release and is assigned CVE-2019-6791.

Versions Affected

Affects GitLab CE/EE 8.9 and later.

Remediation

We strongly recommend that all installations running an affected version above be upgraded to the latest version as soon as possible.

Error disclosure on Project Import

When an error was encountered on project import, the error message would display instance internal information. The issue is now mitigated in the latest release and is assigned CVE-2019-6792.

Thanks to @nyangawa for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab CE/EE 8.9 and later.

Remediation

We strongly recommend that all installations running an affected version above be upgraded to the latest version as soon as possible.

Persistent XSS in User Status

The user status field contained a lack of input validation and output encoding that resulted in a persistent XSS. The issue is now mitigated in the latest release and is assigned CVE-2019-6796.

Thanks to @ashish_r_padelkar for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab CE/EE 11.6 and later.

Remediation

We strongly recommend that all installations running an affected version above be upgraded to the latest version as soon as possible.

Last Commit Status Leaked to Guest Users

A project guest user could view the last commit status of the default branch. The issue is now mitigated in the latest release and is assigned CVE-2019-6794.

Thanks to @xanbanx for responsibly reporting this vulnerability to us.

Versions Affected

Affects all versions of GitLab CE/EE.

Remediation

We strongly recommend that all installations running an affected version above be upgraded to the latest version as soon as possible.

Mitigations for IDN Homograph and RTLO Attacks

IDN homographs and RTLO (right-to-left override) characters were rendered as Unicode, so a link could be made to look as if it pointed somewhere other than its real destination, which could be used for social engineering. The issue is now mitigated in the latest release and is assigned CVE-2019-6795.

Thanks to @edoverflow for responsibly reporting this vulnerability to us.

Versions Affected

Affects all versions of GitLab CE/EE.

Remediation

We strongly recommend that all installations running an affected version above be upgraded to the latest version as soon as possible.
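As an added example (not GitLab's implementation), the heuristics below flag the two tricks named above in a rendered link: Unicode bidirectional control characters such as U+202E RIGHT-TO-LEFT OVERRIDE in the link text or href, and hostnames that contain non-ASCII characters or mix scripts (for instance Cyrillic letters among Latin ones). The sample links are constructed; link_host is a simple authority extractor that ignores IPv6 literals, and safe_display shows one way to render such strings unambiguously by escaping everything outside printable ASCII.

```ruby
# Added example, not GitLab's code. Constructed heuristics for spotting
# homograph and bidi-override tricks in links.

# Bidirectional control characters that can visually reorder text. U+202E
# (RIGHT-TO-LEFT OVERRIDE) is the one most often abused, e.g. "report\u202Efdp.exe"
# displays as "reportexe.pdf".
BIDI_CONTROLS = /[\u061C\u200E\u200F\u202A-\u202E\u2066-\u2069]/

# Extracts the host from an absolute URL without URI.parse, which rejects
# non-ASCII hosts. Assumption: no IPv6 literal in the authority.
def link_host(href)
  authority = href[%r{\A[a-z][a-z0-9+.-]*://([^/?#]+)}i, 1] or return ""
  authority.split("@").last.sub(/:\d+\z/, "")
end

# Returns the findings for a link's display text and href.
def suspicious_link_findings(text, href)
  findings = []
  findings << :bidi_control_in_text if text.match?(BIDI_CONTROLS)
  findings << :bidi_control_in_href if href.match?(BIDI_CONTROLS)

  host = link_host(href)
  findings << :non_ascii_host if host.match?(/[^\x00-\x7F]/)
  # A hostname drawing letters from more than one script is the homograph pattern.
  scripts = %w[Latin Cyrillic Greek].select { |s| host.match?(/\p{#{s}}/) }
  findings << :mixed_script_host if scripts.size > 1
  findings
end

# Render a string so that nothing outside printable ASCII can masquerade as
# something else: each such character becomes its \u{XXXX} escape.
def safe_display(str)
  str.gsub(/[^\x20-\x7E]/) { |c| format("\\u{%04X}", c.ord) }
end

if $PROGRAM_NAME == __FILE__
  # Constructed: "apple" with Cyrillic а and р.
  homograph = "https://\u0430\u0440\u0440le.example/login"
  p suspicious_link_findings("apple", homograph)
  p suspicious_link_findings("report\u202Efdp.exe", "https://files.example/x")
  puts safe_display(homograph)
end
```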

Access to Internal Wiki When External Wiki Enabled

Access to the internal wiki was permitted when an external wiki service was enabled. With this release, each type of wiki will be managed and displayed separately in the UI. The issue is now mitigated in the latest release and is assigned CVE-2019-6960.

Thanks to @xanbanx for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab CE/EE 9.3 and later.

Remediation

We strongly recommend that all installations running an affected version above be upgraded to the latest version as soon as possible.

User Can Comment on Locked Project Issues

Users were able to comment on locked project issues. The issue is now mitigated in the latest release and is assigned CVE-2019-6995.

Thanks to @flashdisk and @ngalog for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab CE/EE 8.6 and later.

Remediation

We strongly recommend that all installations running an affected version above be upgraded to the latest version as soon as possible.

Unauthorized Reaction Emojis by Guest Users

Guest users were able to add reaction emojis on comments to which they had no visibility. The issue is now mitigated in the latest release and is assigned CVE-2019-7176.

Thanks to @ashish_r_padelkar for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab CE/EE 8.9 and later.

Remediation

We strongly recommend that all installations running an affected version above be upgraded to the latest version as soon as possible.

User Retains Project Role After Removal from Private Group

A user would retain their role within a project in a private group after being removed from the group, if their privileges within the project were different from the group. The issue is now mitigated in the latest release and is assigned CVE-2019-7155.

Thanks to @rpadovani for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab CE/EE 9.0 and later.

Remediation

We strongly recommend that all installations running an affected version above be upgraded to the latest version as soon as possible.

GitHub Token Leaked to Maintainers

The GitHub token used in CI/CD for External Repos was being leaked to project maintainers in the UI. The issue is now mitigated in the latest release and is assigned CVE-2019-6797.

Thanks to @ngalog for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab EE 10.6 and later.

Remediation

We strongly recommend that all installations running an affected version above be upgraded to the latest version as soon as possible.

Unauthenticated Blind SSRF in Jira Integration

The Jira integration feature was vulnerable to an unauthenticated blind SSRF issue. The issue is now mitigated in the latest release and is assigned CVE-2019-6793.

Thanks to @jobert for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab EE 10.0 and later.

Remediation

We strongly recommend that all installations running an affected version above be upgraded to the latest version as soon as possible.

Unauthorized Access to Group Membership

The merge request approvers section had an access control issue that permitted project maintainers to view membership of private groups. The issue is now mitigated in the latest release and is assigned CVE-2019-6996.

Thanks to @ngalog for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab EE 10.6 and later.

Remediation

We strongly recommend that all installations running an affected version above be upgraded to the latest version as soon as possible.

Validate SAML Response in Group SAML SSO

In preparation for enhanced group SAML SSO support in GitLab.com, additional validations were added to the group SAML implementation to validate that an SSO request was initiated from GitLab.com. This will ensure that a malicious user is unable to trick users into linking their account to a malicious IdP.

Versions Affected

Affects GitLab EE 10.8 and later.

Remediation

This enhancement currently applies only to GitLab.com.
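One way to implement the check described above, as an added example that is not GitLab's code: the service provider remembers the ID of every AuthnRequest it issued, and accepts a SAMLResponse only if its InResponseTo attribute names one of them, consuming the ID so the same response cannot be replayed. An unsolicited (IdP-initiated) response carries no InResponseTo and is rejected, so only logins that started at the SP can result in an account being linked. The IssuedRequests store, the sample_response builder and the group names are constructed; verification of the response signature is assumed to happen separately and is omitted here.

```ruby
require "rexml/document"
require "securerandom"

# Added example, not GitLab's code. Constructed stand-in for the session-backed
# store a real SP would use to remember the AuthnRequests it has issued.
class IssuedRequests
  def initialize
    @pending = {} # request ID => group the login was started for
  end

  def issue(group)
    id = "_" + SecureRandom.hex(16)
    @pending[id] = group
    id
  end

  # Single use: an ID is removed the first time it is presented.
  def consume(id)
    @pending.delete(id)
  end
end

SAML_NS = { "saml" => "urn:oasis:names:tc:SAML:2.0:assertion" }.freeze

# Checks that the response answers a request this SP actually issued for the
# expected group. Signature verification is out of scope here.
def authenticate_response(saml_xml, issued, expected_group)
  doc  = REXML::Document.new(saml_xml)
  resp = doc.root
  return [:reject, :not_a_response] unless resp && resp.name == "Response"

  in_response_to = resp.attributes["InResponseTo"]
  return [:reject, :unsolicited] if in_response_to.nil? || in_response_to.empty?

  group = issued.consume(in_response_to)
  return [:reject, :unknown_request_id] if group.nil?
  return [:reject, :group_mismatch] unless group == expected_group

  name_id = REXML::XPath.first(doc, "//saml:NameID", SAML_NS)
  [:accept, name_id ? name_id.text : nil]
end

# Constructed minimal SAMLResponse; pass nil to omit InResponseTo.
def sample_response(in_response_to, name_id = "alice@example.com")
  attr = in_response_to ? %( InResponseTo="#{in_response_to}") : ""
  <<~XML
    <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                    ID="_r1" Version="2.0"#{attr}>
      <saml:Assertion ID="_a1" Version="2.0">
        <saml:Subject><saml:NameID>#{name_id}</saml:NameID></saml:Subject>
      </saml:Assertion>
    </samlp:Response>
  XML
end

if $PROGRAM_NAME == __FILE__
  issued = IssuedRequests.new
  id = issued.issue("acme-group")
  p authenticate_response(sample_response(id), issued, "acme-group")   # accepted
  p authenticate_response(sample_response(id), issued, "acme-group")   # replay rejected
  p authenticate_response(sample_response(nil), issued, "acme-group")  # unsolicited rejected
end
```

Binding the request ID to the group it was issued for is what stops a response obtained for one group's IdP from being presented to link an account under another.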

Updated: 2019-02-07

Pipelines section is available to unauthorized users

The GitLab pipelines feature was vulnerable to authorization issues that allowed unauthorized users to view job information. The issue is now mitigated in the latest release and is assigned CVE-2019-7549.

Thanks to Sullivan Senechal, @xanbanx, and @ashish_r_padelkar for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab CE/EE 10.1 and later.

Remediation

We strongly recommend that all installations running an affected version above be upgraded to the latest version as soon as possible.

Updating

To update, check out our update page.
