Jul 29, 2019 - Jeremy Matos  

GitLab Security Release: 12.1.2, 12.0.4, and 11.11.7

Today we are releasing versions 12.1.2, 12.0.4, and 11.11.7 for GitLab Community Edition (CE) and Enterprise Edition (EE).

These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.

The vulnerability details will be made public on our issue tracker in approximately 30 days.

Please read on for more information regarding this release.

GitHub Integration SSRF

An input validation problem was discovered in the GitHub service integration which could result in an attacker being able to make arbitrary POST requests in a GitLab instance's internal network. The issue is now mitigated in the latest release and is assigned CVE-2019-5461.

Thanks to @jobert for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab CE/EE 10.6 and later.

Remediation

We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.

Trigger Token Impersonation

An authorization issue was discovered when trigger tokens are not rotated once ownership of them has changed. The issue is now mitigated in the latest release and is assigned CVE-2019-5462.

Thanks to @ashish_r_padelkar for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab CE/EE 9.0 and later.

Remediation

We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.

Build Status Disclosure

An authorization issue was discovered in the CI badge images endpoint which could result in disclosure of the build status. The issue is now mitigated in the latest release and is assigned CVE-2019-5463.

Thanks to @xanbanx for responsibly reporting this vulnerability to us.

Versions Affected

Affects all previous GitLab CE/EE versions.

Remediation

We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.

SSRF Mitigation Bypass

A flawed DNS rebinding protection issue was discovered in url_blocker.rb which could result in SSRF where the library is utilized. The issue is now mitigated in the latest release and is assigned CVE-2019-5464.

Thanks to @mclaren650sspider for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab CE/EE 10.2 and later.

Remediation

We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.

Information Disclosure New Issue ID

An authorization issue was discovered in the move issue feature which could result in disclosure of the newly created issue ID. The issue is now mitigated in the latest release and is assigned CVE-2019-5465.

Thanks to @ashish_r_padelkar for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab CE/EE 8.14 and later.

Remediation

We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.

IDOR Label Name Enumeration

An IDOR was discovered in the new merge requests endpoint which could result in disclosure of label names. The issue is now mitigated in the latest release and is assigned CVE-2019-5466.

Thanks to @ashish_r_padelkar for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab CE/EE 11.5 and later.

Remediation

We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.

Persistent XSS Wiki Pages

An input validation and output encoding issue was discovered in the wiki pages feature which could result in a persistent XSS. The issue is now mitigated in the latest release and is assigned CVE-2019-5467.

Thanks to @ryhmnlfj for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab CE/EE 11.10 and later.

Remediation

We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.

User Revokation Bypass with Mattermost Integration

An authorization issue was discovered when Mattermost slash commands are used with a blocked account. The issue is now mitigated in the latest release and is assigned CVE-2019-5468.

Thanks to @logan5 for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab CE/EE 8.14 command service and later.

Remediation

We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.

Arbitrary File Upload via Import Project Archive

A file upload issue was discovered when importing a project archive. The issue is now mitigated in the latest release and is assigned CVE-2019-5469.

Thanks to @ajxchapman for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab CE/EE 10.5 and later.

Remediation

We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.

Information Disclosure Vulnerability Feedback

An authorization issue was discovered in the security dashboard which could result in disclosure of vulnerability feedback information. The issue is now mitigated in the latest release and is assigned CVE-2019-5470.

Thanks to @ashish_r_padelkar for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab CE/EE 10.8 and later.

Remediation

We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.

Persistent XSS via Email

An input validation and output encoding issue was discovered in the email notification feature which could result in a persistent XSS. The issue is now mitigated in the latest release and is assigned CVE-2019-5471.

Thanks to @mario-areias for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab EE 8.9 and later.

Remediation

We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.

Denial Of Service Epic Comments

An authorization issue was discovered that forbid to delete epic comments. The issue is now mitigated in the latest release and is assigned CVE-2019-5472.

Thanks to @ashish_r_padelkar for responsibly reporting this vulnerability to us.

Versions Affected

Affects all previous GitLab EE 10.7 and later.

Remediation

We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.

Email Verification Bypass

An authentication issue was discovered that allowed to bypass email verification. The issue is now mitigated in the latest release and is assigned CVE-2019-5473.

Thanks to @ngalog for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab EE 12.0 and later.

Remediation

We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.

Override Merge Request Approval Rules

An authorization issue was discovered in the merge request approval rules. The issue is now mitigated in the latest release and is assigned CVE-2019-5474.

Thanks to @ashish_r_padelkar for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab EE 11.8 and later.

Remediation

We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.

Disclosure of Pipeline Details

Details of restricted pipelines were visible via the merge request endpoint. The issue is now mitigated in the latest release and is waiting for a CVE id to be assigned.

Thanks to @ashish_r_padelkar for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab EE 11.8 and later.

Remediation

We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.

Updating

To update GitLab, see the Update page.

Try all GitLab features - free for 30 days

GitLab is more than just source code management or CI/CD. It is a full software development lifecycle & DevOps tool in a single application.

Try GitLab for Free

Try GitLab risk-free for 30 days.

No credit card required. Have questions? Contact us.

Gitlab x icon svg