Aug 29, 2019 - Andrew Kelly  

GitLab Security Release: 12.2.3, 12.1.8, and 12.0.8

Today we are releasing versions 12.2.3, 12.1.8, and 12.0.8 for GitLab Community Edition (CE) and Enterprise Edition (EE).

These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.

The vulnerability details will be made public on our issue tracker in approximately 30 days.

Please read on for more information regarding this release.

Kubernetes Integration Server-Side Request Forgery

An internal review determined that the protections against SSRF attacks on the Kubernetes integration were insufficient, which could have allowed an attacker to request any local network resource accessible from the GitLab server. The issue is now mitigated in the latest release and is assigned CVE-2019-15728.

Versions Affected

Affects GitLab CE/EE 10.1 and later.

Remediation

We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.

Server-Side Request Forgery in Jira Integration

An internal review determined that the Jira integration contains an SSRF vulnerability, caused by a bypass of the existing protection mechanisms against this type of attack, which would allow an attacker to send requests to any resource on the local network that is accessible from the GitLab server. The issue is now mitigated in the latest release and is assigned CVE-2019-15730.
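The two integration SSRF issues above both come down to validating where a user-supplied integration URL actually points. The following is an added illustration of that check, not GitLab's own code: it resolves the host, rejects any answer in a local or private range (including IPv4-mapped IPv6 forms), and returns the vetted addresses so the caller connects to exactly what was checked. `StaticResolver`, the hostnames and the addresses are constructed for the example.

```ruby
require 'ipaddr'
require 'resolv'
require 'uri'

# Ranges an integration URL must never resolve to: unspecified, loopback,
# RFC 1918 private, link-local, carrier-grade NAT, IPv6 ULA and link-local.
BLOCKED_RANGES = %w[
  0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16
  172.16.0.0/12 192.168.0.0/16 ::/128 ::1/128 fc00::/7 fe80::/10
].map { |cidr| IPAddr.new(cidr) }

class BlockedUrlError < StandardError; end

def blocked_ip?(ip)
  # ::ffff:10.0.0.5 is 10.0.0.5 in disguise, so compare it as IPv4.
  addr = ip.ipv4_mapped? ? ip.native : ip
  BLOCKED_RANGES.any? { |range| range.include?(addr) }
end

# Validates a user-supplied integration URL and returns the addresses it
# resolves to. The caller should connect to one of *these* addresses rather
# than resolve the hostname again: a second DNS answer may differ.
def validate_integration_url!(url, resolver: Resolv::DNS.new)
  uri = URI.parse(url)
  raise BlockedUrlError, 'only http(s) is allowed' unless %w[http https].include?(uri.scheme)
  raise BlockedUrlError, 'URL has no host' if uri.hostname.to_s.empty?

  ips = begin
    [IPAddr.new(uri.hostname)]                   # literal IP in the URL
  rescue IPAddr::InvalidAddressError
    resolver.getaddresses(uri.hostname).map { |a| IPAddr.new(a.to_s) }
  end
  raise BlockedUrlError, 'host did not resolve' if ips.empty?

  # Every record counts: a name mixing public and private answers is rejected.
  blocked = ips.find { |ip| blocked_ip?(ip) }
  raise BlockedUrlError, "#{uri.hostname} resolves to blocked address #{blocked}" if blocked

  ips
end

# Constructed stand-in for Resolv::DNS so the example runs offline.
class StaticResolver
  def initialize(table)
    @table = table
  end

  def getaddresses(name)
    @table.fetch(name, [])
  end
end
```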

Versions Affected

Affects GitLab CE/EE 8.14 and later.

Remediation

We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.

Improved Protection Against Credential Stuffing Attacks

A reCAPTCHA challenge will be required after certain failed login attempt conditions are met. This feature is disabled by default and can be enabled through Admin Area > Settings > Reporting > Enable reCAPTCHA for login.

Versions Affected

Affects all previous GitLab CE/EE versions.

Remediation

We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.

Markdown Client-Side Resource Exhaustion

Particular mathematical expressions in GitLab Markdown can exhaust client resources. The issue is now mitigated in the latest release and is assigned CVE-2019-15722.

Please note that merge requests, issues, wiki pages, and other areas with GitLab Markdown containing many formulae or very long formulae may need to be split up.

Thanks to @abdilahrf_ for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab CE/EE 8.15 and later.

Remediation

We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.

Pipeline Status Disclosure

An internal endpoint unintentionally disclosed information about the last pipeline run for a merge request. The issue is now mitigated in the latest release and is assigned CVE-2019-15729.

Thanks to @xanbanx for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab CE/EE 9.0 and later.

Remediation

We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.

Group Runner Authorization Issue

An internal endpoint unintentionally allowed group maintainers to view and edit group runner settings. The issue is now mitigated in the latest release and is assigned CVE-2019-15721.

Thanks to @ashish_r_padelkar for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab CE/EE 10.8 and later.

Remediation

We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.

CI Metrics Disclosure

Insufficient permission checks were being applied when displaying CI results, potentially exposing some CI metrics data to unauthorized users. The issue is now mitigated in the latest release and is assigned CVE-2019-15727.

Thanks to @xanbanx for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab CE/EE 11.2 and later.

Remediation

We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.

User IP Disclosed by Embedded Image and Media

Embedded images and media files in markdown could be pointed to an arbitrary server, which would reveal the IP address of clients requesting the file from that server. This issue can be mitigated by enabling an asset proxy and is assigned CVE-2019-15726.
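An asset proxy removes the disclosure because the browser only ever talks to the proxy, which fetches the image itself. The added example below (not GitLab's code) rewrites external Markdown image URLs in the Camo-style form `<proxy>/<hex HMAC-SHA1>/<hex-encoded URL>` and shows the proxy-side check that stops the proxy from being used as an open relay; the proxy host, secret and Markdown sample are constructed.

```ruby
require 'openssl'
require 'uri'

# Markdown image syntax ![alt](url); only absolute http(s) URLs are candidates.
IMAGE_RE = %r{!\[([^\]]*)\]\((https?://[^)\s]+)\)}

# Camo-style proxy URL: the MAC binds the encoded URL to the instance's secret,
# so only URLs the instance itself emitted are fetched by the proxy.
def camo_url(proxy_base, secret, image_url)
  digest = OpenSSL::HMAC.hexdigest('sha1', secret, image_url)
  "#{proxy_base}/#{digest}/#{image_url.unpack1('H*')}"
end

# Rewrites every external image so the client's request goes to the proxy,
# leaving images on allow-listed hosts (e.g. the GitLab instance) untouched.
def rewrite_image_urls(markdown, proxy_base:, secret:, allow_hosts: [])
  markdown.gsub(IMAGE_RE) do
    alt, url = Regexp.last_match(1), Regexp.last_match(2)
    host = begin
      URI.parse(url).hostname
    rescue URI::InvalidURIError
      nil
    end
    target = allow_hosts.include?(host) ? url : camo_url(proxy_base, secret, url)
    "![#{alt}](#{target})"
  end
end

# Proxy side: recompute the MAC over the decoded URL and compare in constant
# time. Returns the origin URL to fetch, or nil if the request is not genuine.
def verify_proxy_request(secret, digest_hex, encoded_url)
  url = [encoded_url].pack('H*')
  expected = OpenSSL::HMAC.hexdigest('sha1', secret, url)
  return nil unless expected.bytesize == digest_hex.bytesize

  diff = expected.bytes.zip(digest_hex.bytes).reduce(0) { |acc, (a, b)| acc | (a ^ b) }
  diff.zero? ? url : nil
end
```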

Thanks to @iframe for responsibly reporting this vulnerability to us.

Versions Affected

Affects all previous GitLab CE/EE versions.

Remediation

We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.

Label Description HTML Injection

Label descriptions were found to be vulnerable to HTML injection. The issue is now mitigated in the latest release and is assigned CVE-2019-15724.

Thanks to @xanbanx for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab CE/EE 11.10 and later.

Remediation

We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.

IDOR in Epic Notes API

An IDOR was discovered in the epic notes API which could result in disclosure of private milestones, labels, and other information. The issue is now mitigated in the latest release and is assigned CVE-2019-15725.

Thanks to @ashish_r_padelkar for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab CE/EE 12.0 and later.

Remediation

We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.

Push Rule Bypass

A vulnerability that allowed users to bypass the push rules of a project was indirectly fixed in a previous GitLab release. This version improves the fix to make it more robust. The issue is now mitigated in the latest release and is assigned CVE-2019-15723.

Thanks to @xanbanx for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab CE/EE versions 11.9.4-11.10.0. Please note that this was already fixed in 11.10.1.

Remediation

We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.

Project Visibility Restriction Bypass

It was discovered that the project import API could be used to bypass project visibility restrictions. The issue is now mitigated in the latest release and is assigned CVE-2019-15732.

Thanks to @logan5 for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab CE/EE 12.2 and later.

Remediation

We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.

Merge Request Discussion Restriction Bypass

It was discovered that non-members were able to comment on merge requests despite the repository being set to allow only project members to do so. The issue is now mitigated in the latest release and is assigned CVE-2019-15731.

Thanks to @ashish_r_padelkar for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab CE/EE 12.0 and later.

Remediation

We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.

Disclosure of Merge Request IDs

An internal review determined that under certain conditions, merge request IDs were being disclosed via email. The issue is now mitigated in the latest release and is assigned CVE-2019-15738.

Versions Affected

Affects GitLab CE/EE 12.0 and later.

Remediation

We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.

Weak Authentication In Certain Account Actions

It was discovered that certain account actions needed improved authentication and session management. The issue is now mitigated in the latest release and is assigned CVE-2019-15737.

Thanks to Sajibe Kanti for responsibly reporting this vulnerability to us.

Versions Affected

Affects all previous GitLab CE/EE versions.

Remediation

We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.

Disclosure of Commit Title and Comments

Under very specific conditions, commit titles and team member comments could become viewable to users that did not have permission to do so. The issue is now mitigated in the latest release and is assigned CVE-2019-15734.

Thanks to @brijeshshah13 for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab CE/EE 8.6 and later.

Remediation

We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.

Stored XSS via Markdown

It was discovered that certain areas displaying Markdown were not properly sanitizing some cross site scripting payloads. The issue is now mitigated in the latest release and is assigned CVE-2019-15739.

Thanks to @samuelmortenson for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab CE/EE 8.1 and later.

Remediation

We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.

EXIF Geolocation Data Exposure

EXIF Geolocation data was not being removed from certain image uploads. The issue is now mitigated in the latest release and is assigned CVE-2019-15740.

Please note that when upgrading a GitLab instance, the following rake task should be run: rake gitlab:uploads:sanitize:remove_exif[,,false,0,PersonalFileUploader,2019-01-01]

Thanks to @jack898 for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab CE/EE 7.9 and later.

Remediation

We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.

Multiple SSRF Regressions on Gitaly

Two previous Gitaly SSRF fixes were mistakenly not included in GitLab 12.2. The issue is now mitigated in the latest release and will be assigned a CVE ID shortly.

Versions Affected

Affects GitLab CE/EE 12.2.

Remediation

We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.

Default Branch Name Exposure

It was discovered that the specified default branch name could be exposed to unauthorized users. The issue is now mitigated in the latest release and is assigned CVE-2019-15733.

Thanks to @ashish_r_padelkar for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab CE/EE 7.12 and later.

Remediation

We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.

Potential Denial of Service via CI Pipelines

Under certain circumstances, CI pipelines could potentially be used in a denial of service attack. The issue is now mitigated in the latest release and is assigned CVE-2019-15736.

Versions Affected

Affects all previous GitLab CE/EE versions.

Remediation

We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.

Privilege Escalation via Logrotate

It was discovered that an unsafe interaction with logrotate could result in a privilege escalation. The issue is now mitigated in the latest release and is assigned CVE-2019-15741.

Thanks to @petee for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab Omnibus 7.4 and later.

Remediation

We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.

Disclosure of Merge Request ID via Timeline Activities

A Guest user in a private project could see the merge request ID associated with an issue via the activity timeline. The issue is now mitigated in the latest release and is waiting for a CVE ID to be assigned.

Thanks to @ashish_r_padelkar for responsibly reporting this vulnerability to us.

Versions Affected

Affects all versions of GitLab.

Remediation

We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.

Denial of Service via Issue Comments

A denial of service was possible when posting an issue comment of arbitrary length. The issue is now mitigated in the latest release and is waiting for a CVE ID to be assigned.

Thanks to 8ayac for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab 9.3.0 and later.

Remediation

We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.

Updating

To update GitLab, see the Update page.
