Jul 3, 2019 - Costel Maxim

GitLab Security Release: 12.0.3, 11.11.5, and 11.10.8

Learn more about GitLab Security Release: 12.0.3, 11.11.5, and 11.10.8 for GitLab Community Edition (CE) and Enterprise Edition (EE)

Today we are releasing versions 12.0.3, 11.11.5, and 11.10.8 for GitLab Community Edition (CE) and Enterprise Edition (EE).

These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.

The vulnerability details will be made public on our issue tracker in approximately 30 days.

Please read on for more information regarding this release.

Ability to Write a Note to a Private Snippet

GitLab Snippets were vulnerable to an authorization issue that allowed unauthorized users to add comments to a private snippet. The issue is now mitigated in the latest release and is assigned CVE-2019-13001.

Thanks to @executor for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab CE/EE 11.9 and later.

Remediation

We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.

Recent Pipeline Information Disclosed to Unauthorised Users

Unauthorised users were able to read pipeline information of the last merge request. The issue is now mitigated in the latest release and is assigned CVE-2019-13002.

Thanks to @xanbanx for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab CE/EE 11.10 and later.

Remediation

We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.

Resource Exhaustion Attack

One of the parsers used by Gitlab CI was vulnerable to a resource exhaustion attack. The issue is now mitigated in the latest release and is assigned CVE-2019-13003.

Thanks to @leipert for responsibly reporting this vulnerability to us.

Versions Affected

Affects all versions of GitLab CE/EE.

Remediation

We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.

Error Caused by Encoded Characters in Comments

When specific encoded characters were added to comments, the comments section would become inaccessible. The issue is now mitigated in the latest release and is assigned CVE-2019-13004.

Thanks to @newbiemole for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab CE/EE 11.1 and later.

Remediation

We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.

Authorization Issues in GraphQL

The GitLab graphql service was vulnerable to multiple authorization issues that disclosed restricted user, group, and repository metadata to unauthorized users. The issue is now mitigated in the latest release and is assigned CVE-2019-13005.

Thanks to @rpadovani and @xanbanx for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab CE/EE 11.10 and later.

Remediation

We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.

Number of Merge Requests was Accessible

Users with access to issues, but not the repository were able to view the number of related merge requests on an issue. The issue is now mitigated in the latest release and is assigned CVE-2019-13006.

Thanks to @xanbanx for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab CE/EE 9.0 and later.

Remediation

We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.

Enabling One of the Service Templates Could Cause Resource Depletion

When an admin enabled one of the service templates, it was triggering an action that leads to resource depletion. The issue is now mitigated in the latest release and is assigned CVE-2019-13007.

Versions Affected

Affects GitLab CE/EE 11.11 and later.

Remediation

We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.

Broken Access Control for the Content of Personal Snippets

Uploaded files associated with unsaved personal snippets were accessible to unauthorized users due to improper permission settings. The issue is now mitigated in the latest release and is assigned CVE-2019-13009.

Thanks to @mkozono for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab CE/EE 9.2 and later.

Remediation

We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible

Decoding Color Codes Caused Resource Depletion

The color codes decoder was vulnerable to a resource depletion attack if specific formats were used. The issue is now mitigated in the latest release and is assigned CVE-2019-13010.

Thanks to @8ayac for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab CE/EE 8.3 and later.

Remediation

We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible

Merge Request Template Name Disclosure

By using brute-force a user with access to a project, but not it's repository could create a list of merge requests template names. The issue is now mitigated in the latest release and is assigned CVE-2019-13011.

Thanks to @ashish_r_padelkar for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab EE 8.11.0 and later.

Remediation

We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible

SSRF Vulnerability in Project GitHub Integration

The GitHub project integration was vulnerable to an SSRF vulnerability which allowed an attacker to make requests to local network resources. The issue is now mitigated in the latest release and is assigned CVE-CVE-2019-13121.

Thanks to @ngalog for responsibly reporting this vulnerability to us.