GitLab Commit Virtual is here. Register Now for our 24 hour immersive DevOps experience.
Jan 2, 2020 - Vitor Meireles De Sousa  

GitLab Security Release: 12.6.2, 12.5.6, and 12.4.7

Learn more about GitLab Security Release: 12.6.2, 12.5.6, and 12.4.7 for GitLab Community Edition (CE) and Enterprise Edition (EE)

Today we are releasing versions 12.6.2, 12.5.6, and 12.4.7 for GitLab Community Edition (CE) and Enterprise Edition (EE).

These versions contain important security fixes that were inadvertently not included in our most recent security release. We strongly recommend that all GitLab installations be upgraded to one of these versions immediately.

The vulnerability details will be made public on our issue tracker in approximately 30 days.

Please read on for more information regarding this release.

Group Maintainers Can Update/Delete Group Runners Using API

Insufficient access verification lead to unauthorized modification of group runners through the API. This issue is now mitigated in the latest release and is assigned CVE-2019-20144.

Thanks @ashish_r_padelkar for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab EE/CE 10.8 and later.

Remediation

We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.

GraphQL Queries Can Hang the Application

Certain GraphQL queries can hang the application due to some server's missing parameters in handling time consuming queries. This issue is now mitigated in the latest release and is assigned CVE-2019-20146.

Thanks the GitLab team for finding and reporting this issue.

Versions Affected

Affects GitLab EE/CE 11.0 and later.

Remediation

We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.

Unauthorized Users Have Access to Milestones of Releases

Under certain circumstances, an unauthenticated user can access a release's milestone and issues. This issue is now mitigated in the latest release and is assigned CVE-2019-20143.

Thanks @xanbanx for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab EE/CE 12.6.

Remediation

We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.

Private Group Name Revealed Through Protected Tags API

When a group is removed from a project membership, it was possible for group members to see project namespace changes through the Protected Tags API. This issue is now mitigated in the latest release and is assigned CVE-2019-20147.

Thanks @ashish_r_padelkar for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab EE/CE 9.1 and later.

Remediation

We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.

Users Can Publish Reviews on Locked Merge Requests

When a merge request was locked, a user was still able to submit a drafted review and publish. This issue is now mitigated in the latest release and is assigned CVE-2019-20145.

Thanks @rafiem for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab CE/EE 11.4 and later.

Remediation

We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.

DoS in the Issue and Commit Comments Pages

While adding a comment in the Issue and Commit pages, a malicious user can cause HTTP 500 code when sending a special message. This issue is now mitigated in the latest release and is assigned CVE-2019-20142.

Thanks @dfens for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab CE/EE 12.3 and later.

Remediation

We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.

When an unauthenticated user visits an unsubscribe link, a private project name can be disclosed under certain conditions. This issue is now mitigated in the latest release and is assigned CVE-2019-20148.

Thanks @ashish_r_padelkar for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab EE/CE 8.13 and later.

Remediation

We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.

Private Project Name Disclosed Through Notification Settings

Under specific conditions an user can view the name of a private project through the notifications settings. This issue is now mitigated in the latest release and is assigned CVE-2020-5197.

Thanks @iframe for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab EE/CE 5.1 and later.

Remediation

We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.

Updating

To update GitLab, see the Update page.

Receive Security Release Notifications

To receive security release blog notifications delivered to your inbox, visit our contact us page. To receive security release blog notifications via RSS, subscribe to our RSS feed.

Try all GitLab features - free for 30 days

GitLab is more than just source code management or CI/CD. It is a full software development lifecycle & DevOps tool in a single application.

Try GitLab for Free
GIT is a trademark of Software Freedom Conservancy and our use of 'GitLab' is under license

Try GitLab risk-free for 30 days.

No credit card required. Have questions? Contact us.

Gitlab x icon svg