GitLab Security Release: 13.0.1, 12.10.7, 12.9.8

Today we are releasing versions 13.0.1, 12.10.7, 12.9.8 for GitLab Community Edition (CE) and Enterprise Edition (EE).

These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.

The vulnerability details will be made public on our issue tracker in approximately 30 days.

Please read on for more information regarding this release.

User Email Verification Bypass

A security issue allowed users to bypass the email verification process. This issue is now mitigated in the latest release and is waiting for a CVE ID to be assigned.

Thanks to @zapprising for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab CE/EE 12.5 and later.

Remediation

We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.

OAuth Flow Missing Email Verification Checks

A vulnerability allowed unverified users to use OAuth authorization code flow, which could potentially affect third party applications that use GitLab as an identity provider. This issue is now mitigated in the latest release and is waiting for a CVE ID to be assigned.

Thanks to @peet86 for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab CE/EE 12.3+ and later.

Remediation

We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.

Notification Email Verification Bypass

A vulnerability was identified that allowed users to set an unverified email address as notification email. This issue is now mitigated in the latest release and is waiting for a CVE ID to be assigned.

Thanks to @rgupt for responsibly reporting this vulnerability to us.

Versions Affected

Affects all previous GitLab CE/EE versions.

Remediation

We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.

Undisclosed Vulnerability on a Third-Party Rendering Engine

A yet-to-be disclosed security issue was detected on a third-party rendering engine which could impact misconfigured cloud environments. This issue is now mitigated in the latest release and is waiting for a CVE ID to be assigned.

Thanks to @rhynorater and @nnwakelam for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab EE/CE 11.9 and later

Remediation

We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.

Group Sign-Up Restriction Bypass

A user with an unverified address within the restricted domain could request access to domain restricted groups. This issue is now mitigated in the latest release and is waiting for a CVE ID to be assigned.

Thanks to @izzsec for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab EE/CE 12.2 and later

Remediation

We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.

Mirror Project Owner Impersonation

A security issue related to mirror project deletions could lead to the impersonation of its owner. This issue is now mitigated in the latest release and is waiting for a CVE ID to be assigned.

Please note that the edit project API endpoint has been restricted and only admin users have the ability to set the mirror_user_id

Thanks to @sky003 for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab EE 9.5 and later.

Remediation

We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.

Missing Permission Check on Fork Relation Creation

A missing security check allowed guest users to create a fork relation on restricted public projects. This issue is now mitigated in the latest release and is waiting for a CVE ID to be assigned.

Thanks @ashish_r_padelkar for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab CE/EE 11.3 and later.

Remediation

We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.

Cross-Site Scripting in Repository Files API

Under certain conditions, requests involving the repository files API could result in an XSS vulnerability. This issue is now mitigated in the latest release and is waiting for a CVE ID to be assigned.

Thanks @rpadovani for responsibly reporting this vulnerability to us.

Versions Affected

Affects all previous GitLab EE versions.

Remediation

We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.

Kubernetes Cluster Token Disclosure

A security issue made the Kubernetes cluster token visible to other group maintainers. This issue is now mitigated in the latest release and is waiting for a CVE ID to be assigned.

Thanks @xanbanx for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab CE/EE between 10.3 and later.

Remediation

We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.

Object Storage File Enumeration

A specially crafted request could be used to confirm the existence of files hosted on object storage services, without disclosing their contents. This issue is now mitigated in the latest release and is waiting for a CVE ID to be assigned.

Thanks @ledz1996 for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab CE/EE 12.10 and later.

Remediation

We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.

Insecure Authorization Check on Project Deploy Keys

An insecure authorization check allowed updating permissions of other users' deploy keys under certain conditions. This issue is now mitigated in the latest release and is waiting for a CVE ID to be assigned.

This vulnerability has been discovered internally by the GitLab Security Team.

Versions Affected

Affects GitLab CE/EE 12.8 and later.

Remediation

We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.

Cross-Site Scripting on Metrics Dashboard

A Stored Cross-Site Scripting vulnerability allowed the execution on Javascript payloads on the Metrics Dashboard. This issue is now mitigated in the latest release and is waiting for a CVE ID to be assigned.

Thanks @xanbanx for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab CE/EE 12.8 and later.

Remediation

We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.

Denial of Service on Custom Dashboards

A security issue enabled denial of service attacks via memory exhaustion. This issue is now mitigated in the latest release and is waiting for a CVE ID to be assigned.

This vulnerability was discovered internally by the GitLab team.

Versions Affected

Affects GitLab CE/EE 12.0 and later.

Remediation

We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.

Client-Side Code Injection through Mermaid Markup

A specially crafted Mermaid payload allowed performing PUT requests on behalf of other users when clicking on a link. This issue is now mitigated in the latest release and is waiting for a CVE ID to be assigned.

Thanks @yvvdwf for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab CE/EE 12.9 and later.

Remediation

We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.

Cross-Site Scripting on Static Site Editor

A Reflected Cross-Site Scripting has been discovered on the Static Site Editor. This issue is now mitigated in the latest release and is waiting for a CVE ID to be assigned.

Thanks @bull for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab CE/EE 12.10 and later.

Remediation

We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.

Disclosure of Amazon EKS Credentials

Amazon EKS Credentials were disclosed to other administrators of an instance through HTML source code. This issue is now mitigated in the latest release and is waiting for a CVE ID to be assigned.

Thanks @xanbanx for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab CE/EE 12.6 and later.

Remediation

We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.

Denial of Service on Workhorse

A security issue allowed achieving Denial of Service attacks through memory exhaustion by uploading malicious artifacts. This issue is now mitigated in the latest release and is waiting for a CVE ID to be assigned.

This vulnerability has been discovered internally by the GitLab Team.

Versions Affected

Affects all previous GitLab CE/EE versions.

Remediation

We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.

Update Ruby

Ruby upgrades to version 2.6.6 have been backported to previous versions of GitLab. This upgrade includes security fixes for CVE-2020-8130.

Versions Affected

Affects GitLab CE/EE 12.0 and later.

Remediation

We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.

Updating

To update GitLab, see the Update page.

Receive Security Release Notifications

To receive security release blog notifications delivered to your inbox, visit our contact us page. To receive security release blog notifications via RSS, subscribe to our RSS feed.



from GitLab https://ift.tt/36AFBt9 #GitLab #DevSecOps

Comments

Post a Comment

Popular posts from this blog

Efficient DevSecOps workflows: Hands-on python-gitlab API automation

Image
A friend once said in a conference presentation, “Manual work is a bug." When there are repetitive tasks in workflows, I tend to come back to this quote , and try to automate as much as possible. For example, by querying a REST API to do an inventory of settings, or calling API actions to create new comments in GitLab issues/merge requests. The interaction with the GitLab REST API can be done in different ways, using HTTP requests with curl (or hurl ) on the command line, or by writing a script in a programming language. The latter can become reinventing the wheel again with raw HTTP requests code, and parsing the JSON responses. Thanks to the wider GitLab community, many different languages are supported by API abstraction libraries. They provide support for all API attributes, add helper functions to get/create/delete objects, and generally aim to help developers focus. The python-gitlab library is a feature-rich and easy-to-use library written in Python. In this blog post, y...
Read more

Secure GitLab CI/CD workflows using OIDC JWT on a DevSecOps platform

Image
Securing CI/CD workflows can be challenging. This blog post walks you through the problem validation, explores the JWT token technology and how it can be used with OIDC authentication, and discusses implementation challenges with authorization realms. You will learn about the current possibilities and future plans with GitLab 16.0. Variables vs. secrets Variables are an efficient way to control and inject parameters into your jobs and pipelines, making managing and configuring the CI/CD workflows easier. You can read more about how to use CI/CD variables . An extra layer of security on top of variables to mask and protect, for now, is our “best-effort” to prevent sensitive variables from being accidentally revealed. However, variables are not a drop-in replacement for secrets. Securing secrets natively is a solution that GitLab aspires to provide. Meanwhile, we recommend storing sensitive information in a dedicated secrets management solution. As a company, we will provide you abili...
Read more

GitLab 13.11 released with Kubernetes Agent and Pipeline Compliance

Image
On this Earth Day we are thinking about growth. Our customers are scaling their DevOps practices and with growth comes the need for even greater efficiencies and automated controls. The GitLab Kubernetes Agent is now available on GitLab.com to help you benefit from fast, pull-based deployments to your cluster, while GitLab.com manages the necessary server-side components of the Agent. Compliant Pipeline Configurations let you define enforceable pipelines that will run for any project assigned a corresponding compliance framework, even custom ones . We also have a host of features to improve pipeline efficiency and measurement, to provide On-call Scheduling , and even more security enhancements. These are just a few of the 50+ significant new features and improvements in this release. Controls to help you grow safely and efficiently Controls can keep your automation on track as you grow and scale while simplifying compliance efforts. The GitLab Kubernetes Agent is core to GitLab...
Read more