SB2018040513 - Multiple vulnerabilities in GitLab, Gitlab Community Edition

Description

This security bulletin contains information about 2 vulnerabilities.

1) Cross-site scripting (CVE-ID: CVE-2018-9243)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

GitLab Community and Enterprise Editions version 8.4 up to 10.4 are vulnerable to XSS because a lack of input validation in the merge request component leads to cross site scripting (specifically, filenames in changes tabs of merge requests). This is fixed in 10.6.3, 10.5.7, and 10.4.7.

2) Cross-site scripting (CVE-ID: CVE-2018-9244)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

GitLab Community and Enterprise Editions version 9.2 up to 10.4 are vulnerable to XSS because a lack of input validation in the milestones component leads to cross site scripting (specifically, data-milestone-id in the milestone dropdown feature). This is fixed in 10.6.3, 10.5.7, and 10.4.7.

Remediation

Install update from vendor's website.

References

• https://about.gitlab.com/2018/04/04/security-release-gitlab-10-dot-6-dot-3-released/
• https://gitlab.com/gitlab-org/gitlab-ce/issues/42028
• https://gitlab.com/gitlab-org/gitlab-ce/issues/41838