SB2018100315 - Multiple vulnerabilities in GitLab, GitLab Community Edition
Published: October 3, 2018 Updated: July 17, 2020
Description
This security bulletin contains information about 4 vulnerabilities.
1) Missing Authorization (CVE-ID: CVE-2018-16048)
The vulnerability allows a remote authenticated user to manipulate data.
An issue was discovered in GitLab Community and Enterprise Edition before 11.0.6, 11.1.x before 11.1.5, and 11.2.x before 11.2.2. There is Missing Authorization Control for API Repository Storage.
2) Inclusion of Sensitive Information in Log Files (CVE-ID: CVE-2018-16049)
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
An issue was discovered in GitLab Community and Enterprise Edition before 11.0.6, 11.1.x before 11.1.5, and 11.2.x before 11.2.2. There is Sensitive Data Disclosure in Sidekiq Logs through an Error Message.
3) Cross-site scripting (CVE-ID: CVE-2018-16050)
The vulnerability allows a remote attacker to inject arbitrary HTML and script that is stored and later executed in the browser of any user who views the affected merge request changes view, allowing the attacker to read and manipulate data in that user's session.
An issue was discovered in GitLab Community and Enterprise Edition 11.1.x before 11.1.5 and 11.2.x before 11.2.2. There is Persistent XSS in the Merge Request Changes View.
4) Information disclosure (CVE-ID: CVE-2018-16051)
The vulnerability allows a remote authenticated user to gain access to sensitive information.
An issue was discovered in GitLab Community and Enterprise Edition before 11.0.6, 11.1.x before 11.1.5, and 11.2.x before 11.2.2. There is Orphaned Upload Files Exposure.
Remediation
Install the update from the vendor's website: upgrade to GitLab Community or Enterprise Edition 11.2.2, 11.1.5, or 11.0.6 (or later). The 11.2.2 security release linked below addresses all four issues.
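To turn the version ranges above into a repeatable check, the following script (an added example, not part of this bulletin or of GitLab's own code) takes a GitLab version string, such as the `version` field returned by the authenticated `GET /api/v4/version` endpoint, and reports which of the four CVEs the running release falls inside. The ranges are encoded per CVE because the XSS (CVE-2018-16050) is listed only for 11.1.x and 11.2.x, while the other three also cover everything before 11.0.6, including the 10.x series. The sample API response at the bottom is constructed, not captured from a real instance.

```python
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Affected ranges exactly as the bulletin states them, as half-open
# [lower, upper) intervals over (major, minor, patch). "before 11.0.6"
# covers every release older than 11.0.6, including the 10.x series.
_PRE_11_0_6 = ((0, 0, 0), (11, 0, 6))
_11_1_BEFORE_5 = ((11, 1, 0), (11, 1, 5))
_11_2_BEFORE_2 = ((11, 2, 0), (11, 2, 2))

AFFECTED_RANGES: Dict[str, List[Tuple[Version, Version]]] = {
    "CVE-2018-16048": [_PRE_11_0_6, _11_1_BEFORE_5, _11_2_BEFORE_2],
    "CVE-2018-16049": [_PRE_11_0_6, _11_1_BEFORE_5, _11_2_BEFORE_2],
    # The persistent XSS is listed only for 11.1.x and 11.2.x.
    "CVE-2018-16050": [_11_1_BEFORE_5, _11_2_BEFORE_2],
    "CVE-2018-16051": [_PRE_11_0_6, _11_1_BEFORE_5, _11_2_BEFORE_2],
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Version:
    """Parse MAJOR.MINOR.PATCH from strings such as '11.2.1', '11.2.1-ee'
    or '11.2.2-rc1'.

    Edition and pre-release suffixes are ignored, so an rc build is compared
    as its base version. That under-reports for release candidates, which
    should be treated as unpatched until the final release is installed.
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = (int(g) for g in match.groups())
    return (major, minor, patch)


def affected_cves(version_text: str) -> List[str]:
    """Return the CVE IDs from this bulletin whose affected ranges contain
    the given version; an empty list means the release is past every fix."""
    version = parse_version(version_text)
    return [
        cve
        for cve, ranges in AFFECTED_RANGES.items()
        if any(lower <= version < upper for lower, upper in ranges)
    ]


def check_version_response(body: dict) -> List[str]:
    """Evaluate the JSON body of GET /api/v4/version, which reports the
    running release under the 'version' key (the endpoint needs a token)."""
    return affected_cves(body["version"])


if __name__ == "__main__":
    # Constructed sample response, not captured from a real instance.
    sample = {"version": "11.2.1-ee", "revision": "0000000"}
    hits = check_version_response(sample)
    print(sample["version"], "->", ", ".join(hits) if hits else "not affected")
```

Because the check is driven by the `(lower, upper)` table rather than a single "minimum safe version", it correctly reports an 11.0.6 or 11.1.5 install as fixed even though both are numerically below 11.2.2, and it flags a 10.x install for the three issues that reach back before 11.0.6.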
References
- https://about.gitlab.com/2018/08/28/security-release-gitlab-11-dot-2-dot-2-released/
- https://gitlab.com/gitlab-org/gitlab-ce/issues/49947
- https://gitlab.com/gitlab-org/gitlab-ce/issues/46967
- https://gitlab.com/gitlab-org/gitlab-ce/issues/49272
- https://gitlab.com/gitlab-org/gitlab-ce/issues/49085
- https://gitlab.com/gitlab-org/gitlab-ee/issues/6012