SB2018120514 - Multiple vulnerabilities in GitLab, Gitlab Community Edition

Description

This security bulletin contains information about 3 vulnerabilities.

1) Information disclosure (CVE-ID: CVE-2018-17939)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

An issue was discovered in GitLab Community and Enterprise Edition 11.1.x before 11.1.8, 11.2.x before 11.2.5, and 11.3.x before 11.3.2. There is Information Exposure via the merge request JSON endpoint.

2) Information disclosure (CVE-ID: CVE-2018-17975)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

An issue was discovered in GitLab Community Edition 11.x before 11.1.8, 11.2.x before 11.2.5, and 11.3.x before 11.3.2. There is Information Exposure via the GFM markdown API.

3) Information disclosure (CVE-ID: CVE-2018-17976)

The vulnerability allows a remote authenticated user to gain access to sensitive information.

An issue was discovered in GitLab Community Edition 11.x before 11.1.8, 11.2.x before 11.2.5, and 11.3.x before 11.3.2. There is Information Exposure via Epic change descriptions.

Remediation

Install update from vendor's website.

References

• https://about.gitlab.com/2018/10/05/critical-security-release-11-3-4/
• https://gitlab.com/gitlab-org/gitlab-ce/issues/51956
• https://gitlab.com/gitlab-org/gitlab-ce/issues/50744
• https://gitlab.com/gitlab-org/gitlab-ce/issues/51581