SB2019041720 - Multiple vulnerabilities in GitLab, GitLab Community Edition
Published: April 17, 2019 Updated: July 17, 2020
Description
This security bulletin contains information about 19 security vulnerabilities.
1) Improper access control (CVE-ID: CVE-2019-9221)
The vulnerability allows a remote attacker to gain unauthorized access to sensitive information.
The vulnerability exists due to improper access restrictions. A remote attacker can send a specially crafted request and gain unauthorized access to the affected application.
2) Improper access control (CVE-ID: CVE-2019-9732)
The vulnerability allows a remote attacker to gain unauthorized access to sensitive information.
The vulnerability exists due to improper access restrictions. A remote attacker can send a specially crafted request and gain unauthorized access to the affected application.
3) Improper access control (CVE-ID: CVE-2019-9218)
The vulnerability allows a remote attacker to gain unauthorized access to sensitive information.
The vulnerability exists due to improper access restrictions. A remote attacker can send a specially crafted request and gain unauthorized access to the affected application.
4) Improper access control (CVE-ID: CVE-2019-9170)
The vulnerability allows a remote attacker to gain unauthorized access to sensitive information.
The vulnerability exists due to improper access restrictions. A remote attacker can send a specially crafted request and gain unauthorized access to the affected application.
5) Information disclosure (CVE-ID: CVE-2019-9171)
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
An issue was discovered in GitLab Community and Enterprise Edition before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It allows Information Exposure (issue 1 of 5).
6) Information disclosure (CVE-ID: CVE-2019-9172)
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
An issue was discovered in GitLab Community and Enterprise Edition before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It allows Information Exposure (issue 2 of 5).
7) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2019-9174)
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
An issue was discovered in GitLab Community and Enterprise Edition before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It allows SSRF.
8) Information disclosure (CVE-ID: CVE-2019-9175)
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
An issue was discovered in GitLab Community and Enterprise Edition before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It allows Information Exposure (issue 3 of 5).
9) Cross-site request forgery (CVE-ID: CVE-2019-9176)
The vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.
10) Information disclosure (CVE-ID: CVE-2019-9178)
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
An issue was discovered in GitLab Community and Enterprise Edition before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It allows Information Exposure (issue 4 of 5).
11) Information disclosure (CVE-ID: CVE-2019-9179)
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
An issue was discovered in GitLab Community and Enterprise Edition before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It allows Information Exposure (issue 5 of 5).
12) Security Features (CVE-ID: CVE-2019-9217)
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
An issue was discovered in GitLab Community and Enterprise Edition before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. Its User Interface has a Misrepresentation of Critical Information.
13) Improper access control (CVE-ID: CVE-2019-9219)
The vulnerability allows a remote attacker to gain unauthorized access to sensitive information.
The vulnerability exists due to improper access restrictions. A remote attacker can send a specially crafted request and gain unauthorized access to the affected application.
14) Resource management error (CVE-ID: CVE-2019-9220)
The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
An issue was discovered in GitLab Community and Enterprise Edition before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It allows Uncontrolled Resource Consumption.
15) Path traversal (CVE-ID: CVE-2019-9222)
The vulnerability allows a remote authenticated user to #BASIC_IMPACT#.
An issue was discovered in GitLab Community and Enterprise Edition before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It has Insecure Permissions.
16) Information disclosure (CVE-ID: CVE-2019-9223)
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
An issue was discovered in GitLab Community and Enterprise Edition before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It allows Information Exposure.
17) Improper access control (CVE-ID: CVE-2019-9224)
The vulnerability allows a remote attacker to gain unauthorized access to sensitive information.
The vulnerability exists due to improper access restrictions. A remote attacker can send a specially crafted request and gain unauthorized access to the affected application.
18) Improper access control (CVE-ID: CVE-2019-9225)
The vulnerability allows a remote attacker to gain unauthorized access to sensitive information.
The vulnerability exists due to improper access restrictions. A remote attacker can send a specially crafted request and gain unauthorized access to the affected application.
19) Improper access control (CVE-ID: CVE-2019-9756)
The vulnerability allows a remote attacker to gain unauthorized access to sensitive information.
The vulnerability exists due to improper access restrictions. A remote attacker can send a specially crafted request and gain unauthorized access to the affected application.
Remediation
Install update from vendor's website.
References
- https://about.gitlab.com/2019/03/04/security-release-gitlab-11-dot-8-dot-1-released/
- https://about.gitlab.com/blog/categories/releases/
- https://about.gitlab.com/2019/03/14/gitlab-11-8-2-released/
- https://gitlab.com/gitlab-org/gitlab-ce/issues/51971
- https://gitlab.com/gitlab-org/gitlab-ce/issues/54635
- https://gitlab.com/gitlab-org/gitlab-ce/issues/54795
- https://gitlab.com/gitlab-org/gitlab-ce/issues/55468
- https://gitlab.com/gitlab-org/gitlab-ce/issues/52524
- https://gitlab.com/gitlab-org/gitlab-ce/issues/55664
- https://gitlab.com/gitlab-org/gitlab-ce/issues/54803
- https://gitlab.com/gitlab-org/gitlab-ce/issues/54783
- https://gitlab.com/gitlab-org/gitlab-ce/issues/54159
- https://gitlab.com/gitlab-org/gitlab-ce/issues/55653
- https://gitlab.com/gitlab-org/gitlab-ce/issues/56348
- https://gitlab.com/gitlab-org/gitlab-ce/issues/50334
- https://gitlab.com/gitlab-org/gitlab-ce/issues/54789
- https://gitlab.com/gitlab-org/gitlab-ce/issues/54680
- https://gitlab.com/gitlab-org/gitlab-ce/issues/54243