SB2019051518 - Multiple vulnerabilities in GitLab, GitLab Community Edition
Published: May 15, 2019 Updated: July 17, 2020
Description
This security bulletin contains information about 7 security vulnerabilities.
1) Key management errors (CVE-ID: CVE-2019-10112)
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
An issue was discovered in GitLab Community and Enterprise Edition before 11.7.8, 11.8.x before 11.8.4, and 11.9.x before 11.9.2. The construction of the HMAC key was insecurely derived.
2) Resource exhaustion (CVE-ID: CVE-2019-10113)
The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
An issue was discovered in GitLab Community and Enterprise Edition before 11.7.8, 11.8.x before 11.8.4, and 11.9.x before 11.9.2. Making concurrent GET /api/v4/projects/<id>/languages requests may allow Uncontrolled Resource Consumption.
3) Information disclosure (CVE-ID: CVE-2019-10114)
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
An Information Exposure issue (issue 2 of 2) was discovered in GitLab Community and Enterprise Edition before 11.7.8, 11.8.x before 11.8.4, and 11.9.x before 11.9.2. During the OAuth authentication process, the application attempts to validate a parameter in an insecure way, potentially exposing data.
4) Open redirect (CVE-ID: CVE-2019-10117)
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
An Open Redirect issue was discovered in GitLab Community and Enterprise Edition before 11.7.8, 11.8.x before 11.8.4, and 11.9.x before 11.9.2. A redirect is triggered after successful authentication within the Oauth/:GeoAuthController for the secondary Geo node.
5) Improper access control (CVE-ID: CVE-2019-10108)
The vulnerability allows a remote authenticated user to read and manipulate data.
An Incorrect Access Control (issue 1 of 2) was discovered in GitLab Community and Enterprise Edition before 11.7.8, 11.8.x before 11.8.4, and 11.9.x before 11.9.2. It allowed non-members of a private project/group to add and read labels.
6) Information disclosure (CVE-ID: CVE-2019-10109)
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
An Information Exposure issue (issue 1 of 2) was discovered in GitLab Community and Enterprise Edition before 11.7.8, 11.8.x before 11.8.4, and 11.9.x before 11.9.2. EXIF geolocation data were not removed from images when uploaded to GitLab. As a result, anyone with access to the uploaded image could obtain its geolocation, device, and software version data (if present).
7) Cross-site scripting (CVE-ID: CVE-2019-10111)
The vulnerability allows a remote authenticated user to read and manipulate data.
An issue was discovered in GitLab Community and Enterprise Edition before 11.7.8, 11.8.x before 11.8.4, and 11.9.x before 11.9.2. It allows persistent XSS in the merge request "resolve conflicts" page.
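Item 6 above is about metadata that survived the upload path. As an added example (not GitLab's own code), the pure-Python helper below parses a JPEG's Exif APP1 segment, reports whether IFD0 carries a GPSInfo pointer, and strips the Exif segment before the file is stored; the sample image is constructed inline and covers only JPEG/Exif, not XMP or other container formats.

```python
import struct
SOI, APP1, SOS = b"\xff\xd8", 0xFFE1, 0xFFDA
EXIF_HEADER = b"Exif\x00\x00"
GPS_INFO_TAG = 0x8825  # IFD0 entry pointing at the GPS sub-IFD

def _segments(jpeg):
    """Yield (marker, start, end) for each header segment up to and including SOS."""
    if jpeg[:2] != SOI:
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 4 <= len(jpeg):
        marker, length = struct.unpack(">HH", jpeg[pos:pos + 4])
        yield marker, pos, pos + 2 + length
        if marker == SOS:  # entropy-coded scan data follows, no more headers
            return
        pos += 2 + length
def _is_exif(jpeg, marker, start, end):
    return marker == APP1 and jpeg[start + 4:end].startswith(EXIF_HEADER)

def exif_has_gps(jpeg):
    """True if the Exif APP1 segment's IFD0 carries a GPSInfo (0x8825) tag."""
    for marker, start, end in _segments(jpeg):
        if not _is_exif(jpeg, marker, start, end):
            continue
        tiff = jpeg[start + 4 + len(EXIF_HEADER):end]
        endian = {b"II": "<", b"MM": ">"}[tiff[:2]]  # TIFF byte-order mark
        ifd0 = struct.unpack(endian + "I", tiff[4:8])[0]
        count = struct.unpack(endian + "H", tiff[ifd0:ifd0 + 2])[0]
        for i in range(count):  # each IFD entry is 12 bytes, tag first
            tag = struct.unpack(endian + "H", tiff[ifd0 + 2 + 12 * i:][:2])[0]
            if tag == GPS_INFO_TAG:
                return True
    return False

def strip_exif(jpeg):
    """Return the JPEG with every Exif APP1 segment removed; scan data is untouched."""
    out, tail = bytearray(SOI), 2
    for marker, start, end in _segments(jpeg):
        if not _is_exif(jpeg, marker, start, end):
            out += jpeg[start:end]
        tail = end
    return bytes(out + jpeg[tail:])

def _build_sample():
    """Constructed upload: SOI, Exif APP1 whose IFD0 points at a GPS sub-IFD, SOS, EOI."""
    gps_off = 8 + 2 + 2 * 12 + 4  # GPS IFD sits right after IFD0 in the TIFF block
    ifd0 = (struct.pack(">H", 2) + struct.pack(">HHI4s", 0x0110, 2, 4, b"cam\x00")
            + struct.pack(">HHII", GPS_INFO_TAG, 4, 1, gps_off) + struct.pack(">I", 0))
    gps = struct.pack(">H", 1) + struct.pack(">HHI4s", 1, 2, 2, b"N\x00\x00\x00") + b"\0\0\0\0"
    payload = EXIF_HEADER + b"MM\x00\x2a" + struct.pack(">I", 8) + ifd0 + gps
    app1 = struct.pack(">HH", APP1, len(payload) + 2) + payload
    return SOI + app1 + struct.pack(">HH", SOS, 2) + b"\x12\x34" + b"\xff\xd9"
```

Running `exif_has_gps` on an upload before accepting it gives a detection signal; `strip_exif` is the mitigation applied before storage.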
Remediation
Install the update from the vendor's website.
References
- https://about.gitlab.com/2019/04/01/security-release-gitlab-11-dot-9-dot-4-released/
- https://about.gitlab.com/blog/categories/releases/
- https://gitlab.com/gitlab-org/gitlab-ee/issues/9730
- https://gitlab.com/gitlab-org/gitlab-ce/issues/54977
- https://gitlab.com/gitlab-org/gitlab-ee/issues/9729
- https://gitlab.com/gitlab-org/gitlab-ee/issues/9731
- https://gitlab.com/gitlab-org/gitlab-ce/issues/56985
- https://gitlab.com/gitlab-org/gitlab-ce/issues/54220
- https://gitlab.com/gitlab-org/gitlab-ce/issues/55469
- https://gitlab.com/gitlab-org/gitlab-ce/issues/56927