SB2019051520 - Multiple vulnerabilities in GitLab, Gitlab Community Edition

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) Input validation error (CVE-ID: CVE-2019-10115)

The vulnerability allows a remote authenticated user to gain access to sensitive information.

An Insecure Permissions issue (issue 2 of 3) was discovered in GitLab Community and Enterprise Edition before 11.7.8, 11.8.x before 11.8.4, and 11.9.x before 11.9.2. The GitLab Releases feature could allow guest users access to private information like release details and code information.

2) Input validation error (CVE-ID: CVE-2019-10116)

The vulnerability allows a remote authenticated user to gain access to sensitive information.

An Insecure Permissions issue (issue 3 of 3) was discovered in GitLab Community and Enterprise Edition before 11.7.8, 11.8.x before 11.8.4, and 11.9.x before 11.9.2. Guests of a project were allowed to see Related Branches created for an issue.

3) Input validation error (CVE-ID: CVE-2019-10110)

The vulnerability allows a remote authenticated user to manipulate data.

An Insecure Permissions issue (issue 1 of 3) was discovered in GitLab Community and Enterprise Edition before 11.7.8, 11.8.x before 11.8.4, and 11.9.x before 11.9.2. The "move issue" feature may allow a user to create projects under any namespace on any GitLab instance on which they hold credentials.

Remediation

Install update from vendor's website.

References

• https://about.gitlab.com/2019/04/01/security-release-gitlab-11-dot-9-dot-4-released/
• https://about.gitlab.com/blog/categories/releases/
• https://gitlab.com/gitlab-org/gitlab-ce/issues/56402
• https://gitlab.com/gitlab-org/gitlab-ce/issues/56224
• https://gitlab.com/gitlab-org/gitlab-ce/issues/56865