SB2019090918 - Multiple vulnerabilities in GitLab, Gitlab Community Edition
Published: September 9, 2019 Updated: July 17, 2020
Description
This security bulletin contains information about 4 security vulnerabilities.
1) Information disclosure (CVE-ID: CVE-2019-11545)
The vulnerability allows a remote authenticated user to gain access to sensitive information.
An issue was discovered in GitLab Community Edition 11.9.x before 11.9.10 and 11.10.x before 11.10.2. It allows Information Disclosure. When an issue is moved to a private project, the private project namespace is leaked to unauthorized users with access to the original issue.
2) Race condition (CVE-ID: CVE-2019-11546)
The vulnerability allows a remote authenticated user to manipulate data.
An issue was discovered in GitLab Community and Enterprise Edition before 11.8.9, 11.9.x before 11.9.10, and 11.10.x before 11.10.2. It has a Race Condition which could allow users to approve a merge request multiple times and potentially reach the approval count required to merge.
3) Cross-site scripting (CVE-ID: CVE-2019-11547)
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
An issue was discovered in GitLab Community and Enterprise Edition before 11.8.9, 11.9.x before 11.9.10, and 11.10.x before 11.10.2. It has Improper Encoding or Escaping of Output. The branch name on new merge request notification emails isn't escaped, which could potentially lead to XSS issues.
4) Information disclosure (CVE-ID: CVE-2019-11549)
The vulnerability allows a remote authenticated user to gain access to sensitive information.
An issue was discovered in GitLab Community and Enterprise Edition 9.x, 10.x, and 11.x before 11.8.9, 11.9.x before 11.9.10, and 11.10.x before 11.10.2. Gitaly has an information disclosure issue where HTTP/GIT credentials are included in logs on connection errors.
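As an added illustration of the log hygiene and audit check item 4 calls for (this is example code, not GitLab or Gitaly code): a filter that redacts user:password@ userinfo from remote URLs before a line is logged, and a scanner that flags existing log lines still carrying such credentials. The regular expression, function names and sample log lines are constructed for this example.

```go
package main

import (
	"fmt"
	"regexp"
)

// credInURL matches scheme://user:password@ userinfo in http(s) and git URLs.
// Username-only forms such as ssh://git@host are not treated as credentials.
var credInURL = regexp.MustCompile(`(?i)\b(https?|git)://[^/\s@:]+:[^/\s@]+@`)

// RedactCredentials rewrites a log line so any embedded user:password@ is
// replaced before the line is written, keeping scheme and host for debugging.
func RedactCredentials(line string) string {
	return credInURL.ReplaceAllString(line, "${1}://REDACTED@")
}

// FindLeakedCredentials returns the zero-based indices of log lines that
// still carry a user:password@ URL, for auditing logs already on disk.
func FindLeakedCredentials(lines []string) []int {
	var hits []int
	for i, l := range lines {
		if credInURL.MatchString(l) {
			hits = append(hits, i)
		}
	}
	return hits
}

// Constructed sample log lines (not real Gitaly output); the token is a placeholder.
var sampleLog = []string{
	`level=error msg="fetch failed" url="https://gitlab-ci-token:EXAMPLE-TOKEN@git.example.com/g/r.git" error="connection refused"`,
	`level=info msg="fetch ok" url="https://git.example.com/g/r.git"`,
	`level=error msg="mirror failed" url="ssh://git@git.example.com/g/r.git" error="timeout"`,
}

func main() {
	for _, i := range FindLeakedCredentials(sampleLog) {
		fmt.Printf("line %d leaks credentials\n", i)
		fmt.Println("redacted:", RedactCredentials(sampleLog[i]))
	}
}
```

Only the first sample line is flagged; after redaction it reads `url="https://REDACTED@git.example.com/g/r.git"` and no longer matches.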
Remediation
Install update from vendor's website.