Multiple vulnerabilities in GitLab Community and Enterprise Edition

Published: 2019-11-28 | Updated: 2019-12-03
Risk: Medium
Patch available: Yes
Number of vulnerabilities: 18
CVE-ID: CVE-2019-18460, CVE-2019-18452, CVE-2019-18451, CVE-2019-18450, CVE-2019-18448, CVE-2019-18455, CVE-2019-18457, CVE-2019-18458, CVE-2019-18454, CVE-2019-18459, CVE-2019-18461, CVE-2019-18463, CVE-2019-18462, CVE-2019-18449, CVE-2019-18447, CVE-2019-18446, CVE-2019-18453, CVE-2019-18456
CWE-ID: CWE-200, CWE-732, CWE-601, CWE-835, CWE-285, CWE-79, CWE-284
Exploitation vector: Network
Public exploit: N/A
Vulnerable software: Gitlab Community Edition; GitLab Enterprise Edition (Universal components / Libraries / Software for developers)
Vendor: GitLab, Inc

Security Bulletin

This security bulletin contains information about 18 vulnerabilities.

Updated 28.11.2019
Added vulnerabilities #2-5
Updated 03.12.2019
Added vulnerabilities #6-18

1) Information disclosure

EUVDB-ID: #VU23075

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-18460

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to improper access control in the Comments Search feature provided by the Elasticsearch integration. A remote attacker can gain unauthorized access to sensitive information on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Gitlab Community Edition: 8.8.3 - 12.4.0

GitLab Enterprise Edition: 8.8.3 - 12.4.0

External links

http://about.gitlab.com/blog/2019/10/30/security-release-gitlab-12-dot-4-dot-1-released/
http://about.gitlab.com/blog/categories/releases/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Incorrect permission assignment for critical resource

EUVDB-ID: #VU23081

Risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-18452

CWE-ID: CWE-732 - Incorrect Permission Assignment for Critical Resource

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information on the target system.

The vulnerability exists due to insecure permissions when moving an issue to a public project from a private one. A remote attacker can disclose the associated private labels and the private project namespace through the GitLab API.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Gitlab Community Edition: 11.3 - 12.4.0

GitLab Enterprise Edition: 11.3.0 - 12.4.0

External links

http://about.gitlab.com/blog/2019/10/30/security-release-gitlab-12-dot-4-dot-1-released/
http://about.gitlab.com/blog/categories/releases/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Open redirect

EUVDB-ID: #VU23080

Risk: Medium

CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-18451

CWE-ID: CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')

Exploit availability: No

Description

The vulnerability allows a remote attacker to redirect victims to an arbitrary URL.

The vulnerability exists due to improper sanitization of user-supplied data in the InternalRedirect filtering feature. A remote attacker can craft a link that appears to lead to the trusted website but, when clicked, redirects the victim to an arbitrary domain.

Successful exploitation of this vulnerability may allow a remote attacker to perform a phishing attack and steal potentially sensitive information.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Gitlab Community Edition: 10.7.4 - 12.4.0

GitLab Enterprise Edition: 10.7.4 - 12.4.0

External links

http://about.gitlab.com/blog/2019/10/30/security-release-gitlab-12-dot-4-dot-1-released/
http://about.gitlab.com/blog/categories/releases/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Incorrect permission assignment for critical resource

EUVDB-ID: #VU23079

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-18450

CWE-ID: CWE-732 - Incorrect Permission Assignment for Critical Resource

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information on the target system.

The vulnerability exists due to insecure permissions in the Project labels feature. A remote authenticated attacker can disclose the project labels through the GitLab API.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Gitlab Community Edition: 12.0.0 - 12.4.0

GitLab Enterprise Edition: 12.0.0 - 12.4.0

External links

http://about.gitlab.com/blog/2019/10/30/security-release-gitlab-12-dot-4-dot-1-released/
http://about.gitlab.com/blog/categories/releases/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Information disclosure

EUVDB-ID: #VU23078

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-18448

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to improper access restrictions. A remote authenticated attacker can perform a brute-force attack to check whether a private repository exists.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Gitlab Community Edition: 12.0.0 - 12.4.0

GitLab Enterprise Edition: 12.0.0 - 12.4.0

External links

http://about.gitlab.com/blog/2019/10/30/security-release-gitlab-12-dot-4-dot-1-released/
http://about.gitlab.com/blog/categories/releases/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Infinite loop

EUVDB-ID: #VU23355

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-18455

CWE-ID: CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to an infinite loop when building nested GraphQL queries. A remote attacker can consume all available system resources and cause denial of service conditions.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Gitlab Community Edition: 11.0 - 12.4.0

GitLab Enterprise Edition: 11.0.0 - 12.4.0

External links

http://about.gitlab.com/blog/2019/10/30/security-release-gitlab-12-dot-4-dot-1-released/
http://about.gitlab.com/blog/categories/releases/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Improper Authorization

EUVDB-ID: #VU23354

Risk: Low

CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-18457

CWE-ID: CWE-285 - Improper Authorization

Exploit availability: No

Description

The vulnerability allows an attacker to bypass authorization checks.

The vulnerability exists due to improper authorization checks in the handling of Sentry tokens. A demoted user can gain access to the affected system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Gitlab Community Edition: 11.8.0 - 12.4.0

GitLab Enterprise Edition: 11.8.0 - 12.4.0

External links

http://about.gitlab.com/blog/2019/10/30/security-release-gitlab-12-dot-4-dot-1-released/
http://about.gitlab.com/blog/categories/releases/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Improper Authorization

EUVDB-ID: #VU23353

Risk: Low

CVSSv3.1: 3.3 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-18458

CWE-ID: CWE-285 - Improper Authorization

Exploit availability: No

Description

The vulnerability allows an attacker to bypass authorization checks.

The vulnerability exists due to improper authorization checks in the feature for transferring projects to another group. A remote user with developer rights can move projects.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Gitlab Community Edition: 10.5.0 - 12.4.0

GitLab Enterprise Edition: 10.5.0 - 12.4.0

External links

http://about.gitlab.com/blog/2019/10/30/security-release-gitlab-12-dot-4-dot-1-released/
http://about.gitlab.com/blog/categories/releases/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Stored cross-site scripting

EUVDB-ID: #VU23352

Risk: Low

CVSSv3.1: 6.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-18454

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data in link validation for the RDoc wiki pages feature. A remote attacker can inject and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Gitlab Community Edition: 10.5.0 - 12.4.0

GitLab Enterprise Edition: 10.5.0 - 12.4.0

External links

http://about.gitlab.com/blog/2019/10/30/security-release-gitlab-12-dot-4-dot-1-released/
http://about.gitlab.com/blog/categories/releases/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

10) Improper Authorization

EUVDB-ID: #VU23351

Risk: Medium

CVSSv3.1: 4.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-18459

CWE-ID: CWE-285 - Improper Authorization

Exploit availability: No

Description

The vulnerability allows an attacker to bypass authorization checks.

The vulnerability exists due to improper authorization checks in the protected environments feature. A remote attacker can gain access to protected environments even after removal.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Gitlab Community Edition: 11.3.0 - 12.3.0

GitLab Enterprise Edition: 11.3.0 - 12.3.0

External links

http://about.gitlab.com/blog/2019/10/30/security-release-gitlab-12-dot-4-dot-1-released/
http://about.gitlab.com/blog/categories/releases/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

11) Improper access control

EUVDB-ID: #VU23350

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-18461

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain unauthorized access to sensitive information.

The vulnerability exists due to improper access restrictions. A remote attacker can disclose the private subgroup path when a subgroup epic is added to a public group.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Gitlab Community Edition: 12.0.0 - 12.4.0

GitLab Enterprise Edition: 12.0.0 - 12.4.0

External links

http://about.gitlab.com/blog/2019/10/30/security-release-gitlab-12-dot-4-dot-1-released/
http://about.gitlab.com/blog/categories/releases/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

12) Information disclosure

EUVDB-ID: #VU23349

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-18463

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to insecure permissions. A remote authenticated user without authorization for the group can list its packages.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Gitlab Community Edition: 12.0.0 - 12.4.0

GitLab Enterprise Edition: 12.0.0 - 12.4.0

External links

http://about.gitlab.com/blog/2019/10/30/security-release-gitlab-12-dot-4-dot-1-released/
http://about.gitlab.com/blog/categories/releases/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

13) Information disclosure

EUVDB-ID: #VU23348

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-18462

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to insecure permissions. A remote authenticated user without authorization for the repository can confirm the name of a private repository.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

GitLab Enterprise Edition: 12.2.0 - 12.4.0

Gitlab Community Edition: 12.2.0 - 12.4.0

External links

http://about.gitlab.com/blog/2019/10/30/security-release-gitlab-12-dot-4-dot-1-released/
http://about.gitlab.com/blog/categories/releases/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

14) Information disclosure

EUVDB-ID: #VU23347

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-18449

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to insecure permissions in the autocomplete feature. A remote authenticated user without authorization for the group can read private group membership.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Gitlab Community Edition: 12.0.0 - 12.4.0

GitLab Enterprise Edition: 12.0.0 - 12.4.0

External links

http://about.gitlab.com/blog/2019/10/30/security-release-gitlab-12-dot-4-dot-1-released/
http://about.gitlab.com/blog/categories/releases/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

15) Incorrect permission assignment for critical resource

EUVDB-ID: #VU23096

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-18447

CWE-ID: CWE-732 - Incorrect Permission Assignment for Critical Resource

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information on the target system.

The vulnerability exists due to insecure permissions. A remote authenticated attacker can view the members of a private group.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Gitlab Community Edition: 12.0.0 - 12.4.0

GitLab Enterprise Edition: 12.0.0 - 12.4.0

External links

http://about.gitlab.com/blog/2019/10/30/security-release-gitlab-12-dot-4-dot-1-released/
http://about.gitlab.com/blog/categories/releases/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

16) Incorrect permission assignment for critical resource

EUVDB-ID: #VU23095

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-18446

CWE-ID: CWE-732 - Incorrect Permission Assignment for Critical Resource

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to otherwise restricted functionality.

The vulnerability exists due to insecure permissions. A remote authenticated attacker can delete the source branch of a merge request (MR).

Mitigation

Install updates from vendor's website.

Vulnerable software versions

GitLab Enterprise Edition: 8.15.0 - 12.4.0

Gitlab Community Edition: 8.15.0 - 12.4.0

External links

http://about.gitlab.com/blog/2019/10/30/security-release-gitlab-12-dot-4-dot-1-released/
http://about.gitlab.com/blog/categories/releases/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

17) Improper access control

EUVDB-ID: #VU23092

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-18453

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions. A remote demoted user can bypass implemented security restrictions and add comments via email.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Gitlab Community Edition: 11.6.0 - 12.4.0

GitLab Enterprise Edition: 11.6.0 - 12.4.0

External links

http://about.gitlab.com/blog/2019/10/30/security-release-gitlab-12-dot-4-dot-1-released/
http://about.gitlab.com/blog/categories/releases/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

18) Information disclosure

EUVDB-ID: #VU23184

Risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-18456

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to insecure permissions in the Search feature provided by the Elasticsearch integration. A remote attacker can disclose private comments in restricted groups.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

GitLab Enterprise Edition: 8.17.0 - 12.4.1

External links

http://about.gitlab.com/blog/2019/10/30/security-release-gitlab-12-dot-4-dot-1-released/
http://about.gitlab.com/blog/categories/releases/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
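As an added example, not part of this bulletin and not GitLab's own code, the following Python script transcribes the inclusive "Vulnerable software versions" bounds quoted in the 18 entries above and reports which of the bulletin's CVEs apply to a given installed edition and version. The `Entry` layout, the short titles, the edition keys "CE"/"EE" and the `affected_cves` helper are this example's own; the version bounds and CVE numbers are taken from the entries as written.

```python
"""Check an installed GitLab version against the affected ranges in this bulletin.

Edition keys: "CE" = Gitlab Community Edition, "EE" = GitLab Enterprise Edition.
Ranges are the inclusive "Vulnerable software versions" bounds quoted per entry.
"""
import re
from typing import Dict, List, NamedTuple, Tuple


class Entry(NamedTuple):
    number: int
    cve: str
    title: str                          # short label chosen for this example
    ranges: Dict[str, Tuple[str, str]]  # edition -> (lowest, highest) affected


# Transcribed from the 18 entries above; entry 18 lists an EE range only.
BULLETIN: List[Entry] = [
    Entry(1, "CVE-2019-18460", "Elasticsearch comments search disclosure", {"CE": ("8.8.3", "12.4.0"), "EE": ("8.8.3", "12.4.0")}),
    Entry(2, "CVE-2019-18452", "Private labels/namespace via issue move", {"CE": ("11.3", "12.4.0"), "EE": ("11.3.0", "12.4.0")}),
    Entry(3, "CVE-2019-18451", "InternalRedirect open redirect", {"CE": ("10.7.4", "12.4.0"), "EE": ("10.7.4", "12.4.0")}),
    Entry(4, "CVE-2019-18450", "Project labels via API", {"CE": ("12.0.0", "12.4.0"), "EE": ("12.0.0", "12.4.0")}),
    Entry(5, "CVE-2019-18448", "Private repository existence check", {"CE": ("12.0.0", "12.4.0"), "EE": ("12.0.0", "12.4.0")}),
    Entry(6, "CVE-2019-18455", "Nested GraphQL query infinite loop", {"CE": ("11.0", "12.4.0"), "EE": ("11.0.0", "12.4.0")}),
    Entry(7, "CVE-2019-18457", "Sentry token authorization", {"CE": ("11.8.0", "12.4.0"), "EE": ("11.8.0", "12.4.0")}),
    Entry(8, "CVE-2019-18458", "Project transfer authorization", {"CE": ("10.5.0", "12.4.0"), "EE": ("10.5.0", "12.4.0")}),
    Entry(9, "CVE-2019-18454", "RDoc wiki stored XSS", {"CE": ("10.5.0", "12.4.0"), "EE": ("10.5.0", "12.4.0")}),
    Entry(10, "CVE-2019-18459", "Protected environments authorization", {"CE": ("11.3.0", "12.3.0"), "EE": ("11.3.0", "12.3.0")}),
    Entry(11, "CVE-2019-18461", "Private subgroup path via epic", {"CE": ("12.0.0", "12.4.0"), "EE": ("12.0.0", "12.4.0")}),
    Entry(12, "CVE-2019-18463", "Group package listing", {"CE": ("12.0.0", "12.4.0"), "EE": ("12.0.0", "12.4.0")}),
    Entry(13, "CVE-2019-18462", "Private repository name confirmation", {"CE": ("12.2.0", "12.4.0"), "EE": ("12.2.0", "12.4.0")}),
    Entry(14, "CVE-2019-18449", "Private group membership via autocomplete", {"CE": ("12.0.0", "12.4.0"), "EE": ("12.0.0", "12.4.0")}),
    Entry(15, "CVE-2019-18447", "Private group members", {"CE": ("12.0.0", "12.4.0"), "EE": ("12.0.0", "12.4.0")}),
    Entry(16, "CVE-2019-18446", "MR source branch deletion", {"CE": ("8.15.0", "12.4.0"), "EE": ("8.15.0", "12.4.0")}),
    Entry(17, "CVE-2019-18453", "Comments via email after demotion", {"CE": ("11.6.0", "12.4.0"), "EE": ("11.6.0", "12.4.0")}),
    Entry(18, "CVE-2019-18456", "Elasticsearch search private comments", {"EE": ("8.17.0", "12.4.1")}),
]

_VERSION_RE = re.compile(r"^v?(\d+(?:\.\d+)*)")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '12.4.0', '11.3' or '12.4.0-ee' into a comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    while len(parts) < 3:          # '11.3' in the bulletin means 11.3.0
        parts.append(0)
    return tuple(parts[:3])


def in_range(version: str, low: str, high: str) -> bool:
    """Inclusive range test, matching how the bulletin states its bounds."""
    return parse_version(low) <= parse_version(version) <= parse_version(high)


def affected_entries(edition: str, version: str) -> List[Entry]:
    """Bulletin entries whose range for the given edition contains the version."""
    return [e for e in BULLETIN
            if edition in e.ranges and in_range(version, *e.ranges[edition])]


def affected_cves(edition: str, version: str) -> List[str]:
    return [e.cve for e in affected_entries(edition, version)]


if __name__ == "__main__":
    import sys
    edition, version = (sys.argv[1], sys.argv[2]) if len(sys.argv) == 3 else ("CE", "12.4.0")
    hits = affected_entries(edition, version)
    print(f"GitLab {edition} {version}: {len(hits)} bulletin entries apply")
    for e in hits:
        print(f"  #{e.number:<2} {e.cve}  {e.title}")
```

Run it as `python check_gitlab_bulletin.py EE 12.4.1` (the file name is this example's own). Because the bounds are inclusive, 12.4.0 is still reported as affected by every entry that ends at 12.4.0, while entry 18 is the only one that still applies to EE 12.4.1, which is exactly what the bulletin's version lines say; a patch suffix such as `-ee` is ignored when parsing.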


