Multiple vulnerabilities in GitLab Community and Enterprise Edition



Published: 2019-11-28 | Updated: 2019-12-03
Severity: Medium
Patch available: YES
Number of vulnerabilities: 18
CVE ID: CVE-2019-18460, CVE-2019-18452, CVE-2019-18451, CVE-2019-18450, CVE-2019-18448, CVE-2019-18455, CVE-2019-18457, CVE-2019-18458, CVE-2019-18454, CVE-2019-18459, CVE-2019-18461, CVE-2019-18463, CVE-2019-18462, CVE-2019-18449, CVE-2019-18447, CVE-2019-18446, CVE-2019-18453, CVE-2019-18456
CWE ID: CWE-200, CWE-732, CWE-601, CWE-835, CWE-285, CWE-79, CWE-284
Exploitation vector: Network
Public exploit: N/A
Vulnerable software: GitLab Community Edition (Universal components / Libraries / Software for developers); GitLab Enterprise Edition (Universal components / Libraries / Software for developers)
Vendor: GitLab, Inc

Security Advisory

Updated 28.11.2019: added vulnerabilities #2-5
Updated 03.12.2019: added vulnerabilities #6-18

1) Information disclosure

Severity: Medium

CVSSv3: 6.5 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2019-18460

CWE-ID: CWE-200 - Information Exposure

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to improper access control in the Comments Search feature provided by the Elasticsearch integration. A remote attacker can gain unauthorized access to sensitive information on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Gitlab Community Edition: 8.8.3, 8.8.4, 8.8.5, 8.8.6, 8.8.7, 8.8.8, 8.8.9, 8.9, 8.9.0, 8.9.1, 8.9.2, 8.9.3, 8.9.4, 8.9.5, 8.9.6, 8.9.7, 8.9.8, 8.9.9, 8.9.10, 8.9.11, 8.10, 8.10.0, 8.10.1, 8.10.2, 8.10.3, 8.10.4, 8.10.5, 8.10.6, 8.10.7, 8.10.8, 8.10.9, 8.10.10, 8.10.11, 8.10.12, 8.10.13, 8.11, 8.11.0, 8.11.1, 8.11.2, 8.11.3, 8.11.4, 8.11.5, 8.11.6, 8.11.7, 8.11.8, 8.11.9, 8.11.10, 8.11.11, 8.12, 8.12.0, 8.12.1, 8.12.2, 8.12.3, 8.12.4, 8.12.5, 8.12.6, 8.12.7, 8.12.8, 8.12.9, 8.12.10, 8.12.11, 8.12.12, 8.12.13, 8.13, 8.13.0, 8.13.1, 8.13.2, 8.13.3, 8.13.4, 8.13.5, 8.13.6, 8.13.7, 8.13.8, 8.13.9, 8.13.10, 8.13.11, 8.13.12, 8.14, 8.14.0, 8.14.1, 8.14.2, 8.14.3, 8.14.4, 8.14.5, 8.14.6, 8.14.7, 8.14.8, 8.14.9, 8.14.10, 8.15, 8.15.0, 8.15.1, 8.15.2, 8.15.3, 8.15.4, 8.15.5, 8.15.6, 8.15.7, 8.15.8, 8.16.0, 8.16.1, 8.16.2, 8.16.3, 8.16.4, 8.16.5, 8.16.6, 8.16.7, 8.16.8, 8.16.9, 8.17, 8.17.0, 8.17.1, 8.17.2, 8.17.3, 8.17.4, 8.17.5, 8.17.6, 8.17.7, 8.17.8, 9.0, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.0.11, 9.0.12, 9.0.13, 9.1, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.1.8, 9.1.9, 9.1.10, 9.2, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.2.5, 9.2.6, 9.2.7, 9.2.8, 9.2.9, 9.2.10, 9.3, 9.3.0, 9.3.1, 9.3.2, 9.3.3, 9.3.4, 9.3.5, 9.3.6, 9.3.7, 9.3.8, 9.3.9, 9.3.10, 9.3.11, 9.4, 9.4.0, 9.4.1, 9.4.2, 9.4.3, 9.4.4, 9.4.5, 9.4.6, 9.4.7, 9.5, 9.5.0, 9.5.1, 9.5.2, 9.5.3, 9.5.4, 9.5.5, 9.5.6, 9.5.7, 9.5.8, 9.5.9, 9.5.10, 9.55, 10.0, 10.0.0, 10.0.1, 10.0.2, 10.0.3, 10.0.4, 10.0.5, 10.0.6, 10.0.7, 10.1, 10.1.0, 10.1.1, 10.1.2, 10.1.3, 10.1.4, 10.1.5, 10.1.6, 10.1.7, 10.2, 10.2.0, 10.2.1, 10.2.2, 10.2.3, 10.2.4, 10.2.5, 10.2.6, 10.2.7, 10.2.8, 10.3, 10.3.0, 10.3.1, 10.3.2, 10.3.3, 10.3.4, 10.3.5, 10.3.6, 10.3.7, 10.3.8, 10.3.9, 10.4, 10.4.0, 10.4.1, 10.4.2, 10.4.3, 10.4.4, 10.4.5, 10.4.6, 10.4.7, 10.5, 10.5.0, 10.5.1, 10.5.2, 10.5.3, 10.5.4, 10.5.5, 10.5.6, 10.5.7, 10.5.8, 10.6, 10.6.0, 10.6.1, 10.6.2, 10.6.3, 10.6.4, 10.6.5, 10.6.6, 10.7, 10.7.0, 
10.7.1, 10.7.2, 10.7.3, 10.7.4, 10.7.5, 10.7.6, 10.7.7, 10.8, 10.8.0, 10.8.1, 10.8.2, 10.8.3, 10.8.4, 10.8.5, 10.8.6, 10.8.7, 11.0, 11.0.0, 11.0.1, 11.0.2, 11.0.3, 11.0.4, 11.0.5, 11.0.6, 11.1, 11.1.0, 11.1.1, 11.1.2, 11.1.3, 11.1.4, 11.1.5, 11.1.6, 11.1.7, 11.1.8, 11.2, 11.2.0, 11.2.1, 11.2.2, 11.2.3, 11.2.4, 11.2.5, 11.2.6, 11.2.7, 11.2.8, 11.3, 11.3.0, 11.3.1, 11.3.2, 11.3.3, 11.3.4, 11.3.5, 11.3.6, 11.3.7, 11.3.8, 11.3.9, 11.3.10, 11.3.11, 11.3.12, 11.3.13, 11.3.14, 11.4, 11.4.0, 11.4.1, 11.4.2, 11.4.3, 11.4.4, 11.4.5, 11.4.6, 11.4.7, 11.4.8, 11.4.9, 11.4.10, 11.4.11, 11.4.12, 11.4.13, 11.4.14, 11.5.0, 11.5.1, 11.5.2, 11.5.3, 11.5.4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.5.10, 11.5.11, 11.6.0, 11.6.1, 11.6.2, 11.6.3, 11.6.4, 11.6.5, 11.6.6, 11.6.7, 11.6.8, 11.6.9, 11.6.10, 11.6.11, 11.7.0, 11.7.1, 11.7.2, 11.7.3, 11.7.4, 11.7.5, 11.7.6, 11.7.7, 11.7.8, 11.7.9, 11.7.10, 11.7.11, 11.7.12, 11.8.0, 11.8.1, 11.8.2, 11.8.3, 11.8.4, 11.8.5, 11.8.6, 11.8.7, 11.8.8, 11.8.9, 11.8.10, 11.9.0, 11.9.1, 11.9.2, 11.9.3, 11.9.4, 11.9.5, 11.9.6, 11.9.7, 11.9.8, 11.9.9, 11.9.10, 11.9.11, 11.9.12, 11.10.0, 11.10.1, 11.10.2, 11.10.3, 11.10.4, 11.10.5, 11.10.6, 11.10.7, 11.10.8, 11.11.0, 11.11.1, 11.11.2, 11.11.3, 11.11.4, 11.11.5, 11.11.7, 11.11.8, 12.0.0, 12.0.1, 12.0.2, 12.0.3, 12.0.4, 12.0.6, 12.0.8, 12.0.9, 12.1.0, 12.1.1, 12.1.2, 12.1.3, 12.1.4, 12.1.6, 12.1.8, 12.1.9, 12.1.10, 12.1.11, 12.1.12, 12.1.13, 12.1.14, 12.2.0, 12.2.1, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8, 12.3.0, 12.3.1, 12.3.2, 12.3.3, 12.3.4, 12.3.5, 12.3.7, 12.3.8, 12.4.0

GitLab Enterprise Edition: 8.8.3, 8.8.4, 8.8.5, 8.8.6, 8.8.7, 8.8.8, 8.8.9, 8.9.0, 8.9.1, 8.9.2, 8.9.3, 8.9.4, 8.9.5, 8.9.6, 8.9.7, 8.9.8, 8.9.9, 8.9.10, 8.10.0, 8.10.1, 8.10.2, 8.10.3, 8.10.4, 8.10.5, 8.10.6, 8.10.7, 8.10.8, 8.10.9, 8.10.10, 8.10.11, 8.10.12, 8.11.0, 8.11.1, 8.11.2, 8.11.3, 8.11.4, 8.11.5, 8.11.6, 8.11.7, 8.11.8, 8.11.9, 8.11.10, 8.11.11, 8.12.0, 8.12.1, 8.12.2, 8.12.3, 8.12.4, 8.12.5, 8.12.6, 8.12.7, 8.12.8, 8.12.9, 8.12.10, 8.12.11, 8.12.12, 8.13.0, 8.13.1, 8.13.2, 8.13.3, 8.13.4, 8.13.5, 8.13.6, 8.13.7, 8.13.8, 8.13.9, 8.13.10, 8.13.11, 8.13.12, 8.14.0, 8.14.1, 8.14.2, 8.14.3, 8.14.4, 8.14.5, 8.14.6, 8.14.7, 8.14.8, 8.14.9, 8.14.10, 8.15.0, 8.15.1, 8.15.2, 8.15.3, 8.15.4, 8.15.5, 8.15.6, 8.15.7, 8.15.8, 8.16.0, 8.16.1, 8.16.2, 8.16.3, 8.16.4, 8.16.5, 8.16.6, 8.16.7, 8.16.8, 8.16.9, 8.17.0, 8.17.1, 8.17.2, 8.17.3, 8.17.4, 8.17.5, 8.17.6, 8.17.7, 8.17.8, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.0.11, 9.0.12, 9.0.13, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.1.8, 9.1.9, 9.1.10, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.2.5, 9.2.6, 9.2.7, 9.2.8, 9.2.9, 9.2.10, 9.3.0, 9.3.1, 9.3.2, 9.3.3, 9.3.4, 9.3.5, 9.3.6, 9.3.7, 9.3.8, 9.3.9, 9.3.10, 9.3.11, 9.4.0, 9.4.1, 9.4.2, 9.4.3, 9.4.4, 9.4.5, 9.4.6, 9.4.7, 9.5.0, 9.5.1, 9.5.2, 9.5.3, 9.5.4, 9.5.5, 9.5.6, 9.5.7, 9.5.8, 9.5.9, 9.5.10, 10.0.0, 10.0.1, 10.0.2, 10.0.3, 10.0.4, 10.0.5, 10.0.7, 10.1.0, 10.1.1, 10.1.2, 10.1.3, 10.1.4, 10.1.5, 10.1.6, 10.1.7, 10.2.0, 10.2.1, 10.2.2, 10.2.3, 10.2.4, 10.2.5, 10.2.6, 10.2.7, 10.2.8, 10.3.0, 10.3.1, 10.3.2, 10.3.3, 10.3.4, 10.3.5, 10.3.6, 10.3.7, 10.3.8, 10.3.9, 10.4.0, 10.4.1, 10.4.2, 10.4.3, 10.4.4, 10.4.5, 10.4.6, 10.4.7, 10.5.0, 10.5.1, 10.5.2, 10.5.3, 10.5.4, 10.5.5, 10.5.6, 10.5.7, 10.5.8, 10.6.0, 10.6.1, 10.6.2, 10.6.3, 10.6.4, 10.6.5, 10.6.6, 10.7.0, 10.7.1, 10.7.2, 10.7.3, 10.7.4, 10.7.5, 10.7.6, 10.7.7, 10.8.0, 10.8.1, 10.8.2, 10.8.3, 10.8.4, 10.8.5, 10.8.6, 11.0.0, 11.0.1, 11.0.2, 11.0.3, 11.0.4, 11.0.5, 
11.0.6, 11.1.0, 11.1.1, 11.1.2, 11.1.3, 11.1.4, 11.1.5, 11.1.6, 11.1.7, 11.2.0, 11.2.1, 11.2.2, 11.2.3, 11.2.4, 11.2.5, 11.2.6, 11.2.7, 11.2.8, 11.3.0, 11.3.1, 11.3.2, 11.3.3, 11.3.4, 11.3.5, 11.3.6, 11.3.7, 11.3.8, 11.3.9, 11.3.10, 11.3.11, 11.3.13, 11.3.14, 11.4.0, 11.4.1, 11.4.2, 11.4.3, 11.4.4, 11.4.5, 11.4.6, 11.4.7, 11.4.8, 11.4.9, 11.5.0, 11.5.1, 11.5.2, 11.5.3, 11.5.5, 11.5.8, 11.5.10, 11.5.11, 11.6.0, 11.6.1, 11.6.2, 11.6.3, 11.6.4, 11.6.5, 11.6.8, 11.6.9, 11.6.10, 11.6.11, 11.7.0, 11.7.1, 11.7.2, 11.7.3, 11.7.5, 11.7.7, 11.7.8, 11.7.10, 11.7.11, 11.7.12, 11.8.0, 11.8.2, 11.8.3, 11.8.6, 11.8.7, 11.8.10, 11.9.0, 11.9.1, 11.9.2, 11.9.3, 11.9.5, 11.9.6, 11.9.7, 11.9.8, 11.9.9, 11.9.10, 11.9.12, 11.10.0, 11.10.1, 11.10.2, 11.10.3, 11.10.4, 11.10.6, 11.10.7, 11.10.8, 11.11.0, 11.11.2, 11.11.3, 11.11.4, 11.11.7, 11.11.8, 12.0.0, 12.0.1, 12.0.2, 12.0.6, 12.0.7, 12.0.9, 12.1.1, 12.1.2, 12.1.3, 12.1.4, 12.1.5, 12.1.9, 12.1.10, 12.2.0, 12.2.1, 12.2.2, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8, 12.3.0, 12.3.1, 12.3.2, 12.3.4, 12.3.7, 12.4.0

External links

https://about.gitlab.com/blog/2019/10/30/security-release-gitlab-12-dot-4-dot-1-released/
https://about.gitlab.com/blog/categories/releases/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Incorrect permission assignment for critical resource

Severity: Medium

CVSSv3: 4.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2019-18452

CWE-ID: CWE-732 - Incorrect Permission Assignment for Critical Resource

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information on the target system.

The vulnerability exists due to insecure permissions when moving an issue to a public project from a private one. A remote attacker can disclose the associated private labels and the private project namespace through the GitLab API.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Gitlab Community Edition: 11.3, 11.3.0, 11.3.1, 11.3.2, 11.3.3, 11.3.4, 11.3.5, 11.3.6, 11.3.7, 11.3.8, 11.3.9, 11.3.10, 11.3.11, 11.3.12, 11.3.13, 11.3.14, 11.4, 11.4.0, 11.4.1, 11.4.2, 11.4.3, 11.4.4, 11.4.5, 11.4.6, 11.4.7, 11.4.8, 11.4.9, 11.4.10, 11.4.11, 11.4.12, 11.4.13, 11.4.14, 11.5.0, 11.5.1, 11.5.2, 11.5.3, 11.5.4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.5.10, 11.5.11, 11.6.0, 11.6.1, 11.6.2, 11.6.3, 11.6.4, 11.6.5, 11.6.6, 11.6.7, 11.6.8, 11.6.9, 11.6.10, 11.6.11, 11.7.0, 11.7.1, 11.7.2, 11.7.3, 11.7.4, 11.7.5, 11.7.6, 11.7.7, 11.7.8, 11.7.9, 11.7.10, 11.7.11, 11.7.12, 11.8.0, 11.8.1, 11.8.2, 11.8.3, 11.8.4, 11.8.5, 11.8.6, 11.8.7, 11.8.8, 11.8.9, 11.8.10, 11.9.0, 11.9.1, 11.9.2, 11.9.3, 11.9.4, 11.9.5, 11.9.6, 11.9.7, 11.9.8, 11.9.9, 11.9.10, 11.9.11, 11.9.12, 11.10.0, 11.10.1, 11.10.2, 11.10.3, 11.10.4, 11.10.5, 11.10.6, 11.10.7, 11.10.8, 11.11.0, 11.11.1, 11.11.2, 11.11.3, 11.11.4, 11.11.5, 11.11.7, 11.11.8, 12.0.0, 12.0.1, 12.0.2, 12.0.3, 12.0.4, 12.0.6, 12.0.8, 12.0.9, 12.1.0, 12.1.1, 12.1.2, 12.1.3, 12.1.4, 12.1.6, 12.1.8, 12.1.9, 12.1.10, 12.1.11, 12.1.12, 12.1.13, 12.1.14, 12.2.0, 12.2.1, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8, 12.3.0, 12.3.1, 12.3.2, 12.3.3, 12.3.4, 12.3.5, 12.3.7, 12.3.8, 12.4.0

GitLab Enterprise Edition: 11.3.0, 11.3.1, 11.3.2, 11.3.3, 11.3.4, 11.3.5, 11.3.6, 11.3.7, 11.3.8, 11.3.9, 11.3.10, 11.3.11, 11.3.13, 11.3.14, 11.4.0, 11.4.1, 11.4.2, 11.4.3, 11.4.4, 11.4.5, 11.4.6, 11.4.7, 11.4.8, 11.4.9, 11.5.0, 11.5.1, 11.5.2, 11.5.3, 11.5.5, 11.5.8, 11.5.10, 11.5.11, 11.6.0, 11.6.1, 11.6.2, 11.6.3, 11.6.4, 11.6.5, 11.6.8, 11.6.9, 11.6.10, 11.6.11, 11.7.0, 11.7.1, 11.7.2, 11.7.3, 11.7.5, 11.7.7, 11.7.8, 11.7.10, 11.7.11, 11.7.12, 11.8.0, 11.8.2, 11.8.3, 11.8.6, 11.8.7, 11.8.10, 11.9.0, 11.9.1, 11.9.2, 11.9.3, 11.9.5, 11.9.6, 11.9.7, 11.9.8, 11.9.9, 11.9.10, 11.9.12, 11.10.0, 11.10.1, 11.10.2, 11.10.3, 11.10.4, 11.10.6, 11.10.7, 11.10.8, 11.11.0, 11.11.2, 11.11.3, 11.11.4, 11.11.7, 11.11.8, 12.0.0, 12.0.1, 12.0.2, 12.0.6, 12.0.7, 12.0.9, 12.1.1, 12.1.2, 12.1.3, 12.1.4, 12.1.5, 12.1.9, 12.1.10, 12.2.0, 12.2.1, 12.2.2, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8, 12.3.0, 12.3.1, 12.3.2, 12.3.4, 12.3.7, 12.4.0

External links

https://about.gitlab.com/blog/2019/10/30/security-release-gitlab-12-dot-4-dot-1-released/
https://about.gitlab.com/blog/categories/releases/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Open redirect

Severity: Medium

CVSSv3: 5.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2019-18451

CWE-ID: CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')

Description

The vulnerability allows a remote attacker to redirect victims to an arbitrary URL.

The vulnerability exists due to improper sanitization of user-supplied data in the InternalRedirect filtering feature. A remote attacker can create a link that appears to lead to a trusted website but, when clicked, redirects the victim to an arbitrary domain.

Successful exploitation of this vulnerability may allow a remote attacker to perform a phishing attack and steal potentially sensitive information.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Gitlab Community Edition: 10.7.4, 10.7.5, 10.7.6, 10.7.7, 10.8, 10.8.0, 10.8.1, 10.8.2, 10.8.3, 10.8.4, 10.8.5, 10.8.6, 10.8.7, 11.0, 11.0.0, 11.0.1, 11.0.2, 11.0.3, 11.0.4, 11.0.5, 11.0.6, 11.1, 11.1.0, 11.1.1, 11.1.2, 11.1.3, 11.1.4, 11.1.5, 11.1.6, 11.1.7, 11.1.8, 11.2, 11.2.0, 11.2.1, 11.2.2, 11.2.3, 11.2.4, 11.2.5, 11.2.6, 11.2.7, 11.2.8, 11.3, 11.3.0, 11.3.1, 11.3.2, 11.3.3, 11.3.4, 11.3.5, 11.3.6, 11.3.7, 11.3.8, 11.3.9, 11.3.10, 11.3.11, 11.3.12, 11.3.13, 11.3.14, 11.4, 11.4.0, 11.4.1, 11.4.2, 11.4.3, 11.4.4, 11.4.5, 11.4.6, 11.4.7, 11.4.8, 11.4.9, 11.4.10, 11.4.11, 11.4.12, 11.4.13, 11.4.14, 11.5.0, 11.5.1, 11.5.2, 11.5.3, 11.5.4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.5.10, 11.5.11, 11.6.0, 11.6.1, 11.6.2, 11.6.3, 11.6.4, 11.6.5, 11.6.6, 11.6.7, 11.6.8, 11.6.9, 11.6.10, 11.6.11, 11.7.0, 11.7.1, 11.7.2, 11.7.3, 11.7.4, 11.7.5, 11.7.6, 11.7.7, 11.7.8, 11.7.9, 11.7.10, 11.7.11, 11.7.12, 11.8.0, 11.8.1, 11.8.2, 11.8.3, 11.8.4, 11.8.5, 11.8.6, 11.8.7, 11.8.8, 11.8.9, 11.8.10, 11.9.0, 11.9.1, 11.9.2, 11.9.3, 11.9.4, 11.9.5, 11.9.6, 11.9.7, 11.9.8, 11.9.9, 11.9.10, 11.9.11, 11.9.12, 11.10.0, 11.10.1, 11.10.2, 11.10.3, 11.10.4, 11.10.5, 11.10.6, 11.10.7, 11.10.8, 11.11.0, 11.11.1, 11.11.2, 11.11.3, 11.11.4, 11.11.5, 11.11.7, 11.11.8, 12.0.0, 12.0.1, 12.0.2, 12.0.3, 12.0.4, 12.0.6, 12.0.8, 12.0.9, 12.1.0, 12.1.1, 12.1.2, 12.1.3, 12.1.4, 12.1.6, 12.1.8, 12.1.9, 12.1.10, 12.1.11, 12.1.12, 12.1.13, 12.1.14, 12.2.0, 12.2.1, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8, 12.3.0, 12.3.1, 12.3.2, 12.3.3, 12.3.4, 12.3.5, 12.3.7, 12.3.8, 12.4.0

GitLab Enterprise Edition: 10.7.4, 10.7.5, 10.7.6, 10.7.7, 10.8.0, 10.8.1, 10.8.2, 10.8.3, 10.8.4, 10.8.5, 10.8.6, 11.0.0, 11.0.1, 11.0.2, 11.0.3, 11.0.4, 11.0.5, 11.0.6, 11.1.0, 11.1.1, 11.1.2, 11.1.3, 11.1.4, 11.1.5, 11.1.6, 11.1.7, 11.2.0, 11.2.1, 11.2.2, 11.2.3, 11.2.4, 11.2.5, 11.2.6, 11.2.7, 11.2.8, 11.3.0, 11.3.1, 11.3.2, 11.3.3, 11.3.4, 11.3.5, 11.3.6, 11.3.7, 11.3.8, 11.3.9, 11.3.10, 11.3.11, 11.3.13, 11.3.14, 11.4.0, 11.4.1, 11.4.2, 11.4.3, 11.4.4, 11.4.5, 11.4.6, 11.4.7, 11.4.8, 11.4.9, 11.5.0, 11.5.1, 11.5.2, 11.5.3, 11.5.5, 11.5.8, 11.5.10, 11.5.11, 11.6.0, 11.6.1, 11.6.2, 11.6.3, 11.6.4, 11.6.5, 11.6.8, 11.6.9, 11.6.10, 11.6.11, 11.7.0, 11.7.1, 11.7.2, 11.7.3, 11.7.5, 11.7.7, 11.7.8, 11.7.10, 11.7.11, 11.7.12, 11.8.0, 11.8.2, 11.8.3, 11.8.6, 11.8.7, 11.8.10, 11.9.0, 11.9.1, 11.9.2, 11.9.3, 11.9.5, 11.9.6, 11.9.7, 11.9.8, 11.9.9, 11.9.10, 11.9.12, 11.10.0, 11.10.1, 11.10.2, 11.10.3, 11.10.4, 11.10.6, 11.10.7, 11.10.8, 11.11.0, 11.11.2, 11.11.3, 11.11.4, 11.11.7, 11.11.8, 12.0.0, 12.0.1, 12.0.2, 12.0.6, 12.0.7, 12.0.9, 12.1.1, 12.1.2, 12.1.3, 12.1.4, 12.1.5, 12.1.9, 12.1.10, 12.2.0, 12.2.1, 12.2.2, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8, 12.3.0, 12.3.1, 12.3.2, 12.3.4, 12.3.7, 12.4.0

External links

https://about.gitlab.com/blog/2019/10/30/security-release-gitlab-12-dot-4-dot-1-released/
https://about.gitlab.com/blog/categories/releases/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Incorrect permission assignment for critical resource

Severity: Low

CVSSv3: 3.8 [CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-18450

CWE-ID: CWE-732 - Incorrect Permission Assignment for Critical Resource

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information on the target system.

The vulnerability exists due to insecure permissions in the Project labels feature. A remote authenticated attacker can disclose the project labels through the GitLab API.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Gitlab Community Edition: 12.0.0, 12.0.1, 12.0.2, 12.0.3, 12.0.4, 12.0.6, 12.0.8, 12.0.9, 12.1.0, 12.1.1, 12.1.2, 12.1.3, 12.1.4, 12.1.6, 12.1.8, 12.1.9, 12.1.10, 12.1.11, 12.1.12, 12.1.13, 12.1.14, 12.2.0, 12.2.1, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8, 12.3.0, 12.3.1, 12.3.2, 12.3.3, 12.3.4, 12.3.5, 12.3.7, 12.3.8, 12.4.0

GitLab Enterprise Edition: 12.0.0, 12.0.1, 12.0.2, 12.0.6, 12.0.7, 12.0.9, 12.1.1, 12.1.2, 12.1.3, 12.1.4, 12.1.5, 12.1.9, 12.1.10, 12.2.0, 12.2.1, 12.2.2, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8, 12.3.0, 12.3.1, 12.3.2, 12.3.4, 12.3.7, 12.4.0

External links

https://about.gitlab.com/blog/2019/10/30/security-release-gitlab-12-dot-4-dot-1-released/
https://about.gitlab.com/blog/categories/releases/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Information disclosure

Severity: Medium

CVSSv3: 5.7 [CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2019-18448

CWE-ID: CWE-200 - Information Exposure

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to improper access restrictions. A remote authenticated attacker can perform a brute-force attack to check whether a private repository exists.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Gitlab Community Edition: 12.0.0, 12.0.1, 12.0.2, 12.0.3, 12.0.4, 12.0.6, 12.0.8, 12.0.9, 12.1.0, 12.1.1, 12.1.2, 12.1.3, 12.1.4, 12.1.6, 12.1.8, 12.1.9, 12.1.10, 12.1.11, 12.1.12, 12.1.13, 12.1.14, 12.2.0, 12.2.1, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8, 12.3.0, 12.3.1, 12.3.2, 12.3.3, 12.3.4, 12.3.5, 12.3.7, 12.3.8, 12.4.0

GitLab Enterprise Edition: 12.0.0, 12.0.1, 12.0.2, 12.0.6, 12.0.7, 12.0.9, 12.1.1, 12.1.2, 12.1.3, 12.1.4, 12.1.5, 12.1.9, 12.1.10, 12.2.0, 12.2.1, 12.2.2, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8, 12.3.0, 12.3.1, 12.3.2, 12.3.4, 12.3.7, 12.4.0

External links

https://about.gitlab.com/blog/2019/10/30/security-release-gitlab-12-dot-4-dot-1-released/
https://about.gitlab.com/blog/categories/releases/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Infinite loop

Severity: Medium

CVSSv3: 6.5 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2019-18455

CWE-ID: CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to an infinite loop when building nested GraphQL queries. A remote attacker can consume all available system resources and cause denial of service conditions.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Gitlab Community Edition: 11.0, 11.0.0, 11.0.1, 11.0.2, 11.0.3, 11.0.4, 11.0.5, 11.0.6, 11.1, 11.1.0, 11.1.1, 11.1.2, 11.1.3, 11.1.4, 11.1.5, 11.1.6, 11.1.7, 11.1.8, 11.2, 11.2.0, 11.2.1, 11.2.2, 11.2.3, 11.2.4, 11.2.5, 11.2.6, 11.2.7, 11.2.8, 11.3, 11.3.0, 11.3.1, 11.3.2, 11.3.3, 11.3.4, 11.3.5, 11.3.6, 11.3.7, 11.3.8, 11.3.9, 11.3.10, 11.3.11, 11.3.12, 11.3.13, 11.3.14, 11.4, 11.4.0, 11.4.1, 11.4.2, 11.4.3, 11.4.4, 11.4.5, 11.4.6, 11.4.7, 11.4.8, 11.4.9, 11.4.10, 11.4.11, 11.4.12, 11.4.13, 11.4.14, 11.5.0, 11.5.1, 11.5.2, 11.5.3, 11.5.4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.5.10, 11.5.11, 11.6.0, 11.6.1, 11.6.2, 11.6.3, 11.6.4, 11.6.5, 11.6.6, 11.6.7, 11.6.8, 11.6.9, 11.6.10, 11.6.11, 11.7.0, 11.7.1, 11.7.2, 11.7.3, 11.7.4, 11.7.5, 11.7.6, 11.7.7, 11.7.8, 11.7.9, 11.7.10, 11.7.11, 11.7.12, 11.8.0, 11.8.1, 11.8.2, 11.8.3, 11.8.4, 11.8.5, 11.8.6, 11.8.7, 11.8.8, 11.8.9, 11.8.10, 11.9.0, 11.9.1, 11.9.2, 11.9.3, 11.9.4, 11.9.5, 11.9.6, 11.9.7, 11.9.8, 11.9.9, 11.9.10, 11.9.11, 11.9.12, 11.10.0, 11.10.1, 11.10.2, 11.10.3, 11.10.4, 11.10.5, 11.10.6, 11.10.7, 11.10.8, 11.11.0, 11.11.1, 11.11.2, 11.11.3, 11.11.4, 11.11.5, 11.11.7, 11.11.8, 12.0.0, 12.0.1, 12.0.2, 12.0.3, 12.0.4, 12.0.6, 12.0.8, 12.0.9, 12.1.0, 12.1.1, 12.1.2, 12.1.3, 12.1.4, 12.1.6, 12.1.8, 12.1.9, 12.1.10, 12.1.11, 12.1.12, 12.1.13, 12.1.14, 12.2.0, 12.2.1, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8, 12.3.0, 12.3.1, 12.3.2, 12.3.3, 12.3.4, 12.3.5, 12.3.7, 12.3.8, 12.4.0

GitLab Enterprise Edition: 11.0.0, 11.0.1, 11.0.2, 11.0.3, 11.0.4, 11.0.5, 11.0.6, 11.1.0, 11.1.1, 11.1.2, 11.1.3, 11.1.4, 11.1.5, 11.1.6, 11.1.7, 11.2.0, 11.2.1, 11.2.2, 11.2.3, 11.2.4, 11.2.5, 11.2.6, 11.2.7, 11.2.8, 11.3.0, 11.3.1, 11.3.2, 11.3.3, 11.3.4, 11.3.5, 11.3.6, 11.3.7, 11.3.8, 11.3.9, 11.3.10, 11.3.11, 11.3.13, 11.3.14, 11.4.0, 11.4.1, 11.4.2, 11.4.3, 11.4.4, 11.4.5, 11.4.6, 11.4.7, 11.4.8, 11.4.9, 11.5.0, 11.5.1, 11.5.2, 11.5.3, 11.5.5, 11.5.8, 11.5.10, 11.5.11, 11.6.0, 11.6.1, 11.6.2, 11.6.3, 11.6.4, 11.6.5, 11.6.8, 11.6.9, 11.6.10, 11.6.11, 11.7.0, 11.7.1, 11.7.2, 11.7.3, 11.7.5, 11.7.7, 11.7.8, 11.7.10, 11.7.11, 11.7.12, 11.8.0, 11.8.2, 11.8.3, 11.8.6, 11.8.7, 11.8.10, 11.9.0, 11.9.1, 11.9.2, 11.9.3, 11.9.5, 11.9.6, 11.9.7, 11.9.8, 11.9.9, 11.9.10, 11.9.12, 11.10.0, 11.10.1, 11.10.2, 11.10.3, 11.10.4, 11.10.6, 11.10.7, 11.10.8, 11.11.0, 11.11.2, 11.11.3, 11.11.4, 11.11.7, 11.11.8, 12.0.0, 12.0.1, 12.0.2, 12.0.6, 12.0.7, 12.0.9, 12.1.1, 12.1.2, 12.1.3, 12.1.4, 12.1.5, 12.1.9, 12.1.10, 12.2.0, 12.2.1, 12.2.2, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8, 12.3.0, 12.3.1, 12.3.2, 12.3.4, 12.3.7, 12.4.0

External links

https://about.gitlab.com/blog/2019/10/30/security-release-gitlab-12-dot-4-dot-1-released/
https://about.gitlab.com/blog/categories/releases/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Improper Authorization

Severity: Low

CVSSv3: 4.7 [CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2019-18457

CWE-ID: CWE-285 - Improper Authorization

Description

The vulnerability allows an attacker to bypass authorization checks.

The vulnerability exists due to improper authorization checks in Sentry token handling. A demoted user can gain access to the affected system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Gitlab Community Edition: 11.8.0, 11.8.1, 11.8.2, 11.8.3, 11.8.4, 11.8.5, 11.8.6, 11.8.7, 11.8.8, 11.8.9, 11.8.10, 11.9.0, 11.9.1, 11.9.2, 11.9.3, 11.9.4, 11.9.5, 11.9.6, 11.9.7, 11.9.8, 11.9.9, 11.9.10, 11.9.11, 11.9.12, 11.10.0, 11.10.1, 11.10.2, 11.10.3, 11.10.4, 11.10.5, 11.10.6, 11.10.7, 11.10.8, 11.11.0, 11.11.1, 11.11.2, 11.11.3, 11.11.4, 11.11.5, 11.11.7, 11.11.8, 12.0.0, 12.0.1, 12.0.2, 12.0.3, 12.0.4, 12.0.6, 12.0.8, 12.0.9, 12.1.0, 12.1.1, 12.1.2, 12.1.3, 12.1.4, 12.1.6, 12.1.8, 12.1.9, 12.1.10, 12.1.11, 12.1.12, 12.1.13, 12.1.14, 12.2.0, 12.2.1, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8, 12.3.0, 12.3.1, 12.3.2, 12.3.3, 12.3.4, 12.3.5, 12.3.7, 12.3.8, 12.4.0

GitLab Enterprise Edition: 11.8.0, 11.8.2, 11.8.3, 11.8.6, 11.8.7, 11.8.10, 11.9.0, 11.9.1, 11.9.2, 11.9.3, 11.9.5, 11.9.6, 11.9.7, 11.9.8, 11.9.9, 11.9.10, 11.9.12, 11.10.0, 11.10.1, 11.10.2, 11.10.3, 11.10.4, 11.10.6, 11.10.7, 11.10.8, 11.11.0, 11.11.2, 11.11.3, 11.11.4, 11.11.7, 11.11.8, 12.0.0, 12.0.1, 12.0.2, 12.0.6, 12.0.7, 12.0.9, 12.1.1, 12.1.2, 12.1.3, 12.1.4, 12.1.5, 12.1.9, 12.1.10, 12.2.0, 12.2.1, 12.2.2, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8, 12.3.0, 12.3.1, 12.3.2, 12.3.4, 12.3.7, 12.4.0

External links

https://about.gitlab.com/blog/2019/10/30/security-release-gitlab-12-dot-4-dot-1-released/
https://about.gitlab.com/blog/categories/releases/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Improper Authorization

Severity: Low

CVSSv3: 3.3 [CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-18458

CWE-ID: CWE-285 - Improper Authorization

Description

The vulnerability allows an attacker to bypass authorization checks.

The vulnerability exists due to improper authorization checks in the feature for transferring projects to another group. A remote user with developer rights can move projects.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Gitlab Community Edition: 10.5.0, 10.5.1, 10.5.2, 10.5.3, 10.5.4, 10.5.5, 10.5.6, 10.5.7, 10.5.8, 10.6, 10.6.0, 10.6.1, 10.6.2, 10.6.3, 10.6.4, 10.6.5, 10.6.6, 10.7, 10.7.0, 10.7.1, 10.7.2, 10.7.3, 10.7.4, 10.7.5, 10.7.6, 10.7.7, 10.8, 10.8.0, 10.8.1, 10.8.2, 10.8.3, 10.8.4, 10.8.5, 10.8.6, 10.8.7, 11.0, 11.0.0, 11.0.1, 11.0.2, 11.0.3, 11.0.4, 11.0.5, 11.0.6, 11.1, 11.1.0, 11.1.1, 11.1.2, 11.1.3, 11.1.4, 11.1.5, 11.1.6, 11.1.7, 11.1.8, 11.2, 11.2.0, 11.2.1, 11.2.2, 11.2.3, 11.2.4, 11.2.5, 11.2.6, 11.2.7, 11.2.8, 11.3, 11.3.0, 11.3.1, 11.3.2, 11.3.3, 11.3.4, 11.3.5, 11.3.6, 11.3.7, 11.3.8, 11.3.9, 11.3.10, 11.3.11, 11.3.12, 11.3.13, 11.3.14, 11.4, 11.4.0, 11.4.1, 11.4.2, 11.4.3, 11.4.4, 11.4.5, 11.4.6, 11.4.7, 11.4.8, 11.4.9, 11.4.10, 11.4.11, 11.4.12, 11.4.13, 11.4.14, 11.5.0, 11.5.1, 11.5.2, 11.5.3, 11.5.4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.5.10, 11.5.11, 11.6.0, 11.6.1, 11.6.2, 11.6.3, 11.6.4, 11.6.5, 11.6.6, 11.6.7, 11.6.8, 11.6.9, 11.6.10, 11.6.11, 11.7.0, 11.7.1, 11.7.2, 11.7.3, 11.7.4, 11.7.5, 11.7.6, 11.7.7, 11.7.8, 11.7.9, 11.7.10, 11.7.11, 11.7.12, 11.8.0, 11.8.1, 11.8.2, 11.8.3, 11.8.4, 11.8.5, 11.8.6, 11.8.7, 11.8.8, 11.8.9, 11.8.10, 11.9.0, 11.9.1, 11.9.2, 11.9.3, 11.9.4, 11.9.5, 11.9.6, 11.9.7, 11.9.8, 11.9.9, 11.9.10, 11.9.11, 11.9.12, 11.10.0, 11.10.1, 11.10.2, 11.10.3, 11.10.4, 11.10.5, 11.10.6, 11.10.7, 11.10.8, 11.11.0, 11.11.1, 11.11.2, 11.11.3, 11.11.4, 11.11.5, 11.11.7, 11.11.8, 12.0.0, 12.0.1, 12.0.2, 12.0.3, 12.0.4, 12.0.6, 12.0.8, 12.0.9, 12.1.0, 12.1.1, 12.1.2, 12.1.3, 12.1.4, 12.1.6, 12.1.8, 12.1.9, 12.1.10, 12.1.11, 12.1.12, 12.1.13, 12.1.14, 12.2.0, 12.2.1, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8, 12.3.0, 12.3.1, 12.3.2, 12.3.3, 12.3.4, 12.3.5, 12.3.7, 12.3.8, 12.4.0

GitLab Enterprise Edition: 10.5.0, 10.5.1, 10.5.2, 10.5.3, 10.5.4, 10.5.5, 10.5.6, 10.5.7, 10.5.8, 10.6.0, 10.6.1, 10.6.2, 10.6.3, 10.6.4, 10.6.5, 10.6.6, 10.7.0, 10.7.1, 10.7.2, 10.7.3, 10.7.4, 10.7.5, 10.7.6, 10.7.7, 10.8.0, 10.8.1, 10.8.2, 10.8.3, 10.8.4, 10.8.5, 10.8.6, 11.0.0, 11.0.1, 11.0.2, 11.0.3, 11.0.4, 11.0.5, 11.0.6, 11.1.0, 11.1.1, 11.1.2, 11.1.3, 11.1.4, 11.1.5, 11.1.6, 11.1.7, 11.2.0, 11.2.1, 11.2.2, 11.2.3, 11.2.4, 11.2.5, 11.2.6, 11.2.7, 11.2.8, 11.3.0, 11.3.1, 11.3.2, 11.3.3, 11.3.4, 11.3.5, 11.3.6, 11.3.7, 11.3.8, 11.3.9, 11.3.10, 11.3.11, 11.3.13, 11.3.14, 11.4.0, 11.4.1, 11.4.2, 11.4.3, 11.4.4, 11.4.5, 11.4.6, 11.4.7, 11.4.8, 11.4.9, 11.5.0, 11.5.1, 11.5.2, 11.5.3, 11.5.5, 11.5.8, 11.5.10, 11.5.11, 11.6.0, 11.6.1, 11.6.2, 11.6.3, 11.6.4, 11.6.5, 11.6.8, 11.6.9, 11.6.10, 11.6.11, 11.7.0, 11.7.1, 11.7.2, 11.7.3, 11.7.5, 11.7.7, 11.7.8, 11.7.10, 11.7.11, 11.7.12, 11.8.0, 11.8.2, 11.8.3, 11.8.6, 11.8.7, 11.8.10, 11.9.0, 11.9.1, 11.9.2, 11.9.3, 11.9.5, 11.9.6, 11.9.7, 11.9.8, 11.9.9, 11.9.10, 11.9.12, 11.10.0, 11.10.1, 11.10.2, 11.10.3, 11.10.4, 11.10.6, 11.10.7, 11.10.8, 11.11.0, 11.11.2, 11.11.3, 11.11.4, 11.11.7, 11.11.8, 12.0.0, 12.0.1, 12.0.2, 12.0.6, 12.0.7, 12.0.9, 12.1.1, 12.1.2, 12.1.3, 12.1.4, 12.1.5, 12.1.9, 12.1.10, 12.2.0, 12.2.1, 12.2.2, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8, 12.3.0, 12.3.1, 12.3.2, 12.3.4, 12.3.7, 12.4.0

External links

https://about.gitlab.com/blog/2019/10/30/security-release-gitlab-12-dot-4-dot-1-released/
https://about.gitlab.com/blog/categories/releases/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Stored cross-site scripting

Severity: Low

CVSSv3: 6.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2019-18454

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data in link validation for the RDoc wiki pages feature. A remote attacker can inject and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Gitlab Community Edition: 10.5.0, 10.5.1, 10.5.2, 10.5.3, 10.5.4, 10.5.5, 10.5.6, 10.5.7, 10.5.8, 10.6, 10.6.0, 10.6.1, 10.6.2, 10.6.3, 10.6.4, 10.6.5, 10.6.6, 10.7, 10.7.0, 10.7.1, 10.7.2, 10.7.3, 10.7.4, 10.7.5, 10.7.6, 10.7.7, 10.8, 10.8.0, 10.8.1, 10.8.2, 10.8.3, 10.8.4, 10.8.5, 10.8.6, 10.8.7, 11.0, 11.0.0, 11.0.1, 11.0.2, 11.0.3, 11.0.4, 11.0.5, 11.0.6, 11.1, 11.1.0, 11.1.1, 11.1.2, 11.1.3, 11.1.4, 11.1.5, 11.1.6, 11.1.7, 11.1.8, 11.2, 11.2.0, 11.2.1, 11.2.2, 11.2.3, 11.2.4, 11.2.5, 11.2.6, 11.2.7, 11.2.8, 11.3, 11.3.0, 11.3.1, 11.3.2, 11.3.3, 11.3.4, 11.3.5, 11.3.6, 11.3.7, 11.3.8, 11.3.9, 11.3.10, 11.3.11, 11.3.12, 11.3.13, 11.3.14, 11.4, 11.4.0, 11.4.1, 11.4.2, 11.4.3, 11.4.4, 11.4.5, 11.4.6, 11.4.7, 11.4.8, 11.4.9, 11.4.10, 11.4.11, 11.4.12, 11.4.13, 11.4.14, 11.5.0, 11.5.1, 11.5.2, 11.5.3, 11.5.4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.5.10, 11.5.11, 11.6.0, 11.6.1, 11.6.2, 11.6.3, 11.6.4, 11.6.5, 11.6.6, 11.6.7, 11.6.8, 11.6.9, 11.6.10, 11.6.11, 11.7.0, 11.7.1, 11.7.2, 11.7.3, 11.7.4, 11.7.5, 11.7.6, 11.7.7, 11.7.8, 11.7.9, 11.7.10, 11.7.11, 11.7.12, 11.8.0, 11.8.1, 11.8.2, 11.8.3, 11.8.4, 11.8.5, 11.8.6, 11.8.7, 11.8.8, 11.8.9, 11.8.10, 11.9.0, 11.9.1, 11.9.2, 11.9.3, 11.9.4, 11.9.5, 11.9.6, 11.9.7, 11.9.8, 11.9.9, 11.9.10, 11.9.11, 11.9.12, 11.10.0, 11.10.1, 11.10.2, 11.10.3, 11.10.4, 11.10.5, 11.10.6, 11.10.7, 11.10.8, 11.11.0, 11.11.1, 11.11.2, 11.11.3, 11.11.4, 11.11.5, 11.11.7, 11.11.8, 12.0.0, 12.0.1, 12.0.2, 12.0.3, 12.0.4, 12.0.6, 12.0.8, 12.0.9, 12.1.0, 12.1.1, 12.1.2, 12.1.3, 12.1.4, 12.1.6, 12.1.8, 12.1.9, 12.1.10, 12.1.11, 12.1.12, 12.1.13, 12.1.14, 12.2.0, 12.2.1, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8, 12.3.0, 12.3.1, 12.3.2, 12.3.3, 12.3.4, 12.3.5, 12.3.7, 12.3.8, 12.4.0

GitLab Enterprise Edition: 10.5.0, 10.5.1, 10.5.2, 10.5.3, 10.5.4, 10.5.5, 10.5.6, 10.5.7, 10.5.8, 10.6.0, 10.6.1, 10.6.2, 10.6.3, 10.6.4, 10.6.5, 10.6.6, 10.7.0, 10.7.1, 10.7.2, 10.7.3, 10.7.4, 10.7.5, 10.7.6, 10.7.7, 10.8.0, 10.8.1, 10.8.2, 10.8.3, 10.8.4, 10.8.5, 10.8.6, 11.0.0, 11.0.1, 11.0.2, 11.0.3, 11.0.4, 11.0.5, 11.0.6, 11.1.0, 11.1.1, 11.1.2, 11.1.3, 11.1.4, 11.1.5, 11.1.6, 11.1.7, 11.2.0, 11.2.1, 11.2.2, 11.2.3, 11.2.4, 11.2.5, 11.2.6, 11.2.7, 11.2.8, 11.3.0, 11.3.1, 11.3.2, 11.3.3, 11.3.4, 11.3.5, 11.3.6, 11.3.7, 11.3.8, 11.3.9, 11.3.10, 11.3.11, 11.3.13, 11.3.14, 11.4.0, 11.4.1, 11.4.2, 11.4.3, 11.4.4, 11.4.5, 11.4.6, 11.4.7, 11.4.8, 11.4.9, 11.5.0, 11.5.1, 11.5.2, 11.5.3, 11.5.5, 11.5.8, 11.5.10, 11.5.11, 11.6.0, 11.6.1, 11.6.2, 11.6.3, 11.6.4, 11.6.5, 11.6.8, 11.6.9, 11.6.10, 11.6.11, 11.7.0, 11.7.1, 11.7.2, 11.7.3, 11.7.5, 11.7.7, 11.7.8, 11.7.10, 11.7.11, 11.7.12, 11.8.0, 11.8.2, 11.8.3, 11.8.6, 11.8.7, 11.8.10, 11.9.0, 11.9.1, 11.9.2, 11.9.3, 11.9.5, 11.9.6, 11.9.7, 11.9.8, 11.9.9, 11.9.10, 11.9.12, 11.10.0, 11.10.1, 11.10.2, 11.10.3, 11.10.4, 11.10.6, 11.10.7, 11.10.8, 11.11.0, 11.11.2, 11.11.3, 11.11.4, 11.11.7, 11.11.8, 12.0.0, 12.0.1, 12.0.2, 12.0.6, 12.0.7, 12.0.9, 12.1.1, 12.1.2, 12.1.3, 12.1.4, 12.1.5, 12.1.9, 12.1.10, 12.2.0, 12.2.1, 12.2.2, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8, 12.3.0, 12.3.1, 12.3.2, 12.3.4, 12.3.7, 12.4.0

External links

https://about.gitlab.com/blog/2019/10/30/security-release-gitlab-12-dot-4-dot-1-released/
https://about.gitlab.com/blog/categories/releases/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

10) Improper Authorization

Severity: Medium

CVSSv3: 4.2 [CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2019-18459

CWE-ID: CWE-285 - Improper Authorization

Description

The vulnerability allows a remote attacker to bypass authorization checks.

The vulnerability exists due to improper authorization checks in the protected environments feature. A remote attacker whose access to a protected environment has been removed can still reach that environment.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Gitlab Community Edition: 11.3.0, 11.3.1, 11.3.2, 11.3.3, 11.3.4, 11.3.5, 11.3.6, 11.3.7, 11.3.8, 11.3.9, 11.3.10, 11.3.11, 11.3.12, 11.3.13, 11.3.14, 11.4, 11.4.0, 11.4.1, 11.4.2, 11.4.3, 11.4.4, 11.4.5, 11.4.6, 11.4.7, 11.4.8, 11.4.9, 11.4.10, 11.4.11, 11.4.12, 11.4.13, 11.4.14, 11.5.0, 11.5.1, 11.5.2, 11.5.3, 11.5.4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.5.10, 11.5.11, 11.6.0, 11.6.1, 11.6.2, 11.6.3, 11.6.4, 11.6.5, 11.6.6, 11.6.7, 11.6.8, 11.6.9, 11.6.10, 11.6.11, 11.7.0, 11.7.1, 11.7.2, 11.7.3, 11.7.4, 11.7.5, 11.7.6, 11.7.7, 11.7.8, 11.7.9, 11.7.10, 11.7.11, 11.7.12, 11.8.0, 11.8.1, 11.8.2, 11.8.3, 11.8.4, 11.8.5, 11.8.6, 11.8.7, 11.8.8, 11.8.9, 11.8.10, 11.9.0, 11.9.1, 11.9.2, 11.9.3, 11.9.4, 11.9.5, 11.9.6, 11.9.7, 11.9.8, 11.9.9, 11.9.10, 11.9.11, 11.9.12, 11.10.0, 11.10.1, 11.10.2, 11.10.3, 11.10.4, 11.10.5, 11.10.6, 11.10.7, 11.10.8, 11.11.0, 11.11.1, 11.11.2, 11.11.3, 11.11.4, 11.11.5, 11.11.7, 11.11.8, 12.0.0, 12.0.1, 12.0.2, 12.0.3, 12.0.4, 12.0.6, 12.0.8, 12.0.9, 12.1.0, 12.1.1, 12.1.2, 12.1.3, 12.1.4, 12.1.6, 12.1.8, 12.1.9, 12.1.10, 12.1.11, 12.1.12, 12.1.13, 12.1.14, 12.2.0, 12.2.1, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8, 12.3.0

GitLab Enterprise Edition: 11.3.0, 11.3.1, 11.3.2, 11.3.3, 11.3.4, 11.3.5, 11.3.6, 11.3.7, 11.3.8, 11.3.9, 11.3.10, 11.3.11, 11.3.13, 11.3.14, 11.4.0, 11.4.1, 11.4.2, 11.4.3, 11.4.4, 11.4.5, 11.4.6, 11.4.7, 11.4.8, 11.4.9, 11.5.0, 11.5.1, 11.5.2, 11.5.3, 11.5.5, 11.5.8, 11.5.10, 11.5.11, 11.6.0, 11.6.1, 11.6.2, 11.6.3, 11.6.4, 11.6.5, 11.6.8, 11.6.9, 11.6.10, 11.6.11, 11.7.0, 11.7.1, 11.7.2, 11.7.3, 11.7.5, 11.7.7, 11.7.8, 11.7.10, 11.7.11, 11.7.12, 11.8.0, 11.8.2, 11.8.3, 11.8.6, 11.8.7, 11.8.10, 11.9.0, 11.9.1, 11.9.2, 11.9.3, 11.9.5, 11.9.6, 11.9.7, 11.9.8, 11.9.9, 11.9.10, 11.9.12, 11.10.0, 11.10.1, 11.10.2, 11.10.3, 11.10.4, 11.10.6, 11.10.7, 11.10.8, 11.11.0, 11.11.2, 11.11.3, 11.11.4, 11.11.7, 11.11.8, 12.0.0, 12.0.1, 12.0.2, 12.0.6, 12.0.7, 12.0.9, 12.1.1, 12.1.2, 12.1.3, 12.1.4, 12.1.5, 12.1.9, 12.1.10, 12.2.0, 12.2.1, 12.2.2, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8, 12.3.0

External links

https://about.gitlab.com/blog/2019/10/30/security-release-gitlab-12-dot-4-dot-1-released/
https://about.gitlab.com/blog/categories/releases/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

11) Improper access control

Severity: Medium

CVSSv3: 6.5 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2019-18461

CWE-ID: CWE-284 - Improper Access Control

Description

The vulnerability allows a remote attacker to gain unauthorized access to sensitive information.

The vulnerability exists due to improper access restrictions in the handling of epics. When an epic belonging to a private subgroup is added to a public group, a remote attacker can read the path of the private subgroup.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Gitlab Community Edition: 12.0.0, 12.0.1, 12.0.2, 12.0.3, 12.0.4, 12.0.6, 12.0.8, 12.0.9, 12.1.0, 12.1.1, 12.1.2, 12.1.3, 12.1.4, 12.1.6, 12.1.8, 12.1.9, 12.1.10, 12.1.11, 12.1.12, 12.1.13, 12.1.14, 12.2.0, 12.2.1, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8, 12.3.0, 12.3.1, 12.3.2, 12.3.3, 12.3.4, 12.3.5, 12.3.7, 12.3.8, 12.4.0

GitLab Enterprise Edition: 12.0.0, 12.0.1, 12.0.2, 12.0.6, 12.0.7, 12.0.9, 12.1.1, 12.1.2, 12.1.3, 12.1.4, 12.1.5, 12.1.9, 12.1.10, 12.2.0, 12.2.1, 12.2.2, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8, 12.3.0, 12.3.1, 12.3.2, 12.3.4, 12.3.7, 12.4.0

External links

https://about.gitlab.com/blog/2019/10/30/security-release-gitlab-12-dot-4-dot-1-released/
https://about.gitlab.com/blog/categories/releases/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

12) Information disclosure

Severity: Medium

CVSSv3: 5.7 [CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2019-18463

CWE-ID: CWE-200 - Information Exposure

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to insecure permissions on the group package listing. A remote authenticated user without the required permissions can list the packages of a group.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Gitlab Community Edition: 12.0.0, 12.0.1, 12.0.2, 12.0.3, 12.0.4, 12.0.6, 12.0.8, 12.0.9, 12.1.0, 12.1.1, 12.1.2, 12.1.3, 12.1.4, 12.1.6, 12.1.8, 12.1.9, 12.1.10, 12.1.11, 12.1.12, 12.1.13, 12.1.14, 12.2.0, 12.2.1, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8, 12.3.0, 12.3.1, 12.3.2, 12.3.3, 12.3.4, 12.3.5, 12.3.7, 12.3.8, 12.4.0

GitLab Enterprise Edition: 12.0.0, 12.0.1, 12.0.2, 12.0.6, 12.0.7, 12.0.9, 12.1.1, 12.1.2, 12.1.3, 12.1.4, 12.1.5, 12.1.9, 12.1.10, 12.2.0, 12.2.1, 12.2.2, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8, 12.3.0, 12.3.1, 12.3.2, 12.3.4, 12.3.7, 12.4.0

External links

https://about.gitlab.com/blog/2019/10/30/security-release-gitlab-12-dot-4-dot-1-released/
https://about.gitlab.com/blog/categories/releases/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

13) Information disclosure

Severity: Low

CVSSv3: 3.8 [CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-18462

CWE-ID: CWE-200 - Information Exposure

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to insecure permissions. A remote authenticated user without access to a private repository can confirm that a repository with a given name exists.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

GitLab Enterprise Edition: 12.2.0, 12.2.1, 12.2.2, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8, 12.3.0, 12.3.1, 12.3.2, 12.3.4, 12.3.7, 12.4.0

Gitlab Community Edition: 12.2.0, 12.2.1, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8, 12.3.0, 12.3.1, 12.3.2, 12.3.3, 12.3.4, 12.3.5, 12.3.7, 12.3.8, 12.4.0

External links

https://about.gitlab.com/blog/2019/10/30/security-release-gitlab-12-dot-4-dot-1-released/
https://about.gitlab.com/blog/categories/releases/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

14) Information disclosure

Severity: Medium

CVSSv3: 5.7 [CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2019-18449

CWE-ID: CWE-200 - Information Exposure

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to insecure permissions in the autocomplete feature. A remote authenticated user without the required permissions can read the membership of private groups.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Gitlab Community Edition: 12.0.0, 12.0.1, 12.0.2, 12.0.3, 12.0.4, 12.0.6, 12.0.8, 12.0.9, 12.1.0, 12.1.1, 12.1.2, 12.1.3, 12.1.4, 12.1.6, 12.1.8, 12.1.9, 12.1.10, 12.1.11, 12.1.12, 12.1.13, 12.1.14, 12.2.0, 12.2.1, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8, 12.3.0, 12.3.1, 12.3.2, 12.3.3, 12.3.4, 12.3.5, 12.3.7, 12.3.8, 12.4.0

GitLab Enterprise Edition: 12.0.0, 12.0.1, 12.0.2, 12.0.6, 12.0.7, 12.0.9, 12.1.1, 12.1.2, 12.1.3, 12.1.4, 12.1.5, 12.1.9, 12.1.10, 12.2.0, 12.2.1, 12.2.2, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8, 12.3.0, 12.3.1, 12.3.2, 12.3.4, 12.3.7, 12.4.0

External links

https://about.gitlab.com/blog/2019/10/30/security-release-gitlab-12-dot-4-dot-1-released/
https://about.gitlab.com/blog/categories/releases/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

15) Incorrect permission assignment for critical resource

Severity: Low

CVSSv3: 3.8 [CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-18447

CWE-ID: CWE-732 - Incorrect Permission Assignment for Critical Resource

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to insecure permissions. A remote authenticated attacker who is not permitted to see the membership of a private group can view its members.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Gitlab Community Edition: 12.0.0, 12.0.1, 12.0.2, 12.0.3, 12.0.4, 12.0.6, 12.0.8, 12.0.9, 12.1.0, 12.1.1, 12.1.2, 12.1.3, 12.1.4, 12.1.6, 12.1.8, 12.1.9, 12.1.10, 12.1.11, 12.1.12, 12.1.13, 12.1.14, 12.2.0, 12.2.1, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8, 12.3.0, 12.3.1, 12.3.2, 12.3.3, 12.3.4, 12.3.5, 12.3.7, 12.3.8, 12.4.0

GitLab Enterprise Edition: 12.0.0, 12.0.1, 12.0.2, 12.0.6, 12.0.7, 12.0.9, 12.1.1, 12.1.2, 12.1.3, 12.1.4, 12.1.5, 12.1.9, 12.1.10, 12.2.0, 12.2.1, 12.2.2, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8, 12.3.0, 12.3.1, 12.3.2, 12.3.4, 12.3.7, 12.4.0

External links

https://about.gitlab.com/blog/2019/10/30/security-release-gitlab-12-dot-4-dot-1-released/
https://about.gitlab.com/blog/categories/releases/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

16) Incorrect permission assignment for critical resource

Severity: Low

CVSSv3: 3.8 [CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-18446

CWE-ID: CWE-732 - Incorrect Permission Assignment for Critical Resource

Description

The vulnerability allows a remote attacker to gain access to otherwise restricted functionality.

The vulnerability exists due to insecure permissions. A remote authenticated attacker can delete the source branch of a merge request (MR) without holding the permission required to do so.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

GitLab Enterprise Edition: 8.15.0, 8.15.1, 8.15.2, 8.15.3, 8.15.4, 8.15.5, 8.15.6, 8.15.7, 8.15.8, 8.16.0, 8.16.1, 8.16.2, 8.16.3, 8.16.4, 8.16.5, 8.16.6, 8.16.7, 8.16.8, 8.16.9, 8.17.0, 8.17.1, 8.17.2, 8.17.3, 8.17.4, 8.17.5, 8.17.6, 8.17.7, 8.17.8, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.0.11, 9.0.12, 9.0.13, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.1.8, 9.1.9, 9.1.10, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.2.5, 9.2.6, 9.2.7, 9.2.8, 9.2.9, 9.2.10, 9.3.0, 9.3.1, 9.3.2, 9.3.3, 9.3.4, 9.3.5, 9.3.6, 9.3.7, 9.3.8, 9.3.9, 9.3.10, 9.3.11, 9.4.0, 9.4.1, 9.4.2, 9.4.3, 9.4.4, 9.4.5, 9.4.6, 9.4.7, 9.5.0, 9.5.1, 9.5.2, 9.5.3, 9.5.4, 9.5.5, 9.5.6, 9.5.7, 9.5.8, 9.5.9, 9.5.10, 10.0.0, 10.0.1, 10.0.2, 10.0.3, 10.0.4, 10.0.5, 10.0.7, 10.1.0, 10.1.1, 10.1.2, 10.1.3, 10.1.4, 10.1.5, 10.1.6, 10.1.7, 10.2.0, 10.2.1, 10.2.2, 10.2.3, 10.2.4, 10.2.5, 10.2.6, 10.2.7, 10.2.8, 10.3.0, 10.3.1, 10.3.2, 10.3.3, 10.3.4, 10.3.5, 10.3.6, 10.3.7, 10.3.8, 10.3.9, 10.4.0, 10.4.1, 10.4.2, 10.4.3, 10.4.4, 10.4.5, 10.4.6, 10.4.7, 10.5.0, 10.5.1, 10.5.2, 10.5.3, 10.5.4, 10.5.5, 10.5.6, 10.5.7, 10.5.8, 10.6.0, 10.6.1, 10.6.2, 10.6.3, 10.6.4, 10.6.5, 10.6.6, 10.7.0, 10.7.1, 10.7.2, 10.7.3, 10.7.4, 10.7.5, 10.7.6, 10.7.7, 10.8.0, 10.8.1, 10.8.2, 10.8.3, 10.8.4, 10.8.5, 10.8.6, 11.0.0, 11.0.1, 11.0.2, 11.0.3, 11.0.4, 11.0.5, 11.0.6, 11.1.0, 11.1.1, 11.1.2, 11.1.3, 11.1.4, 11.1.5, 11.1.6, 11.1.7, 11.2.0, 11.2.1, 11.2.2, 11.2.3, 11.2.4, 11.2.5, 11.2.6, 11.2.7, 11.2.8, 11.3.0, 11.3.1, 11.3.2, 11.3.3, 11.3.4, 11.3.5, 11.3.6, 11.3.7, 11.3.8, 11.3.9, 11.3.10, 11.3.11, 11.3.13, 11.3.14, 11.4.0, 11.4.1, 11.4.2, 11.4.3, 11.4.4, 11.4.5, 11.4.6, 11.4.7, 11.4.8, 11.4.9, 11.5.0, 11.5.1, 11.5.2, 11.5.3, 11.5.5, 11.5.8, 11.5.10, 11.5.11, 11.6.0, 11.6.1, 11.6.2, 11.6.3, 11.6.4, 11.6.5, 11.6.8, 11.6.9, 11.6.10, 11.6.11, 11.7.0, 11.7.1, 11.7.2, 11.7.3, 11.7.5, 11.7.7, 11.7.8, 11.7.10, 11.7.11, 11.7.12, 11.8.0, 11.8.2, 11.8.3, 11.8.6, 11.8.7, 11.8.10, 11.9.0, 11.9.1, 
11.9.2, 11.9.3, 11.9.5, 11.9.6, 11.9.7, 11.9.8, 11.9.9, 11.9.10, 11.9.12, 11.10.0, 11.10.1, 11.10.2, 11.10.3, 11.10.4, 11.10.6, 11.10.7, 11.10.8, 11.11.0, 11.11.2, 11.11.3, 11.11.4, 11.11.7, 11.11.8, 12.0.0, 12.0.1, 12.0.2, 12.0.6, 12.0.7, 12.0.9, 12.1.1, 12.1.2, 12.1.3, 12.1.4, 12.1.5, 12.1.9, 12.1.10, 12.2.0, 12.2.1, 12.2.2, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8, 12.3.0, 12.3.1, 12.3.2, 12.3.4, 12.3.7, 12.4.0

Gitlab Community Edition: 8.15.0, 8.15.1, 8.15.2, 8.15.3, 8.15.4, 8.15.5, 8.15.6, 8.15.7, 8.15.8, 8.16.0, 8.16.1, 8.16.2, 8.16.3, 8.16.4, 8.16.5, 8.16.6, 8.16.7, 8.16.8, 8.16.9, 8.17, 8.17.0, 8.17.1, 8.17.2, 8.17.3, 8.17.4, 8.17.5, 8.17.6, 8.17.7, 8.17.8, 9.0, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.0.11, 9.0.12, 9.0.13, 9.1, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.1.8, 9.1.9, 9.1.10, 9.2, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.2.5, 9.2.6, 9.2.7, 9.2.8, 9.2.9, 9.2.10, 9.3, 9.3.0, 9.3.1, 9.3.2, 9.3.3, 9.3.4, 9.3.5, 9.3.6, 9.3.7, 9.3.8, 9.3.9, 9.3.10, 9.3.11, 9.4, 9.4.0, 9.4.1, 9.4.2, 9.4.3, 9.4.4, 9.4.5, 9.4.6, 9.4.7, 9.5, 9.5.0, 9.5.1, 9.5.2, 9.5.3, 9.5.4, 9.5.5, 9.5.6, 9.5.7, 9.5.8, 9.5.9, 9.5.10, 9.55, 10.0.0, 10.0.1, 10.0.2, 10.0.3, 10.0.4, 10.0.5, 10.0.6, 10.0.7, 10.1, 10.1.0, 10.1.1, 10.1.2, 10.1.3, 10.1.4, 10.1.5, 10.1.6, 10.1.7, 10.2, 10.2.0, 10.2.1, 10.2.2, 10.2.3, 10.2.4, 10.2.5, 10.2.6, 10.2.7, 10.2.8, 10.3, 10.3.0, 10.3.1, 10.3.2, 10.3.3, 10.3.4, 10.3.5, 10.3.6, 10.3.7, 10.3.8, 10.3.9, 10.4, 10.4.0, 10.4.1, 10.4.2, 10.4.3, 10.4.4, 10.4.5, 10.4.6, 10.4.7, 10.5, 10.5.0, 10.5.1, 10.5.2, 10.5.3, 10.5.4, 10.5.5, 10.5.6, 10.5.7, 10.5.8, 10.6, 10.6.0, 10.6.1, 10.6.2, 10.6.3, 10.6.4, 10.6.5, 10.6.6, 10.7, 10.7.0, 10.7.1, 10.7.2, 10.7.3, 10.7.4, 10.7.5, 10.7.6, 10.7.7, 10.8, 10.8.0, 10.8.1, 10.8.2, 10.8.3, 10.8.4, 10.8.5, 10.8.6, 10.8.7, 11.0.0, 11.0.1, 11.0.2, 11.0.3, 11.0.4, 11.0.5, 11.0.6, 11.1, 11.1.0, 11.1.1, 11.1.2, 11.1.3, 11.1.4, 11.1.5, 11.1.6, 11.1.7, 11.1.8, 11.2, 11.2.0, 11.2.1, 11.2.2, 11.2.3, 11.2.4, 11.2.5, 11.2.6, 11.2.7, 11.2.8, 11.3, 11.3.0, 11.3.1, 11.3.2, 11.3.3, 11.3.4, 11.3.5, 11.3.6, 11.3.7, 11.3.8, 11.3.9, 11.3.10, 11.3.11, 11.3.12, 11.3.13, 11.3.14, 11.4, 11.4.0, 11.4.1, 11.4.2, 11.4.3, 11.4.4, 11.4.5, 11.4.6, 11.4.7, 11.4.8, 11.4.9, 11.4.10, 11.4.11, 11.4.12, 11.4.13, 11.4.14, 11.5.0, 11.5.1, 11.5.2, 11.5.3, 11.5.4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.5.10, 11.5.11, 11.6.0, 
11.6.1, 11.6.2, 11.6.3, 11.6.4, 11.6.5, 11.6.6, 11.6.7, 11.6.8, 11.6.9, 11.6.10, 11.6.11, 11.7.0, 11.7.1, 11.7.2, 11.7.3, 11.7.4, 11.7.5, 11.7.6, 11.7.7, 11.7.8, 11.7.9, 11.7.10, 11.7.11, 11.7.12, 11.8.0, 11.8.1, 11.8.2, 11.8.3, 11.8.4, 11.8.5, 11.8.6, 11.8.7, 11.8.8, 11.8.9, 11.8.10, 11.9.0, 11.9.1, 11.9.2, 11.9.3, 11.9.4, 11.9.5, 11.9.6, 11.9.7, 11.9.8, 11.9.9, 11.9.10, 11.9.11, 11.9.12, 11.10.0, 11.10.1, 11.10.2, 11.10.3, 11.10.4, 11.10.5, 11.10.6, 11.10.7, 11.10.8, 11.11.0, 11.11.1, 11.11.2, 11.11.3, 11.11.4, 11.11.5, 11.11.7, 11.11.8, 12.0.0, 12.0.1, 12.0.2, 12.0.3, 12.0.4, 12.0.6, 12.0.8, 12.0.9, 12.1.0, 12.1.1, 12.1.2, 12.1.3, 12.1.4, 12.1.6, 12.1.8, 12.1.9, 12.1.10, 12.1.11, 12.1.12, 12.1.13, 12.1.14, 12.2.0, 12.2.1, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8, 12.3.0, 12.3.1, 12.3.2, 12.3.3, 12.3.4, 12.3.5, 12.3.7, 12.3.8, 12.4.0

External links

https://about.gitlab.com/blog/2019/10/30/security-release-gitlab-12-dot-4-dot-1-released/
https://about.gitlab.com/blog/categories/releases/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

17) Improper access control

Severity: Low

CVSSv3: 3.8 [CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-18453

CWE-ID: CWE-284 - Improper Access Control

Description

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions in the handling of comments submitted via email. A remote user whose role has been demoted can bypass the intended restrictions and still add comments via email.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Gitlab Community Edition: 11.6.0, 11.6.1, 11.6.2, 11.6.3, 11.6.4, 11.6.5, 11.6.6, 11.6.7, 11.6.8, 11.6.9, 11.6.10, 11.6.11, 11.7.0, 11.7.1, 11.7.2, 11.7.3, 11.7.4, 11.7.5, 11.7.6, 11.7.7, 11.7.8, 11.7.9, 11.7.10, 11.7.11, 11.7.12, 11.8.0, 11.8.1, 11.8.2, 11.8.3, 11.8.4, 11.8.5, 11.8.6, 11.8.7, 11.8.8, 11.8.9, 11.8.10, 11.9.0, 11.9.1, 11.9.2, 11.9.3, 11.9.4, 11.9.5, 11.9.6, 11.9.7, 11.9.8, 11.9.9, 11.9.10, 11.9.11, 11.9.12, 11.10.0, 11.10.1, 11.10.2, 11.10.3, 11.10.4, 11.10.5, 11.10.6, 11.10.7, 11.10.8, 11.11.0, 11.11.1, 11.11.2, 11.11.3, 11.11.4, 11.11.5, 11.11.7, 11.11.8, 12.0.0, 12.0.1, 12.0.2, 12.0.3, 12.0.4, 12.0.6, 12.0.8, 12.0.9, 12.1.0, 12.1.1, 12.1.2, 12.1.3, 12.1.4, 12.1.6, 12.1.8, 12.1.9, 12.1.10, 12.1.11, 12.1.12, 12.1.13, 12.1.14, 12.2.0, 12.2.1, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8, 12.3.0, 12.3.1, 12.3.2, 12.3.3, 12.3.4, 12.3.5, 12.3.7, 12.3.8, 12.4.0

GitLab Enterprise Edition: 11.6.0, 11.6.1, 11.6.2, 11.6.3, 11.6.4, 11.6.5, 11.6.8, 11.6.9, 11.6.10, 11.6.11, 11.7.0, 11.7.1, 11.7.2, 11.7.3, 11.7.5, 11.7.7, 11.7.8, 11.7.10, 11.7.11, 11.7.12, 11.8.0, 11.8.2, 11.8.3, 11.8.6, 11.8.7, 11.8.10, 11.9.0, 11.9.1, 11.9.2, 11.9.3, 11.9.5, 11.9.6, 11.9.7, 11.9.8, 11.9.9, 11.9.10, 11.9.12, 11.10.0, 11.10.1, 11.10.2, 11.10.3, 11.10.4, 11.10.6, 11.10.7, 11.10.8, 11.11.0, 11.11.2, 11.11.3, 11.11.4, 11.11.7, 11.11.8, 12.0.0, 12.0.1, 12.0.2, 12.0.6, 12.0.7, 12.0.9, 12.1.1, 12.1.2, 12.1.3, 12.1.4, 12.1.5, 12.1.9, 12.1.10, 12.2.0, 12.2.1, 12.2.2, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8, 12.3.0, 12.3.1, 12.3.2, 12.3.4, 12.3.7, 12.4.0

External links

https://about.gitlab.com/blog/2019/10/30/security-release-gitlab-12-dot-4-dot-1-released/
https://about.gitlab.com/blog/categories/releases/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

18) Information disclosure

Severity: Medium

CVSSv3: 4.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2019-18456

CWE-ID: CWE-200 - Information Exposure

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to insecure permissions in the Search feature provided by the Elasticsearch integration. A remote attacker can read private comments in restricted groups.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

GitLab Enterprise Edition: 8.17.0, 8.17.1, 8.17.2, 8.17.3, 8.17.4, 8.17.5, 8.17.6, 8.17.7, 8.17.8, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.0.11, 9.0.12, 9.0.13, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.1.8, 9.1.9, 9.1.10, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.2.5, 9.2.6, 9.2.7, 9.2.8, 9.2.9, 9.2.10, 9.3.0, 9.3.1, 9.3.2, 9.3.3, 9.3.4, 9.3.5, 9.3.6, 9.3.7, 9.3.8, 9.3.9, 9.3.10, 9.3.11, 9.4.0, 9.4.1, 9.4.2, 9.4.3, 9.4.4, 9.4.5, 9.4.6, 9.4.7, 9.5.0, 9.5.1, 9.5.2, 9.5.3, 9.5.4, 9.5.5, 9.5.6, 9.5.7, 9.5.8, 9.5.9, 9.5.10, 10.0.0, 10.0.1, 10.0.2, 10.0.3, 10.0.4, 10.0.5, 10.0.7, 10.1.0, 10.1.1, 10.1.2, 10.1.3, 10.1.4, 10.1.5, 10.1.6, 10.1.7, 10.2.0, 10.2.1, 10.2.2, 10.2.3, 10.2.4, 10.2.5, 10.2.6, 10.2.7, 10.2.8, 10.3.0, 10.3.1, 10.3.2, 10.3.3, 10.3.4, 10.3.5, 10.3.6, 10.3.7, 10.3.8, 10.3.9, 10.4.0, 10.4.1, 10.4.2, 10.4.3, 10.4.4, 10.4.5, 10.4.6, 10.4.7, 10.5.0, 10.5.1, 10.5.2, 10.5.3, 10.5.4, 10.5.5, 10.5.6, 10.5.7, 10.5.8, 10.6.0, 10.6.1, 10.6.2, 10.6.3, 10.6.4, 10.6.5, 10.6.6, 10.7.0, 10.7.1, 10.7.2, 10.7.3, 10.7.4, 10.7.5, 10.7.6, 10.7.7, 10.8.0, 10.8.1, 10.8.2, 10.8.3, 10.8.4, 10.8.5, 10.8.6, 11.0.0, 11.0.1, 11.0.2, 11.0.3, 11.0.4, 11.0.5, 11.0.6, 11.1.0, 11.1.1, 11.1.2, 11.1.3, 11.1.4, 11.1.5, 11.1.6, 11.1.7, 11.2.0, 11.2.1, 11.2.2, 11.2.3, 11.2.4, 11.2.5, 11.2.6, 11.2.7, 11.2.8, 11.3.0, 11.3.1, 11.3.2, 11.3.3, 11.3.4, 11.3.5, 11.3.6, 11.3.7, 11.3.8, 11.3.9, 11.3.10, 11.3.11, 11.3.13, 11.3.14, 11.4.0, 11.4.1, 11.4.2, 11.4.3, 11.4.4, 11.4.5, 11.4.6, 11.4.7, 11.4.8, 11.4.9, 11.5.0, 11.5.1, 11.5.2, 11.5.3, 11.5.5, 11.5.8, 11.5.10, 11.5.11, 11.6.0, 11.6.1, 11.6.2, 11.6.3, 11.6.4, 11.6.5, 11.6.8, 11.6.9, 11.6.10, 11.6.11, 11.7.0, 11.7.1, 11.7.2, 11.7.3, 11.7.5, 11.7.7, 11.7.8, 11.7.10, 11.7.11, 11.7.12, 11.8.0, 11.8.2, 11.8.3, 11.8.6, 11.8.7, 11.8.10, 11.9.0, 11.9.1, 11.9.2, 11.9.3, 11.9.5, 11.9.6, 11.9.7, 11.9.8, 11.9.9, 11.9.10, 11.9.12, 11.10.0, 11.10.1, 11.10.2, 11.10.3, 11.10.4, 11.10.6, 11.10.7, 11.10.8, 11.11.0, 
11.11.2, 11.11.3, 11.11.4, 11.11.7, 11.11.8, 12.0.0, 12.0.1, 12.0.2, 12.0.6, 12.0.7, 12.0.9, 12.1.1, 12.1.2, 12.1.3, 12.1.4, 12.1.5, 12.1.9, 12.1.10, 12.2.0, 12.2.1, 12.2.2, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8, 12.3.0, 12.3.1, 12.3.2, 12.3.4, 12.3.7, 12.4.0, 12.4.1

External links

https://about.gitlab.com/blog/2019/10/30/security-release-gitlab-12-dot-4-dot-1-released/
https://about.gitlab.com/blog/categories/releases/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
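Added triage helper (example code written for this page, not GitLab's own tooling): given the version string an instance reports from GET /api/v4/version (a JSON object with "version" and "revision" fields), it decides which of items 10 to 18 above apply, using the first affected version and the edition of each item's version list. The only fixed release it knows is 12.4.1, the one named in the vendor link above; GitLab security releases normally also ship backports for the two previous minor branches, and those backport releases are an assumption to confirm from the linked announcement before adding them to FIXED_IN. Branches with no entry in FIXED_IN are treated as unpatched, which matches the version lists above. The sample API response is constructed, not captured from a real instance.

```python
"""Triage helper: which items of this advisory apply to a given GitLab version?

Example code for this advisory page; assumptions are marked in comments.
"""
import json
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# First affected version per advisory item, taken from the version lists above.
# Item 18 lists only Enterprise Edition, so it is marked ee_only.
ADVISORY_ITEMS: Dict[int, dict] = {
    10: {"cve": "CVE-2019-18459", "first_affected": (11, 3, 0), "ee_only": False},
    11: {"cve": "CVE-2019-18461", "first_affected": (12, 0, 0), "ee_only": False},
    12: {"cve": "CVE-2019-18463", "first_affected": (12, 0, 0), "ee_only": False},
    13: {"cve": "CVE-2019-18462", "first_affected": (12, 2, 0), "ee_only": False},
    14: {"cve": "CVE-2019-18449", "first_affected": (12, 0, 0), "ee_only": False},
    15: {"cve": "CVE-2019-18447", "first_affected": (12, 0, 0), "ee_only": False},
    16: {"cve": "CVE-2019-18446", "first_affected": (8, 15, 0), "ee_only": False},
    17: {"cve": "CVE-2019-18453", "first_affected": (11, 6, 0), "ee_only": False},
    18: {"cve": "CVE-2019-18456", "first_affected": (8, 17, 0), "ee_only": True},
}

# First patched release per minor branch. 12.4.1 is the release named in the
# vendor link above. Backport releases for older branches are an assumption:
# add them here only after confirming them from that release announcement.
FIXED_IN: Dict[Tuple[int, int], Version] = {(12, 4): (12, 4, 1)}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(raw: str) -> Tuple[Version, str]:
    """Parse strings such as '12.3.5-ee', '12.4.0' or '12.4.0-rc42-ee'.

    Returns ((major, minor, patch), edition) with edition 'ee' or 'ce'.
    Any '-rc' or other suffix is ignored for the numeric comparison.
    """
    raw = raw.strip()
    match = _VERSION_RE.match(raw)
    if not match:
        raise ValueError(f"unrecognised GitLab version: {raw!r}")
    version = tuple(int(x) for x in match.groups())
    suffixes = raw.split("-")[1:]
    edition = "ee" if "ee" in suffixes else "ce"
    return version, edition


def is_patched(version: Version) -> bool:
    """True if the version is at or above the first fixed release of its
    branch, or belongs to a branch newer than any fixed one. Branches with
    no entry in FIXED_IN are treated as unpatched (conservative)."""
    branch = (version[0], version[1])
    if branch in FIXED_IN:
        return version >= FIXED_IN[branch]
    return version > max(FIXED_IN.values())


def applicable_items(raw_version: str) -> List[int]:
    """Advisory item numbers (10 to 18) that apply to the given version."""
    version, edition = parse_version(raw_version)
    if is_patched(version):
        return []
    hits = []
    for number, item in ADVISORY_ITEMS.items():
        if item["ee_only"] and edition != "ee":
            continue
        if version >= item["first_affected"]:
            hits.append(number)
    return sorted(hits)


def triage_api_response(body: str) -> dict:
    """Take the JSON body of GET /api/v4/version and return a triage summary."""
    data = json.loads(body)
    version, _ = parse_version(data["version"])
    items = applicable_items(data["version"])
    return {
        "version": data["version"],
        "patched": is_patched(version),
        "items": items,
        "cves": [ADVISORY_ITEMS[i]["cve"] for i in items],
    }


# Constructed sample response; not captured from a real instance.
SAMPLE_RESPONSE = '{"version":"12.3.5-ee","revision":"a1b2c3d"}'

if __name__ == "__main__":
    print(json.dumps(triage_api_response(SAMPLE_RESPONSE), indent=2))
```

Usage: fetch /api/v4/version with a personal access token (the endpoint requires authentication) and pass the body to triage_api_response. Because FIXED_IN only knows 12.4.1, a 12.3.x or 12.2.x instance is reported as unpatched until you confirm the backport release from the linked announcement and add it to the table.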