SB2019121832 - Multiple vulnerabilities in GitLab, Gitlab Community Edition
Published: December 18, 2019 Updated: July 17, 2020
Description
This security bulletin contains information about 12 vulnerabilities.
1) Information disclosure (CVE-ID: CVE-2019-15578)
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
An information disclosure exists in < 12.3.2, < 12.2.6, and < 12.1.12 for GitLab Community Edition (CE) and Enterprise Edition (EE). The path of a private project, that used to be public, would be disclosed in the unsubscribe email link of issues and merge requests.
2) Information disclosure (CVE-ID: CVE-2019-15579)
The vulnerability allows a remote authenticated user (a guest member of the project) to gain access to sensitive information.
An information disclosure exists in < 12.3.2, < 12.2.6, and < 12.1.12 for GitLab Community Edition (CE) and Enterprise Edition (EE) where the assignee(s) of a confidential issue in a private project would be disclosed to a guest via milestones.
3) Authorization bypass through user-controlled key (CVE-ID: CVE-2019-15581)
The vulnerability allows a remote authenticated user (a project owner or maintainer) to gain access to sensitive information.
An IDOR exists in < 12.3.2, < 12.2.6, and < 12.1.12 for GitLab Community Edition (CE) and Enterprise Edition (EE) that allowed a project owner or maintainer to see the members of any private group via merge request approval rules.
4) Authorization bypass through user-controlled key (CVE-ID: CVE-2019-15582)
The vulnerability allows a remote authenticated user (a project maintainer) to manipulate data.
An IDOR was discovered in < 12.3.2, < 12.2.6, and < 12.1.12 for GitLab Community Edition (CE) and Enterprise Edition (EE) that allowed a maintainer to add any private group to a protected environment, granting that group's members access to it.
5) Information disclosure (CVE-ID: CVE-2019-15583)
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
An information disclosure exists in < 12.3.2, < 12.2.6, and < 12.1.12 for GitLab Community Edition (CE) and Enterprise Edition (EE). When an issue was moved to a public project from a private one, the associated private labels and the private project namespace would be disclosed through the GitLab API.
6) Improper Authentication (CVE-ID: CVE-2019-15585)
The vulnerability allows a remote non-authenticated attacker to take over another user's account.
Improper authentication exists in < 12.3.2, < 12.2.6, and < 12.1.12 for GitLab Community Edition (CE) and Enterprise Edition (EE): the GitLab SAML integration had a validation issue that permitted an attacker to take over another user's account.
7) Resource exhaustion (CVE-ID: CVE-2019-15584)
The vulnerability allows a remote authenticated user to perform a denial of service (DoS) attack.
A denial of service exists in GitLab CE/EE <v12.3.2, <v12.2.6, and <v12.1.10 that let an attacker bypass input validation in markdown fields and take down the affected page.
8) Command injection
The vulnerability allows a remote attacker to execute arbitrary commands on the target system.
A command injection exists in GitLab CE/EE <v12.3.2, <v12.2.6, and <v12.1.12 that allowed an attacker to inject commands via the API through the blobs scope.
9) Information disclosure (CVE-ID: CVE-2019-15576)
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
An information disclosure vulnerability exists in GitLab CE/EE <v12.3.2, <v12.2.6, and <v12.1.12 that allowed an attacker to view private system notes from a GraphQL endpoint.
10) Information disclosure (CVE-ID: CVE-2019-15577)
The vulnerability allows a remote authenticated user to gain access to sensitive information.
An information disclosure vulnerability exists in GitLab CE/EE <v12.3.2, <v12.2.6, and <v12.1.12 that allowed project milestones to be disclosed via groups browsing.
11) Information disclosure (CVE-ID: CVE-2019-15580)
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
An information exposure vulnerability exists in GitLab CE/EE <v12.3.2, <v12.2.6, and <v12.1.10: when the blocking merge request feature was in use, an unauthenticated user could see the head pipeline data of a public project even though pipeline visibility was restricted.
12) Improper Authentication (CVE-ID: CVE-2019-5486)
The vulnerability allows a remote non-authenticated attacker to bypass sign-up restrictions and register an account.
An authentication bypass vulnerability exists in GitLab CE/EE <v12.3.2, <v12.2.6, and <v12.1.10 in the Salesforce login integration that could be used by an attacker to create an account that bypassed domain restrictions and email verification requirements.
Remediation
Upgrade to GitLab 12.3.2, 12.2.6, or 12.1.12 (or later) from the vendor's website. Older minor branches have no fixed release and should be moved to a patched branch.
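The affected ranges above are branch-specific (12.3.x below 12.3.2, 12.2.x below 12.2.6, 12.1.x below 12.1.12, and every older branch), so a naive numeric comparison against a single version gets 12.2.6 and 12.1.12 wrong. The following script is an added example, not part of this bulletin or of GitLab itself; it parses the version strings GitLab reports (plain `12.2.5`, `12.3.1-ee`, or the Omnibus package form `12.1.12-ce.0`) and classifies each one against the fixed patch levels named in this bulletin. The sample inventory at the bottom is constructed for illustration.

```python
import re
from typing import Dict, Iterable, Optional, Tuple

# Patch levels from the GitLab 12.3.2 / 12.2.6 / 12.1.12 security release
# named in this bulletin. A version on one of these minor branches is fixed
# once its patch level reaches the listed value.
FIXED_PATCH: Dict[Tuple[int, int], int] = {
    (12, 3): 2,
    (12, 2): 6,
    (12, 1): 12,
}
NEWEST_FIXED_BRANCH = max(FIXED_PATCH)  # (12, 3)

# Leading major.minor.patch, optional "v" prefix; trailing "-ee", "-ce.0" etc.
# (edition and package suffixes) are ignored for the comparison.
_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)")


def parse_version(s: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from a GitLab version string, or None."""
    m = _VERSION_RE.match(s)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True if the version falls inside the vulnerable ranges of this bulletin:
    < 12.3.2 on 12.3, < 12.2.6 on 12.2, < 12.1.12 on 12.1, and any older branch."""
    v = parse_version(version)
    if v is None:
        raise ValueError(f"unrecognised GitLab version string: {version!r}")
    major, minor, patch = v
    branch = (major, minor)
    if branch > NEWEST_FIXED_BRANCH:
        return False          # 12.4 and later were released with the fixes
    if branch in FIXED_PATCH:
        return patch < FIXED_PATCH[branch]
    return True               # 12.0 and earlier: no fixed release on that branch


def triage(versions: Iterable[str]) -> Dict[str, bool]:
    """Map each version string to whether it is affected."""
    return {v: is_affected(v) for v in versions}


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical instances, not real hosts).
    sample = [
        "12.3.1-ee", "12.3.2-ee", "12.2.5", "12.2.6-ce.0",
        "12.1.11", "12.1.12", "12.0.9", "12.4.0", "11.11.8",
    ]
    for ver, hit in triage(sample).items():
        print(f"{ver:14s} {'AFFECTED' if hit else 'fixed'}")
```

The version string to feed in can be read from an instance's `/api/v4/version` endpoint (requires an authenticated API token) or from the `/help` page of an instance you administer. Note that items 7, 11 and 12 quote `<v12.1.10` for the 12.1 branch; the script uses the vendor release's 12.1.12 as the single, more conservative threshold.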
References
- https://about.gitlab.com/blog/2019/09/30/security-release-gitlab-12-dot-3-dot-2-released/
- https://hackerone.com/reports/650574
- https://hackerone.com/reports/635516
- https://hackerone.com/reports/518995
- https://hackerone.com/reports/566216
- https://hackerone.com/reports/643854
- https://hackerone.com/reports/471323
- https://hackerone.com/reports/670572
- https://hackerone.com/reports/682442
- https://hackerone.com/reports/633001
- https://hackerone.com/reports/636560
- https://hackerone.com/reports/667408
- https://hackerone.com/reports/617896