SB2020010501 - Multiple vulnerabilities in GitLab, GitLab Community Edition
Published: January 5, 2020 Updated: July 17, 2020
Description
This security bulletin contains information about 3 vulnerabilities.
1) Improper access control (CVE-ID: CVE-2019-19312)
The vulnerability allows a remote attacker to gain unauthorized access to sensitive information.
The vulnerability exists due to improper access restrictions on part of the application. A remote attacker can send a specially crafted request and read information the attacker is not authorized to view. The bulletin does not identify the affected endpoint or the data exposed.
2) Input validation error (CVE-ID: CVE-2019-19313)
The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
GitLab EE 12.3 through 12.5, including the 12.4.3 and 12.3.6 patch releases, allows denial of service. Certain characters in issue or commit content made it impossible to create, edit, or view the affected issues and commits.
3) Cleartext storage of sensitive information (CVE-ID: CVE-2019-19314)
The vulnerability allows an attacker who can read the stored data to recover sensitive information.
GitLab EE 8.4 through 12.5, including the 12.4.3 and 12.3.6 patch releases, stored several tokens in plaintext. Anyone who obtains the stored data, for example from a backup or through another vulnerability, gets usable tokens directly rather than encrypted or hashed values.
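The following is an added example, not GitLab's own code, showing the weakness class behind item 3 beside a hardened form: a token written to storage as-is versus the same token encrypted with AES-256-GCM before it is written, plus the check a practitioner would run against a data dump (does the raw token appear anywhere in what reaches disk?). The Hash standing in for a table row, the column names, and the hypothetical TOKEN_ENCRYPTION_KEY environment variable are assumptions for the example, not GitLab's schema or secret management.

```ruby
require 'openssl'
require 'securerandom'
require 'base64'

# Added example, not GitLab code. A Hash stands in for a database table; the
# column names and the TOKEN_ENCRYPTION_KEY variable are assumptions.

# Vulnerable pattern (CWE-312): the token column holds the secret as-is.
# Anyone who can read the table (backup, replica, SQL injection) has every token.
class PlaintextTokenStore
  def initialize
    @rows = {}
  end

  def save(user_id, token)
    @rows[user_id] = { 'runners_token' => token }
  end

  def fetch(user_id)
    @rows[user_id]['runners_token']
  end

  def dump
    @rows
  end
end

# Hardened pattern: encrypt before writing. The 32-byte key lives outside the
# database (hypothetical TOKEN_ENCRYPTION_KEY, else a random key for this run).
# Each row gets a fresh IV and the GCM tag, so a modified row fails to decrypt.
class EncryptedTokenStore
  ALGO = 'aes-256-gcm'

  def initialize(key = ENV['TOKEN_ENCRYPTION_KEY'] || SecureRandom.random_bytes(32))
    raise ArgumentError, 'key must be 32 bytes' unless key.bytesize == 32
    @key = key
    @rows = {}
  end

  def save(user_id, token)
    cipher = OpenSSL::Cipher.new(ALGO)
    cipher.encrypt
    cipher.key = @key
    iv = cipher.random_iv
    cipher.auth_data = user_id.to_s # bind the ciphertext to its row
    ciphertext = cipher.update(token) + cipher.final
    @rows[user_id] = {
      'encrypted_runners_token' => Base64.strict_encode64(ciphertext),
      'encrypted_runners_token_iv' => Base64.strict_encode64(iv),
      'encrypted_runners_token_tag' => Base64.strict_encode64(cipher.auth_tag)
    }
  end

  def fetch(user_id)
    row = @rows[user_id]
    cipher = OpenSSL::Cipher.new(ALGO)
    cipher.decrypt
    cipher.key = @key
    cipher.iv = Base64.strict_decode64(row['encrypted_runners_token_iv'])
    cipher.auth_tag = Base64.strict_decode64(row['encrypted_runners_token_tag'])
    cipher.auth_data = user_id.to_s
    cipher.update(Base64.strict_decode64(row['encrypted_runners_token'])) + cipher.final
  end

  def dump
    @rows
  end
end

# The check: does the raw token appear in what reaches disk? The same idea
# applied to a real database dump (grep for a known token) tells you whether
# an instance is still storing that token in the clear.
def token_leaks?(store, token)
  store.dump.to_s.include?(token)
end

# Tamper check: flip one ciphertext byte and confirm the read is rejected.
def tamper_detected?(enc_store, user_id)
  row = enc_store.dump[user_id]
  ct = Base64.strict_decode64(row['encrypted_runners_token']).bytes
  ct[0] ^= 0x01
  row['encrypted_runners_token'] = Base64.strict_encode64(ct.pack('C*'))
  enc_store.fetch(user_id)
  false
rescue OpenSSL::Cipher::CipherError
  true
end

def demo
  token = SecureRandom.hex(20) # constructed sample token
  plain = PlaintextTokenStore.new
  plain.save(42, token)
  enc = EncryptedTokenStore.new
  enc.save(42, token)
  {
    plaintext_leaks: token_leaks?(plain, token),
    encrypted_leaks: token_leaks?(enc, token),
    roundtrip_ok: enc.fetch(42) == token
  }
end

p demo if __FILE__ == $PROGRAM_NAME
```

Encryption is the right choice only for tokens the application must later present to another system (for example a runner registration token sent outbound); a token that is only ever verified on receipt should instead be stored as a hash and compared by digest, so that even the key holder cannot recover it.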
Remediation
Upgrade to a GitLab release in which these issues are fixed; the vendor's security release notes for the affected 12.3, 12.4, and 12.5 lines list the patched versions. Because the upgrade cannot undo prior exposure, also consider rotating tokens that may have been read while they were stored in plaintext (CVE-2019-19314).