SB2020061049 - Multiple vulnerabilities in GitLab, GitLab Community Edition
Published: June 10, 2020 Updated: July 17, 2020
Description
This security bulletin contains information about 3 vulnerabilities.
1) Cross-site scripting (CVE-ID: CVE-2020-13269)
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
A reflected cross-site scripting vulnerability allowed the execution of arbitrary JavaScript code in the Static Site Editor in GitLab CE/EE 12.10 and later through 13.0.1.
2) Incorrect default permissions (CVE-ID: CVE-2020-13270)
The vulnerability allows a remote authenticated user to execute arbitrary code.
A missing permission check on fork relation creation in GitLab CE/EE 11.3 and later through 13.0.1 allows guest users to create a fork relation on restricted public projects via the API.
3) Cross-site scripting (CVE-ID: CVE-2020-13271)
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
A stored cross-site scripting vulnerability allowed the execution of arbitrary JavaScript code in the blobs API in all previous GitLab CE/EE versions through 13.0.1.
Remediation
Install the update from the vendor's website.
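As an added example (not part of the bulletin and not GitLab's own code), a small check that maps a GitLab CE/EE version string against the three affected ranges stated above, so an administrator can tell which of the CVEs apply to a given instance before updating; the MAJOR.MINOR.PATCH parsing and the handling of an optional "-ee" suffix are assumptions of the example.

```python
# Added example: report which of the bulletin's CVEs apply to a GitLab version.
# The ranges are taken from the bulletin text (inclusive bounds); a lower bound
# of None means "all previous versions". Version parsing is this example's own
# assumption about GitLab's MAJOR.MINOR.PATCH numbering.
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

AFFECTED = {
    # CVE: (first affected version or None, last affected version)
    "CVE-2020-13269": ((12, 10, 0), (13, 0, 1)),   # reflected XSS, Static Site Editor
    "CVE-2020-13270": ((11, 3, 0), (13, 0, 1)),    # missing permission check, fork relation
    "CVE-2020-13271": (None, (13, 0, 1)),          # stored XSS, blobs API
}


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR[.PATCH]', ignoring a suffix such as '-ee' (assumed format)."""
    core = text.strip().split("-")[0]
    parts = core.split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def affected_cves(version_text: str) -> List[str]:
    """Return the CVE IDs from this bulletin whose affected range contains the version."""
    v = parse_version(version_text)
    hits = []
    for cve, (low, high) in AFFECTED.items():
        low_ok = low is None or low <= v   # tuple comparison is lexicographic
        if low_ok and v <= high:
            hits.append(cve)
    return hits


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real deployment.
    for sample in ("13.0.1-ee", "12.9.5", "11.2.0", "13.0.2"):
        print(sample, "->", affected_cves(sample) or "not affected by this bulletin")
```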
References
- https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13269.json
- https://gitlab.com/gitlab-org/gitlab/-/issues/216528
- https://hackerone.com/reports/864356
- https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13270.json
- https://gitlab.com/gitlab-org/gitlab/-/issues/24648
- https://hackerone.com/reports/419977
- https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13271.json
- https://gitlab.com/gitlab-org/gitlab/-/issues/200094
- https://hackerone.com/reports/672150