SB2020110312 - Multiple vulnerabilities in GitLab Community Edition (CE) and Enterprise Edition (EE)

Description

This security bulletin contains information about 13 secuirty vulnerabilities.

1) Path traversal (CVE-ID: CVE-2020-13355)

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences in LFS Upload. A remote attacker can send a specially crafted HTTP request and overwrite certain specific paths on the server.

2) Path traversal (CVE-ID: CVE-2020-26405)

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences in package upload functionality. A remote attacker can send a specially crafted HTTP request and save packages in arbitrary locations.

3) Improper access control (CVE-ID: CVE-2020-13358)

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions in the internal Kubernetes agent api. A remote attacker can gain access to private projects.

4) Improper access control (CVE-ID: CVE-2020-13359)

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to the Terraform API exposes the object storage signed URL on the delete operation. A remote authenticated attacker can overwrite the Terraform state to bypass audit and other business controls.

5) Stored cross-site scripting (CVE-ID: CVE-2020-13340)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data in CI Job Log. A remote attacker can inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

6) Input validation error (CVE-ID: CVE-2020-13354)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to the container registry name check can cause exponential number of backtracks for certain user supplied values. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.

7) Information disclosure (CVE-ID: CVE-2020-13352)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application when the project is moved from private to public group. A remote attacker can gain unauthorized access to sensitive information on the system.

8) Information disclosure (CVE-ID: CVE-2020-13356)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application. A remote attacker can use a specially crafted request to bypass Multipart protection and read files in certain specific paths on the server.

9) Cross-site request forgery (CVE-ID: CVE-2020-13350)

The vulnerability allows a remote attacker to perform cross-site request forgery attacks.

The vulnerability exists due to insufficient validation of the HTTP request origin in runner administration page. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.

10) Unprotected storage of credentials (CVE-ID: CVE-2020-13353)

The vulnerability allows a remote attacker to gain access to other users' credentials.

The vulnerability exists when importing repos via URL, one time use git credentials are persisted beyond the expected time windows. A remote attacker can gain access to passwords for 3rd party integration.

11) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2020-13351)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to application does not properly impose security restrictions in scheduled pipeline API. A remte attacker can read variable names and values for scheduled pipelines on projects.

12) Incorrect Regular Expression (CVE-ID: CVE-2020-13349)

The vulnerability allows a remote attacker to compromise the system.

The vulnerability exists due to a regular expression related to a file path resulted in the Advanced Search feature susceptible to catastrophic backtracking.

13) Security Features (CVE-ID: CVE-2020-13348)

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists du to the required CODEOWNERS approval can be bypassed by targeting a branch without the CODEOWNERS file.

Remediation

Install update from vendor's website.

References

• https://about.gitlab.com/releases/2020/11/02/security-release-gitlab-13-5-2-released/
• https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13340.json
• https://gitlab.com/gitlab-org/gitlab/-/issues/233473
• https://hackerone.com/reports/950190