SB2023063024 - Multiple vulnerabilities in GitLab Community Edition (CE) and Enterprise Edition (EE)

Description

This security bulletin contains information about 10 secuirty vulnerabilities.

1) Incorrect Regular Expression (CVE-ID: CVE-2023-3424)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient input validation when processing regular expressions within the EpicReferenceFilter in any Markdown fields. A remote attacker can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.

2) Information disclosure (CVE-ID: CVE-2023-2190)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application. A remote user can view new commits to private projects in a fork created while the project was public.

3) Improper access control (CVE-ID: CVE-2023-3444)

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to a CODEOWNERS approval bug. A remote user can merge arbitrary code into protected branches.

4) Information disclosure (CVE-ID: CVE-2023-2620)

The vulnerability allows a remote user to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application. A remote administrator can modify a webhook URL to leak masked webhook secrets by manipulating other masked portions.

5) Information disclosure (CVE-ID: CVE-2023-3362)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application. A remote attacker can access the import error information if a project was imported from GitHub.

6) Information disclosure (CVE-ID: CVE-2023-3102)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application within the value stream analytics controller. A remote attacker can gain access to titles of private issues and merge requests.

7) Improper access control (CVE-ID: CVE-2023-2576)

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions. A remote user can remove the CODEOWNERS rules and merge to a protected branch.

8) Cross-site scripting (CVE-ID: CVE-2023-2200)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data in email address. A remote user can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

9) Information disclosure (CVE-ID: CVE-2023-3363)

The vulnerability allows a local user to gain access to potentially sensitive information.

The vulnerability exists due to webhook token leaks in Sidekiq logs if log format is "default". A local administrator can gain unauthorized access to sensitive information on the system.

10) Information disclosure (CVE-ID: CVE-2023-1936)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application. A remote user can leak the email address of a user who created a service desk issue.

Remediation

Install update from vendor's website.

References

• https://about.gitlab.com/releases/2023/06/29/security-release-gitlab-16-1-1-released/