
=====================================================================

                               CERT-Renater

                   Information Note No. 2022/VULN229

_____________________________________________________________________

DATE                : 04/07/2022

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running GitLab versions prior to 15.1.1,
                     15.0.4, 14.10.5.

=====================================================================
https://about.gitlab.com/releases/2022/06/30/critical-security-release-gitlab-15-1-1-released/
_____________________________________________________________________


  GitLab Critical Security Release: 15.1.1, 15.0.4, and 14.10.5


Today we are releasing versions 15.1.1, 15.0.4, and 14.10.5 for GitLab
Community Edition (CE) and Enterprise Edition (EE). Please note, this
critical release will also serve as our monthly security release for June.

These versions contain important security fixes, and we strongly
recommend that all GitLab installations be upgraded to one of these
versions immediately. GitLab.com is already running the patched version.

GitLab releases patches for vulnerabilities in dedicated security
releases. There are two types of security releases: a monthly,
scheduled security release, released a week after the feature release
(which deploys on the 22nd of each month), and ad-hoc security releases
for critical vulnerabilities. For more information, you can visit
our security FAQ. You can see all of our regular and security release
blog posts here. In addition, the issues detailing each vulnerability
are made public on our issue tracker 30 days after the release in
which they were patched.

We are dedicated to ensuring all aspects of GitLab that are
exposed to customers or that host customer data are held to
the highest security standards. As part of maintaining good
security hygiene, it is highly recommended that all customers
upgrade to the latest security release for their supported
version. You can read more best practices in securing your
GitLab instance in our blog post.


Recommended Action

We strongly recommend that all installations running a version
affected by the issues described below be upgraded to the
latest version as soon as possible.

When no specific deployment type (omnibus, source code, helm
chart, etc.) of a product is mentioned, this means all types
are affected.


Table of Fixes

Title                                                        Severity
--------------------------------------------------------------------
Remote Command Execution via Project Imports                 critical
XSS in ZenTao integration affecting self-hosted
  instances without strict CSP                               high
XSS in project settings page                                 high
Unallowed users can read unprotected CI variables            high
IP allow-list bypass to access Container Registries          medium
2FA status is disclosed to unauthenticated users             medium
Restrict membership by email domain bypass                   medium
IDOR in sentry issues                                        medium
Reporters can manage issues in error tracking                medium
CI variables provided to runners outside of a group's
  restricted IP range                                        medium
Regular Expression Denial of Service via malicious web
  server responses                                           medium
Unauthorized read for conan repository                       low
Open redirect vulnerability                                  low
Group labels are editable through subproject                 low
Release titles visible for any users if group milestones
  are associated with any project releases                   low
Job information is leaked to users who previously were
  maintainers via the Runner Jobs API endpoint               medium



Remote Command Execution via Project Imports

A critical issue has been discovered in GitLab affecting all
versions starting from 14.0 prior to 14.10.5, 15.0 prior to
15.0.4, and 15.1 prior to 15.1.1 where an authorised user could
import a maliciously crafted project leading to remote code
execution. This is a critical severity issue
(CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H, 9.9). It is
now mitigated in the latest release and is assigned CVE-2022-2185.

Thanks vakzz for reporting this vulnerability through our
HackerOne bug bounty program.


XSS in ZenTao integration affecting self-hosted instances without
strict CSP

Insufficient sanitization in GitLab EE's external issue tracker
affecting all versions from 14.5 prior to 14.10.5, 15.0 prior to
15.0.4, and 15.1 prior to 15.1.1 allows an attacker to perform
cross-site scripting when a victim clicks on a maliciously crafted
ZenTao link. This is a high severity issue
(CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N, 8.7). It is now
mitigated in the latest release and is assigned CVE-2022-2235.

Thanks joaxcar for reporting this vulnerability through our
HackerOne bug bounty program.


XSS in project settings page

A Stored Cross-Site Scripting vulnerability in the project
settings page in GitLab CE/EE affecting all versions from 14.4
prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1,
allows an attacker to execute arbitrary JavaScript code in
GitLab on a victim's behalf. This is a high severity issue
(CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N, 8.1). It is
now mitigated in the latest release and is assigned CVE-2022-2230.

Thanks yvvdwf for reporting this vulnerability through our
HackerOne bug bounty program.


Unallowed users can read unprotected CI variables

An improper authorization issue in GitLab CE/EE affecting all
versions from 13.7 prior to 14.10.5, 15.0 prior to 15.0.4, and
15.1 prior to 15.1.1 allows an attacker to extract the value
of an unprotected variable they know the name of in public
projects or private projects they're a member of. This is a
high severity issue
(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, 7.5). It
is now mitigated in the latest release and is assigned
CVE-2022-2229.

Thanks shell3c for reporting this vulnerability through our
HackerOne bug bounty program.


IP allow-list bypass to access Container Registries

Incorrect authorization in GitLab EE affecting all versions
from 10.7 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1
prior to 15.1.1, allowed an attacker already in possession
of a valid Deploy Key or a Deploy Token to misuse it from
any location to access Container Registries even when IP
address restrictions were configured. This is a medium
severity issue
(CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N, 6.5). It
is now mitigated in the latest release and is assigned
CVE-2022-1983.

This issue was found internally by a member of the GitLab
team.


2FA status is disclosed to unauthenticated users

An issue has been discovered in GitLab CE/EE affecting all
versions starting from 13.4 before 14.10.5, all versions
starting from 15.0 before 15.0.4, and all versions starting
from 15.1 before 15.1.1. GitLab revealed to unauthenticated
users, in the HTML source, whether a user has enabled
two-factor authentication on their account. This is a
medium severity issue
(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, 5.3).
It is now mitigated in the latest release and is
assigned CVE-2022-1963.

Thanks albatraoz for reporting this vulnerability through
our HackerOne bug bounty program.


CI variables provided to runners outside of a group's
restricted IP range

Information exposure in GitLab EE affecting all versions
from 12.0 prior to 14.10.5, 15.0 prior to 15.0.4, and
15.1 prior to 15.1.1 allows an attacker with the
appropriate access tokens to obtain CI variables in a
group using IP-based access restrictions even if
the GitLab Runner is calling from outside the allowed IP
range. This is a medium severity issue
(CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N, 5.3). It
is now mitigated in the latest release and is assigned
CVE-2022-2228.

This vulnerability has been discovered internally by
the GitLab team.


Restrict membership by email domain bypass

An issue has been discovered in GitLab EE affecting all
versions starting from 12.2 prior to 14.10.5, 15.0 prior
to 15.0.4, and 15.1 prior to 15.1.1. In GitLab, if a group
enables the setting to restrict access to users belonging
to specific domains, that allow-list may be bypassed if a
Maintainer uses the 'Invite a group' feature to invite a
group that has members who don't comply with the domain
allow-list. This is a medium severity issue
(CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N, 5.9). It
is now mitigated in the latest release and is assigned
CVE-2022-1981.

Thanks muthu_prakash for reporting this vulnerability
through our HackerOne bug bounty program.


IDOR in sentry issues

An access control vulnerability in GitLab EE/CE affecting
all versions from 14.8 prior to 14.10.5, 15.0 prior to
15.0.4, and 15.1 prior to 15.1.1, allows authenticated users
to enumerate issues in non-linked sentry projects. This is
a medium severity issue
(CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N, 5.0). It is
now mitigated in the latest release and is assigned
CVE-2022-2243.

Thanks joaxcar for reporting this vulnerability through
our HackerOne bug bounty program.


Reporters can manage issues in error tracking

An improper authorization vulnerability in GitLab EE/CE
affecting all versions from 14.8 prior to 14.10.5, 15.0 prior
to 15.0.4, and 15.1 prior to 15.1.1, allows project members
with the Reporter role to manage issues in the project's error
tracking feature. This is a medium severity issue
(CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N, 4.3). It is
now mitigated in the latest release and is assigned CVE-2022-2244.

Thanks joaxcar for reporting this vulnerability through
our HackerOne bug bounty program.


Regular Expression Denial of Service via malicious web
server responses

A Regular Expression Denial of Service vulnerability in GitLab
CE/EE affecting all versions from 1.0.2 prior to 14.10.5, 15.0
prior to 15.0.4, and 15.1 prior to 15.1.1 allows an attacker
to make a GitLab instance inaccessible via specially crafted
web server response headers. This is a medium severity issue
(CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L, 4.3). It is
now mitigated in the latest release and is assigned
CVE-2022-1954.

Thanks afewgoats for reporting this vulnerability through our
HackerOne bug bounty program.


Unauthorized read for conan repository

An issue has been discovered in GitLab affecting all versions
starting from 12.4 before 14.10.5, all versions starting from
15.0 before 15.0.4, and all versions starting from 15.1 before
15.1.1. GitLab was leaking Conan package names due to incorrect
permission verification. This is a low severity issue
(CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N, 3.5). It is
now mitigated in the latest release and is assigned CVE-2022-2270.

Thanks fushbey for reporting this vulnerability through our
HackerOne bug bounty program.


Open redirect vulnerability

An open redirect vulnerability in GitLab EE/CE affecting all
versions from 11.1 prior to 14.10.5, 15.0 prior to 15.0.4,
and 15.1 prior to 15.1.1, allows redirecting users to a malicious
location. This is a low severity issue
(CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N, 4.7). It is
now mitigated in the latest release and is assigned CVE-2022-2250.

Thanks stealthy for reporting this vulnerability through
our HackerOne bug bounty program.


Group labels are editable through subproject

An issue has been discovered in GitLab CE/EE affecting all
versions from 8.13 prior to 14.10.5, 15.0 prior to 15.0.4,
and 15.1 prior to 15.1.1. Under certain conditions, using
the REST API, an unprivileged user was able to change label
descriptions. This is a low severity issue
(CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N, 3.1). It
is now mitigated in the latest release and is assigned
CVE-2022-1999.

This vulnerability has been discovered internally by the
GitLab team.


Release titles visible for any users if group milestones
are associated with any project releases

An information disclosure vulnerability in GitLab EE
affecting all versions from 12.5 prior to 14.10.5, 15.0
prior to 15.0.4, and 15.1 prior to 15.1.1, allows disclosure
of release titles if group milestones are associated with
any project releases. This is a low severity issue
(CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N, 2.6). We
have requested a CVE ID and will update this blog post
when it is assigned.

Thanks ashish_r_padelkar for reporting this vulnerability
through our HackerOne bug bounty program.


Job information is leaked to users who previously were
maintainers via the Runner Jobs API endpoint

Improper access control in the runner jobs API in GitLab
CE/EE affecting all versions prior to 14.10.5, 15.0 prior
to 15.0.4, and 15.1 prior to 15.1.1 allows a previous
maintainer of a project with a specific runner to access
job and project metadata under certain conditions. This
is a low severity issue
(CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N, 3.1). It
is now mitigated in the latest release and is assigned
CVE-2022-2227.

Thanks vaib25vicky for reporting this vulnerability through
our HackerOne bug bounty program.


Update rack

The version of rack has been updated to 2.2.3.1 in order
to mitigate security concerns.


Versions affected

Affects all versions of GitLab CE/EE
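As an added example (not part of the GitLab post or the CERT-Renater notice), the check below compares an instance's version, as reported by GitLab's /api/v4/version endpoint, against the three fixed releases named in this advisory; the JSON bodies it evaluates are constructed samples, and a version on an older minor branch (for example 14.9.x) is reported as affected because no fix was backported there.

```python
import json
import re

# Fixed releases from this advisory, one per supported minor branch.
# Anything below the oldest branch (14.10) is also unpatched, since
# fixes were only backported to these three branches.
FIXED_VERSIONS = [(15, 1, 1), (15, 0, 4), (14, 10, 5)]

# GitLab reports versions like "15.0.3-ee" or "14.10.5"; keep the numeric part.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(version):
    """Parse a GitLab version string such as '15.0.3-ee' into (major, minor, patch)."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_patched(version):
    """Return True if this version already contains the fixes from this release."""
    v = parse_version(version)
    if v >= max(FIXED_VERSIONS):
        return True  # at or above the newest fixed release (15.1.1 and later)
    for fixed in FIXED_VERSIONS:
        if v[:2] == fixed[:2]:
            # Same minor branch: patched only at or above that branch's fix.
            return v >= fixed
    return False  # older branch with no backported fix


def check_instance(api_response):
    """Evaluate the JSON body returned by GET /api/v4/version (needs an authenticated token)."""
    version = json.loads(api_response)["version"]
    status = "patched" if is_patched(version) else "AFFECTED, upgrade required"
    return version, status


if __name__ == "__main__":
    # Constructed sample responses, not captured from real instances.
    samples = [
        '{"version":"15.0.3-ee","revision":"abc1234"}',
        '{"version":"14.10.5","revision":"def5678"}',
        '{"version":"14.9.4-ee","revision":"0123abc"}',
    ]
    for body in samples:
        print("%-12s %s" % check_instance(body))
```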


Updating

To update GitLab, see the Update page. To update
GitLab Runner, see the Updating the Runner page.


Receive Security Release Notifications

To receive security release blog notifications delivered to
your inbox, visit our contact us page. To receive release
notifications via RSS, subscribe to our security release RSS
feed or our RSS feed for all releases.


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================


