
=====================================================================

                              CERT-Renater

                    Information Note No. 2023/VULN132

_____________________________________________________________________

DATE                : 31/03/2023

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running GitLab versions prior to 15.10.1,
                     15.9.4, 15.8.5.

=====================================================================
https://about.gitlab.com/releases/2023/03/30/security-release-gitlab-15-10-1-released/
_____________________________________________________________________

  GitLab Security Release: 15.10.1, 15.9.4, and 15.8.5


Today we are releasing versions 15.10.1, 15.9.4, and 15.8.5 for
GitLab Community Edition (CE) and Enterprise Edition (EE).

These versions contain important security fixes, and we strongly
recommend that all GitLab installations be upgraded to one of
these versions immediately. GitLab.com is already running the
patched version.

GitLab releases patches for vulnerabilities in dedicated
security releases. There are two types of security releases:
a monthly, scheduled security release, released a week after the
feature release (which deploys on the 22nd of each month), and
ad-hoc security releases for critical vulnerabilities. For more
information, you can visit our security FAQ. You can see all of
our regular and security release blog posts here. In addition,
the issues detailing each vulnerability are made public on our
issue tracker 30 days after the release in which they were
patched.

We are dedicated to ensuring all aspects of GitLab that are
exposed to customers or that host customer data are held to
the highest security standards. As part of maintaining good
security hygiene, it is highly recommended that all customers
upgrade to the latest security release for their supported
version. You can read more best practices in securing your
GitLab instance in our blog post.


Recommended Action

We strongly recommend that all installations running a version
affected by the issues described below are upgraded to the latest
version as soon as possible.

When no specific deployment type (omnibus, source code, helm
chart, etc.) of a product is mentioned, this means all types are
affected.


Table of Fixes

Title                                                            Severity
---------------------------------------------------------------- --------
Cross-site scripting in "Maximum page reached" page              medium
Private project guests can read new changes using a fork         medium
Mirror repository error reveals password in Settings UI          medium
DoS and high resource consumption of Prometheus server through   medium
  abuse of Prometheus integration proxy endpoint
Unauthenticated users can view Environment names from public     medium
  projects limited to project members only
Copying information to the clipboard could lead to the           medium
  execution of unexpected commands
Maintainer can leak masked webhook secrets by adding a new       medium
  parameter to the webhook URL
Arbitrary HTML injection possible when :soft_email_confirmation  medium
  feature flag is enabled in the latest release
Framing of arbitrary content (leading to open redirects) on any  medium
  page allowing user controlled markdown
MR for security reports are available to everyone                medium
API timeout when searching for group issues                      medium
Unauthorised user can add child epics linked to victim's epic in medium
  an unrelated group
GitLab search allows leaking of internal notes                   medium
Ambiguous branch name exploitation in GitLab                     low
Improper permissions checks for moving an issue                  low
Private project branch names can be leaked through a fork        low

Cross-site scripting in "Maximum page reached" page

An issue has been discovered in GitLab affecting all versions
starting from 12.8 before 15.8.5, all versions starting from 15.9
before 15.9.4, all versions starting from 15.10 before 15.10.1.
A specially crafted payload could lead to a reflected XSS on the
client side which allows attackers to perform arbitrary actions on
behalf of victims on self-hosted instances running without strict
CSP. This is a medium severity issue
(CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, 6.1). It is
now mitigated in the latest release and is assigned CVE-2022-3513.

Thanks ryotak for reporting this vulnerability through our
HackerOne bug bounty program.


Private project guests can read new changes using a fork

An issue has been discovered in GitLab affecting all versions
starting from 13.11 before 15.8.5, all versions starting from
15.9 before 15.9.4, all versions starting from 15.10 before
15.10.1. It was possible that a project member demoted to a user
role could read project updates by doing a diff with a
pre-existing fork. This is a medium severity issue 
(CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, 6.5). It is
now mitigated in the latest release and is assigned
CVE-2023-0485.

Thanks shells3c for reporting this vulnerability through our
HackerOne bug bounty program.


Mirror repository error reveals password in Settings UI

An information disclosure vulnerability has been discovered in
GitLab EE/CE affecting all versions starting from 11.5 before
15.8.5, all versions starting from 15.9 before 15.9.4, and all
versions starting from 15.10 before 15.10.1. It allows an admin
to leak the password from the repository mirror configuration.
This is a medium severity issue
(CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N, 5.8). It is
now mitigated in the latest release and is assigned CVE-2023-1098.

Thanks tennox_ for reporting this vulnerability through our
HackerOne bug bounty program.


DoS and high resource consumption of Prometheus server through
abuse of Prometheus integration proxy endpoint

A denial of service condition exists in the Prometheus server
bundled with GitLab affecting all versions from 11.10 to 15.8.5,
15.9 to 15.9.4 and 15.10 to 15.10.1. This is a medium severity
issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L, 5.8). It
is now mitigated in the latest release and is assigned
CVE-2023-1733.

Thanks joaxcar for reporting this vulnerability through our
HackerOne bug bounty program.


Unauthenticated users can view Environment names from public
projects limited to project members only

An issue has been discovered in GitLab affecting all versions
starting from 13.6 before 15.8.5, all versions starting from 15.9
before 15.9.4, all versions starting from 15.10 before 15.10.1,
allowing reading of environment names supposed to be restricted
to project members only. This is a medium severity issue 
(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N, 5.8). It is now
mitigated in the latest release and is assigned CVE-2023-0319.

Thanks ashish_r_padelkar for reporting this vulnerability
through our HackerOne bug bounty program.


Copying information to the clipboard could lead to the execution
of unexpected commands

An issue was identified in GitLab CE/EE affecting all versions
from 1.0 prior to 15.8.5, 15.9 prior to 15.9.4, and 15.10 prior
to 15.10.1 where non-printable characters are copied to the
clipboard, allowing unexpected commands to be executed on the
victim's machine. This is a medium severity issue
(CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N, 5.7). It is now
mitigated in the latest release and is assigned CVE-2023-1708.

Thanks st4nly0n for reporting this vulnerability through our
HackerOne bug bounty program.
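As an added defender-side example (not GitLab's own code), the check below is of the kind a web client can run before writing text to the clipboard: it reports and strips characters that are invisible when rendered but are interpreted by a terminal once pasted. The sample string is constructed for the example.

```javascript
// Added example, not GitLab code: flag and strip non-printable characters
// before text is written to the clipboard, so that what the user pastes is
// what the user saw on screen.

// Cc: C0/C1 control characters (e.g. CR, ESC); Cf: format characters such
// as zero-width spaces and bidirectional overrides; U+2028/U+2029 are the
// Unicode line and paragraph separators, which are in neither class.
const HIDDEN_CHAR_RE = /[\p{Cc}\p{Cf}\u2028\u2029]/gu;

// Ordinary whitespace that a copied code block legitimately contains.
const ALLOWED_CONTROLS = new Set(['\n', '\t']);

// Returns one finding per hidden character: its index and code point.
function findHiddenCharacters(text) {
  const findings = [];
  for (const match of text.matchAll(HIDDEN_CHAR_RE)) {
    const ch = match[0];
    if (ALLOWED_CONTROLS.has(ch)) continue;
    const hex = ch.codePointAt(0).toString(16).toUpperCase().padStart(4, '0');
    findings.push({ index: match.index, codePoint: 'U+' + hex });
  }
  return findings;
}

// Returns the text with every hidden character removed; newlines and tabs
// are kept so multi-line snippets still paste correctly.
function sanitizeForClipboard(text) {
  return text.replace(HIDDEN_CHAR_RE, (ch) => (ALLOWED_CONTROLS.has(ch) ? ch : ''));
}

// Constructed sample: appears on screen as "ls -l ~/docs" but carries a
// zero-width space, a carriage return and a right-to-left override.
const SAMPLE_TEXT = 'ls -l\u200B ~/docs\r\u202E';

// A front end would run these before navigator.clipboard.writeText(), and
// either warn the user about the findings or copy the sanitized text.
console.log(findHiddenCharacters(SAMPLE_TEXT));
console.log(JSON.stringify(sanitizeForClipboard(SAMPLE_TEXT)));
```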


Maintainer can leak masked webhook secrets by adding a new
parameter to the webhook URL

An issue has been discovered in GitLab affecting versions starting
from 15.1 before 15.8.5, 15.9 before 15.9.4, and 15.10 before
15.10.1. A maintainer could modify a webhook URL to leak masked
webhook secrets by adding a new parameter to the url. This addresses
an incomplete fix for CVE-2022-4342. This is a medium severity issue
(CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N, 5.5). It is now
mitigated in the latest release and is assigned CVE-2023-0838.

Thanks 0xn3va for reporting this vulnerability through our
HackerOne bug bounty program.


Arbitrary HTML injection possible when :soft_email_confirmation
feature flag is enabled in the latest release

An issue has been discovered in GitLab affecting all versions
starting from 15.6 before 15.8.5, 15.9 before 15.9.4, and 15.10
before 15.10.1. On certain instances, a stored XSS was possible
via a malicious email address, which only affected the admins
when they tried to impersonate the account with the malicious
payload. This is a medium severity issue 
(CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, 5.4). It is now
mitigated in the latest release and is assigned CVE-2023-0523.

Thanks cryptopone for reporting this vulnerability through our
HackerOne bug bounty program.

Framing of arbitrary content (leading to open redirects) on any
page allowing user controlled markdown

An issue has been discovered in GitLab affecting all versions
starting from 15.7 before 15.8.5, all versions starting from 15.9
before 15.9.4, all versions starting from 15.10 before 15.10.1. It
was possible to iframe arbitrary origins in the browser via
specially crafted markdown on any page. This is a medium severity
issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:L, 5.4). It is
now mitigated in the latest release and is assigned CVE-2023-0155.

Thanks joaxcar for reporting this vulnerability through our
HackerOne bug bounty program.


MR for security reports are available to everyone

Improper authorization in GitLab EE affecting all versions from
12.3.0 before 15.8.5, all versions starting from 15.9 before 15.9.4,
all versions starting from 15.10 before 15.10.1 allows unauthorized
access to security reports in merge requests. This is a medium
severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, 5.3).
It is now mitigated in the latest release and is assigned
CVE-2023-1167.

This vulnerability has been discovered internally by GitLab
team member @minac.


API timeout when searching for group issues

An issue has been discovered in GitLab affecting all versions
starting from 15.9 before 15.9.4, all versions starting from
15.10 before 15.10.1. A search timeout could be triggered if a
specific HTML payload was used in the issue description. This is
a medium severity issue
(CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L, 4.3). We have
requested a CVE ID and will update this blog post when it is
assigned.

This vulnerability has been discovered internally by a GitLab
team member.


Unauthorised user can add child epics linked to victim's epic in
an unrelated group

An issue has been discovered in GitLab affecting all versions
starting from 15.9 before 15.9.4, all versions starting from 15.10
before 15.10.1. It was possible for an unauthorised user to add
child epics linked to a victim's epic in an unrelated group. This
is a medium severity issue 
(CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N, 4.3). It is now
mitigated in the latest release and is assigned CVE-2023-1417.

Thanks cryptopone for reporting this vulnerability through our
HackerOne bug bounty program.


GitLab search allows leaking of internal notes

A sensitive information disclosure vulnerability in GitLab affecting
all versions from 15.0 prior to 15.8.5, 15.9 prior to 15.9.4 and
15.10 prior to 15.10.1 allows an attacker to view the count of
internal notes for a given issue. This is a medium severity issue 
(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, 5.3). It is now
mitigated in the latest release and is assigned CVE-2023-1710.

Thanks shells3c for reporting this vulnerability through our
HackerOne bug bounty program.


Ambiguous branch name exploitation in GitLab

An issue has been discovered in GitLab affecting all versions
starting from 8.1 to 15.8.5, from 15.9 to 15.9.4, and from
15.10 to 15.10.1. It was possible to add a branch with an ambiguous
name that could be used to social engineer users. This is a low
severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N, 3.7).
It is now mitigated in the latest release and is assigned
CVE-2023-0450.

Thanks inspector-ambitious for reporting this vulnerability
through our HackerOne bug bounty program.


Improper permissions checks for moving an issue

An issue has been discovered in GitLab affecting all versions from
15.5 before 15.8.5, all versions starting from 15.9 before 15.9.4,
all versions starting from 15.10 before 15.10.1. Due to improper
permissions checks it was possible for an unauthorised user to
remove an issue from an epic. This is a low severity issue 
(CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N, 3.1). It is now
mitigated in the latest release and is assigned CVE-2023-1071.

This vulnerability has been discovered internally by the GitLab
team.


Private project branch names can be leaked through a fork

An issue has been discovered in GitLab affecting all versions
starting from 11.10 before 15.8.5, all versions starting from 15.9
before 15.9.4, all versions starting from 15.10 before 15.10.1. It
was possible to disclose the branch names when an attacker has a
fork of a project that was switched to private. This is a low
severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N, 3.1).
It is now mitigated in the latest release and is assigned
CVE-2022-3375.

Thanks shells3c for reporting this vulnerability through our
HackerOne bug bounty program.


Update Mattermost

Mattermost has been updated to versions 7.7.3 and 7.8.2 in
order to mitigate security issues.


Update curl

Curl has been updated to version 8.0.1 in order to mitigate
security issues.


Update redis

Redis has been updated to version 6.2.11 in order to mitigate
security issues.


Update OpenSSL

OpenSSL has been updated to version 'OpenSSL_1_1_1t' in order
to mitigate security issues.


Non Security Patches

This security release also includes the following non-security
patches.


Into 15.10.1

     Cherry pick "Use the ubi packaged libedit-devel" to 15-10-stable
     Don't autofocus comment field with content editor
     Sync security policy rule schedules that may have been deleted by bug
     Fix issue dashboard returning issues from archived projects

Into 15.9.4

     Resolve "Duplicate todo is created for already mentioned user"

Updating

To update GitLab, see the Update page. To update GitLab Runner,
see the Updating the Runner page.


Receive Security Release Notifications

To receive security release blog notifications delivered to your
inbox, visit our contact us page. To receive release notifications
via RSS, subscribe to our security release RSS feed or our RSS feed
for all releases.


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================

