=====================================================================

                                CERT-Renater

                      Note d'Information No. 2023/VULN363

_____________________________________________________________________

DATE                : 29/09/2023

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running GitLab versions prior to
                                 16.4.1, 16.3.5, 16.2.8

=====================================================================
https://about.gitlab.com/releases/2023/09/28/security-release-gitlab-16-4-1-released/
_____________________________________________________________________


  GitLab Security Release: 16.4.1, 16.3.5, and 16.2.8

Today we are releasing versions 16.4.1, 16.3.5, and 16.2.8 for GitLab
Community Edition (CE) and Enterprise Edition (EE).

These versions contain important security fixes, and we strongly
recommend that all GitLab installations be upgraded to one of these
versions immediately. GitLab.com is already running the patched
version.

GitLab releases patches for vulnerabilities in dedicated security
releases. There are two types of security releases: a monthly,
scheduled security release, released a week after the feature release
(which deploys on the 22nd of each month), and ad-hoc security releases
for critical vulnerabilities. For more information, you can visit our
security FAQ. You can see all of our regular and security release blog
posts here. In addition, the issues detailing each vulnerability are
made public on our issue tracker 30 days after the release in which
they were patched.

We are dedicated to ensuring all aspects of GitLab that are exposed
to customers or that host customer data are held to the highest
security standards. As part of maintaining good security hygiene,
it is highly recommended that all customers upgrade to the latest
security release for their supported version. You can read more best
practices in securing your GitLab instance in our blog post.


Recommended Action

We strongly recommend that all installations running a version
affected by the issues described below are upgraded to the latest
version as soon as possible.

When no specific deployment type (omnibus, source code, helm chart,
etc.) of a product is mentioned, this means all types are affected.
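The version bar above is easy to misread on instances that report an edition suffix, so the following is a small offline check added to this advisory (it is not GitLab's own tooling): given the version string an instance reports, it decides whether the instance falls inside the affected ranges and which patched version is the nearest upgrade. It assumes the string is the "version" field of GitLab's GET /api/v4/version JSON response (for example "16.3.4-ee"); the responses embedded in the block are constructed, and the function names are the example's own.

```python
"""
Decide whether a GitLab instance falls inside the ranges patched by this
release (16.4.1, 16.3.5, 16.2.8).

Added example for this advisory; not GitLab's own tooling. Assumption:
the version string is the "version" field of GitLab's GET /api/v4/version
JSON response (for example "16.3.4-ee"); the responses embedded below are
constructed, not captured from a real instance.
"""
import json
import re
from typing import Optional, Tuple

# Fixed versions named in the advisory, keyed by (major, minor) branch.
FIXED = {
    (16, 2): (16, 2, 8),
    (16, 3): (16, 3, 5),
    (16, 4): (16, 4, 1),
}
OLDEST_PATCHED_BRANCH = min(FIXED)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Read MAJOR.MINOR.PATCH, ignoring suffixes such as '-ee' or '-pre'."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    major, minor, patch = (int(part) for part in match.groups())
    return major, minor, patch


def is_affected(text: str) -> bool:
    """
    True if the instance must be upgraded per this advisory.

    Inside a patched branch, any patch level below the fixed one is affected.
    Outside those branches, anything older than 16.2 is affected (no fix was
    shipped for it), while anything newer than 16.4 already carries the fixes.
    """
    version = parse_version(text)
    branch = version[:2]
    if branch in FIXED:
        return version < FIXED[branch]
    return branch < OLDEST_PATCHED_BRANCH


def minimum_fixed(text: str) -> Optional[str]:
    """Nearest fixed version at or above the given one, or None if none applies."""
    version = parse_version(text)
    later = sorted(fixed for fixed in FIXED.values() if fixed >= version)
    return ".".join(map(str, later[0])) if later else None


def check_api_response(body: str) -> Tuple[str, bool]:
    """Extract 'version' from a /api/v4/version response and classify it."""
    version = json.loads(body)["version"]
    return version, is_affected(version)


# Constructed sample responses (not from a real instance).
SAMPLES = [
    '{"version":"16.3.4-ee","revision":"0000001"}',
    '{"version":"16.4.1-ee","revision":"0000002"}',
    '{"version":"16.1.5","revision":"0000003"}',
    '{"version":"16.5.0-pre","revision":"0000004"}',
]

if __name__ == "__main__":
    for body in SAMPLES:
        version, affected = check_api_response(body)
        if affected:
            print(f"{version:12s} AFFECTED, upgrade to {minimum_fixed(version)} or later")
        else:
            print(f"{version:12s} not affected by this release")
```

Anything before 16.2 is reported as affected because this release carries fixes only for the 16.2, 16.3 and 16.4 branches; versions above 16.4.1 are treated as already containing these fixes, which says nothing about later advisories. One entry in the table below (removed project member writing to protected branches via deploy keys) lists 16.2.7 as its bar; the check uses 16.2.8 throughout, since that is the release to upgrade to.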


Table of Fixes

  Severity  Title
  --------  -----------------------------------------------------------
  high      Attacker can add other projects policy bot as member to
            their own project and use that bot to trigger pipelines
            in victims project
  high      Group import allows impersonation of users in CI pipelines
  high      Developers can bypass code owners approval by changing a
            MR's base branch
  medium    Leaking source code of restricted project through a fork
  medium    Third party library Consul requires enable-script-checks
            to be False to enable patch
  medium    Service account not deleted when namespace is deleted
            allowing access to internal projects
  medium    Enforce SSO settings bypassed for public projects for
            Members without identity
  medium    Removed project member can write to protected branches
  medium    Unauthorised association of CI jobs for Machine Learning
            experiments
  medium    Force pipelines to not have access to protected variables
            and will likely fail using tags
  medium    Maintainer can create a fork relationship between existing
            projects
  medium    Disclosure of masked CI variables via processing CI/CD
            configuration of forks
  low       Asset Proxy Bypass using non-ASCII character in asset URI
  low       Unauthorized member can gain Allowed to push and merge
            access and affect integrity of protected branches
  low       Removed Developer can continue editing the source code of
            a public project
  low       A project reporter can leak owner's Sentry instance
            projects
  low       Math rendering in markdown can escape container and hijack
            clicks

Attacker can add other projects policy bot as member to their own
project and use that bot to trigger pipelines in victims project

A vulnerability was discovered in GitLab CE and EE affecting all
versions starting 16.0 prior to 16.2.8, 16.3 prior to 16.3.5, and
16.4 prior to 16.4.1. An authenticated attacker could perform arbitrary
pipeline execution under the context of another user. This is a high
severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N, 8.2).
It is now mitigated in the latest release and is assigned CVE-2023-5207.

Thanks joaxcar for reporting this vulnerability through our HackerOne
bug bounty program.


Group import allows impersonation of users in CI pipelines

Two issues have been discovered in Ultimate-licensed GitLab EE affecting
all versions starting 13.12 prior to 16.2.8, 16.3.0 prior to 16.3.5,
and 16.4.0 prior to 16.4.1 that could allow an attacker to impersonate
users in CI pipelines through direct transfer group imports. These are
high severity issues (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N, 8.2).
They are now mitigated in the latest release and are assigned CVE-2023-5207.

These issues have been discovered internally by GitLab team member Joern
Schneeweisz.


Developers can bypass code owners approval by changing a MR's base branch

An issue has been discovered in GitLab EE affecting all versions starting
15.3 prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1.
Code owner approval was not removed from merge requests when the target
branch was updated. This is a high severity issue
(CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N, 8.1). It is now mitigated
in the latest release and is assigned CVE-2023-4379.

This issue was reported by a customer.


Leaking source code of restricted project through a fork

An issue has been discovered in GitLab affecting all versions starting
from 16.2 before 16.2.8, all versions starting from 16.3 before 16.3.5,
and all versions starting from 16.4 before 16.4.1. It was possible for
an unauthorised user to fork a public project. This is a medium severity
issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, 6.5). It is now
mitigated in the latest release and is assigned CVE-2023-3413.

Thanks shells3c for reporting this vulnerability through our HackerOne
bug bounty program.


Third party library Consul requires enable-script-checks to be False
to enable patch

The patch to the third party library Consul requires the Consul option
'enable-script-checks' to be set to False. This only affects GitLab EE.
This is a medium severity issue
(CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N, 5.9). It is now
mitigated in the latest release. We have requested a CVE ID and will
update this blog post when it is assigned.

This issue was reported by a customer.


Service account not deleted when namespace is deleted allowing access
to internal projects

A business logic error in GitLab EE affecting all versions prior to
16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1 allows access
to internal projects. A service account is not deleted when a
namespace is deleted, allowing access to internal projects. This is
a medium severity issue
(CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N, 5.4). It is now
mitigated in the latest release and is assigned CVE-2023-3914.

Thanks joaxcar for reporting this vulnerability through our HackerOne
bug bounty program.


Enforce SSO settings bypassed for public projects for Members without
identity

An issue has been discovered in GitLab EE affecting all versions
from 11.11 prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior
to 16.4.1. Single Sign On restrictions were not correctly enforced
for indirect project members accessing public members-only project
repositories. This is a medium severity issue
(CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N, 5.4). It is now
mitigated in the latest release and is assigned CVE-2023-3115.

Thanks theluci for reporting this vulnerability through our HackerOne
bug bounty program.

Removed project member can write to protected branches

An issue has been discovered in GitLab affecting all versions prior
to 16.2.7, all versions starting from 16.3 before 16.3.5, and all
versions starting from 16.4 before 16.4.1. It was possible for a
removed project member to write to protected branches using deploy
keys. This is a medium severity issue
(CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N, 4.3). It is now
mitigated in the latest release and is assigned CVE-2023-5198.

Thanks theluci for reporting this vulnerability through our
HackerOne bug bounty program.


Unauthorised association of CI jobs for Machine Learning
experiments

An issue has been discovered in GitLab affecting all versions
starting from 16.2 before 16.2.8, all versions starting from 16.3
before 16.3.5, all versions starting from 16.4 before 16.4.1. Users
were capable of linking CI/CD jobs of private projects which they
are not a member of. This is a medium severity issue
(CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, 4.3). It is now
mitigated in the latest release and is assigned CVE-2023-4532.

Thanks ricardobrito for reporting this vulnerability through
our HackerOne bug bounty program.


Force pipelines to not have access to protected variables and
will likely fail using tags

A Denial of Service in pipelines affecting all versions of
GitLab EE and CE prior to 16.2.8, 16.3 prior to 16.3.5, and
16.4 prior to 16.4.1 allows an attacker to cause pipelines to
fail. This is a medium severity issue
(CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L, 4.3). It is
now mitigated in the latest release and is assigned CVE-2023-3917.

Thanks js_noob for reporting this vulnerability through our
HackerOne bug bounty program.


Maintainer can create a fork relationship between existing
projects

An issue has been discovered in GitLab affecting all versions
starting from 11.2 before 16.2.8, all versions starting from
16.3 before 16.3.5, and all versions starting from 16.4 before
16.4.1. It was possible for a maintainer to create a fork
relationship between existing projects, contrary to the
documentation. This is a medium severity issue
(CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N, 4.3). It is
now mitigated in the latest release and is assigned
CVE-2023-3920.

Thanks theluci for reporting this vulnerability through our
HackerOne bug bounty program.


Disclosure of masked CI variables via processing CI/CD
configuration of forks

An information disclosure issue in GitLab CE/EE affecting all
versions prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior
to 16.4.1 allows an attacker to extract non-protected CI/CD
variables by tricking a user to visit a fork with a malicious
CI/CD configuration. This is a medium severity issue
(CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, 4.3). It is now
mitigated in the latest release and is assigned CVE-2023-0989.

Thanks shells3c for reporting this vulnerability through our
HackerOne bug bounty program.
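Because the issue above turns on the protected flag rather than on masking, an instance owner will want to know which secrets live in variables that are masked (or named like secrets) but not protected, since those are the ones a pipeline driven from a fork could surface. The audit below is an added example for this advisory, not GitLab code. It assumes its input is the JSON list returned by GitLab's GET /projects/:id/variables endpoint, whose items carry "key", "value", "protected", "masked" and "environment_scope"; the variable list in the block is constructed, and the name heuristic and function names are the example's own.

```python
"""
Find project CI/CD variables that hold secrets but are not protected.

Added example for this advisory, not GitLab code. Assumed input: the JSON
list returned by GET /projects/:id/variables, whose items carry "key",
"value", "protected", "masked" and "environment_scope". The sample list
below is constructed, not captured from a real project.
"""
import json
from typing import Dict, List

# Name fragments that usually indicate a secret (heuristic, example's own).
SECRET_HINTS = ("TOKEN", "SECRET", "PASSWORD", "PASSWD", "PRIVATE_KEY",
                "API_KEY", "CREDENTIAL")

# Constructed sample response; values are placeholders.
SAMPLE_VARIABLES = json.dumps([
    {"key": "DEPLOY_TOKEN", "value": "xxxx", "protected": False,
     "masked": True, "environment_scope": "*"},
    {"key": "AWS_SECRET_ACCESS_KEY", "value": "xxxx", "protected": True,
     "masked": True, "environment_scope": "production"},
    {"key": "BUILD_FLAVOUR", "value": "release", "protected": False,
     "masked": False, "environment_scope": "*"},
    {"key": "DB_PASSWORD", "value": "xxxx", "protected": False,
     "masked": False, "environment_scope": "staging"},
])


def looks_like_secret(key: str) -> bool:
    """Heuristic: does the variable name suggest it holds a credential?"""
    upper = key.upper()
    return any(hint in upper for hint in SECRET_HINTS)


def audit_variables(body: str) -> List[Dict[str, str]]:
    """
    Return one finding per variable that a fork-driven pipeline could read.

    Protected variables are only exported to pipelines on protected
    branches and tags, so they are skipped. Everything else is flagged if
    it is masked (the owner already considers it sensitive) or if its name
    looks like a secret despite being neither masked nor protected.
    """
    findings = []
    for var in json.loads(body):
        if var.get("protected"):
            continue
        if var.get("masked"):
            reason = "masked but not protected"
        elif looks_like_secret(var["key"]):
            reason = "secret-looking name, neither masked nor protected"
        else:
            continue
        findings.append({
            "key": var["key"],
            "scope": var.get("environment_scope", "*"),
            "reason": reason,
        })
    return findings


def affected_keys(body: str) -> List[str]:
    """Just the flagged variable names, sorted, for reports and comparisons."""
    return sorted(finding["key"] for finding in audit_variables(body))


if __name__ == "__main__":
    for finding in audit_variables(SAMPLE_VARIABLES):
        print(f"{finding['key']:24s} scope={finding['scope']:12s} {finding['reason']}")
```

Run it against the variables API output for each project (group-level variables have the equivalent GET /groups/:id/variables endpoint); a variable may appear several times with different environment scopes, and each scope is reported separately. Flagged entries are candidates for the protected flag, or for moving into a deployment flow that only runs on protected branches and tags.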


Asset Proxy Bypass using non-ASCII character in asset URI

An input validation issue in the asset proxy in GitLab EE,
affecting all versions from 12.3 prior to 16.2.8, 16.3 prior
to 16.3.5, and 16.4 prior to 16.4.1, allowed an authenticated
attacker to craft image URLs which bypass the asset proxy.
This is a low severity issue
(CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N, 3.5). It is
now mitigated in the latest release and is assigned CVE-2023-3906.

Thanks afewgoats for reporting this vulnerability through our
HackerOne bug bounty program.


Unauthorized member can gain Allowed to push and merge access
and affect integrity of protected branches

An issue has been discovered in GitLab EE affecting all versions
starting from X.Y before 16.2.8, all versions starting from 16.3
before 16.3.5, and all versions starting from 16.4 before 16.4.1.
It was possible for an attacker to abuse the Allowed to merge
permission as a guest user, when granted the permission through
a group. This is a low severity issue
(CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N, 3.1). It is now
mitigated in the latest release and is assigned CVE-2023-4658.

Thanks theluci for reporting this vulnerability through our
HackerOne bug bounty program.


Removed Developer can continue editing the source code of a
public project

An issue has been discovered in GitLab CE/EE affecting all
versions starting from 10.6 before 16.2.8, all versions starting
from 16.3 before 16.3.5, and all versions starting from 16.4 before
16.4.1. It was possible for upstream members allowed to collaborate
on a merge request's source branch to retain permission to write to
that branch after being removed from the project. This is a low
severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N, 3.1).
It is now mitigated in the latest release and is assigned CVE-2023-3979.

Thanks theluci for reporting this vulnerability through our
HackerOne bug bounty program.


A project reporter can leak owner's Sentry instance projects

An improper authorization issue has been discovered in GitLab
CE/EE affecting all versions starting from 11.8 before 16.2.8,
all versions starting from 16.3 before 16.3.5, and all versions
starting from 16.4.0 before 16.4.1. It allows a project reporter
to leak the owner's Sentry instance projects. This is a low
severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N, 3.1).
It is now mitigated in the latest release and is assigned
CVE-2023-2233.

Thanks js_noob for reporting this vulnerability through our
HackerOne bug bounty program.


Math rendering in markdown can escape container and hijack clicks

An issue has been discovered in GitLab CE/EE affecting all versions
starting from 8.15 before 16.2.8, all versions starting from 16.3
before 16.3.5, all versions starting from 16.4 before 16.4.1. It was
possible to hijack some links and buttons on the GitLab UI to a
malicious page. This is a low severity issue
(CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:N/A:L, 3.0). It is now
mitigated in the latest release and is assigned CVE-2023-3922.

Thanks ammar2 for reporting this vulnerability through our
HackerOne bug bounty program.


Update Exiftool

Exiftool has been updated to version 1.12 in order to mitigate
security issues.


Update Mattermost

Mattermost has been updated to version 8.1.2 in order to mitigate
security issues.


Update Auto deploy image

Auto deploy image has been updated to version 2.55.0 in order to
mitigate security issues.


Non Security Patches
16.3.5

     Backport disable v1 package metadata sync

Updating

To update GitLab, see the Update page. To update GitLab Runner, see
the Updating the Runner page.


Receive Security Release Notifications

To receive security release blog notifications delivered to your inbox,
visit our contact us page. To receive release notifications via RSS,
subscribe to our security release RSS feed or our RSS feed for all
releases.

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
