=====================================================================

                                CERT-Renater

                      Information Note No. 2023/VULN503

_____________________________________________________________________

DATE                : 01/12/2023

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running GitLab versions prior to
                              16.6.1, 16.5.3, 16.4.3.

=====================================================================
https://about.gitlab.com/releases/2023/11/30/security-release-gitlab-16-6-1-released/
_____________________________________________________________________

GitLab Security Release: 16.6.1, 16.5.3, 16.4.3

Today we are releasing versions 16.6.1, 16.5.3, 16.4.3 for GitLab
Community Edition (CE) and Enterprise Edition (EE).

These versions contain important security fixes, and we strongly
recommend that all GitLab installations be upgraded to one of these
versions immediately. GitLab.com is already running the patched
version.

GitLab releases patches for vulnerabilities in dedicated security
releases. There are two types of security releases: a monthly,
scheduled security release, released a week after the feature
release (which deploys on the 3rd Thursday of each month), and
ad-hoc security releases for critical vulnerabilities. For more
information, you can visit our security FAQ. You can see all of
our regular and security release blog posts here. In addition,
the issues detailing each vulnerability are made public on our
issue tracker 30 days after the release in which they were
patched.

We are dedicated to ensuring all aspects of GitLab that are
exposed to customers or that host customer data are held to the
highest security standards. As part of maintaining good security
hygiene, it is highly recommended that all customers upgrade to
the latest security release for their supported version. You can
read more best practices in securing your GitLab instance in our
blog post.


Recommended Action

We strongly recommend that all installations running a version
affected by the issues described below are upgraded to the latest
version as soon as possible.

When no specific deployment type (omnibus, source code, helm
chart, etc.) of a product is mentioned, this means all types are
affected.


Table of fixes

Title                                                             Severity
--------------------------------------------------------------------------
XSS and ReDoS in Markdown via Banzai pipeline of Jira             High
Members with admin_group_member custom permission can add         High
  members with higher role
Release Description visible in public projects despite release    Medium
  set as project members only through atom response
Manipulate the repository content in the UI (CVE-2023-3401        Medium
  bypass)
External user can abuse policy bot to gain access to internal     Medium
  projects
Client-side DOS via Mermaid Flowchart                             Medium
Developers can update pipeline schedules to use protected         Medium
  branches even if they don't have permission to merge
Users can install Composer packages from public projects even     Medium
  when Package registry is turned off
Unauthorized member can gain Allowed to push and merge access     Low
  and affect integrity of protected branches
Guest users can react (emojis) on confidential work items         Low
  which they can't see in a project

XSS and ReDoS in Markdown via Banzai pipeline of Jira


Improper neutralization of input in the Jira integration
configuration in GitLab CE/EE, affecting all versions from 15.10
prior to 16.6.1, 16.5 prior to 16.5.3, and 16.4 prior to 16.4.3,
allowed an attacker to execute JavaScript in a victim's browser.

This is a high severity issue
(CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N, 8.7). It is now
mitigated in the latest release and is assigned CVE-2023-6033.

Thanks yvvdwf for reporting this vulnerability through our
HackerOne bug bounty program.


Members with admin_group_member custom permission can add
members with higher role

An issue has been discovered in GitLab EE affecting all versions
starting from 16.5 before 16.5.3 and all versions starting from
16.6 before 16.6.1. When a user is assigned a custom role with
admin_group_member enabled, they may be able to add a member with
a higher static role than themselves to the group, which may lead
to privilege escalation.

This is a high severity issue 
(CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N, 8.1). It is now
mitigated in the latest release and is assigned CVE-2023-6396.

This vulnerability was discovered internally by GitLab team
member jarka.


Release Description visible in public projects despite release
set as project members only through atom response

An issue has been discovered in GitLab affecting all versions
starting from 11.3 before 16.4.3, all versions starting from
16.5 before 16.5.3, and all versions starting from 16.6 before
16.6.1. It was possible for unauthorized users to view a
public project's release descriptions via an atom endpoint
when release access on the public project was set to project
members only.

This is a medium severity issue
(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, 5.3). It is
now mitigated in the latest release and is assigned
CVE-2023-3949.

Thanks ashish_r_padelkar for reporting this vulnerability
through our HackerOne bug bounty program.


Manipulate the repository content in the UI (CVE-2023-3401
bypass)

An issue has been discovered in GitLab affecting all
versions before 16.4.3, all versions starting from 16.5
before 16.5.3, and all versions starting from 16.6 before
16.6.1. Under certain circumstances, a malicious actor could
bypass prohibited branch checks using a specially crafted
branch name to manipulate repository content in the UI.

This is a medium severity issue
(CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N, 4.8). It
is now mitigated in the latest release and is assigned
CVE-2023-5226.

Thanks shells3c for reporting this vulnerability through
our HackerOne bug bounty program.


External user can abuse policy bot to gain access to
internal projects

An issue has been discovered in GitLab EE affecting all
versions starting from 16.2 before 16.4.3, all versions
starting from 16.5 before 16.5.3, all versions starting
from 16.6 before 16.6.1. It was possible for an attacker
to abuse the policy bot to gain access to internal
projects.

This is a medium severity issue
(CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N, 4.4). It
is now mitigated in the latest release and is assigned
CVE-2023-5995.

Thanks joaxcar for reporting this vulnerability through
our HackerOne bug bounty program.


Client-side DOS via Mermaid Flowchart

An issue has been discovered in GitLab EE affecting all
versions starting from 10.5 before 16.4.3, all versions
starting from 16.5 before 16.5.3, and all versions starting
from 16.6 before 16.6.1. It was possible for an attacker
to cause a client-side denial of service using maliciously
crafted Mermaid diagram input.

This is a medium severity issue
(CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L, 4.3). It
is now mitigated in the latest release and is assigned
CVE-2023-4912.

Thanks toukakirishima for reporting this vulnerability
through our HackerOne bug bounty program.


Developers can update pipeline schedules to use protected
branches even if they don't have permission to merge

An issue has been discovered in GitLab affecting all
versions starting from 9.2 before 16.4.3, all versions
starting from 16.5 before 16.5.3, all versions starting
from 16.6 before 16.6.1. It was possible for a user with
the Developer role to update a pipeline schedule from an
unprotected branch to a protected branch.

This is a medium severity issue
(CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N, 4.3). It is
now mitigated in the latest release and is assigned
CVE-2023-4317.

Thanks js_noob for reporting this vulnerability through our
HackerOne bug bounty program.


Users can install Composer packages from public projects even
when Package registry is turned off

An issue has been discovered in GitLab affecting all versions
starting from 13.2 before 16.4.3, all versions starting from
16.5 before 16.5.3, and all versions starting from 16.6 before
16.6.1. It was possible for users to access Composer packages
on public projects that have the package registry disabled in
the project settings.

This is a medium severity issue
(CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, 4.3). It is
now mitigated in the latest release and is assigned
CVE-2023-3964.

Thanks js_noob for reporting this vulnerability through our
HackerOne bug bounty program.


Unauthorized member can gain Allowed to push and merge access
and affect integrity of protected branches

An issue has been discovered in GitLab EE affecting all versions
starting from 8.13 before 16.4.3, all versions starting from
16.5 before 16.5.3, all versions starting from 16.6 before
16.6.1. It was possible for an attacker to abuse the Allowed to
merge permission as a guest user, when granted the permission
through a group.

This is a low severity issue
(CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N, 3.1). It is
now mitigated in the latest release and is assigned CVE-2023-4658.

Thanks theluci for reporting this vulnerability through our
HackerOne bug bounty program.


Guest users can react (emojis) on confidential work items
which they can't see in a project

An issue has been discovered in GitLab affecting all versions
starting from 12.1 before 16.4.3, all versions starting from
16.5 before 16.5.3, all versions starting from 16.6 before
16.6.1. It was possible for a Guest user to add an emoji on
confidential work items.

This is a low severity issue
(CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N, 3.1). It is
now mitigated in the latest release and is assigned
CVE-2023-3443.

Thanks ashish_r_padelkar for reporting this vulnerability
through our HackerOne bug bounty program.
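As an added example (not part of the GitLab release post or of this CERT-Renater note), the following Python script encodes the affected-version ranges stated in the entries above and reports which of the listed CVEs apply to a given installed version. It reads each entry as "affected from the first listed release up to, but excluding, the patched release on the 16.4, 16.5 or 16.6 track"; the EE-only flag and all function names are assumptions made here.

```python
"""Check an installed GitLab version against the affected ranges listed above."""
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Patched releases named in the advisory, keyed by their 16.x minor track.
PATCHED: Dict[Tuple[int, int], Version] = {
    (16, 4): (16, 4, 3),
    (16, 5): (16, 5, 3),
    (16, 6): (16, 6, 1),
}

# Lowest affected version per CVE as stated in the advisory, and whether the
# entry says "GitLab EE" (EE-only) rather than "GitLab" or "GitLab CE/EE".
ADVISORY: Dict[str, Tuple[Version, bool]] = {
    "CVE-2023-6033": ((15, 10), False),
    "CVE-2023-6396": ((16, 5), True),
    "CVE-2023-3949": ((11, 3), False),
    "CVE-2023-5226": ((0,), False),  # "all versions before 16.4.3"
    "CVE-2023-5995": ((16, 2), True),
    "CVE-2023-4912": ((10, 5), True),
    "CVE-2023-4317": ((9, 2), False),
    "CVE-2023-3964": ((13, 2), False),
    "CVE-2023-4658": ((8, 13), True),
    "CVE-2023-3443": ((12, 1), False),
}


def parse_version(text: str) -> Version:
    """'16.5.2-ee' -> (16, 5, 2); an edition suffix after '-' is dropped."""
    return tuple(int(part) for part in text.split("-")[0].split("."))


def fix_target(version: Version) -> Version:
    """Patched release on the same track for 16.4.x / 16.5.x, else 16.6.1."""
    return PATCHED.get(version[:2], PATCHED[(16, 6)])


def affected_cves(version_text: str, enterprise: bool) -> List[str]:
    """CVEs from this advisory that apply to the given installation."""
    version = parse_version(version_text)
    target = fix_target(version)
    hits = []
    for cve, (lower, ee_only) in ADVISORY.items():
        if ee_only and not enterprise:
            continue
        # Affected when at/above the first affected release and below the fix
        # for this track; tuple ordering gives (16, 5) <= (16, 5, 0) as intended.
        if lower <= version < target:
            hits.append(cve)
    return hits
```

An empty result for a version at or above its track's patched release (for example 16.5.3 or 16.6.1) means none of the ten CVEs in this note apply; the Mattermost, PostgreSQL and pcre2 bundled-component updates are not modelled.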


Mattermost Security Update

Mattermost has been updated to the latest patch release to
mitigate several security issues.


Update to PG 14.9 and 13.12

PostgreSQL has been updated to 14.9 and 13.12 to mitigate
CVE-2023-39417.


Update pcre2 to 10.42

pcre2 has been updated to version 10.42 to mitigate
CVE-2022-41409.


Non-Security Patches

16.6.1

     Install Gitaly dependencies for project archiving (16.6 backport)
     Fix intermittent 404 errors loading GitLab Pages
     Prefer custom sort order with search in users API
     Backport "Fix group page erroring because of nil user" to 16-6-stable-ee
     Skip encrypted settings logic for Redis when used by Mailroom
     Allow + char in abuse detection for global search
     Backport "Move unlock pipeline cron scheduler out of ee" to 16.6
     Fix bug with pages_deployments files not being deleted on disk
     Backport - Truncate verification failure message to 255
     Backport "Revert "Merge branch 'sc1-release-goredis' into 'master'""

16.5.3

     Backport 10871d71b171db38701bfefe15883b05c234ca6d to 16-5-stable
     Geo: Reduce batch size of verification state backfill

16.4.3

     Backport 10871d71b171db38701bfefe15883b05c234ca6d to 16-4-stable
     Backport to 16.4 the fix for test failure due to "not-existing.com" being registered
     Bump asdf-bootstrapped-verify version on 16.4
     Fix bulk batch export of badges and uploads
     [16.4] ci: Fix broken master by not reading GITLAB_ENV
     Fix assign security check permission checks
     For 16.4: Fix Geo verification state backfill job can exceed batch size
     Geo: Reduce batch size of verification state backfill

Updating

To update GitLab, see the Update page. To update GitLab Runner,
see the Updating the Runner page.



=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
