=====================================================================

                                  CERT-Renater

                       Note d'Information No. 2024/VULN193
_____________________________________________________________________

DATE                : 12/04/2024

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running GitLab versions prior to 16.10.2,
                                       16.9.4, 16.8.6.

=====================================================================
https://about.gitlab.com/releases/2024/04/10/patch-release-gitlab-16-10-2-released/
_____________________________________________________________________

  GitLab Patch Release: 16.10.2, 16.9.4, 16.8.6

Learn more about GitLab Patch Release: 16.10.2, 16.9.4, 16.8.6 for
GitLab Community Edition (CE) and Enterprise Edition (EE).

Today we are releasing versions 16.10.2, 16.9.4, 16.8.6 for GitLab
Community Edition (CE) and Enterprise Edition (EE).

These versions contain important bug and security fixes, and we
strongly recommend that all GitLab installations be upgraded to
one of these versions immediately. GitLab.com is already running
the patched version.

GitLab releases fixes for vulnerabilities in dedicated patch
releases. There are two types of patch releases: scheduled
releases, and ad-hoc critical patches for high-severity
vulnerabilities. Scheduled releases are released twice a month
on the second and fourth Wednesdays. For more information, you
can visit our releases handbook and security FAQ. You can see
all of GitLab release blog posts here.

For security fixes, the issues detailing each vulnerability
are made public on our issue tracker 30 days after the
release in which they were patched.

We are dedicated to ensuring all aspects of GitLab that are
exposed to customers or that host customer data are held to
the highest security standards. As part of maintaining good
security hygiene, it is highly recommended that all customers
upgrade to the latest patch release for their supported
version. You can read more best practices in securing your
GitLab instance in our blog post.


Recommended Action

We strongly recommend that all installations running a
version affected by the issues described below are
upgraded to the latest version as soon as possible.

When no specific deployment type (omnibus, source code,
helm chart, etc.) of a product is mentioned, this means
all types are affected.


Security fixes

Table of security fixes

Title 	Severity

Stored XSS injected in diff viewer 	High
Stored XSS via autocomplete results 	High
Redos on Integrations Chat Messages 	Medium
Redos During Parse Junit Test Report 	Medium
Stored XSS injected in diff viewer

An issue has been discovered in GitLab CE/EE affecting
all versions starting from 16.9 before 16.9.4, all
versions starting from 16.10 before 16.10.2. A payload
may lead to a stored XSS while using the diff viewer,
llowing attackers to perform arbitrary actions on behalf
of victims. This is a high severity issue
(CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N, 8.7). It
is now mitigated in the latest release and is assigned
CVE-2024-3092.

Thanks yvvdwf for reporting this vulnerability through
our HackerOne bug bounty program.


Stored XSS via autocomplete results

An issue has been discovered in GitLab CE/EE affecting
all versions starting from 16.7 to 16.8.6 all versions
starting from 16.9 before 16.9.4, all versions starting
from 16.10 before 16.10.2. Using the autocomplete for
issues references feature a crafted payload may lead
to a stored XSS, allowing attackers to perform arbitrary
actions on behalf of victims. This is a high severity
issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N, 8.7).
It is now mitigated in the latest release and is assigned
CVE-2024-2279.

Thanks yvvdwf for reporting this vulnerability through our
HackerOne bug bounty program.


Redos on Integrations Chat Messages

A denial of service vulnerability was identified in GitLab
CE/EE, versions 16.7.7 prior to 16.8.6, 16.9 prior to 16.9.4
and 16.10 prior to 16.10.2 which allows an attacker to spike
the GitLab instance resources usage resulting in service
degradation via chat integration feature. This is a medium
severity issue
(CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L, 4.3). It is
now mitigated in the latest release and is assigned
CVE-2023-6489.

Thanks Anonymizer for reporting this vulnerability through
our HackerOne bug bounty program.


Redos During Parse Junit Test Report

An issue has been discovered in GitLab EE affecting all versions
before 16.8.6, all versions starting from 16.9 before 16.9.4,
all versions starting from 16.10 before 16.10.2. It was
possible for an attacker to cause a denial of service using
malicious crafted content in a junit test report file. This
is a medium severity issue
(CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L, 4.3). It is
now mitigated in the latest release and is assigned
CVE-2023-6678.

Thanks Anonymizer for reporting this vulnerability through our
HackerOne bug bounty program.


Bug fixes

16.10.2

     Quarantine flaky atomic processing ResetSkippedJobsService specs
     Fix include_optional_metrics_in_service_ping during migration to 16.10
     Use alpine:latest instead of alpine:edge in CI images [16.10]
     [16.10] Backport Delete callback should use namespace_id
     [16.10] Backport handle null owner when indexing projects
     Backport Zoekt: Retry indexing if too many requests to 16.10
     Backport https://gitlab.com/gitlab-org/gitlab/-/merge_requests/148596
     Fix URL validator for mirror services when using localhost
     Backport !148105 into 16.10
     Cherry-pick 'fix-omnibus-gitconfig-deprecation' into '16-10-stable'

16.9.4

     Quarantine flaky atomic processing ResetSkippedJobsService specs
     Use alpine:latest instead of alpine:edge in CI images [16.9]

16.8.6

     Quarantine flaky atomic processing ResetSkippedJobsService specs
     Use alpine:latest instead of alpine:edge in CI images [16.8]

Updating

To update GitLab, see the Update page. To update Gitlab Runner,
see the Updating the Runner page.


Receive Patch Notifications

To receive patch blog notifications delivered to your inbox,
visit our contact us page. To receive release notifications
via RSS, subscribe to our patch release RSS feed or our RSS
feed for all releases.


We’re combining patch and security releases

This improvement in our release process matches the industry
standard and will help GitLab users get information about
security and bug fixes sooner, read the blog post here.


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================