=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN138

_____________________________________________________________________

DATE                : 14/03/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running GitLab versions prior to 17.9.2,
                     17.8.5, 17.7.7.

=====================================================================
https://about.gitlab.com/releases/2025/03/12/patch-release-gitlab-17-9-2-released/
_____________________________________________________________________


 GitLab Critical Patch Release: 17.9.2, 17.8.5, 17.7.7

Today we are releasing versions 17.9.2, 17.8.5, 17.7.7 for GitLab
Community Edition (CE) and Enterprise Edition (EE).

These versions contain important bug and security fixes, and we
strongly recommend that all self-managed GitLab installations be
upgraded to one of these versions immediately. GitLab.com is
already running the patched version. GitLab Dedicated customers
do not need to take action and will be notified once their
instance has been patched.

GitLab releases fixes for vulnerabilities in patch releases.
There are two types of patch releases: scheduled releases, and
ad-hoc critical patches for high-severity vulnerabilities.
Scheduled releases are released twice a month on the second and
fourth Wednesdays. For more information, see the GitLab releases
handbook and security FAQ. All GitLab release blog posts are listed
at about.gitlab.com/releases.

For security fixes, the issues detailing each vulnerability are
made public on our issue tracker 30 days after the release in
which they were patched.

We are committed to ensuring all aspects of GitLab that are
exposed to customers or that host customer data are held to the
highest security standards. As part of maintaining good security
hygiene, it is highly recommended that all customers upgrade to
the latest patch release for their supported version. You can
read more best practices in securing your GitLab instance in
our blog post.

Recommended Action

We strongly recommend that all installations running a version
affected by the issues described below are upgraded to the latest
version as soon as possible.

When no specific deployment type (omnibus, source code, helm
chart, etc.) of a product is mentioned, this means all types
are affected.


Security fixes

Table of security fixes (CVE identifiers taken from the per-issue
sections below)

  Severity  CVE(s) / Title
  --------  ---------------------------------------------------------
  Critical  CVE-2025-25291, CVE-2025-25292
            Third party gem ruby-saml
  High      CVE-2025-27407
            Third party gem graphql
  Medium    CVE-2024-13054
            Denial of Service Due to Inefficient Processing of
            Untrusted Input
  Medium    CVE-2024-12380
            Credentials disclosed when repository mirroring fails
  Medium    CVE-2025-1257
            Denial of Service Vulnerability in GitLab Approval Rules
            due to Unbounded Field
  Medium    CVE-2025-0652
            Internal Notes in Merge Requests Are Emailed to
            Non-Members Upon Review Submission
  Low       CVE-2024-8402
            Maintainer can inject shell code in Google integrations
  Low       CVE-2024-7296
            Guest with custom Admin group member permissions can
            approve the users invitation despite user caps
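The affected ranges quoted in the per-issue sections below have a
subtlety that is easy to misread when checking a fleet by hand: 17.7.7
and any later 17.7.x are fixed, while 17.8.0 through 17.8.4 are not.
The following Ruby script is an added example, not GitLab's or
CERT-Renater's code. It encodes the first-affected bounds exactly as
the advisory states them (nil where the advisory gives no lower
bound), uses short issue labels chosen here, and accepts version
strings of the form returned by GET /api/v4/version (for example
17.8.4-ee); the versions in the usage section are constructed sample
input.

```ruby
# Added example (not GitLab's or CERT-Renater's code): decide which of the
# issues in this advisory apply to a given GitLab version string, using the
# affected ranges stated in the per-issue sections of the advisory.
require "rubygems" # Gem::Version; loaded by default in Ruby anyway

# First affected version per issue, copied from the advisory text. nil means
# the advisory states no first affected version, so every release below the
# fix is treated as affected. Labels are shorthand chosen for this example.
FIRST_AFFECTED = {
  "CVE-2025-25291/CVE-2025-25292 (ruby-saml)"        => nil,
  "CVE-2025-27407 (graphql, Direct Transfer RCE)"    => nil,
  "CVE-2024-13054 (DoS, untrusted input)"            => nil,
  "CVE-2024-12380 (mirroring credential disclosure)" => "11.5",
  "CVE-2025-1257 (approval rules DoS)"               => "12.3",
  "CVE-2025-0652 (internal notes emailed)"           => "16.9",
  "CVE-2024-8402 (Google Cloud IAM integration)"     => "17.2",
  "CVE-2024-7296 (user cap bypass)"                  => "16.5",
}.freeze

# Every issue is fixed in 17.7.7, 17.8.5 and 17.9.2, so each is affected on
# three half-open ranges: [first, 17.7.7), [17.8, 17.8.5), [17.9, 17.9.2).
# Note the gap: 17.7.8 is fixed, 17.8.0 is not.
def affected_ranges(first_affected)
  [[first_affected, "17.7.7"], ["17.8", "17.8.5"], ["17.9", "17.9.2"]]
end

# GitLab reports versions such as "17.8.4-ee" (GET /api/v4/version). Keep
# only the numeric part; otherwise Gem::Version reads "-ee" as a pre-release
# and sorts 17.8.4-ee *below* 17.8.4, which would give wrong answers.
def normalize_version(raw)
  m = raw.to_s.strip.match(/\Av?(\d+(?:\.\d+)*)/)
  raise ArgumentError, "unparseable GitLab version: #{raw.inspect}" unless m
  Gem::Version.new(m[1])
end

# Gem::Version treats "17.8" and "17.8.0" as equal, so "17.8" is a safe
# lower bound for the 17.8.x range.
def in_range?(version, lower, upper)
  (lower.nil? || version >= Gem::Version.new(lower)) &&
    version < Gem::Version.new(upper)
end

# Labels of the issues that affect the given version (empty when patched).
def affecting_issues(raw_version)
  v = normalize_version(raw_version)
  FIRST_AFFECTED.select { |_label, first|
    affected_ranges(first).any? { |lo, hi| in_range?(v, lo, hi) }
  }.keys
end

def patched?(raw_version)
  affecting_issues(raw_version).empty?
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample versions, not data from any real instance.
  %w[17.9.1-ee 17.9.2-ee 17.7.8-ce 17.8.0 11.4.0].each do |ver|
    issues = affecting_issues(ver)
    puts "#{ver}: #{issues.empty? ? 'not affected' : issues.join(', ')}"
  end
end
```

Feed it the `version` field from each instance's `/api/v4/version`
response; an empty result for an instance means it is on or past the
fixed release of its own minor line. A version such as 11.4.0 still
comes back flagged for the three issues whose lower bound the advisory
does not state, which is the conservative reading.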


CVE-2025-25291 and CVE-2025-25292 (third party gem ruby-saml)

GitLab has remediated two privately disclosed security issues
(CVE-2025-25291, CVE-2025-25292) identified in the ruby-saml
library which GitLab uses when SAML SSO authentication is
enabled at the instance or group level. These issues have been
remediated on GitLab.com, and in GitLab CE/EE versions 17.7.7,
17.8.5, and 17.9.2.

On GitLab CE/EE instances using SAML authentication, under
certain circumstances, an attacker with access to a valid signed
SAML document from the IdP could authenticate as another valid
user within the environment's SAML IdP.


Self Managed GitLab: Known Mitigations

Affected customers who cannot immediately update GitLab CE/EE to
address these issues may choose to perform the following
mitigation steps:

Note: This vulnerability requires the attacker to have compromised
a valid user account to perform the authentication bypass.

    - Enable GitLab two-factor authentication for all user accounts
      on the GitLab self-managed instance (NOTE: enabling identity
      provider multi-factor authentication does not mitigate this
      vulnerability), and
    - Do not allow the SAML two-factor bypass option in GitLab, and
    - Require admin approval for automatically created new users
      (gitlab_rails['omniauth_block_auto_created_users'] = true)

GitLab Thanks:

    - ahacker1 for reporting CVE-2025-25291 through our HackerOne bug
      bounty program
    - Peter Stöckli (GitHub) for identifying CVE-2025-25292 and
      contacting GitLab to coordinate disclosure and remediation
      across vendors
    - Sixto Martin Garcia (maintainer of the ruby-saml RubyGem) for
      their collaboration on remediation and coordinating disclosure


CVE-2025-27407 (third party gem graphql)

GitLab has remediated a privately disclosed security issue
(CVE-2025-27407) identified in the Ruby graphql library, which
affects and has been remediated in GitLab.com, and in GitLab CE/EE
versions 17.7.7, 17.8.5, and 17.9.2.

Under certain circumstances, if an attacker-controlled authenticated
user account attempted to transfer a maliciously-crafted project via
the Direct Transfer feature, remote code execution is possible
(note: Direct Transfer is in beta and is disabled by default for
all self-managed GitLab instances). Disabling Direct Transfer
removes the risk of exploitation from this issue.


Self-managed GitLab: Known Mitigations

Affected customers who cannot immediately update their GitLab CE/EE
to address these issues may choose to perform the following mitigation
steps:

    - Disable migration of groups and projects by direct transfer,
      if enabled (disabled by default)
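Both "Known Mitigations" sections above describe settings that can be
verified mechanically rather than by clicking through the Admin Area.
The following Ruby script is an added example, not GitLab's or
CERT-Renater's code. It evaluates a gitlab.rb fragment to read
omniauth_block_auto_created_users and the SAML provider's
upstream_two_factor_authn_contexts list (the setting the author of this
example understands to be the "SAML two-factor bypass option"), and it
reads the JSON from GET /api/v4/application/settings for
require_two_factor_authentication (instance-wide 2FA, which is not a
gitlab.rb setting) and bulk_import_enabled (the direct-transfer
toggle). Those attribute names are assumptions taken from the GitLab
application-settings API as the author knows it; the two gitlab.rb
fragments and the two JSON documents are constructed samples.

```ruby
# Added example, not GitLab's or CERT-Renater's code: report which of the
# workarounds in this advisory are still missing on a self-managed instance,
# from (1) the gitlab.rb text and (2) the JSON returned by
# GET /api/v4/application/settings. Attribute names are the application
# settings API names as understood by the author of this example.
require "json"

# Minimal evaluator for the gitlab.rb DSL. Every top-level call, e.g.
# gitlab_rails['key'] = value or external_url 'https://...', is recorded in
# a hash. This executes the file as Ruby, so only run it on a gitlab.rb you own.
class GitlabRbSandbox
  def initialize
    @settings = Hash.new { |h, k| h[k] = {} }
  end

  def evaluate(text)
    instance_eval(text, "gitlab.rb", 1)
    @settings
  end

  def method_missing(name, *args)
    return @settings[name.to_s] if args.empty?   # gitlab_rails['x'] = y style
    @settings[name.to_s] = args.first            # external_url 'x' style
  end
end

# Hash lookup tolerant of symbol or string keys, as both appear in gitlab.rb.
def setting(hash, key)
  return nil unless hash.is_a?(Hash)
  hash.key?(key.to_sym) ? hash[key.to_sym] : hash[key.to_s]
end

# SAML-related workaround state visible in gitlab.rb.
def saml_state(gitlab_rb_text)
  rails = GitlabRbSandbox.new.evaluate(gitlab_rb_text)["gitlab_rails"]
  saml = Array(rails["omniauth_providers"]).select { |p| setting(p, :name).to_s == "saml" }
  # AuthnContext values listed here let an IdP assertion count as GitLab 2FA,
  # i.e. the bypass the advisory says not to allow (assumed setting name).
  bypass = saml.flat_map { |p| Array(setting(setting(p, :args), :upstream_two_factor_authn_contexts)) }
  {
    saml_configured: !saml.empty?,
    block_auto_created_users: rails["omniauth_block_auto_created_users"] == true,
    two_factor_bypass_contexts: bypass,
  }
end

# Instance-wide state from the application settings API response.
def app_settings_state(settings_json)
  s = JSON.parse(settings_json)
  {
    two_factor_required: s["require_two_factor_authentication"] == true,
    direct_transfer_enabled: s["bulk_import_enabled"] == true,
  }
end

# Workarounds still to apply; an empty list means all are in place.
def mitigation_gaps(gitlab_rb_text, settings_json)
  rb  = saml_state(gitlab_rb_text)
  app = app_settings_state(settings_json)
  gaps = []
  if rb[:saml_configured] # the ruby-saml issues only matter with SAML enabled
    gaps << "require 2FA for all users (require_two_factor_authentication)" unless app[:two_factor_required]
    gaps << "remove SAML 2FA bypass contexts: #{rb[:two_factor_bypass_contexts].join(', ')}" unless rb[:two_factor_bypass_contexts].empty?
    gaps << "set gitlab_rails['omniauth_block_auto_created_users'] = true" unless rb[:block_auto_created_users]
  end
  gaps << "disable direct transfer (bulk_import_enabled = false)" if app[:direct_transfer_enabled]
  gaps
end

# Constructed sample inputs, not real configuration.
WEAK_GITLAB_RB = <<~'RB'
  external_url 'https://gitlab.example.com'
  gitlab_rails['omniauth_enabled'] = true
  gitlab_rails['omniauth_block_auto_created_users'] = false
  gitlab_rails['omniauth_providers'] = [
    { name: 'saml',
      args: { idp_sso_target_url: 'https://idp.example.com/sso',
              issuer: 'https://gitlab.example.com',
              upstream_two_factor_authn_contexts: %w(
                urn:oasis:names:tc:SAML:2.0:ac:classes:CertificateProtectedTransport) } }
  ]
RB
HARDENED_GITLAB_RB = <<~'RB'
  external_url 'https://gitlab.example.com'
  gitlab_rails['omniauth_enabled'] = true
  gitlab_rails['omniauth_block_auto_created_users'] = true
  gitlab_rails['omniauth_providers'] = [
    { name: 'saml',
      args: { idp_sso_target_url: 'https://idp.example.com/sso',
              issuer: 'https://gitlab.example.com' } }
  ]
RB
WEAK_SETTINGS     = '{"require_two_factor_authentication": false, "bulk_import_enabled": true}'
HARDENED_SETTINGS = '{"require_two_factor_authentication": true, "bulk_import_enabled": false}'

if $PROGRAM_NAME == __FILE__
  puts "weak:     #{mitigation_gaps(WEAK_GITLAB_RB, WEAK_SETTINGS).inspect}"
  puts "hardened: #{mitigation_gaps(HARDENED_GITLAB_RB, HARDENED_SETTINGS).inspect}"
end
```

Run it with `File.read("/etc/gitlab/gitlab.rb")` and the body of an
authenticated `GET /api/v4/application/settings` call (admin token
required). Instances without a SAML provider are only checked for the
direct-transfer toggle, matching the advisory's scoping of the
ruby-saml issues to SAML-enabled instances; remember that these are
workarounds and the advisory still calls for upgrading.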

GitLab Thanks:

    - yvvdwf for reporting this vulnerability through our HackerOne
      bug bounty program
    - Robert Mosolgo (ruby-graphql) for their collaboration on
      cross-vendor disclosure and remediation


Denial of Service Due to Inefficient Processing of Untrusted Input

An issue was discovered in GitLab CE/EE affecting all versions
before 17.7.7, 17.8 prior to 17.8.5, and 17.9 prior to 17.9.2,
where a denial of service vulnerability could allow an attacker
to cause a system reboot under certain conditions. This is a
medium severity issue (CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, 5.7).
It is now mitigated in the latest release and is assigned
CVE-2024-13054.

Thanks sim4n6 for reporting this vulnerability through our HackerOne
bug bounty program.


Credentials disclosed when repository mirroring fails

An issue was discovered in GitLab EE/CE affecting all versions
starting from 11.5 before 17.7.7, all versions starting from
17.8 before 17.8.5, all versions starting from 17.9 before 17.9.2.
Certain user inputs in repository mirroring settings could
potentially expose sensitive authentication information. This
is a medium severity issue
(CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N, 4.4). It is now
mitigated in the latest release and is assigned CVE-2024-12380.

Thanks sigitsetiawansss for reporting this vulnerability through
our HackerOne bug bounty program.


Denial of Service Vulnerability in GitLab Approval Rules due to
Unbounded Field

An issue was discovered in GitLab EE affecting all versions
starting with 12.3 before 17.7.7, 17.8 prior to 17.8.5, and 17.9
prior to 17.9.2. A vulnerability in certain GitLab instances
could allow an attacker to cause a denial of service condition
by manipulating specific API inputs. This is a medium severity
issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H, 6.5). It
is now mitigated in the latest release and is assigned CVE-2025-1257.

Thanks pwnie for reporting this vulnerability through our
HackerOne bug bounty program.


Internal Notes in Merge Requests Are Emailed to Non-Members Upon
Review Submission

An issue has been discovered in GitLab EE/CE affecting all versions
starting from 16.9 before 17.7.7, all versions starting from 17.8
before 17.8.5, and all versions starting from 17.9 before 17.9.2
that could allow unauthorized users to access confidential
information intended for internal use only. This is a medium
severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, 4.3).
It is now mitigated in the latest release and is assigned
CVE-2025-0652.

Thanks foxribeye for reporting this vulnerability through our
HackerOne bug bounty program.


Maintainer can inject shell code in Google integrations

An issue was discovered in GitLab EE affecting all versions starting
from 17.2 before 17.7.7, all versions starting from 17.8 before
17.8.5, all versions starting from 17.9 before 17.9.2. An input
validation issue in the Google Cloud IAM integration feature could
have enabled a Maintainer to introduce malicious code. This is a
low severity issue
(CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N, 3.7). It is now
mitigated in the latest release and is assigned CVE-2024-8402.

Thanks joaxcar for reporting this vulnerability through our
HackerOne bug bounty program.


Guest with custom Admin group member permissions can approve
the users invitation despite user caps

An issue was discovered in GitLab EE affecting all versions from
16.5 prior to 17.7.7, 17.8 prior to 17.8.5, and 17.9 prior to
17.9.2 which allowed a user with a custom permission to approve
pending membership requests beyond the maximum number of allowed
users. This is a low severity issue
(CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N, 2.7). It is now
mitigated in the latest release and is assigned CVE-2024-7296.

Thanks ashish_r_padelkar for reporting this vulnerability through
our HackerOne bug bounty program.


Bump PostgreSQL versions to 14.17 and 16.8

The PostgreSQL project released an update so we are updating to
versions 14.17 and 16.8.


Bug fixes
17.9.2

    PG: Upgrade client libraries and programs to 16.8
    Use correct project when fetching managed resources
templates
    E2E test fix: web ide spec
    Prevent deletion of project_bot users with non-expiring
access tokens
    Backport: Fix missing repo logic
    Backport: Search times out with certain special characters
    Backport: Fix to support custom pipcompile requirement file
with the new DS analyzer
    Update gitlab-development-kit digest to 1305f9b

17.8.5

    Fixes typo on profiles controller spec

17.7.7

    Fixes typo on issues controller spec


Updating

To update GitLab, see the Update page. To update GitLab Runner,
see the Updating the Runner page.

Receive Patch Notifications

To receive patch blog notifications delivered to your inbox,
visit our contact us page. To receive release notifications via
RSS, subscribe to our patch release RSS feed or our RSS feed for
all releases.

We're combining patch and security releases

This improvement in our release process matches the industry
standard and will help GitLab users get information about security
and bug fixes sooner; see the blog post announcing the change.

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
