
=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN435
_____________________________________________________________________

DATE                : 10/07/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running GitLab versions prior to 18.1.2,
                                     18.0.4, 17.11.6.

=====================================================================
https://about.gitlab.com/releases/2025/07/09/patch-release-gitlab-18-1-2-released/
_____________________________________________________________________

 GitLab Patch Release: 18.1.2, 18.0.4, 17.11.6

Today, we are releasing versions 18.1.2, 18.0.4, 17.11.6 for GitLab
Community Edition (CE) and Enterprise Edition (EE).

These versions contain important bug and security fixes, and we
strongly recommend that all self-managed GitLab installations be
upgraded to one of these versions immediately. GitLab.com is
already running the patched version. GitLab Dedicated customers
do not need to take action.

GitLab releases fixes for vulnerabilities in patch releases. There
are two types of patch releases: scheduled releases and ad-hoc
critical patches for high-severity vulnerabilities. Scheduled
releases are released twice a month on the second and fourth
Wednesdays. For more information, please visit our releases
handbook and security FAQ. You can see all of GitLab release
blog posts here.

For security fixes, the issues detailing each vulnerability are
made public on our issue tracker 30 days after the release in
which they were patched.

We are committed to ensuring that all aspects of GitLab that are
exposed to customers or that host customer data are held to the
highest security standards. To maintain good security hygiene, it
is highly recommended that all customers upgrade to the latest
patch release for their supported version. You can read more best
practices in securing your GitLab instance in our blog post.

Recommended Action

We strongly recommend that all installations running a version
affected by the issues described below are upgraded to the
latest version as soon as possible.

When no specific deployment type (omnibus, source code, helm
chart, etc.) of a product is mentioned, it means all types
are affected.


Security fixes

Table of security fixes

Title                                               Severity
Cross-site scripting issue impacts GitLab CE/EE      High
Incorrect authorization issue impacts GitLab CE/EE   Medium
Incorrect authorization issue impacts GitLab EE      Low
Incorrect authorization issue impacts GitLab EE      Low


CVE-2025-6948 - Cross-site scripting issue impacts GitLab
CE/EE

GitLab has remediated an issue that, under certain conditions,
could have allowed a successful attacker to execute actions
on behalf of users by injecting malicious content.

Impacted Versions: all versions from 17.11 before 17.11.6,
18.0 before 18.0.4, and 18.1 before 18.1.2.
CVSS: 8.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N)

Thanks yvvdwf for reporting this vulnerability through our
HackerOne bug bounty program.


CVE-2025-3396 - Improper authorization issue impacts GitLab
CE/EE

GitLab has remediated an issue that could have allowed
authenticated project owners to bypass group-level forking
restrictions by manipulating API requests.

Impacted Versions: all versions from 13.3 before 17.11.6,
18.0 before 18.0.4, and 18.1 before 18.1.2.
CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

Thanks theluci for reporting this vulnerability through our
HackerOne bug bounty program.


CVE-2025-4972 - Improper authorization issue impacts GitLab EE

GitLab has remediated an issue that could have allowed
authenticated users with invitation privileges to bypass
group-level user invitation restrictions by manipulating
group invitation functionality.

Impacted Versions: all versions from 18.0 before 18.0.4
and 18.1 before 18.1.2.
CVSS: 2.7 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N)

Thanks mateuszek for reporting this vulnerability through our
HackerOne bug bounty program.


CVE-2025-6168 - Improper authorization issue impacts GitLab
EE

GitLab has remediated an issue that could have allowed
authenticated maintainers to bypass group-level user
invitation restrictions by sending crafted API requests.

Impacted Versions: all versions from 18.0 before 18.0.4 and
18.1 before 18.1.2.
CVSS: 2.7 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N)

Thanks hunter0xp7 for reporting this vulnerability through
our HackerOne bug bounty program.
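
The impacted-version ranges above can be turned into a quick triage check. The script below is an added example, not code from GitLab or CERT-Renater: it transcribes the ranges and editions from the four entries above and reports which of them cover a given instance version. It assumes the version string has the form returned by GitLab itself (e.g. `18.1.1-ee` for EE, `18.1.1` for CE); the sample versions in the block are constructed.

```python
# Added example (not from the GitLab release post or the CERT-Renater note).
# Ranges are transcribed from the advisory text: (first affected, first fixed).
ADVISORY = {
    "CVE-2025-6948": {"editions": {"CE", "EE"},
                      "ranges": [("17.11.0", "17.11.6"), ("18.0.0", "18.0.4"),
                                 ("18.1.0", "18.1.2")]},
    "CVE-2025-3396": {"editions": {"CE", "EE"},
                      "ranges": [("13.3.0", "17.11.6"), ("18.0.0", "18.0.4"),
                                 ("18.1.0", "18.1.2")]},
    "CVE-2025-4972": {"editions": {"EE"},
                      "ranges": [("18.0.0", "18.0.4"), ("18.1.0", "18.1.2")]},
    "CVE-2025-6168": {"editions": {"EE"},
                      "ranges": [("18.0.0", "18.0.4"), ("18.1.0", "18.1.2")]},
}


def parse_version(version):
    """'18.1.1-ee' -> (18, 1, 1); drops the edition suffix, pads to 3 parts."""
    core = version.split("-")[0]
    parts = [int(p) for p in core.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def edition_of(version):
    # Assumption: EE reports a '-ee' suffix, CE reports the bare version.
    return "EE" if version.endswith("-ee") else "CE"


def affected_cves(version, edition=None):
    """Return the CVE ids from this advisory whose ranges include `version`."""
    v = parse_version(version)
    ed = edition or edition_of(version)
    hits = []
    for cve, info in ADVISORY.items():
        if ed not in info["editions"]:
            continue  # EE-only issue, CE instance
        if any(parse_version(lo) <= v < parse_version(hi)
               for lo, hi in info["ranges"]):
            hits.append(cve)
    return hits


if __name__ == "__main__":
    # Constructed sample inputs; replace with the value from /api/v4/version.
    for sample in ("18.1.1-ee", "18.1.1", "17.11.5", "16.5.0-ee", "18.0.4"):
        print(sample, "->", affected_cves(sample) or "not in any listed range")
```

Note that an instance on an older line such as 16.x falls inside the CVE-2025-3396 range (13.3 before 17.11.6) but not the CVE-2025-6948 range, so a fix requires moving to one of the three patched versions rather than just the next minor.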


rsync security updates

rsync has been updated to version 3.4.1 which contains fixes
for security vulnerabilities including CVE-2024-12084 and
CVE-2024-12088.


Bug fixes

18.1.2

    Backport Exporter 15.5.0 to 18.1 stable
    update gitlab-org/container-registry to v4.23.2-gitlab
    Merge branch '550037-set-static-glab-version-for-release-qa-tests' into 'master'
    Quarantine a flaky test
    Fix code owner validation for roles
    Enable using glab for CI release
    Remove Sidekiq shutdown delay in ConcurrencyLimitSampler
    Refactor blob commit info section (18.1 backport)
    Backport 'Upload cached frontend stable packages' to 18-1-stable-ee
    [Backport 18.1] Reintroduce body for redirect responses
    Show both author and committer in last commit (18.1 backport)
    Fix creation of PATs using UI on relative installations
    [Backport] Zoekt: Only enable global search when nodes are online
    Fix title on empty projects (18.1 backport)
    Rake Doctor Secrets: Fix WebHook error
    Fix comment typos to trigger asset compilation
    Fix E2E test service_ping_default_enabled_spec.rb
    Fix catalog data loader memoization problem in specs
    Backport "Disable the edit button, instead of not rendering it" to 18.1
    Add a redirect status as a success backport to 18.1
    Make sure to load correct loader on every request
    Merge branch 'dattang/build-omnibus-for-release-environment' into '18-1-stable-ee'
    Backport 'dattang/export-release-environment-package-name' into '18-1-stable-ee'
    Quarantine a flaky test
    Backport: 'revert-grpc-1.72' into 18-1
    Merge branch 'jk/cache-assets-for-stable-branch' into 'master'
    Fix the owner for sequence ci_builds_id_seq
    Backport GitLab Exporter 15.5.0 to 18.1 stable
    Merge branch 'dattang/upload-package-for-release-environment' into '18-1-stable'
    Merge branch 'dattang/build-release-environment-package' into '18-1-stable'
    Merge branch 'dattang/fix-release-environment-package-name' into '18-1-stable'
    Stable branch builds: Fix versions parsing


18.0.4

    update gitlab-org/container-registry to v4.21.4-gitlab
    Use 1.59.2 version of glab in release_with_glab_spec.rb
    Quarantine a flaky test
    Remove checksum length expectation from the Gitlab::Git::Repository#checksum
    Fix Protected Tags show page
    Fix code owner validation for roles
    Remove Sidekiq shutdown delay in ConcurrencyLimitSampler
    Refactor blob commit info section (18.0 backport)
    Backport 'Upload cached frontend stable packages' to 18-0-stable-ee
    [Backport 18.0] Reintroduce body for redirect responses
    Show both author and committer in last commit (18.0 backport)
    Backport "Add a spinner for a loading ellipsis menu" to 18.0
    Fix title on empty projects (18.0 backport)
    No-op ValidateCiBuildNeedsProjectIdNotNull
    Fix comment typos to trigger asset compilation
    [Backport 18.0] Fix incorrect redirect when branch doesn't include files
    Fix creation of PATs using UI on relative installations

17.11.6

    update gitlab-org/container-registry to v4.19.2-gitlab
    Use 1.59.2 version of glab in release_with_glab_spec.rb
    Quarantine a flaky test
    Remove checksum length expectation from the Gitlab::Git::Repository#checksum
    Fix code owner validation for roles
    Revert "Merge branch 'backport-fix/547265-code-owner-roles-validation-17-11'…
    Backport 'Upload cached frontend stable packages' to 17-11-stable-ee
    Fix comment typos to trigger asset compilation
    Backport 1465f38a to 17.11
    Fix incompatible Rails cache version from 7.1 to 6.1
    Fix creation of PATs using UI on relative installations
    [Backport 17.11] Fix incorrect redirect when branch doesn't include files


Updating

To update GitLab, see the Update page. To update GitLab Runner,
see the Updating the Runner page.


Receive Patch Notifications

To receive patch blog notifications delivered to your inbox, visit
our contact us page. To receive release notifications via RSS,
subscribe to our patch release RSS feed or our RSS feed for all
releases.

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
