
=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN647
_____________________________________________________________________

DATE                : 29/09/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running GitLab CE/EE versions prior to 18.4.1,
                     18.3.3 or 18.2.7 (18.4, 18.3 and 18.2 branches
                     respectively).

=====================================================================
https://about.gitlab.com/releases/2025/09/25/patch-release-gitlab-18-4-1-released/
_____________________________________________________________________

 GitLab Patch Release: 18.4.1, 18.3.3, 18.2.7


Today, we are releasing versions 18.4.1, 18.3.3, 18.2.7 for GitLab
Community Edition (CE) and Enterprise Edition (EE).

These versions contain important bug and security fixes, and we
strongly recommend that all self-managed GitLab installations be
upgraded to one of these versions immediately. GitLab.com is already
running the patched version. GitLab Dedicated customers do not need
to take action.

GitLab releases fixes for vulnerabilities in patch releases. There are
two types of patch releases: scheduled releases and ad-hoc critical
patches for high-severity vulnerabilities. Scheduled releases are
published twice a month, on the second and fourth Wednesdays. For more
information, see the GitLab releases handbook and security FAQ; all
GitLab release blog posts are listed on the releases page.

For security fixes, the issues detailing each vulnerability are made
public on our issue tracker 30 days after the release in which they
were patched.

We are committed to ensuring that all aspects of GitLab that are
exposed to customers or that host customer data are held to the highest
security standards. To maintain good security hygiene, it is highly
recommended that all customers upgrade to the latest patch release for
their supported version. You can read more best practices in securing
your GitLab instance in our blog post.


Recommended Action

We strongly recommend that all installations running a version affected
by the issues described below are upgraded to the latest version as
soon as possible.

When no specific deployment type (omnibus, source code, helm chart, etc.)
of a product is mentioned, it means all types are affected.


Security fixes

Table of security fixes

CVE              Severity  Title

CVE-2025-9642    High      Cross-site scripting issue impacts GitLab CE/EE
CVE-2025-10858   High      Denial of Service issue when uploading specifically
                           crafted JSON files impacts GitLab CE/EE
CVE-2025-8014    High      Denial of Service issue bypassing query complexity
                           limits impacts GitLab CE/EE
CVE-2025-9958    Medium    Information disclosure issue in virtual registry
                           configuration for low privileged users impacts
                           GitLab CE/EE
CVE-2025-7691    Medium    Privilege Escalation issue from within the Developer
                           role impacts GitLab EE
CVE-2025-11042   Medium    Denial of Service issue in GraphQL API via Unbounded
                           Array Parameters impacts GitLab CE/EE
CVE-2025-10871   Low       Improper Authorization issue for Project Maintainers
                           when assigning roles impacts GitLab EE
CVE-2025-10867   Low       Denial of Service issue in GraphQL API blobSearch
                           impacts GitLab CE/EE
CVE-2025-5069    Low       Incorrect ownership assignment via Move Issue
                           drop-down impacts GitLab CE/EE
CVE-2025-10868   Low       Denial of Service issue via string conversion methods
                           impacts GitLab CE/EE


CVE-2025-9642 - Cross-site scripting issue in Script Gadgets impacts GitLab
CE/EE

GitLab has remediated an issue that, under certain conditions, could have
allowed an unauthenticated user to execute actions on behalf of other users
by injecting malicious content.

Impacted Versions: GitLab CE/EE: all versions from 14.10 before 18.2.7, 18.3
before 18.3.3, and 18.4 before 18.4.1.
CVSS: 8.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N)

Thanks joaxcar for reporting this vulnerability through our HackerOne bug
bounty program.


CVE-2025-10858 - Denial of Service issue when uploading specifically crafted
JSON files impacts GitLab CE/EE

GitLab has remediated an issue that could have allowed an unauthenticated user
to render a GitLab instance unresponsive to legitimate users by sending
specifically crafted JSON files.

Impacted versions: GitLab CE/EE: all versions before 18.2.7, 18.3 before
18.3.3, and 18.4 before 18.4.1
CVSS: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)


CVE-2025-8014 - Denial of Service issue bypassing query complexity limits
impacts GitLab CE/EE

GitLab has remediated an issue that could have allowed an unauthenticated
user to bypass query complexity limits leading to a Denial of Service
condition.

Impacted versions: GitLab CE/EE all versions from 11.10 before 18.2.7,
18.3 before 18.3.3, and 18.4 before 18.4.1
CVSS: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Thanks foxribeye for reporting this vulnerability through our HackerOne
bug bounty program.


CVE-2025-9958 - Information disclosure issue in virtual registry
configuration for low privileged users impacts GitLab CE/EE

GitLab has remediated an issue that could have allowed low privileged
users access to sensitive information stored in virtual registry
configurations.

Impacted versions: GitLab CE/EE all versions from 14.10 before 18.2.7,
18.3 before 18.3.3, and 18.4 before 18.4.1
CVSS: 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

Thanks joaxcar for reporting this vulnerability through our HackerOne
bug bounty program.


CVE-2025-7691 - Privilege Escalation issue from within the Developer
role impacts GitLab EE

GitLab has remediated an issue that could have allowed a developer with
specific group management permissions to escalate their privileges and
obtain unauthorized access to additional system capabilities.

Impacted versions: GitLab EE all versions from 16.6 prior to 18.2.7,
18.3 prior to 18.3.3, and 18.4 prior to 18.4.1
CVSS: 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N)

Thanks rogerace for reporting this vulnerability through our HackerOne
bug bounty program.


CVE-2025-11042 - Denial of Service issue in GraphQL API via Unbounded
Array Parameters impacts GitLab CE/EE

GitLab has remediated an issue that could have allowed an authenticated
user to cause uncontrolled CPU consumption, potentially leading to a
Denial of Service condition while using specific GraphQL queries.

Impacted versions: GitLab CE/EE all versions starting from 17.2 before
18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1
CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)


This vulnerability has been discovered internally by GitLab team member
Alisa Frunza.


CVE-2025-10871 - Improper Authorization issue for Project Maintainers
when assigning roles impacts GitLab EE

GitLab has remediated an issue that could have allowed a Project
Maintainer to assign custom roles to users that exceed the Maintainer's
own security boundary, resulting in elevated privileges.

Impacted versions: GitLab EE all versions from 16.6 before 18.2.7, 18.3
before 18.3.3, and 18.4 before 18.4.1
CVSS: 3.8 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L)

This vulnerability was discovered internally by a GitLab team member,
Diane Russel.


CVE-2025-10867 - Denial of Service issue in GraphQL API blobSearch
impacts GitLab CE/EE

GitLab has remediated an issue that could have allowed an authenticated
user to create a Denial of Service condition by exploiting an unprotected
GraphQL API through repeated requests.

Impacted versions: GitLab CE/EE all versions from 18.1 before 18.2.7,
18.3 before 18.3.3, and 18.4 before 18.4.1
CVSS: 3.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L)

This vulnerability has been discovered internally by GitLab team member
Terri Chu.


CVE-2025-5069 - Incorrect ownership assignment via Move Issue drop-down
impacts GitLab CE/EE

GitLab has remediated an issue that could have allowed an authenticated
user to gain unauthorized access to confidential issues by creating a
project with a name identical to an existing one, so that users moving
an issue through the Move Issue drop-down could transfer sensitive
information to the wrong project.

Impacted versions: GitLab CE/EE all versions from 17.10 before 18.2.7,
18.3 before 18.3.3, and 18.4 before 18.4.1
CVSS: 3.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N)

Thanks foxribeye for reporting this vulnerability through our HackerOne
bug bounty program.


CVE-2025-10868 - Denial of Service issue via string conversion methods
impacts GitLab CE/EE

GitLab has remediated an issue that could have allowed an authenticated
user to cause performance degradation, potentially leading to a Denial of
Service condition with certain string conversion methods.

Impacted versions: GitLab CE/EE all versions from 17.4 before 18.2.7,
18.3 before 18.3.3, and 18.4 before 18.4.1
CVSS: 3.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L)
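
When triaging this release, a practitioner usually wants a per-instance
answer: is my version affected, by which of the CVEs above, and which patch
of my branch closes them. The Python script below is an added example, not
part of GitLab's release post or of CERT-Renater's note; it encodes the three
fixed versions and the per-CVE "Impacted versions" ranges listed above. It
assumes the reader supplies the version string from their own instance (for
example the Admin area, or GET /api/v4/version with an authenticated token);
the version strings in the block's usage section are constructed.

```python
"""Assess an installed GitLab version against the ranges in this patch release.

Added example. The version string is expected to come from the reader's own
instance (Admin area or GET /api/v4/version); the strings under __main__ are
constructed samples.
"""
import re

# Fixed versions per minor branch, as published in this release.
FIXED = {(18, 2): (18, 2, 7), (18, 3): (18, 3, 3), (18, 4): (18, 4, 1)}

# (CVE, first affected minor, EE-only?) transcribed from the "Impacted
# versions" lines of this release. None means "all versions before the fix".
ADVISORIES = [
    ("CVE-2025-9642",  (14, 10), False),
    ("CVE-2025-10858", None,     False),
    ("CVE-2025-8014",  (11, 10), False),
    ("CVE-2025-9958",  (14, 10), False),
    ("CVE-2025-7691",  (16, 6),  True),
    ("CVE-2025-11042", (17, 2),  False),
    ("CVE-2025-10871", (16, 6),  True),
    ("CVE-2025-10867", (18, 1),  False),
    ("CVE-2025-5069",  (17, 10), False),
    ("CVE-2025-10868", (17, 4),  False),
]


def parse_version(text):
    """'18.3.2-ee', '18.3.2-ce.0' (omnibus) or '18.3.2' -> ((18, 3, 2), edition).
    The edition is read from the suffix when present, otherwise assumed EE."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)\.(\d+)(?:-(ce|ee))?", text)
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    version = tuple(int(x) for x in m.group(1, 2, 3))
    edition = (m.group(4) or "ee").lower()
    return version, edition


def is_patched(version):
    """True if the version already carries this release's fixes, False if not.
    Branches older than 18.2 have no patched release in this announcement;
    branches newer than 18.4 are outside its scope and return None."""
    branch = version[:2]
    if branch in FIXED:
        return version >= FIXED[branch]
    if branch > (18, 4):
        return None
    return False


def applicable_cves(version, edition):
    """CVEs from this release that apply to an unpatched version/edition."""
    cves = []
    for cve, first_affected, ee_only in ADVISORIES:
        if first_affected is not None and version[:2] < first_affected:
            continue  # introduced in a later minor than the one installed
        if ee_only and edition != "ee":
            continue  # EE-only issue, CE instance
        cves.append(cve)
    return cves


def assess(text):
    """Return affected (True/False/None), the applicable CVE list and the
    patched release of the same branch (None when the branch has none)."""
    version, edition = parse_version(text)
    patched = is_patched(version)
    fixed = FIXED.get(version[:2])
    return {
        "version": ".".join(map(str, version)) + "-" + edition,
        "affected": None if patched is None else not patched,
        "cves": [] if patched in (True, None) else applicable_cves(version, edition),
        "upgrade_to": ".".join(map(str, fixed)) if fixed else None,
    }


if __name__ == "__main__":
    # Constructed sample versions, not taken from any real instance.
    for sample in ("18.4.0-ee", "18.3.3-ee", "18.2.6-ce.0", "17.11.1-ee", "14.9.0-ce"):
        print(assess(sample))
```

Edition matters: two of the ten issues (CVE-2025-7691, CVE-2025-10871) apply
to EE only, so a CE instance in the same range reports eight CVEs. A branch
older than 18.2 has no patched release in this announcement and `upgrade_to`
is None; such instances must follow GitLab's documented upgrade path to a
patched branch rather than apply a single patch.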


PostgreSQL security updates

PostgreSQL has been updated to version 16.10, which contains fixes for
security vulnerabilities including CVE-2025-8713, CVE-2025-8714 and
CVE-2025-8715.


Bug fixes
18.4.1

    Backport of Update the admin user for GET Release Environment QA tests
    [18.4] Backport: Resolve "Unable to fork project or create project if
      application wide lock_duo_features_enabled is true"
    Backport of Add Danger message to guide backport MR authors to reviewers
      and mergers (18.4)
    Backport of 'Prevent deleting group/project when ancestor is marked
      for deletion at the service level'
    18.4: Backport of 'Fix error when applying scanner suggestion'
    Backport of Ensure proper MCP URL OAuth Discovery for API/V4/MCP
    Fix database state leak across specs
    Optimize HandleMalformedStrings middleware for CPU and memory
    Backport protected branches dropdown copy fix to 18.4
    [18.4] Fix flaky parallel design management uploads spec
    Backport of (Fix FetchModelDefinitionsService) !205687
    Backport: Add documentation on how to add
      DUO_WORKFLOW_SELF_SIGNED_JWT__SIGNING_KEY for DAP installations
    Backport of 'Geo: fix ActiveRecord::StatementInvalid: PG::UndefinedColumn
      when querying reverification count'
    Backport of Return success when status update target already matches
    [18.4] Allow elastic client adapter to be set
    Backport of Use isUnsafeLink for xcode protocol
    Ensure assets get recompiled if cached-assets-hash.txt is empty
    18.4 Backport of 'Resolve "Dependency list export with API silently
      fails license validation"'
    CI: Make Ubuntu 22.04 FIPS check EE-only (Backport)


18.3.3

    Backport 'Bump default ruby version to 3.2.9'
    Backport of "Use release-environment project id instead of canonical"
    Backport of 'Danger to not warn in maintained stable branches' to 18.3
    Backport of "Upgrade duo workflow client protocol version"
    Backport of "Filter out duplicate values from the variable options dropdown"
    18.3: Backport of 'Fix security widget polling indefinitely when there
      are sboms'
    [18.3 backport] Remove CVE-2025-8714 commands from structure.sql
    Backport 18.3: Do not trim deployment filename in geo secondary
    [Backport-18.3] Wiki search throws 500 error for some wiki content
    [18.3] Fix search admin page error when ES server returns forbidden
    Backport of "Hide secrets manager settings behind feature flag
      instead of just the license" to 18.3
    Backport of Update the admin user for GET Release Environment QA tests
    [18.3] Backport: Resolve "Unable to fork project or create project
      if application wide lock_duo_features_enabled is true"
    Backport of Add Danger message to guide backport MR authors to
      reviewers and mergers (18.3)
    [Backport 18-3] Skip secret push protection for as-if-foss pipeline
    18.3: Backport of 'Fix error when applying scanner suggestion'
    Backport of Ensure proper MCP URL OAuth Discovery for API/V4/MCP
    Optimize HandleMalformedStrings middleware for CPU and memory
    Backport to 18.3 of Add job project claims to CI ID Tokens
    Backport of Return success when status update target already matches
    [18.3] Fix flaky parallel design management uploads spec
    Backport 'Fix branches autocomplete paths in the merge request
      list app' to 18-3
    Backport 'Fix Linked file not being on top of the list' to 18-3
    [18.3] Allow elastic client adapter to be set
    Backport of Use isUnsafeLink for xcode protocol
    18.3 Backport of 'Resolve "Dependency list export with API
      silently fails license validation"'
    Backport: Fix registry metadata database password creation
    Fall back to c_rehash if there are multiple TLS certificates


18.2.7

    Backport of diff comment suggestions line range fix
    [18.2] Fix search admin page error when ES server returns forbidden
    [Backport 18.2] Wiki search throws 500 error for some wiki content
    Backport of 'Danger to not warn in maintained stable branches' to 18.2
    Backport 18.2: Do not trim deployment filename in geo secondary
    Backport of "Use release-environment project id instead of canonical"
    18.2: Backport of 'Fix security widget polling indefinitely when
      there are sboms'
    Backport of Update the admin user for GET Release Environment QA tests
    [Backport 18-2] Skip secret push protection for as-if-foss pipeline
    Backport of Add Danger message to guide backport MR authors to
      reviewers and mergers (18.2)
    18.2: Backport of 'Fix error when applying scanner suggestion'
    Optimize HandleMalformedStrings middleware for CPU and memory
    Backport to 18.2 of Add job project claims to CI ID Tokens
    [18.2] Backport: Resolve "Unable to fork project or create project
      if application wide lock_duo_features_enabled is true"
    [18.2] Fix flaky parallel design management uploads spec
    Fall back to c_rehash if there are multiple TLS certificates


Important notes on upgrading

These versions do not include any new migrations, and for multi-node
deployments, should not require any downtime.

Please be aware that by default the Omnibus packages will stop, run
migrations, and start again, no matter how “big” or “small” the
upgrade is. This behavior can be changed by adding a
/etc/gitlab/skip-auto-reconfigure file, which is only used for updates.


Updating

To update GitLab, see the Update page. To update GitLab Runner, see the
Updating the Runner page.


Receive Patch Notifications

To receive patch blog notifications delivered to your inbox, visit
our contact us page. To receive release notifications via RSS,
subscribe to our patch release RSS feed or our RSS feed for all
releases.


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
