GitLab Rectifies Issues for 13 Security Flaws
GitLab urges users to upgrade after admitting to a series of vulnerabilities which could see malicious attackers running commands remotely.
The details about the following vulnerabilities will be revealed in an issue tracker in about 30 days, according to GitLab.
In a statement, GitLab said: “We strongly recommend that all installations running an affected version are upgraded to the latest version as soon as possible”.
GitLab has released three new versions, namely 11.9.12, 11.10.5, and 11.11.1, for GitLab Enterprise Edition (EE) and Community Edition (CE), in order to rectify 13 security flaws.
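A quick way for an administrator to check whether an installation already carries these fixes, as an added example rather than GitLab's own tooling: it compares the installed version against the three patched releases named above, treats releases on older minor branches (which received no fix) as unpatched, and assumes any later branch includes the fixes.

```python
"""Check an installed GitLab version against the fixed releases in this advisory.

Added example, not GitLab tooling. Fixed versions are those named in the article
(11.9.12, 11.10.5, 11.11.1); the assumption that older branches are unpatched and
newer branches carry the fixes is the usual reading of a backported security release.
"""
from typing import Tuple

# Patched releases from the article, keyed by (major, minor) branch.
FIXED_RELEASES = {
    (11, 9): (11, 9, 12),
    (11, 10): (11, 10, 5),
    (11, 11): (11, 11, 1),
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH' into ints; an edition suffix such as '-ee' is ignored."""
    core = text.strip().split("-")[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def is_patched(text: str) -> bool:
    """True when the installed version contains the fixes for the 13 flaws."""
    version = parse_version(text)
    branch = version[:2]
    if branch in FIXED_RELEASES:
        return version >= FIXED_RELEASES[branch]
    # Branches older than 11.9 got no patched release; newer ones assumed fixed.
    return branch > max(FIXED_RELEASES)


def upgrade_target(text: str) -> str:
    """Name the release an unpatched install should move to ('' if already patched)."""
    if is_patched(text):
        return ""
    branch = parse_version(text)[:2]
    target = FIXED_RELEASES.get(branch, max(FIXED_RELEASES.values()))
    return ".".join(str(n) for n in target)


if __name__ == "__main__":
    # Constructed sample inputs, not real host data.
    for v in ("11.9.11-ee", "11.10.5", "11.11.0", "11.8.7", "12.0.1"):
        print(v, "patched" if is_patched(v) else f"upgrade to {upgrade_target(v)}")
```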
The first vulnerability is a remote command execution flaw, assigned CVE-2019-12430, which exists in GitLab’s repository download feature. This affects GitLab CE/EE version 11.11 and could allow a malicious user to remotely run commands by utilising the repository download feature.
Second on the list is CVE-2019-12432, which affects GitLab CE/EE 8.13 and later. GitLab has highlighted that this vulnerability could enable non-member users to subscribe to issue notifications and thereby read the titles of confidential issues through the unsubscription page.
The third flaw could allow restricted users to access the metadata of private milestones through the search API. Assigned CVE-2019-12431, this vulnerability could impact GitLab CE/EE 8.13 and later.
The fourth, assigned CVE-2019-12434, affects GitLab CE/EE 10.6 and could allow attackers to predict the URL slug of private projects, “through the contrast of the destination URLs of issues linked in comments.”
Meanwhile, the fifth bug could disclose metadata of confidential issues including labels and status to restricted users. This flaw impacts CE/EE 11.9 and is assigned CVE-2019-12429.
Another security flaw could allow users to circumvent the compulsory external authentication provider sign-in restrictions. The issue affects CE/EE 6.8 and later and has been assigned CVE-2019-12428.
Indexed as CVE-2019-12433, this vulnerability could result in multiple permission issues by allowing the creation of internal projects in private groups. This flaw impacts CE/EE 11.7 and later.
Alongside the sign-in restriction bypass and the internal-project flaw described above, the upgraded versions also rectify stored cross-site scripting in Wiki Pages and in Notes.
In addition, GitLab has revealed it has upgraded Knative to version 0.5 for the GitLab 11.11, 11.10 and 11.9 packages. This new release also contains several vulnerability fixes.