GitLab security update – API flaw could have exposed private events


GitLab released a slew of security updates yesterday, hard on the heels of the announcement of a vulnerability that could have exposed confidential details on public projects.

The code repo and DevOps platform said the bug in GitLab’s Events API code had been reported to it by HackerOne hacker ngalog on September 20. The bug was introduced last year, and returned private events – confidential issues, private merge requests, private milestones and more – related to projects that were marked as public.

GitLab added that the private events were only exposed via the API, and were filtered “as intended” by the UI.
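The article's description of the bug, a project-level visibility check that let an API path return confidential records the UI correctly hid, is the classic case of authorization enforced per presentation layer instead of in one shared policy. The following Ruby is an added illustration of that bug class, not GitLab's code; the project and event structs, the sample data and all function names are constructed for the example.

```ruby
# Added example, not GitLab's code. Shows the bug class the article describes:
# a project-level visibility check that ignores the per-record confidentiality
# flag, beside a single policy that both the UI and the API must go through.
Project = Struct.new(:id, :visibility, :member_ids, keyword_init: true)
Event   = Struct.new(:id, :project_id, :target_type, :confidential, keyword_init: true)

# Constructed sample data: one public project with a confidential issue and a
# private merge request, one private project, one member (user id 10).
PROJECTS = {
  1 => Project.new(id: 1, visibility: :public,  member_ids: [10]),
  2 => Project.new(id: 2, visibility: :private, member_ids: [10])
}.freeze

EVENTS = [
  Event.new(id: 100, project_id: 1, target_type: 'Issue',        confidential: false),
  Event.new(id: 101, project_id: 1, target_type: 'Issue',        confidential: true),
  Event.new(id: 102, project_id: 1, target_type: 'MergeRequest', confidential: true),
  Event.new(id: 103, project_id: 2, target_type: 'Issue',        confidential: false)
].freeze

# The bug pattern: the project is public, so every event in it is returned,
# including events on confidential records that non-members must not see.
def api_events_before(events, viewer_id, projects)
  events.select do |e|
    project = projects.fetch(e.project_id)
    project.visibility == :public || (viewer_id && project.member_ids.include?(viewer_id))
  end
end

# Single authorization policy: members see everything in their project;
# everyone else sees only non-confidential records of public projects.
def event_visible?(event, viewer_id, projects)
  project = projects.fetch(event.project_id)
  return true if viewer_id && project.member_ids.include?(viewer_id)
  project.visibility == :public && !event.confidential
end

def visible_events(events, viewer_id, projects)
  events.select { |e| event_visible?(e, viewer_id, projects) }
end

# Both presentation paths call visible_events, so the JSON API cannot return
# more than the HTML view shows, whichever one a reviewer happens to test.
def api_events_after(events, viewer_id, projects)
  visible_events(events, viewer_id, projects).map { |e| { id: e.id, target_type: e.target_type } }
end

def ui_events(events, viewer_id, projects)
  visible_events(events, viewer_id, projects).map { |e| "#{e.target_type} ##{e.id}" }
end
```

For an anonymous viewer, `api_events_before` returns events 100, 101 and 102 (the two confidential records leak), while `api_events_after` and `ui_events` both return only event 100; a member of project 1 and 2 sees all four either way. The regression test worth keeping is the one that asserts the API and UI filters agree for the same viewer.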

The flaw dates back to the GitLab 9.3 release of June 2017 and affected all versions of GitLab up to 11.3; it was mitigated with a hotfix deployed on September 21.

GitLab said: “While we don’t have any indication that the issue was ever misused, we are also unable to say with any certainty that it hasn’t been.”

Although the hotfix was deployed last month, the vulnerability is also listed in the latest batch of security releases for GitLab Community Edition and Enterprise Edition.

Other fixes address an SSRF vulnerability affecting GitLab CE and EE 10.2 and later, which would have allowed access to any URL reachable from the GitLab server, and a separate SSRF issue caused by a missing check for loopback addresses in the validate_localhost function.

There was also a trio of XSS issues, among other now-remediated vulnerabilities.

Full details of the vulns and the fixes are here.