GitLab 11.6.1, 11.5.6, and 11.4.13 are now available and fix a number of security vulnerabilities affecting versions as far back as 8.0; an upgrade is strongly recommended.
One of the vulnerabilities can result in the exposure of source code belonging to projects whose repositories are meant to be accessible to team members only. It was traced to a missing authorization control and affects users of Community and Enterprise Edition versions 8.17 and later.
A separate improper access control issue affects those running version 8.0 or later. It concerns the todos component and can allow attackers to gain access to confidential issues or merge requests.
The upgrades also mitigate a server-side request forgery (SSRF) issue in the repository mirroring feature. Because the fix blocks mirroring repositories from, or importing projects within, the same network by default, administrators who still need this behaviour must update their outbound request settings after installing the update.
In addition, the new versions are said to fix the disclosure of CI job tokens, job information and secret CI variables under certain circumstances, as well as several persistent cross-site scripting (XSS) issues. Developers and operations staff using Prometheus with GitLab should look into upgrading in particular, since the alert endpoint lacked authentication and the update helps prevent falsely generated notifications.
Details on the vulnerabilities mentioned are expected to be published on GitLab's issue tracker in late January.