GitLab has shot out a trio of Security releases for its Community and Enterprise Editions, taking aim at a long list of vulnerabilities in its code management platform.
Versions 11.7.3, 11.6.8, and 11.5.10 “contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.”
The fixes address no less than 26 different issues, ranging across various versions of the GitLab platform, and come just a week after the vendor’s last platform update.
Top of the list is a Remote Command Execution via GitLab Pages, thanks to a directory traversal vulnerability. That should be fixed by upgrading to the latest release.
Second on the list is a covert redirect which could allow a malefactor to steal GitHub or Bitbucket tokens, when installations use GitHub or Bitbucket OAuth integrations. Updating should fix the issue, though some extra tweaking of callback URLs might also be necessary.
The updates disable Gitv2 in GitLab, after it emerged that “A Gitv2 feature used to hide certain internal references does not function correctly, and can reveal hidden refs. This release disables Gitv2 in GitLab until the problem is resolved.”
A series of other issues appear to centre on guests being able to view things they really shouldn’t, such as viewing lists of group merge requests, or last commit status. Likewise, another vuln sent emails to unauthorised users. It was also possible to use a profile name to inject a potentially malicious link into notification emails.
All of which is bad enough, but what could be worse that unauthorised reaction emojis by guest users, on comments they couldn’t even see. Yep, that was a thing too in CE/EE 8.9 and later. Thankfully the vendor has brought random reaction emojis under control with the update.
You can see GitLab’s entire list of vulnerabilities here.