GitLab magically plugs vulnerabilities that could trick, impersonate users


GitLab has pushed out security releases across its Enterprise and Community editions, which the vendor says contain a number of important security fixes.

The releases 11.8.1, 11.7.6 and 11.6.10 cover no fewer than 18 updates addressing a wide range of vulnerabilities. Needless to say, the company recommends that all installations be upgraded to one of these versions immediately.

This month’s updates are presented in alphabetical order, but let’s examine a few highlights.

A vulnerability in the npm automatic package references could lead to users being tricked into “installing and executing a malicious package from the npm registry.”

Meanwhile, the impersonate user feature apparently contained a vulnerability which could allow the user being impersonated to escalate privileges.

A brace of flaws in GitLab’s integrations with other products or services have also been listed.

GitLab’s Kubernetes integration had an issue which meant attackers were afforded the opportunity to overwrite an existing Kubernetes cluster with their own. This has been mitigated in the latest release.

And the Prometheus integration was vulnerable to an SSRF which could have given access to internal services.

GitLab also revealed that “The logic to move snippets contained a path traversal vulnerability which is currently resulting in a denial of service but could result in data exposure.”
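The advisory does not describe how the snippet-move path traversal arose, so the following is a generic illustration of the defensive check such a code path needs, written here as an added example in Ruby (GitLab's own language) and not taken from GitLab's code. The root directory, the `safe_join` and `escapes_root?` names, and the sample paths are all constructed for the example; the guard normalises `..` segments and then requires the result to still sit under the root before any filesystem operation is attempted.

```ruby
require 'pathname'

# Raised when a user-supplied path would resolve outside the permitted root.
class PathTraversalError < StandardError; end

# Resolve +relative+ (untrusted, e.g. a destination chosen by the user when
# moving a snippet) against +root+ (trusted, server-controlled) and return the
# absolute target path. Raises PathTraversalError if the normalised result
# escapes +root+. Purely string-based: it does not touch the filesystem, so it
# does not follow symlinks; a deployment that allows symlinks under the root
# would additionally need a realpath check once the target exists.
def safe_join(root, relative)
  raise PathTraversalError, 'path contains a NUL byte' if relative.include?("\0")
  raise PathTraversalError, 'absolute paths are not allowed' if Pathname.new(relative).absolute?

  root_path = Pathname.new(root).expand_path
  # Pathname#+ collapses "." and ".." components, so "a/../../etc" against
  # "/srv/snippets" becomes "/srv/etc" rather than a literal "../" string.
  target = (root_path + relative).expand_path

  inside = target == root_path ||
           target.to_s.start_with?(root_path.to_s + File::SEPARATOR)
  raise PathTraversalError, "path escapes root: #{relative}" unless inside

  target.to_s
end

# Convenience predicate for logging or tests: true when the path would escape.
def escapes_root?(root, relative)
  safe_join(root, relative)
  false
rescue PathTraversalError
  true
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs; the root directory need not exist.
  root = '/srv/snippets'
  ['42/notes.txt', '42/../43/a.rb', '../../etc/passwd', '/etc/passwd'].each do |p|
    verdict = escapes_root?(root, p) ? 'REJECT' : "ok -> #{safe_join(root, p)}"
    puts "#{p.inspect}: #{verdict}"
  end
end
```

The check compares the normalised target against the root with a trailing separator so that a sibling directory such as `/srv/snippets-old` is not mistaken for a child of `/srv/snippets`.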

Apart from these, the vulnerability list spans a range of flaws that could have inadvertently disclosed information on projects to unauthorised users or outsiders.

Details of the vulnerabilities will be made public in about a month’s time, in line with GitLab’s usual practice.

GitLab v11.8 hit the streets just over a week ago. One of the highlights from the vendor’s point of view was the extension of Static Application Security Testing to JavaScript.