GitLab has strongly recommended users upgrade to its just released latest versions, which fix a potentially very unlucky list of 13 vulnerabilities.
The updates are versions 11.11.1, 11.10.5, and 11.9.12 for GitLab Community Edition (CE) and Enterprise Edition (EE).
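A branch-aware check of a running GitLab version against the three fixed releases named above, added here as an example (it is not GitLab's own code); the version strings and the `assess` helper are this example's own assumptions.

```python
# Added example: decide whether a GitLab version is covered by the
# 11.11.1 / 11.10.5 / 11.9.12 security release. Not GitLab's code.
from typing import Tuple

# Patched release on each supported minor branch, as named in the article.
FIXED = {
    (11, 11): (11, 11, 1),
    (11, 10): (11, 10, 5),
    (11, 9): (11, 9, 12),
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH'; a trailing '-ee' style suffix is ignored."""
    core = text.strip().split("-")[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a MAJOR.MINOR.PATCH version: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def assess(version: str) -> str:
    """Return 'patched', 'vulnerable', 'unsupported' or 'unknown'.

    The comparison is per branch: 11.11.0 is newer than 11.10.5 but still
    lacks the fix, because each branch received its own patched release.
    Branches older than 11.9 got no fix here and are reported as
    'unsupported'; versions newer than 11.11 are outside this advisory.
    """
    major, minor, patch = parse_version(version)
    fixed = FIXED.get((major, minor))
    if fixed is None:
        if (major, minor) > max(FIXED):
            return "unknown"
        return "unsupported"
    return "patched" if (major, minor, patch) >= fixed else "vulnerable"


if __name__ == "__main__":
    # Constructed sample inputs, not observed instances.
    for v in ("11.11.0", "11.11.1-ee", "11.10.4", "11.9.12", "11.8.3"):
        print(v, assess(v))
```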
Full details of the vulnerabilities will be released a month from now, but yesterday’s release provides a distinct flavour of what they encompass.
Top of the list is a remote command execution vulnerability in GitLab’s repository download feature. This affected v11.11 of both GitLab’s Community and Enterprise Editions: a specially crafted payload could have allowed an authenticated malicious user to execute commands remotely.
Meanwhile, another vulnerability in versions 8.13 and later meant that non-member users who subscribed to issue notifications could access the titles of confidential issues through the unsubscription page. A third bug meant restricted users could also access the metadata of private milestones through the search API.
Fourth up, a bug in v10.6 and later could let malefactors work out the URL slugs of private projects, “through the contrast of the destination URLs of issues linked in comments.”
And a fifth flaw means metadata for confidential issues, including labels, status and merge request counts, could be exposed to restricted users via the milestone details page. This affected v11.9 and later.
Other flaws allowed users to bypass the mandatory external authentication provider sign-in restrictions, or to create internal projects in private groups. A pair of bugs allowed stored cross-site scripting in Wiki Pages and in Notes, respectively.
And if that’s not enough to be going on with, GitLab adds that Knative was upgraded to version 0.5 for the GitLab 11.11, 11.10 and 11.9 packages. This Knative release contains several security fixes.