GitLab has moved to plug a whole stack of vulnerabilities in its code management/DevOps platform, advising customers to upgrade to the latest versions “immediately”.
The fixes come in just released versions 12.1.2, 12.0.4 and 11.11.7 for its Community and Enterprise Editions, and encompass no less than 14 different issues.
Top of the list – from GitLab’s point of view anyway – is a GitHub integration SSRF (server side request forger) issue, “which could result in an attacker being able to make arbitrary POST requests in a GitLab instance’s internal network.”
Meanwhile, a flawed DNS rebinding protection issue was discovered in url_blocker.rb, which could also result in an SSRF when the library is utilized.
GitLab also flagged up a trigger token impersonation issue, which happens when trigger tokens are not rotated when their ownership changes. This affects versions all the way back to 9.0. Another authorization issue has been uncovered in the “CI badge images endpoint which could result in disclosure of the build status”. This affects all versions.
Other issues include flaws that could enable disclose vulnerability feedback in the security dashboard, and an input validation and output encoding issue in GitLab’s email notification that would result in a persistent XSS. The full list of issues, and links to update versions, can be found here.
Meanwhile, it seems that GitLab has beaten longtime rival GitHub to the punch when it comes to cutting off countries subject to US sanctions.
It emerged last week that GitHub was shutting down access to Devs in a number of countries subject to trade restrictions by the US government. The issue came to light after a developer in Crimea – which was annexed by Russia five years ago – found he could no longer access his repos.
We asked GitLab if it would be following a similar path, but it declined to comment. However, it seems users in Crimea, Cuba, Iran, North Korea, Sudan and Syria, were frozen out a year ago, as the company completed its migration to Google. At the time it said, “Google has informed us that there are legal restrictions that are imposed for those countries…At this time, we can only recommend that you download your code or export relevant projects as a backup.”