GitLab plugs 14 vulnerabilities in latest security release, beat GitHub in cutting off Crimea et al

By Team Devclass
-
GitLab plugs 14 vulnerabilities in latest security release, beat GitHub in cutting off Crimea et al
Gitlab Logo

GitLab has moved to plug a whole stack of vulnerabilities in its code management/DevOps platform, advising customers to upgrade to the latest versions “immediately”.

The fixes come in just released versions 12.1.2, 12.0.4 and 11.11.7 for its Community and Enterprise Editions, and encompass no less than 14 different issues.

Top of the list – from GitLab’s point of view anyway – is a GitHub integration SSRF (server side request forger) issue, “which could result in an attacker being able to make arbitrary POST requests in a GitLab instance’s internal network.”

Meanwhile, a flawed DNS rebinding protection issue was discovered in url_blocker.rb, which could also result in an SSRF when the library is utilized.

GitLab also flagged up a trigger token impersonation issue, which happens when trigger tokens are not rotated when their ownership changes. This affects versions all the way back to 9.0. Another authorization issue has been uncovered in the “CI badge images endpoint which could result in disclosure of the build status”. This affects all versions.

Other issues include flaws that could enable disclose vulnerability feedback in the security dashboard, and an input validation and output encoding issue in GitLab’s email notification that would result in a persistent XSS. The full list of issues, and links to update versions, can be found here.

Meanwhile, it seems that GitLab has beaten longtime rival GitHub to the punch when it comes to cutting off countries subject to US sanctions.

It emerged last week that GitHub was shutting down access to Devs in a number of countries subject to trade restrictions by the US government. The issue came to light after a developer in Crimea – which was annexed by Russia five years ago – found he could no longer access his repos.

We asked GitLab if it would be following a similar path, but it declined to comment. However, it seems users in Crimea, Cuba, Iran, North Korea, Sudan and Syria, were frozen out a year ago, as the company completed its migration to Google. At the time it said, “Google has informed us that there are legal restrictions that are imposed for those countries…At this time, we can only recommend that you download your code or export relevant projects as a backup.”

AWS combines "building block" blueprints with CodeCatalyst for rapid project creation including DevO...
Atlassian takes another step toward full DevOps automation
GitHub autofix progresses to public beta: insecure code corrected with AI, but only for enterprise
Secret leakage in public GitHub repositories increasing, claims new report
Test launch of TEA open source reward project clouded by repository spam attack 
From Docker to Dagger: Solomon Hykes on modernisation of the DevOps pipeline
Docker introduces Build Cloud for accelerated local development
Enterprises struggle with Agile methodology, reports long-standing survey of practitioners
Spotlight on GitHub self-hosted runners again as researcher demonstrates attack on PyTorch code
PyPy moves from Mercurial, says 'open source has become synonymous with GitHub'
Where next for Jamstack? Netlify survey avoids the word, highlights rise of Astro
Docker buys AtomicJar to integrate container-based test automation