GitLab has pushed out versions 12.1.6, 12.0.6, and 11.11.8 of the repository management project, fixing three critical security flaws.
CVE-2019-14944 is the vulnerability potentially affecting the most users, since it concerns every release back to GitLab CE/EE 10.0. Because Gitaly, the service that handles GitLab's Git calls, did not sanitise its parameters properly, an attacker could escalate privileges and execute code remotely. Given the severity, an upgrade is strongly recommended.
The second security problem is down to insecure cookie handling in GitLab Pages. CVE-2019-14942 exposes users to man-in-the-middle attacks, since under certain conditions authentication cookies could be sent over plain HTTP rather than only over TLS-protected connections. The vulnerability was discovered internally and affects versions 11.5 and later.
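The practical check for this class of bug is whether the Set-Cookie headers a Pages site returns carry the Secure flag, which is what keeps a browser from sending the cookie over plain HTTP. The following Go snippet is an added example, not GitLab's or GitLab Pages' own code: it parses a raw HTTP response and reports cookies that lack the Secure or HttpOnly flag. The response text and the cookie names in it are constructed for the example and do not reflect the real cookie names Pages uses.

```go
package main

import (
	"bufio"
	"fmt"
	"net/http"
	"strings"
)

// Finding records a cookie whose attributes allow insecure handling.
type Finding struct {
	Name   string
	Issues []string
}

// SampleResponse is a constructed HTTP response (not captured from a real
// GitLab Pages site) with one cookie lacking Secure and one set correctly.
const SampleResponse = "HTTP/1.1 302 Found\r\n" +
	"Location: https://example.test/\r\n" +
	"Set-Cookie: pages_session=abc123; Path=/; HttpOnly\r\n" +
	"Set-Cookie: _pages_auth=def456; Path=/; Secure; HttpOnly\r\n" +
	"Content-Length: 0\r\n" +
	"\r\n"

// AuditSetCookie parses the Set-Cookie headers of a raw HTTP response and
// returns one Finding per cookie that is missing the Secure flag (so a
// browser may send it over plain HTTP, the CVE-2019-14942 failure mode)
// or the HttpOnly flag (so page scripts can read it).
func AuditSetCookie(rawResponse string) ([]Finding, error) {
	resp, err := http.ReadResponse(bufio.NewReader(strings.NewReader(rawResponse)), nil)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()

	var findings []Finding
	// resp.Cookies() applies the standard library's Set-Cookie parser, which
	// populates the Secure and HttpOnly fields from the attribute list.
	for _, c := range resp.Cookies() {
		var issues []string
		if !c.Secure {
			issues = append(issues, "missing Secure: cookie may be sent over plain HTTP")
		}
		if !c.HttpOnly {
			issues = append(issues, "missing HttpOnly: readable by page scripts")
		}
		if len(issues) > 0 {
			findings = append(findings, Finding{Name: c.Name, Issues: issues})
		}
	}
	return findings, nil
}

func main() {
	findings, err := AuditSetCookie(SampleResponse)
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	for _, f := range findings {
		fmt.Printf("cookie %q: %s\n", f.Name, strings.Join(f.Issues, "; "))
	}
}
```

To run this against a live site, capture the response with `curl -si https://<pages-host>/` and pass the text to AuditSetCookie; any cookie reported as missing Secure is one a network attacker can observe the moment the browser follows a plain-HTTP link to the same host.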
Hard-coded admin credentials are seldom a good idea, which is why the new versions disable them, along with basic authentication, by default in the bundled Grafana instance. That change makes GitLab SSO the only accepted login method and reduces the chance of a malicious user reaching internal resources through the Grafana dashboard. The issue has been assigned CVE-2019-14943 and affects GitLab CE/EE 12.0 and all later versions.
As usual with these releases, GitLab will publish further vulnerability details on its issue tracker in about a month's time.