GitLab updates fix 22 vulnerabilities, including two it missed last time around…

Gitlab Logo
Gitlab Logo

GitLab has recommended users update “immediately” to a trio of revamped versions which fix over a score of vulnerabilities in its platform

The updates – v12.2.3, v12.1.8 and v12.0.8 – apply to its Community and Enterprise editions, and were released yesterday.

Top of GitLab’s list is a Kubernetes Integration Server-Side Request Forgery issue, which could allow an attacker to “request any local network resource accessible from the GitLab server.” The vulnerability affects GitLab 10.1 and all subsequent versions.

Second up, “An internal review determined that the Jira integration contains a SSRF vulnerability as a result of a bypass of the current protection mechanisms against this type of attack.” This could have allowed requests to any resources accessible in the local network. The issue affects versions 8.14 and later.


The firm also promises “improved protection against credential stuffing attacks”, with the addition of a reCaptcha challenge option when certain failed login attempts conditions are met. If you want to delight your users with this feature, it can be enabled via the Admin Area.

Meanwhile, the firm has disclosed that “particular mathematic expressions in GitLab Markdown can exhaust client resources”, and this has now been mitigated. However, “Merge Requests, Issues, Wiki Pages, and other areas with GitLab Markdown containing lots of math formulae or long formulae may need to be split up”.

Other issues fixed in the latest updates include an unintentional pipeline status disclosure from an internal end point. Another pesky endpoint, “unintentionally allowed group maintainers to view and edit group runner settings.”

And, finally, it was discovered that “Two previous Gitaly SSRF fixes were mistakenly not included in GitLab 12.2” but are fixed in the just released versions. Which just shows, the fight for security never ends, even when you think it has.

The full list of vulnerabilities is available here.

- Advertisement -