GitLab pushes out more security fixes

GitLab has released important security fixes in versions 12.3.2, 12.2.6, and 12.1.12 of GitLab Community Edition (CE) and Enterprise Edition (EE), just a week after the release of GitLab 12.3.

The slew of security fixes cover a range of discovered vulnerabilities in the developer platform and Git-repository manager, and as usual the company strongly recommends that users update their GitLab installations to one of these versions as soon as possible.

One such issue is a cross-site scripting (XSS) vulnerability in markdown preview using the Mermaid plugin. The Mermaid plugin was previously updated in 12.2 and 12.3, but the issue is now mitigated in the latest release, according to GitLab.

A separate issue with uncontrolled resource consumption in markdown using Mermaid has also been fixed. Here, markdown fields were found to have an input validation issue that might result in a denial of service of the affected page.

Another issue addressed is with the Salesforce login integration feature, introduced earlier this year. This flaw could have been exploited by an attacker to create an account that bypassed domain restrictions and email verification requirements. The issue is also now mitigated in the latest release.

Equally serious is an issue with the GitLab SAML integration that would have permitted an attacker to take over another user’s account.

Other fixes address inadvertent disclosure issues. One occurs when a project is moved from private to public; the associated private labels and the private project namespace were found to be disclosed through the GitLab API.

Another concerns the disclosure of a project path via an unsubscribe link. This applies where a private project's path was previously public; that path would be disclosed in the unsubscribe email link of issues and merge requests.

GitLab said it has also patched the Grafana analytics and monitoring tool included in the GitLab Omnibus package against CVE-2018-19039.