The team behind repository management system cum DevOps platform GitLab has released versions 12.5.1, 12.4.4, and 12.3.7 for GitLab Community Edition (CE) and Enterprise Edition (EE) to fix a variety of security issues that mostly affect enterprise users.
Vulnerabilities tackled in the releases range from potential privilege escalation to server-side request forgery to disclosure of private information, so upgrading is strongly recommended, or at least disabling the Elasticsearch integration.
That integration has been found to contain bugs that disclose private notes or comments on restricted public projects via the API of the Group Search feature, affecting GitLab EE 8.17 and later. Another vulnerability in certain integrations allowed guest members to view branch names and commit messages. Private project data such as issues and merge requests could also be obtained through the project import feature in GitLab EE 8.90 and later.
Users of GitLab EE 9.0 who combine the tool with AWS might want to look into the new release, since certain admin pages potentially disclosed secret keys for the cloud provider in plain text.
Other remediations are available for a bug that could be exploited to perform DNS rebind SSRF attacks through particular chat notifications as well as an issue with improper parameter sanitisation for the Maven package registry. Through this, attackers could escalate privileges and remotely execute code. In another case, improper sanitisation could have resulted in a stored cross-site scripting vulnerability.
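The DNS rebind SSRF mentioned above is a class of bug where a user-supplied notification URL resolves to a public address when it is validated and to an internal one when it is actually fetched. The standard defence is to resolve once, reject any non-public answer, and connect to the pinned address rather than re-resolving the name. The check below is an added illustration written for this article, not GitLab's own code; the function names and the injectable `resolver` parameter are assumptions, and the system resolver is only used when no resolver is supplied, so the tests run offline.

```python
import ipaddress
import socket
from typing import Callable, List, Optional
from urllib.parse import urlparse

# Constructed example: validation a notification/webhook sender can apply to a
# user-supplied URL before fetching it. Helper names are hypothetical.

Resolver = Callable[[str], List[str]]


def is_public_address(ip: str) -> bool:
    """True only for globally routable unicast addresses.

    Loopback, RFC 1918, link-local (incl. cloud metadata 169.254.169.254),
    multicast and IPv4-mapped IPv6 forms of those ranges are all rejected.
    """
    addr = ipaddress.ip_address(ip)
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.1) so the IPv4 rules apply.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    return addr.is_global and not addr.is_multicast


def system_resolver(host: str) -> List[str]:
    """Default resolver: every A/AAAA answer the OS returns for host."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def resolve_and_pin(url: str, resolver: Optional[Resolver] = None) -> str:
    """Resolve the URL's host once and return the single address to connect to.

    Every answer must be public; a mixed answer set (one public, one internal)
    is refused outright, because an attacker controls which one a later lookup
    would return. The caller then opens the socket to the returned IP and sets
    the Host header from the URL, so the name is never resolved a second time.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        raise ValueError("only http(s) URLs with a host are allowed")
    host = parsed.hostname
    addresses = (resolver or system_resolver)(host)
    if not addresses:
        raise ValueError(f"{host} did not resolve")
    bad = [a for a in addresses if not is_public_address(a)]
    if bad:
        raise ValueError(f"{host} resolves to non-public address(es): {bad}")
    return addresses[0]


def is_safe_target(url: str, resolver: Optional[Resolver] = None) -> bool:
    """Boolean wrapper around resolve_and_pin for policy checks."""
    try:
        resolve_and_pin(url, resolver)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed resolver answers standing in for real DNS.
    honest = lambda host: ["8.8.4.4"]
    rebinding = lambda host: ["8.8.4.4", "127.0.0.1"]
    print(is_safe_target("https://hooks.example.test/notify", honest))     # True
    print(is_safe_target("https://hooks.example.test/notify", rebinding))  # False
```

Pinning the address only helps if the HTTP client actually uses it; with most libraries that means connecting to the IP literal and supplying the original hostname for the `Host` header and TLS SNI, otherwise the client re-resolves and the check is bypassed.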
While these issues mainly concern enterprise customers, CE users should consider updating as well, since all previous GitLab versions include a vulnerability that allows guests and non-members to see branch names under certain circumstances. Another one potentially lets former project members access repositories from which they have been removed.
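Since the fixes shipped on three release branches at once, checking whether an installed GitLab is patched means comparing against the fixed release of its own branch, not against the highest version number. The script below is an added example for this article, not a GitLab tool; it encodes the three fixed versions named above, strips the `-ee`/`-ce` suffix GitLab appends, and treats branches older than 12.3 as unpatched. That a branch newer than 12.5 carries the fixes is an assumption of the example.

```python
from typing import Tuple

# Fixed releases from the advisory, keyed by (major, minor) branch.
FIXED_VERSIONS = {
    (12, 5): (12, 5, 1),
    (12, 4): (12, 4, 4),
    (12, 3): (12, 3, 7),
}

# Oldest branch that received a fix; anything older gets no patch release.
OLDEST_FIXED_BRANCH = min(FIXED_VERSIONS)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '12.5.1-ee' or '12.4.4' into a comparable integer tuple."""
    core = version.strip().split("-", 1)[0]   # drop the -ee / -ce edition tag
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_patched(version: str) -> bool:
    """True if the given GitLab version includes the fixes from these releases."""
    v = parse_version(version)
    branch = v[:2]
    fixed = FIXED_VERSIONS.get(branch)
    if fixed is not None:
        return v >= fixed                      # same branch: compare patch level
    if branch < OLDEST_FIXED_BRANCH:
        return False                           # 12.2 and earlier: no fix exists
    return True  # Assumption: later branches ship with these fixes included


if __name__ == "__main__":
    # Constructed sample of versions an inventory might report.
    for ver in ["12.5.0-ee", "12.5.1-ee", "12.4.4-ce", "12.3.6-ee", "12.2.9-ce"]:
        status = "patched" if is_patched(ver) else "UPGRADE"
        print(f"{ver:12} {status}")
```

In practice the version string comes from the `/api/v4/version` endpoint or the admin dashboard; feeding a fleet of those strings through `is_patched` gives a quick list of instances that still need one of the three releases.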