GitLab finds integration issues, pushes security fixes

By Julia Schmidt
-
GitLab finds integration issues, pushes security fixes

The team behind repository management system cum DevOps platform GitLab has released versions 12.5.1, 12.4.4, and 12.3.7 for GitLab Community Edition (CE) and Enterprise Edition (EE) to fix a variety of security issues that mostly affect enterprise users. 

Vulnerabilities tackled in the releases range from potential privilege escalation to server-side request forgery to disclosure of private information, so upgrading is strongly recommended. Or at least disabling Elasticsearch.

The integration for the latter has been discovered to contain bugs that disclose private notes or comments on restricted public projects via the API of the Group Search feature, which affects GitLab EE 8.17 and later. Another vulnerability in certain integrations allowed guest members to view branch names and commit messages. Private project data such as issues and merge requests could also be obtained through the project import feature in GitLab EE 8.90 and later.

Users of GitLab EE 9.0 who combine the tool with AWS might want to look into the new release, since certain admin pages potentially disclosed secret keys for the cloud provider in plain text.

Other remediations are available for a bug that could be exploited to perform DNS rebind SSRF attacks through particular chat notifications as well as an issue with improper parameter sanitisation for the Maven package registry. Through this, attackers could escalate privileges and remotely execute code. In another case, improper sanitisation could have resulted in a stored cross-site scripting vulnerability.

While these issues are meant to mainly concern enterprise customers, CE users should think about updating as well, since all previous GitLab versions include a vulnerability that allows guests and non-members to see branch names under certain circumstances. Another one potentially lets former project members access repositories from which they have been removed.

Additional information and CVE entries can be found in the official announcement. The bugfix update comes only days after the release of GitLab 12.5.

AWS combines "building block" blueprints with CodeCatalyst for rapid project creation including DevO...
Atlassian takes another step toward full DevOps automation
GitHub autofix progresses to public beta: insecure code corrected with AI, but only for enterprise
Secret leakage in public GitHub repositories increasing, claims new report
Test launch of TEA open source reward project clouded by repository spam attack 
From Docker to Dagger: Solomon Hykes on modernisation of the DevOps pipeline
Enterprises struggle with Agile methodology, reports long-standing survey of practitioners
Spotlight on GitHub self-hosted runners again as researcher demonstrates attack on PyTorch code
PyPy moves from Mercurial, says 'open source has become synonymous with GitHub'
Where next for Jamstack? Netlify survey avoids the word, highlights rise of Astro
Docker buys AtomicJar to integrate container-based test automation
AWS promotes cell-based architecture for 'resilience at scale'