GitLab keeps squashing security vulns from days of old
GitLab has released security fixes for a couple of serious vulnerabilities, strongly advising all users to upgrade to versions 12.7.4, 12.6.6, or 12.5.9, since some seem to reach way back.

The project, once a repository manager and now a DevOps platform, was informed, for example, about a bug in the File API that could result in a cross-site scripting vulnerability and appears to have been present since the very first GitLab version. The same applies to an issue caused by the improper application of authorisation checks, which could lead to the disclosure of source code to non-members.

More seriously, a path traversal vulnerability was introduced in GitLab EE 11.11 which, when combined with another issue, allowed attackers to access files and user data.

The list goes on: user permissions were not validated in the ProjectExportWorker since EE 8.9, a certain API endpoint offered a way of bypassing email verification requirements since EE 12.0, and a Denial of Service opportunity via AsciiDoc has existed since EE 12.6.

Apart from those already mentioned, versions 12.7.4, 12.6.6, and 12.5.9 also fix an XSS vulnerability in the create groups functionality that has been around since EE 11.0.

Starting from GitLab EE 8.0, unexpired Todos could be used to disclose issues and merge requests; this is also taken care of in the new release, as is an issue introduced in EE 8.8 that allowed the pipeline status of protected branches to be changed.

A complete list of the vulns mitigated in the new release can be found in the blog post accompanying it. The release is the third security-focused one of the year, with the last minor release (12.7) having been available since late January.