Repository management platform GitLab has released versions 12.8.2, 12.7.7, and 12.6.8 of its Community and Enterprise offerings, remediating a number of security issues ranging from SSRF, DoS and XSS risks to good old privilege violations.
Upgrading to one of the new releases is strongly recommended – not least, because some issues affect all previous GitLab versions.
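To turn the upgrade advice into a check, here is an added example (not GitLab's own code) that classifies an installed version against the three fixed releases named above. It assumes versions arrive as "MAJOR.MINOR.PATCH" strings, optionally with a "-ee"/"-ce" suffix as GitLab reports them, and treats lines newer than 12.8 as released after the fix.

```python
# Added example, not GitLab's code: decide whether an installed GitLab version
# carries the fixes from the 12.8.2 / 12.7.7 / 12.6.8 security release.
# Assumption: versions are "MAJOR.MINOR.PATCH" strings, optionally suffixed
# with "-ee" or "-ce" (the form shown in the admin area and GET /api/v4/version).
from typing import Tuple

# Fixed releases named in the advisory, keyed by release line.
FIXED_RELEASES = {
    (12, 8): (12, 8, 2),
    (12, 7): (12, 7, 7),
    (12, 6): (12, 6, 8),
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH', ignoring any '-ee' / '-ce' suffix."""
    core = text.strip().split("-")[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def assess(version: str) -> str:
    """Return 'patched', 'upgrade-to-<fixed>' or 'unsupported-line'.

    - On a line with a fixed release (12.6, 12.7, 12.8): patched only if the
      installed patch level is at or above that line's fix.
    - Newer than 12.8.2 (assumption: released after the fix): patched.
    - Older than 12.6: the advisory says some issues affect all previous
      versions and no fixed release exists on that line, so upgrade to a
      supported line.
    """
    v = parse_version(version)
    line = (v[0], v[1])
    if line in FIXED_RELEASES:
        fixed = FIXED_RELEASES[line]
        if v >= fixed:
            return "patched"
        return "upgrade-to-%d.%d.%d" % fixed
    if v > max(FIXED_RELEASES.values()):
        return "patched"
    return "unsupported-line"


if __name__ == "__main__":
    # Constructed sample inputs, one per outcome.
    for sample in ("12.8.1", "12.8.2-ee", "12.7.6", "12.6.8", "12.5.9", "12.9.0"):
        print(sample, "->", assess(sample))
```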
Among other things, the new versions fix endpoint vulnerabilities that could let attackers perform directory traversal to read arbitrary files, or expose private project namespaces. The update also helps to prevent account takeovers through expired links, as well as cross-site scripting attacks via merge request pages, MR submission forms, and particular Grafana or file type-related views.
While these vulnerabilities were all reported from outside GitLab, internal investigations revealed, for example, a server-side request forgery risk stemming from a deprecated service. The issue dates back as far as GitLab EE 3.0 and has been mitigated in this release.
Meanwhile, all previous versions suffered from a bug that could be used to access foreign LFS objects through the LFS import process, and another that could lead to IP address exposure, which should be reason enough to look into the new releases.
The GitLab team also discovered that a “particular error header was potentially susceptible to injection or potentially other vulnerabilities via unescaped input”, which versions 12.8.2, 12.7.7 and 12.6.8 should put an end to. Apart from that, a hiccup that meant project authorisation changes weren’t always applied was fixed, and vulnerabilities allowing users to skip the configuration of two-factor authentication, or to try their hand at denial of service attacks via permission checks, were taken care of.
A complete list of changes can be found in a blog post detailing the security update.