Repository management provider GitLab has pushed out critical security releases 12.9.3, 12.8.9, and 12.7.9, remediating issues with GitLab Workhorse, access control, and token logging.
The main vulnerabilities tackled in the new versions are linked to GitLab Workhorse, the company’s reverse proxy for handling large HTTP requests. The now mitigated issues could be used to override restrictions via a particular header, leading to a disclosure of NuGet packages, files, and job artifact uploads in the /tmp directory.
Both problems were uncovered during internal investigations and affect GitLab EE 12.8.0 and later, and versions newer than EE/CE 10.7.0 respectively. GitLab “strongly recommends” users to update to one of the new versions as soon as possible.
Investigations also revealed that GitLab’s Git RPC service Gitaly had a way of logging tokens of optional reverse proxy Praefect since the Omnibus 12.3 release. This was put to an end in the new versions.
Another mitigated issue has been around since GitLab EE/CE 8.15 and meant that “members of a group could still have access after a group is deleted”.
Apart from that, the new versions also include updated Rack and OpenSSL dependencies. While the Rack upgrade fixes an information leak vulnerability that could be used to hijack sessions, the new OpenSSL version mainly clarifies some behaviours.
Details can be found via the release announcement, though users will have to wait at least for the usual 30 days before more information on the vulns will be published.