Patch me if you can: GitLab urges users to update for ‘important’ trio of security fixes

Repository management cum DevOps platform GitLab has urged users to update their installations after revealing vulns which include one that allows attackers to “use a malicious NuGet package to read any *.nupkg file on the system” on its enterprise versions newer than 12.8.

The fixes are contained in freshly emitted versions 12.10.2, 12.9.5, 12.8.10 for GitLab Community Edition (CE) and Enterprise Edition (EE).

Even though the word severe doesn’t make an appearance in this security announcement, GitLab “strongly recommends” that users of all affected versions upgrade to a newer one, which should keep them from accidentally revealing secrets and similar mishaps.

In addition to the “use a malicious NuGet package to read any *.nupkg file on the system” issue in GitLab EE versions newer than 12.8 (assigned CVE-2020-12448), version 12.8 and later (CE and EE) were also exposed to a vulnerability (CVE-2020-10187) that lets users retrieve OAuth application client secrets after authorization has taken place.

Another possible access violation issue can be found in GitLab EE/CE 11.5 and later. The now-fixed bug could be utilised to bypass GitLab Workhorse and read files in “certain specific paths on the server”. Meanwhile, GitLab EE 12.6 and later as well as 12.9 and its successors contain vulnerabilities that could be used to skip a code owner’s approval of changes, so updating really sounds like a sensible idea.

Apart from that, versions 12.10.2, 12.9.5 and 12.8.10 also correct some issues that could have been used to make the admin audit page inaccessible, and to gain knowledge of passwords to repository mirrors, personal access tokens, as well as private project IDs.

The GitHub rival said more details would become available in about 30 days.