Historic vulns found: GitLab pushes out first security release of the 13.x series

By Julia Schmidt
-
Historic vulns found: GitLab pushes out first security release of the 13.x series
Gitlab Logo

With newly found XSS vulnerabilities affecting all prior GitLab EE versions, and user and notification email verification bypasses on the menu, GitLab users are strongly advised to make the jump to just released versions 13.0.1, 12.10.7, and 12.9.8.

In recent security releases enterprise users on newer versions tended to be the center of attention. Not this one, however, as this time the GitLab team (who just released v13 into the wild) came across issues affecting all previous versions. The first one tackled, for example, allows users to set an unverified email address as their notification email. 

The second issue seems a bit more severe because it can be used for denial of service attacks by uploading malicious artifacts and exhausting the platform’s memory. Central to the now mitigated issue is the project’s reverse proxy Workhorse, which was also part of a security flaw in the last security update. Another, an all versions-spanning vulnerability connected to the Repository Files API is restricted to the enterprise flavour and could lead to cross-site scripting attacks. 

This isn’t the only XSS vulnerability the release fixed, as GitLab was also informed about bugs in the static site editor and the metrics dashboards that could be used for such attacks. Both are mitigated in the recent versions. Users on versions newer than 12.0 can get rid of a DoS possibility on custom dashboards by updating their setups, those on 12.9 and later should look into the update to prevent client-side code injection via Mermaid payloads. 

GitLab 13.0.1, 12.10.7, and 12.9.8 also fixed an issue in CE/EE 12.5 and later, which lets users bypass the email verification process, and one in versions newer than 12.3 facilitating the use of OAuth Flow without email verification checks. Moreover, it prevents admins using Amazon EKS from accidentally disclosing their credentials to other administrators looking after the same GitLab instance, or Kubernetes cluster maintainers from sharing their cluster tokens.

If you now want to skip over to CVE and learn more about the severity of these new vulns, you still have to wait a bit, as CVE IDs for most of the issues haven’t been assigned yet. GitLab however promises to offer more details via its issue tracker in about a month, as is the norm for these releases.

AWS combines "building block" blueprints with CodeCatalyst for rapid project creation including DevO...
Atlassian takes another step toward full DevOps automation
GitHub autofix progresses to public beta: insecure code corrected with AI, but only for enterprise
Secret leakage in public GitHub repositories increasing, claims new report
Test launch of TEA open source reward project clouded by repository spam attack 
From Docker to Dagger: Solomon Hykes on modernisation of the DevOps pipeline
Enterprises struggle with Agile methodology, reports long-standing survey of practitioners
Spotlight on GitHub self-hosted runners again as researcher demonstrates attack on PyTorch code
PyPy moves from Mercurial, says 'open source has become synonymous with GitHub'
Where next for Jamstack? Netlify survey avoids the word, highlights rise of Astro
Docker buys AtomicJar to integrate container-based test automation
AWS promotes cell-based architecture for 'resilience at scale'