GitLab’s monthly security update is here, fixing a number of potential cross-site scripting issues, a denial of service vulnerability, and some other bugs allowing users to do things which they probably should not.
Though most of the vulnerabilities mitigated in the release haven’t been assigned a CVE ID yet and detailed information about the individual issues will only be dropped in about a month’s time, the accompanying announcement does its best to convey a sense of urgency. New versions 13.1.2, 13.0.8 and 12.10.13 for GitLab Community Edition (CE) and Enterprise Edition (EE) have been released with the strong recommendation to upgrade “immediately”.
This might be down to 8 out of the 19 bugs fixed in the updates being cross-site scripting vulnerabilities affecting a whole gamut of elements from reference, wiki and error tracking pages to the Bitbucket import feature in GitLab versions down to 8.10.
Other than that, the releases take care of a missing permission check allowing users who are not part of a project to add time spent on an issue (affecting 12.8 and later) and an insecure authorisation check, which devs with guest permissions could use to view a project’s private security dashboard (in v12.8 to 13.1). Meanwhile, teams working on GitLab EE 9.4 and above could have their users’ private activities leaked through an API, which has been fixed as well.
Another issue now mitigated allowed project members with maintainer status to create and delete deploy tokens in versions more recent than 12.9, which wasn’t really desired. A denial of service vulnerability that could be exploited in the context of issue comments can be found in those versions as well, which should be even more motivation for an update.
Those who, for some reason or another, are still on a version older than 8.10 should think about a long-term migration to a newer iteration of the tool, since issues found in old releases keep adding up. The current fixes again address a whole three issues affecting all GitLab versions, with vulns allowing HTML tags to be added to usernames, leaking private merge requests to ex-project members, and opening the way to cross-site scripting attacks via user profile pages.
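A quick way to turn the version numbers above into an actionable check for the instances you run, as an added example that is not GitLab's own tooling: it classifies a version string (for instance the `version` field returned by GitLab's authenticated `GET /api/v4/version` endpoint) against the fixed releases 13.1.2, 13.0.8 and 12.10.13 named in the announcement. Branches newer than 13.1 are assumed to carry the fixes; anything on an older branch has no fixed release and needs a migration.

```python
"""Classify a GitLab version string against the July 2020 fixed releases.

Added example, not GitLab's own code. The fixed versions are those named
in the announcement; the "newer" classification is an assumption that
later branches include the same fixes.
"""
import re

# Fixed releases from the announcement, keyed by (major, minor) branch.
FIXED = {
    (13, 1): (13, 1, 2),
    (13, 0): (13, 0, 8),
    (12, 10): (12, 10, 13),
}

# Accepts "13.1.2", "13.0.8-ee", "12.10.13-ce.0"; edition suffixes are ignored.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) as a tuple of ints, or raise ValueError."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    return tuple(int(part) for part in match.groups())


def assess(text):
    """Return one of:
      'patched'     - on a fixed branch, at or above its fixed release
      'vulnerable'  - on a fixed branch, but below its fixed release
      'newer'       - branch newer than 13.1 (assumed to include the fixes)
      'unsupported' - older branch with no fixed release; migrate to a
                      current branch (this also covers pre-8.10 installs)
    """
    version = parse_version(text)
    branch = version[:2]
    if branch in FIXED:
        # Tuple comparison orders (major, minor, patch) lexicographically.
        return "patched" if version >= FIXED[branch] else "vulnerable"
    if branch > max(FIXED):
        return "newer"
    return "unsupported"


if __name__ == "__main__":
    # Constructed sample inputs, not real instance data.
    for sample in ("13.1.2", "13.1.1-ee", "12.10.12", "12.9.5", "8.9.0"):
        print(f"{sample:12} -> {assess(sample)}")
```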