Sealed with an XSS: It’s that time of the month again, so go update GitLab

By Julia Schmidt
-
Sealed with an XSS: It’s that time of the month again, so go update GitLab

GitLab’s monthly security update is here, fixing a number of potential cross-site scripting issues, a denial of service vulnerability, and some other bugs allowing users to do things which they probably should not.

Though most of the vulnerabilities mitigated in the release haven’t been assigned a CVE ID yet and detailed information about the individual issues will only be dropped in about a month’s time, the accompanying announcement does its best to convey a sense of urgency. New versions 13.1.2, 13.0.8 and 12.10.13 for GitLab Community Edition (CE) and Enterprise Edition (EE) have been released with the strong recommendation to upgrade “immediately”.

This might be down to 8 out of the 19 bugs fixed in the updates being cross-site scripting vulnerabilities affecting a whole gamut of elements from reference, wiki and error tracking pages to the Bitbucket import feature in GitLab versions down to 8.10. 

Other than that, the releases take care of a missing permission check allowing users not part of a project to add time spent on an issue (affecting 12.8 and later) and an insecure authorisation check, which devs with guest permissions could use to view a project’s private security dashboard (in v12.8 to 13.1). Meanwhile teams working GitLab EE 9.4 and above could have their users private activities leaked through an API, which has been fixed as well

Another issue now mitigated allowed project members with maintainer status to create and delete deploy tokens in versions more recent than 12.9, which wasn’t really desired. A denial of service vulnerability that could be exploited in the context of issue comments can be found in those versions as well, which should be even more motivation for an update.

Those who, for some reason or another, are still on a version older than 8.10, should think about long term migration to a newer iteration of the tool since issues found in old releases keep adding up. The current fixes again address a whole three issues affecting all GitLab versions, with vulns allowing html tags to be added to usernames, leaking private merge requests to ex-project members, and opening the way to cross-site scripting attacks via user profile pages.

AWS combines "building block" blueprints with CodeCatalyst for rapid project creation including DevO...
Atlassian takes another step toward full DevOps automation
GitHub autofix progresses to public beta: insecure code corrected with AI, but only for enterprise
Secret leakage in public GitHub repositories increasing, claims new report
Test launch of TEA open source reward project clouded by repository spam attack 
From Docker to Dagger: Solomon Hykes on modernisation of the DevOps pipeline
Enterprises struggle with Agile methodology, reports long-standing survey of practitioners
Spotlight on GitHub self-hosted runners again as researcher demonstrates attack on PyTorch code
PyPy moves from Mercurial, says 'open source has become synonymous with GitHub'
Where next for Jamstack? Netlify survey avoids the word, highlights rise of Astro
Docker buys AtomicJar to integrate container-based test automation
AWS promotes cell-based architecture for 'resilience at scale'