Important GitLab patch trio released; countering XSS flaws, potential AWS account takeover

GitLab has called on users to immediately upgrade their installations, dropping fixes for a range of vulnerabilities that could lead to file and information disclosure, unauthorised access, denial of service, and privilege escalation amongst other things.

Details for most of the issues will only be made public in 30 days’ time, but as usual the company has fleshed some of the issues out in a blog post accompanying the newly released versions 13.3.3, 13.2.7, and 13.1.9 of the self-described DevOps platform.

It describes, for example, a stored XSS vulnerability on the standalone vulnerability page (CVE-2020-13301; severity ratings aren’t available yet), and missing validation of whether job tokens were associated with running jobs, so that outdated tokens could be used for unauthorised resource access (CVE-2020-13284).

Speaking of access, the GitLab team fixed the handling of sign-in parameters, making the login less vulnerable to brute-force attacks (CVE-2020-13289). It also took care of session revocation, since some mishaps there allowed malicious users to access user accounts with old passwords (CVE-2020-13302), or obtain valid sessions (CVE-2020-13299).

While the latter affects all previous versions, it isn’t the only long-standing issue mitigated in the releases. Until now, all versions lacked some aspects of authorisation control, which allowed unauthorised project maintainers to edit subgroup badges (CVE-2020-13313). They also contained a bug in the repository mirroring feature that made the platform vulnerable to blind SSRF attacks (CVE-2020-13309), and lacked a rate limit on the Webhook feature (CVE-2020-13306) that could be used for denial of service attacks.

Other issues affecting all releases that are fixed in the updates include improper verification of permissions allowing users to access private repos in public projects (CVE-2020-13303), a way to access disabled repositories (CVE-2020-13316), and a missing invalidation mechanism for project invitation links (CVE-2020-13305). Apart from that, they correct a couple of bugs around two-factor authentication.

Reverse proxy Workhorse still isn’t immune to vulnerabilities, which is why the current security update also includes a fix for a file disclosure issue (CVE-2020-13298).

Meanwhile, teams making use of the EKS integration on GitLab 8.9 or later should consider upgrading as well, as the company found ways to conduct a cross-account assume-role attack that could be used to take over AWS accounts (CVE-2020-13318).