Is it that time again already? GitLab pushes out security release remediating XSS and MitM attacks

By Julia Schmidt
-
Is it that time again already? GitLab pushes out security release remediating XSS and MitM attacks

The latest GitLab release has been out for a couple of days, which means it’s time for a new security update for the DevOps platform. Versions 13.4.2, 13.3.7 and 13.2.10 of GitLab Community Edition (CE) and Enterprise Edition (EE) are now available and can help to prevent privilege escalation, cross-site scripting and denial of service attacks.

The company has strongly recommended updating to any of the new versions. However teams that are interested in learning more about the security issues discovered will have to wait for another 30 days as the majority of vulnerabilities mitigated do not even have a CVE-ID assigned yet.

One of the exceptions is CVE-2020-13333, a potential denial of service bug in the release API. The vulnerability affects all versions newer than 13.1 and could increase CPU usage through “certain user supplied values”. Version 13.1 was also the first GitLab version to sport an improper type check in GraphQL, which allowed developers to perform unauthorised actions and was fixed in the new releases.

Another, rather severe issue, dates back to version 12.0. Those not yet ready to update to one of the new versions risk the possibility of arbitrary command execution on Windows runner hosts due to authorisation configurations not being properly checked. 

Internal investigations at GitLab also found problems with Kubernetes environments (CVE-2020-13327) which have the potential for man in the middle attacks, making an upgrade worthwhile.

In addition, the GitLab team removed some issues that let unauthorised users view private custom project templates and led to non-members being able to change the confidentiality attribute of an issue via mutation GraphQL query. Other now-fixed vulnerabilities permitted the deletion of accounts that were still group owners and prevented the proper redaction of to-dos after membership changes.

Most of the vulnerabilities mentioned were reported by users, much like the reflected and stored cross-site scripting issues in various pages and the SVG image preview, which the new versions take care of as well. 

Additional details can be found on the GitLab blog.

Atlassian takes another step toward full DevOps automation
GitHub autofix progresses to public beta: insecure code corrected with AI, but only for enterprise
Secret leakage in public GitHub repositories increasing, claims new report
Test launch of TEA open source reward project clouded by repository spam attack 
From Docker to Dagger: Solomon Hykes on modernisation of the DevOps pipeline
Docker introduces Build Cloud for accelerated local development
Enterprises struggle with Agile methodology, reports long-standing survey of practitioners
Spotlight on GitHub self-hosted runners again as researcher demonstrates attack on PyTorch code
PyPy moves from Mercurial, says 'open source has become synonymous with GitHub'
Where next for Jamstack? Netlify survey avoids the word, highlights rise of Astro
Docker buys AtomicJar to integrate container-based test automation
AWS promotes cell-based architecture for 'resilience at scale'