Is it that time again already? GitLab pushes out security release remediating XSS and MitM attacks
The latest GitLab release has been out for a couple of days, which means it’s time for a new security update for the DevOps platform. Versions 13.4.2, 13.3.7 and 13.2.10 of GitLab Community Edition (CE) and Enterprise Edition (EE) are now available and can help to prevent privilege escalation, cross-site scripting and denial of service attacks.

The company has strongly recommended updating to any of the new versions. However, teams interested in learning more about the security issues discovered will have to wait another 30 days, as the majority of the vulnerabilities mitigated do not yet have a CVE-ID assigned.

One of the exceptions is CVE-2020-13333, a potential denial of service bug in the release API. The vulnerability affects all versions newer than 13.1 and could increase CPU usage through “certain user supplied values”. Version 13.1 was also the first GitLab version to carry an improper type check in GraphQL, which allowed developers to perform unauthorised actions and is fixed in the new releases.

Another, rather severe, issue dates back to version 12.0. Those not yet ready to update to one of the new versions risk arbitrary command execution on Windows runner hosts, because authorisation configurations are not properly checked.

Internal investigations at GitLab also found problems with Kubernetes environments (CVE-2020-13327) that open the door to man-in-the-middle attacks, making an upgrade worthwhile.

In addition, the GitLab team fixed issues that let unauthorised users view private custom project templates and allowed non-members to change the confidentiality attribute of an issue via a GraphQL mutation query. Other now-fixed vulnerabilities permitted the deletion of accounts that were still group owners and prevented the proper redaction of to-dos after membership changes.

Most of the vulnerabilities mentioned were reported by users, as were the reflected and stored cross-site scripting issues in various pages and in the SVG image preview, which the new versions take care of as well.

Additional details can be found on the GitLab blog.