GitLab has released its scheduled monthly security updates versions 13.5.2, 13.4.5, and 13.3.9 for GitLab Community Edition (CE) and Enterprise Edition (EE). These contain multiple security fixes for many GitLab components, most reported by users through GitLab’s HackerOne bug bounty system.
Among the security issues identified and fixed are a couple of path traversal vulnerabilities uncovered by users. These security flaws let attackers create malformed paths and save packages in arbitrary locations on the server file system.
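As an added illustration (not GitLab's own code) of the containment check that defeats this class of path traversal, the Ruby snippet below resolves a user-supplied package path against a storage root and rejects anything that escapes it; the root directory and the sample inputs are constructed for the example.

```ruby
require 'pathname'
require 'uri'

# Constructed storage root for the example; real deployments differ.
PACKAGE_ROOT = '/var/opt/gitlab/packages'.freeze

# Returns the absolute path to write to, or nil when the user-controlled
# path would land outside the storage root. Purely lexical: it never
# touches the filesystem, so it is safe to call before anything exists.
def safe_package_path(root, user_path)
  return nil if user_path.nil? || user_path.empty?

  # Decode once so percent-encoded dot segments (%2e%2e, %2f) are caught
  # by the same normalisation as literal ones.
  decoded = begin
    URI.decode_www_form_component(user_path)
  rescue ArgumentError
    return nil # malformed %-encoding is rejected, not guessed at
  end

  # NUL bytes can truncate the path in lower layers; absolute paths would
  # replace the root entirely when joined.
  return nil if decoded.include?("\0") || decoded.start_with?('/')

  # Collapse "." and ".." segments, then require the result to sit strictly
  # below the root. The trailing separator matters: without it,
  # "/var/opt/gitlab/packages-evil/x" would pass a plain prefix test.
  resolved    = Pathname.new(root).join(decoded).cleanpath.to_s
  root_prefix = File.join(root, '')
  return nil unless resolved.start_with?(root_prefix)

  resolved
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs: one legitimate, the rest traversal attempts.
  %w[mygem/1.0/mygem-1.0.gem ../../../etc/passwd ..%2F..%2Fetc%2Fpasswd
     /etc/passwd ../packages-evil/x.gem].each do |candidate|
    result = safe_package_path(PACKAGE_ROOT, candidate)
    puts "#{candidate.inspect} -> #{result ? result : 'REJECTED'}"
  end
end
```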
GitLab’s own team discovered that the internal Kubernetes agent’s API had a vulnerability that gave unauthorised access to private projects. The team also discovered a flaw in the Terraform API that exposed the object storage signed URL on deletion, meaning a malicious project maintainer could overwrite the Terraform state, bypassing audit and other business controls.
Stored-XSS in error message of build-dependencies
A stored XSS in CI Job Log has been discovered in GitLab CE/EE 12.4 and above. This issue has been mitigated in the latest release and was assigned CVE-2020-13340.
“Thanks yvvdwf for reporting this vulnerability through our HackerOne bug bounty program,” said GitLab.
We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.
Other problems found and fixed included one-time-use Git credentials persisting after a repository import via URL in Gitaly; a registry name-check that could be induced to consume excessive CPU, creating a denial-of-service vector; private group information leaking when the group was made public; catastrophic regex backtracking in Advanced Search; and a host of other leaks, holes and authorization infelicities.