GitLab’s usual round of post-feature-release security fixes has just been made available and includes remediation for two cross-site scripting vulnerabilities — so a quick update is strongly recommended.
Versions 14.1.2, 14.0.7, and 13.12.9 of GitLab CE/EE fix a total of 17 issues of varying severity, two of which score 8.7 on the Common Vulnerability Scoring System (CVSS). These two bugs allowed attackers to exploit stored cross-site scripting vulnerabilities via specially crafted Markdown and a specially crafted default branch name, respectively. While the first only affects Mermaid users on GitLab versions newer than 11.4, the second is more general and made its way into the project with the 13.4 release.
Medium-severity issues fixed in the new releases allowed developers to access CI variables to which only maintainers should have had access, let them view and delete impersonation tokens for their own account, and gave them insight into restricted pipeline information.
Since v13.4, someone whose access had been revoked could still trigger deployments in protected environments, which is mitigated in the current releases. The GitLab team also stumbled upon (and fixed) a problem with the handling of OAuth client IDs, which led to new subscriptions generating OAuth tokens on incorrect client applications.
Without the new releases, versions newer than 7.10 suffer from a bug that may let GitLab users gain access to a group through invite URLs meant for another email address, while EE installations on 12.2 and later allow projects to add members with addresses from blocked domains and disclose private user emails through group invitations.
Teams that have already made the jump to 14.0 should update to make sure only authorised users are able to add metadata when creating new issues. Updating also helps to protect systems from denial-of-service attacks caused by malformed commit authors, unauthorised access to vulnerability reports, and user impersonation using the GitLab shell.