The GitLab team has released a round of security updates for its DevOps platform, which it strongly recommends people use to keep setups safe. Amongst other things, versions 14.5.2, 14.4.4, and 14.3.6 are hoped to reduce the risk of privilege escalation and denial of service attacks.
The highest severity issue (CVE-2021-39944) tackled in the releases is a permission validation flaw, that allowed group members with a developer role to become maintainers of projects they imported. The now-mitigated vulnerability affected all versions starting from 11.0 and got a CVSS score of 7.1.
CVE-2021-39935 leads the list of newly fixed medium severity problems, scoring a 6.8 in the CVSS. If left unmediated, the flaw provides external users without developer status with the option to access the CI Lint API on GitLab versions newer than 10.5. The releases also take care of two regular expressions used for comments and quick actions that were “susceptible to catastrophic backtracking that could cause a DOS attack”.
Iterations released after v13.0 suffered improper access control in the GraphQL API, allowing potential attackers to read project access token names from random projects, which should be repaired in the update as well.
While the issues mentioned above have been found through the company’s bug bounty program, the GitLab team itself discovered a collision in access memorization logic in versions newer than 14.3.6. The issue is recorded under CVE-2021-39937 and could lead to elevated privileges under the right (not yet openly specified) set of circumstances. The team also found that, since the release of version 14.0, GitLab logged reset password tokens and new user email tokens (CVE-2021-39919), which should be fixed with the new releases.
Another internally identified vulnerability (CVE-2021-39932) meant that the diff feature could be “used to trigger high load time for users reviewing code changes” leading to a denial of service in versions 11.0+.
Low severity issues fixed with the releases include bugs that allowed HTML injection via the Swagger UI, unauthorised deletion of protected branches, replying to vulnerability report discussions without being a project member, and regular expression denial of service attacks through deploy Slash commands.
The complete list is available on the GitLab blog, though details on the actual vulnerabilities are still rare and might take another 30 days to appear.