GitLab and the Argo CD project have each released a batch of security fixes and strongly recommend that users upgrade as soon as possible to protect themselves against high-severity attacks.
The newly available GitLab versions 14.7.1, 14.6.4, and 14.5.4 fix 15 newly identified vulnerabilities, including the high-severity CVE-2022-0427. The bug affects all versions newer than 14.5 and allows a malicious actor to trigger arbitrary POST requests through specially crafted HTML attributes in Jupyter Notebooks.
The releases also fix a DNS rebinding vulnerability in the Irker IRC gateway integration, present in versions newer than GitLab 7.9, and improper SSL certificate validation for external CI services in most older versions. The certificate validation bug could be exploited for man-in-the-middle attacks on the connection to those external services, while the DNS rebinding flaw let intruders trigger Server Side Request Forgery (SSRF) attacks: a hostname that resolves to a public address when it is validated can be re-resolved to an internal one by the time the request is actually sent.
That is not the only SSRF issue fixed in these updates: bugs in the project import feature and in the handling of the shared address space (the RFC 6598 range 100.64.0.0/10, which is neither private nor publicly routable) could lead to similar attacks and were eliminated in the latest releases.
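The two SSRF classes above (DNS rebinding and the unblocked shared address space) share one defence: resolve the hostname once, check every answer against an explicit blocklist, and then connect to the address you checked rather than letting the HTTP client resolve the name a second time. The following is an added example illustrating that pattern; it is not GitLab's code. The function names and the FAKE_DNS table are constructed for the example so that it runs offline, and the resolved addresses in that table are not real records.

```python
import ipaddress
import socket
from urllib.parse import urlsplit, urlunsplit

# Address ranges an outbound-request feature (webhooks, external CI services,
# repository import) should never be allowed to reach. 100.64.0.0/10 is the
# RFC 6598 shared address space: Python's ipaddress reports it as neither
# private nor global, so it has to be listed explicitly rather than inferred
# from is_private.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]


def is_blocked_address(ip_text):
    """True if the address falls in a range we refuse to contact."""
    ip = ipaddress.ip_address(ip_text)
    # ::ffff:10.0.0.7 is still 10.0.0.7; compare the embedded IPv4 address.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def system_resolver(host):
    """Default resolver: every A/AAAA answer for host, via the OS."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def pin_outbound_url(url, resolver=system_resolver):
    """Resolve the URL's host once, reject it if any answer is internal, and
    return (pinned_url, original_host). The caller connects to pinned_url,
    whose host is an IP literal, while sending original_host as the Host
    header / SNI name, so a second lookup by the HTTP client cannot be
    rebound to a different address."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("only http(s) URLs with a host are allowed")
    host = parts.hostname
    try:
        addrs = [str(ipaddress.ip_address(host))]  # already an IP literal
    except ValueError:
        addrs = resolver(host)
    if not addrs:
        raise ValueError(f"{host} did not resolve")
    # Check every answer: an attacker's zone can return one public and one
    # internal record and hope the client happens to pick the internal one.
    for addr in addrs:
        if is_blocked_address(addr):
            raise ValueError(f"{host} resolves to blocked address {addr}")
    chosen = addrs[0]
    netloc = f"[{chosen}]" if ":" in chosen else chosen
    if parts.port:
        netloc += f":{parts.port}"
    pinned = urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))
    return pinned, host


# Constructed, offline stand-in for DNS (not real records). The attacker-
# controlled names mix a public answer with loopback, shared-address-space and
# IPv4-mapped IPv6 answers, which is what a rebinding attack looks like.
FAKE_DNS = {
    "hooks.example.com": ["203.0.113.10"],
    "v6ok.example": ["2001:db8::1"],
    "rebind.attacker.example": ["203.0.113.10", "127.0.0.1"],
    "cgnat.attacker.example": ["100.64.5.5"],
    "v6.attacker.example": ["::ffff:10.0.0.7"],
}


def fake_resolver(host):
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    for candidate in ("https://hooks.example.com/notify?x=1",
                      "http://rebind.attacker.example:8080/",
                      "http://cgnat.attacker.example/",
                      "http://v6.attacker.example/",
                      "http://127.0.0.1:9200/"):
        try:
            print("allow ", candidate, "->", pin_outbound_url(candidate, fake_resolver))
        except ValueError as exc:
            print("reject", candidate, "->", exc)
```

Two details matter in practice: the check and the connection must use the same resolution result (hence the pinned IP literal), and IPv4-mapped IPv6 answers have to be unwrapped before comparison or `::ffff:127.0.0.1` slips past an IPv4-only blocklist. With a real client you would pass `pinned` as the request URL and set the Host header and TLS SNI to `original_host`.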
Other reasons to update include vulnerabilities, spread across a range of earlier versions, that let users discover the service desk email address or search for other users by their private email addresses, even when that information was meant to be kept private.
Meanwhile, the Argo CD team fights path traversal attacks
Continuous delivery project Argo CD also had a vulnerability rated 7.7 on the Common Vulnerability Scoring System (CVSS) on its hands, and the project's more general-purpose nature probably made it somewhat more pressing to fix than the comparatively specialised Jupyter Notebook bug in GitLab.
The Argo CD team had to get patching when a path traversal bug and a related symbolic link issue were discovered in the project. The vulnerabilities allowed attackers to craft malicious Helm charts that read files outside the intended chart directory and could be used to extract sensitive information from the system. They are fixed in v2.1.10 and v2.2.5 (v2.1.9 and v2.2.4 close the path traversal but still contain the symlink issue), and in the latest 2.3 release candidate. No other workarounds for the issue are available.
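The two-stage fix history is instructive: a check that only collapses `..` lexically stops the path traversal but is still defeated by a symlink that points out of the repository, which is why a second release was needed. The following added example, which is not Argo CD's code, contrasts the two checks on a constructed directory tree: `naive_check` normalises the path without following links, `safe_values_path` resolves symlinks first and then confirms the result is still under the repository root. The function names, the `CASES` table and the temporary tree built by `build_demo_tree` are all hypothetical and exist only for the demonstration.

```python
import os
import tempfile


def naive_check(repo_root, requested):
    """Weaker check: collapse '..' lexically, but do not follow symlinks.
    Defeats '../other/secrets.yaml' yet still allows 'escape/secrets.yaml'
    when 'escape' is a symlink pointing outside the repository."""
    root = os.path.abspath(repo_root)
    candidate = os.path.normpath(os.path.join(root, requested))
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError(f"{requested!r} escapes {repo_root}")
    return candidate


def safe_values_path(repo_root, requested):
    """Stronger check: reject absolute paths, resolve every symlink and '..'
    component, and only then verify the real path is inside the repository."""
    if os.path.isabs(requested):
        raise ValueError(f"{requested!r} must be relative to the repository")
    root = os.path.realpath(repo_root)
    candidate = os.path.realpath(os.path.join(root, requested))
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError(f"{requested!r} escapes {repo_root}")
    return candidate


# Constructed values-file references of the kind a chart might list: one
# legitimate, one using '..', one via a symlink, one absolute.
CASES = {
    "in-repo": "chart/values.yaml",
    "dotdot": "../other/secrets.yaml",
    "symlink": "escape/secrets.yaml",
    "absolute": "/etc/passwd",
}


def build_demo_tree():
    """Create a throwaway layout and return the repository root:
        <tmp>/repo/chart/values.yaml   legitimate file inside the repo
        <tmp>/other/secrets.yaml       file outside the repo
        <tmp>/repo/escape -> <tmp>/other   symlink pointing out of the repo
    """
    base = tempfile.mkdtemp(prefix="argocd-demo-")
    repo = os.path.join(base, "repo")
    os.makedirs(os.path.join(repo, "chart"))
    os.makedirs(os.path.join(base, "other"))
    with open(os.path.join(repo, "chart", "values.yaml"), "w") as f:
        f.write("replicaCount: 1\n")
    with open(os.path.join(base, "other", "secrets.yaml"), "w") as f:
        f.write("password: not-for-you\n")
    os.symlink(os.path.join(base, "other"), os.path.join(repo, "escape"))
    return repo


def run_cases(repo_root, check):
    """Apply one check to every case; returns {case: 'allowed'|'rejected'}."""
    outcome = {}
    for name, requested in CASES.items():
        try:
            check(repo_root, requested)
            outcome[name] = "allowed"
        except ValueError:
            outcome[name] = "rejected"
    return outcome


if __name__ == "__main__":
    repo = build_demo_tree()
    print("naive :", run_cases(repo, naive_check))
    print("strict:", run_cases(repo, safe_values_path))
```

Running it shows the naive check allowing the `symlink` case while rejecting the other escapes, and the strict check rejecting all three. Resolving with `os.path.realpath` before the containment test is the whole difference; note that this is still a check-then-use sequence, so a repository that can be rewritten between the check and the read (for example by a concurrent sync) needs the containment enforced at open time as well.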