Today we are releasing versions 9.5.4, 9.4.6, and 9.3.11 for GitLab Community Edition (CE) and Enterprise Edition (EE).
These versions contain several security fixes, including fixes for several persistent Cross-Site Scripting (XSS) vulnerabilities, a fix for a hard-to-exploit race condition in project uploads, a fix for a CSRF token leakage vulnerability, a fix for a bug that could allow deleted repositories to be left on disk and copied by a user who knew their full path, some important Mattermost updates, a fix for a critical vulnerability in the Nokogiri library, a fix for a vulnerability that could allow the disclosure of private SSL certificates in Pages sites, and several more. We recommend that all GitLab installations be upgraded to one of these versions.
Please read on for more details.
Cross-Site Scripting (XSS) vulnerability in profile names
An external security audit performed by Madison Gurkha disclosed a Cross-Site Scripting (XSS) vulnerability in user names that could be exploited in several locations. #36979, #37344
Open Redirect in go-get middleware
Tim Goddard via HackerOne reported that GitLab was vulnerable to an open redirect caused when a specific flag is passed to the go-get middleware. This vulnerability could also possibly be used to conduct Cross-Site Scripting attacks. #31508
Race condition in project uploads
Jobert Abma from HackerOne reported that GitLab was vulnerable to a race condition in project uploads. While very difficult to exploit, this race condition could potentially allow an attacker to overwrite a victim's uploaded project if the attacker can guess the name of the uploaded file before it is extracted. #29652
Cross-Site Request Forgery (CSRF) token leakage
naure via HackerOne reported that GitLab was vulnerable to CSRF token leakage via improper filtering of external URLs in relative URL creation. A specially crafted link configured in a project's environments settings could be used to steal a visiting user's CSRF token. #31045
Potential project disclosure via project deletion bug
An internal code review discovered that removed projects were not always being deleted from the file system. This could allow an attacker who knew the full path to a previously deleted project to steal a copy of the repository. These releases prevent the leftover repository from being accessed when creating a new project. The project deletion bug will be fixed in a later release. #36743
Mattermost updates
Mattermost has recently released important security fixes for the Mattermost versions included with GitLab CE+EE Omnibus packages. Details will be made available on Mattermost's website according to their responsible disclosure policy.
White-listed style attribute for table contents in MD enables UI redressing
An external security audit performed by Recurity-Labs discovered a UI redressing vulnerability in the GitLab markdown sanitization library. #36098
DOM clobbering in sanitized MD causes errors
An external security audit performed by Recurity-Labs discovered a DOM clobbering vulnerability in the GitLab markdown sanitization library that could be used to render project pages unreadable. #36104
Nokogiri vendored libxslt library vulnerable to potential integer overflow (CVE-2017-5029 and CVE-2016-4738)
The bundled Nokogiri library has been updated to patch an integer overflow vulnerability. Details are available in the Nokogiri issue. #29992
Security risk in recommended Geo configuration could give all users access to all repositories
An internal code review discovered that GitLab Geo instances could be vulnerable to an attack that would allow any user on the primary Geo instance to clone any repository on a secondary Geo instance. #3271
GitLab Pages private certificate disclosure via symlinks
An external security review conducted by Recurity-Labs discovered a vulnerability in GitLab Pages that could be used to disclose the contents of private SSL keys. #75
Versions affected
Cross-Site Scripting (XSS) vulnerability in profile names
- GitLab CE+EE 9.3.0-9.3.10, 9.4.0-9.4.5, 9.5.0-9.5.3
Open Redirect in go-get middleware
- GitLab CE+EE 9.0.0-9.3.10, 9.4.0-9.4.5, 9.5.0-9.5.3
Race condition in project uploads
- GitLab CE+EE 8.10.0-9.3.10, 9.4.0-9.4.5, 9.5.0-9.5.3
CSRF token leakage
- GitLab CE+EE 9.0.0-9.3.10, 9.4.0-9.4.5, 9.5.0-9.5.3
Copying of undeleted repositories
- GitLab CE+EE 9.1.0-9.3.10, 9.4.0-9.4.5, 9.5.0-9.5.3
White-listed style attribute for table contents in MD enables UI redressing
- GitLab CE+EE 8.3.0-9.3.10, 9.4.0-9.4.5, 9.5.0-9.5.3
DOM clobbering in sanitized MD causes errors
- GitLab CE+EE 8.3.0-9.3.10, 9.4.0-9.4.5, 9.5.0-9.5.3
Nokogiri vendored libxslt library vulnerable to potential integer overflow
- GitLab CE+EE 1.0.0-9.3.10, 9.4.0-9.4.5, 9.5.0-9.5.3
Security risk in recommended Geo secondary configuration could give all users access to all repositories
- GitLab EE 8.6.0-9.3.10, 9.4.0-9.4.5, 9.5.0-9.5.3
GitLab Pages private certificate disclosure via symlinks
- GitLab CE+EE 8.6.0-9.3.10, 9.4.0-9.4.5, 9.5.0-9.5.3
We recommend that all installations running a version mentioned above be upgraded as soon as possible. No workarounds are available for these vulnerabilities.
Upgrade barometer
These versions do not include any migrations and will not require downtime.
Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-migrations file.
Updating
To update, check out our update page.
Enterprise Edition
Interested in GitLab Enterprise Edition? Check out the features exclusive to EE.
Access to GitLab Enterprise Edition is included with a subscription. No time to upgrade GitLab yourself? Subscribers receive upgrade and installation services.
We want to hear from you
Enjoyed reading this blog post or have questions or feedback? Share your thoughts by creating a new topic in the GitLab community forum.