Today we are releasing versions 10.8.2, 10.7.5, and 10.6.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).
These versions contain a number of important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.
The vulnerability details will be made public on our issue tracker in approximately 30 days.
Please read on for more information regarding this release.
Git updates
We've included updated Git security versions 2.16.4 and 2.14.4 in this latest release for 10.8.2, 10.7.5, and 10.6.6.
For more information, see Git release notes
Removing public deploy keys regression
The delete deploy key operation contained a security issue which could allow an attacker to delete shared deploy keys. The issue is now resolved in the latest release.
Thanks to Christian Seelheim for responsibly reporting this vulnerability to us.
Versions Affected
Affects GitLab CE/EE 10.1.6 and up.
Remediation
We strongly recommend that all installations running an affected version above to be upgraded to the latest version as soon as possible.
Users can update their password without entering current password
The settings page contained an unverified password change weakness which could've been used to reset a user's password without knowing the user's current password. This only worked if either the attacker had hijacked a victim's session or had access to a victim's email address to intercept a password reset token.
Thanks to Jobert via HackerOne for responsibly reporting this vulnerability to us.
Versions Affected
Affects GitLab CE/EE 1.0 and up.
Remediation
We strongly recommend that all installations running an affected version above to be upgraded to the latest version as soon as possible.
Persistent XSS - Selecting users as allowed merge request approvers
The merge request approvers dropdown in GitLab EE contained a persistent xss issue which is now resolved in the latest release.
Thanks to phillycheeze for responsibly reporting this vulnerability to us.
Versions Affected
Affects GitLab EE 9.1 and up.
Remediation
We strongly recommend that all installations running an affected version above to be upgraded to the latest version as soon as possible.
Persistent XSS - Multiple locations of user selection drop downs
The user select drop down contained a persistent xss issue in GitLab EE which is now resolved in the latest release.
Thanks to phillycheeze for responsibly reporting this vulnerability to us.
Versions Affected
Affects GitLab EE 9.1 and up.
Remediation
We strongly recommend that all installations running an affected version above to be upgraded to the latest version as soon as possible.
include
directive in .gitlab-ci.yml allows SSRF requests
Arbitrary GET request could be performed against internal resources due to include
directive in .gitlab-ci.yml. Data exfiltration potential is limited to resources that respond with a YAML file following certain constraints. This issue is now resolved in the latest release.
Versions Affected
Affects GitLab EE 10.5 and up.
Remediation
We strongly recommend that all installations running an affected version above to be upgraded to the latest version as soon as possible.
Permissions issue in Merge Requests Create Service
Users which were not project members could create merge requests via a fork for internal projects. This issue is now resolved in the latest release.
Versions Affected
Affects GitLab CE/EE 10.6.
Remediation
We strongly recommend that all installations running an affected version above to be upgraded to the latest version as soon as possible.
Arbitrary assignment of project fields using "Import project"
Any project model database column can be controlled on import by fields in the project.json
of an exported project. This issue is now resolved in the latest release.
Thanks to Jobert via HackerOne for responsibly reporting this vulnerability to us.
Versions Affected
Affects GitLab CE/EE 10.4 and up.
Remediation
We strongly recommend that all installations running an affected version above to be upgraded to the latest version as soon as possible.
Updating
To update, check out our update page.
We want to hear from you
Enjoyed reading this blog post or have questions or feedback? Share your thoughts by creating a new topic in the GitLab community forum.
Share your feedback