Today we are releasing versions 11.4.3, 11.3.8, and 11.2.7 for GitLab Community Edition (CE) and Enterprise Edition (EE).
These versions contain a number of important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.
The vulnerability details will be made public on our issue tracker in approximately 30 days.
Please read on for more information regarding this release.
RCE in GitLab Wiki API
The wiki API contained an input validation issue which resulted in remote code execution. The issue is now mitigated in the latest release and is assigned CVE-2018-18649.
Thanks to @nyangawa of Chaitin Tech for responsibly reporting this vulnerability to us.
Versions Affected
Affects GitLab CE/EE 11.3 and later.
Remediation
We strongly recommend that all installations running an affected version above be upgraded to the latest version as soon as possible.
SSRF in Hipchat integration
The GitLab Hipchat integration was vulnerable to an SSRF issue which allowed an attacker to make requests to any local network resource accessible from the GitLab server. The issue is now mitigated in the latest release and is assigned CVE-2018-18646.
Thanks to @bull for responsibly reporting this vulnerability to us.
Versions Affected
Affects GitLab CE/EE 5.3 and later.
Remediation
We strongly recommend that all installations running an affected version above be upgraded to the latest version as soon as possible.
Cleartext storage of personal access tokens
Personal access tokens were being stored unencrypted as plain text in the database which could result in attackers potentially reading them via SQL injection or other database leaks. The issue is now mitigated in the latest release and is assigned CVE-2018-18641.
Versions Affected
Affects GitLab CE/EE 8.10.0 and later.
Remediation
We strongly recommend that all installations running an affected version above be upgraded to the latest version as soon as possible.
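The usual fix for cleartext token storage is to persist only a digest of each token and look tokens up by that digest, so a database leak or SQL injection yields nothing usable. The following is an added example for this post, not GitLab's implementation: an in-memory Ruby store whose class and method names are constructed for illustration.

```ruby
require 'securerandom'
require 'digest'

# Illustrative in-memory token store (an added example, not GitLab's code).
# Only a SHA-256 digest of each personal access token is persisted; the
# plaintext token exists just long enough to be shown to the user once.
class TokenStore
  def initialize
    @records = {} # digest => { user:, scopes: }
  end

  # Create a token for a user and return the plaintext exactly once.
  def issue(user, scopes: ['read_api'])
    token = SecureRandom.urlsafe_base64(20) # 160 bits of randomness
    @records[digest(token)] = { user: user, scopes: scopes }
    token
  end

  # Look up the record for a presented token; nil if unknown.
  # Lookup is by digest, so a dump of the store does not yield usable tokens.
  def authenticate(token)
    return nil if token.nil? || token.empty?
    @records[digest(token)]
  end

  # Revoke by plaintext token (what a user pastes) or by stored digest.
  def revoke(token_or_digest)
    @records.delete(digest(token_or_digest)) || @records.delete(token_or_digest)
  end

  # Migration helper: given existing plaintext rows, keep digests only.
  def import_plaintext(rows)
    rows.each { |row| @records[digest(row[:token])] = { user: row[:user], scopes: row[:scopes] } }
    self
  end

  # What an attacker would see from a database leak: digests only.
  def persisted_values
    @records.keys
  end

  private

  def digest(token)
    Digest::SHA256.hexdigest(token)
  end
end
```

Unlike passwords, the tokens here are high-entropy random strings, so a fast unsalted hash is adequate: an attacker holding the digest cannot brute-force a 160-bit preimage. Migrating an existing table means computing each digest once and then dropping the plaintext column.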
Information exposure through stack trace error message
A JSON endpoint was disclosing Gem version information which could result in an attacker discovering vulnerable Gems available on a specific GitLab instance. The issue is now mitigated in the latest release and is assigned CVE-2018-18648.
Versions Affected
Affects GitLab CE/EE 11.2 and later.
Remediation
We strongly recommend that all installations running an affected version above be upgraded to the latest version as soon as possible.
Persistent XSS autocomplete
Several pages in GitLab lacked input validation and output encoding for the fragment identifier (hash) of the URL, which resulted in a persistent XSS. The issue is now mitigated in the latest release and is assigned CVE-2018-18643.
Thanks to @ngalog for responsibly reporting this vulnerability to us.
Versions Affected
Affects GitLab CE/EE 11.2 and later.
Remediation
We strongly recommend that all installations running an affected version above be upgraded to the latest version as soon as possible.
Information exposure in stored browser history
Private project pages had inadequate cache control, which resulted in unauthorized users being able to view them in the browser. The issue is now mitigated in the latest release and is assigned CVE-2018-18640.
Thanks to @8ayac for responsibly reporting this vulnerability to us.
Versions Affected
Affects all versions of GitLab CE/EE
Remediation
We strongly recommend that all installations running an affected version above be upgraded to the latest version as soon as possible.
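Inadequate cache control on a private page means a browser may keep a copy and show it on back navigation after the user has signed out. The following is an added example for this post, not GitLab's code: a Ruby checker that parses a raw HTTP response head and reports whether its Cache-Control policy prevents the browser from storing the page, with the weak setting beside the corrected one. The sample responses are constructed.

```ruby
# Added example, not GitLab's code: audit a response's Cache-Control policy so a
# page rendered for an authenticated user cannot be served back from the browser
# cache (history/back navigation) to someone else using the same browser.

# Parse the header block of a raw HTTP response into a lower-cased-name hash.
def parse_headers(raw)
  headers = {}
  raw.split(/\r?\n/).drop(1).each do |line| # drop the status line
    break if line.strip.empty?               # blank line ends the headers
    name, value = line.split(':', 2)
    next if value.nil?
    headers[name.strip.downcase] = value.strip
  end
  headers
end

# Cache-Control directives, lower-cased, e.g. ["max-age=0", "private"].
def cache_directives(headers)
  _, value = headers.find { |name, _| name.casecmp?('cache-control') }
  (value || '').split(',').map { |d| d.strip.downcase }.reject(&:empty?)
end

# "private" and "max-age=0" only say who may cache a response and when it goes
# stale; a browser may still keep a stored copy and show it on back navigation.
# "no-store" is the directive that forbids keeping a copy at all.
def private_page_cache_safe?(headers)
  d = cache_directives(headers)
  d.include?('no-store') && !d.include?('public')
end

# Headers a private page should send (the corrected setting; Pragma and
# Expires are legacy equivalents for old HTTP/1.0 caches).
def private_page_headers
  {
    'Cache-Control' => 'no-store, no-cache, max-age=0, private, must-revalidate',
    'Pragma'        => 'no-cache',
    'Expires'       => 'Fri, 01 Jan 1990 00:00:00 GMT'
  }
end

# Constructed sample responses: the inadequate setting beside the corrected one.
WEAK_RESPONSE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n" \
                "Cache-Control: max-age=0, private, must-revalidate\r\n\r\n<html>..."
SAFE_RESPONSE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n" \
                "Cache-Control: no-store, no-cache, max-age=0, private, must-revalidate\r\n" \
                "Pragma: no-cache\r\n\r\n<html>..."

if __FILE__ == $PROGRAM_NAME
  [['weak', WEAK_RESPONSE], ['safe', SAFE_RESPONSE]].each do |label, raw|
    puts "#{label}: #{private_page_cache_safe?(parse_headers(raw)) ? 'ok' : 'cacheable'}"
  end
end
```

The checker is deliberately strict: a response is only considered safe when `no-store` is present and not contradicted by `public`, because freshness directives alone do not stop a browser from retaining the page in history.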
Information exposure when replying to issues through email
It was found that when replying to an issue through email, with the GitLab email footer included, a user's unsubscribe link would be included in the issue. This information is considered sensitive. The issue is now mitigated in the latest release and is assigned CVE-2018-18645.
Thanks to Bence Nagy for responsibly reporting this vulnerability to us.
Versions Affected
Affects all versions of GitLab CE/EE
Remediation
We strongly recommend that all installations running an affected version above be upgraded to the latest version as soon as possible.
Persistent XSS in License Management and Security Reports
The License Management and Security Reports pages lacked input validation and output encoding, which resulted in a persistent XSS. The issue is now mitigated in the latest release and is assigned CVE-2018-18642.
Thanks to @ngalog for responsibly reporting this vulnerability to us.
Versions Affected
Security Reports - Affects GitLab EE 10.4.0 and later
License Management - Affects GitLab EE 11.0.0 and later
Remediation
We strongly recommend that all installations running an affected version above be upgraded to the latest version as soon as possible.
Metrics information disclosure in Prometheus integration
The GitLab Prometheus integration was vulnerable to an indirect object reference issue which allowed an unauthorized user to see private information. This information includes the project name, environment name, metric name, and metric query. Additionally, an unauthorized user could create false alarms. The issue is now mitigated in the latest release and is assigned CVE-2018-18644.
Thanks to @jobert for responsibly reporting this vulnerability to us.
Versions Affected
Affects GitLab EE 11.2 and later.
Remediation
We strongly recommend that all installations running an affected version above be upgraded to the latest version as soon as possible.
Unauthorized changes to a protected branch's access levels
The protected_branches API was vulnerable to an issue which allowed an unauthorized user to remove the merge_access_levels and push_access_levels objects. This could result in the inability of project participants to push or merge into the branch. The issue is now mitigated in the latest release and is assigned CVE-2018-18647.
Thanks to @jobert for responsibly reporting this vulnerability to us.
Versions Affected
Affects GitLab EE 8.11 and later.
Remediation
We strongly recommend that all installations running an affected version above be upgraded to the latest version as soon as possible.
Upgrade Ruby to 2.4.5
The version of Ruby used in the Omnibus package was upgraded to version 2.4.5. Included in this Ruby release are several security fixes.
Upgrade Redis to 3.2.12
The version of Redis used in the Omnibus package was upgraded in the GitLab 11.2 and 11.3 releases. This upgrade was previously included in the GitLab 11.4 Omnibus package. Included in this Redis release are several security fixes.
Updating
To update, check out our update page.
We want to hear from you
Enjoyed reading this blog post or have questions or feedback? Share your thoughts by creating a new topic in the GitLab community forum.