Headline
CVE-2020-10955: GitLab Security Release: 12.9.1, 12.8.8, and 12.7.8
GitLab EE/CE 11.1 through 12.9 is vulnerable to parameter tampering on an upload feature that allows an unauthorized user to read content available under specific folders.
Learn more about GitLab Security Release: 12.9.1, 12.8.8, and 12.7.8 for GitLab Community Edition (CE) and Enterprise Edition (EE)
Today we are releasing versions 12.9.1, 12.8.8, and 12.7.8 for GitLab Community Edition (CE) and Enterprise Edition (EE).
These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.
The vulnerability details will be made public on our issue tracker in approximately 30 days.
Please read on for more information regarding this release.
Arbitrary File Read when Moving an Issue
An arbitrary local file read was possible when an moving issues between projects. This issue is now mitigated in the latest release and is assigned CVE-2020-10977.
Thanks @vakzz for responsibly reporting this vulnerability to us.
Versions Affected
Affects GitLab EE/CE 8.5 and later.
Remediation
We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.
Path Traversal in NPM Package Registry
The NPM package registry was vulnerable to a path traversal issue. This issue is now mitigated in the latest release and is assigned CVE-2020-10953.
Thanks to @saltyyolk of Chaitin Tech for responsibly reporting this vulnerability to us.
Versions Affected
Affects GitLab EE 11.7 and later.
Remediation
We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.
SSRF on Project Import
An SSRF issue was discovered in the project import note feature. This issue is now mitigated in the latest release and is assigned CVE-2020-10956.
Thanks @vakzz for responsibly reporting this vulnerability to us.
Versions Affected
Affects GitLab 8.10 and later.
Remediation
We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.
External Users Can Create Personal Snippet
Insufficient access verification lead to unauthorized creation of personal snippets through the API by an external user. This issue is now mitigated in the latest release and is assigned CVE-2020-12275.
Thanks the GitLab team for finding and reporting this issue.
Versions Affected
Affects GitLab EE/CE 12.6 and later.
Remediation
We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.
Triggers Decription Can be Updated by Other Maintainers in Project
A maintainer can modify other maintainers’ pipeline trigger descriptions within the same project. This issue is now mitigated in the latest release and is assigned CVE-2020-10981.
Thanks @ashish_r_padelkar for responsibly reporting this vulnerability to us.
Versions Affected
Affects GitLab EE/CE 9.0 and later.
Remediation
We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.
Information Disclosure on Confidential Issues Moved to Private Programs
Issues opened in a public project and then moved to a private project reveal the private project namespace through Web-UI and GraphQL API. This issue is now mitigated in the latest release and is assigned CVE-2020-10978.
Thanks @0xwintermute for responsibly reporting this vulnerability to us.
Versions Affected
Affects GitLab EE/CE 8.11 and later.
Remediation
We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.
Potential DoS in Repository Archive Download
Repository archives download could be abused to cause large resource consumption on an instance. This issue is now mitigated in the latest release and is assigned CVE-2020-10954.
Thanks the GitLab team for finding and reporting this issue.
Versions Affected
Affects all previous versions of GitLab CE/EE.
Remediation
We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.
Blocked Users Can Still Pull/Push Docker Images
Under certain circumstances a blocked user still had the ability to pull images from the internal container registry of any projects to which the user had access. This issue is now mitigated in the latest release and is assigned CVE-2020-10952.
Thanks @logan5 for responsibly reporting this vulnerability to us.
Versions Affected
Affects GitLab EE/CE 8.11 and later.
Remediation
We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.
Repository Mirroring not Disabled when Feature not Activated
A project repository could still be mirrored when the feature was not enabled. This issue is now mitigated in the latest release and is assigned CVE-2020-12277.
Thanks @adam__b for responsibly reporting this vulnerability to us.
Versions Affected
Affects GitLab EE/CE 10.8 and later.
Remediation
We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.
Vulnerability Feedback Page Was Leaking Information on Vulnerabilities
The vulnerability feedback page was leaking metadata and comments on vulnerabilities to unauthorized users. This issue is now mitigated in the latest release and is assigned CVE-2020-10975 .
Thanks @rpadovani for responsibly reporting this vulnerability to us.
Versions Affected
Affects GitLab EE/CE 10.8 and later.
Remediation
We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.
Stored XSS Vulnerability in Admin Feature
A stored XSS vulnerability was discovered in an admin notification feature. This issue is now mitigated in the latest release and is assigned CVE-2020-12276.
Thanks the GitLab team for finding and reporting this issue.
Versions Affected
Affects GitLab EE/CE 9.5.9 and later.
Remediation
We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.
Upload Feature Allowed a User to Read Unauthorized Exported Files
The upload feature was vulnerable to parameter tampering allowing and unauthorized user to read content available under specific folders. This issue is now mitigated in the latest release and is assigned CVE-2020-10955.
Thanks @manassehzhou for responsibly reporting this vulnerability to us.
Versions Affected
Affects GitLab EE/CE 11.1 and later.
Remediation
We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.
Unauthorized Users Are Able to See CI Metrics
Restricted CI pipelines metrics could be seen by members even if the pipeline was restricted. This issue is now mitigated in the latest release and is assigned CVE-2020-10979.
Thanks @xanbanx for responsibly reporting this vulnerability to us.
Versions Affected
Affects GitLab EE/CE 11.10 and later.
Remediation
We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.
Last Pipeline Status of a Merge Request Leaked
The last status of a restricted pipeline was returned through a query in the merge request widget. This issue is now mitigated in the latest release and is assigned CVE-2020-10976.
Thanks @xanbanx for responsibly reporting this vulnerability to us.
Versions Affected
Affects GitLab EE/CE 8.17 and later.
Remediation
We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.
Blind SSRF on FogBugz
A blind SSRF was discovered in the FogBugz integration. This issue is now mitigated in the latest release and is assigned CVE-2020-10980.
Thanks @ngalog for responsibly reporting this vulnerability to us.
Versions Affected
Affects GitLab EE/CE 8.0 and later.
Remediation
We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.
Update Nokogiri dependency
The Nokogiri dependency has been upgraded to 1.10.8. This upgrade include a security fix for CVE-2020-7595.
Versions Affected
Affects all previous versions of GitLab CE/EE.
Remediation
We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.
Update Pcre2 dependency
The pcre2 dependency has been upgraded to 10.34. This upgrade include a security fix for CVE-2019-20454.
Versions Affected
Affects all previous versions of GitLab CE/EE.
Remediation
We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.
New SSH keys not being added to the authorized_keys
file
A bug in GitLab 12.9.0 prevented new SSH keys from being added to the Git user’s authorized_keys
file, effectively breaking Git-over-SSH operations for new users. See issue #212178 for full details.
Versions Affected
Affects GitLab 12.9.0 only.
Remediation
Upgrade to GitLab 12.9.1 or later.
Updating
To update GitLab, see the update page.
Receive Security Release Notifications
To receive security release blog notifications delivered to your inbox, visit our contact us page. To receive security release blog notifications via RSS, subscribe to our RSS feed.