SB2019112808 - Multiple vulnerabilities in GitLab Community and Enterprise Edition
Published: November 28, 2019 Updated: December 3, 2019
Description
This security bulletin contains information about 18 security vulnerabilities.
1) Information disclosure (CVE-ID: CVE-2019-18460)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to improper access control in the Comments Search feature provided by the Elasticsearch integration. A remote attacker can use the search to retrieve comments they are not authorized to view.
2) Incorrect permission assignment for critical resource (CVE-ID: CVE-2019-18452)
The vulnerability allows a remote attacker to gain access to potentially sensitive information on the target system.
The vulnerability exists due to insecure permissions when an issue is moved from a private project to a public one. A remote attacker can retrieve the private project's labels and namespace through the GitLab API.
3) Open redirect (CVE-ID: CVE-2019-18451)
The vulnerability allows a remote attacker to redirect victims to an arbitrary URL.
The vulnerability exists due to insufficient validation of the redirect target in the InternalRedirect filter. A remote attacker can craft a link that appears to point to the trusted GitLab host but, when followed, redirects the victim to an arbitrary domain.
Successful exploitation of this vulnerability may allow a remote attacker to perform a phishing attack and steal potentially sensitive information.
4) Incorrect permission assignment for critical resource (CVE-ID: CVE-2019-18450)
The vulnerability allows a remote attacker to gain access to potentially sensitive information on the target system.
The vulnerability exists due to insecure permissions in the project labels feature. A remote authenticated attacker can read project labels through the GitLab API without the required permissions.
5) Information disclosure (CVE-ID: CVE-2019-18448)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to improper access restrictions. A remote authenticated attacker can enumerate candidate names and confirm whether a private repository exists.
6) Infinite loop (CVE-ID: CVE-2019-18455)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to an infinite loop when building nested GraphQL queries. A remote attacker can submit a crafted, deeply nested query that consumes all available system resources and causes a denial of service.
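The generic guard against this class of bug is to bound query nesting before the document reaches the query builder. The following is an added illustration, not GitLab's code or the fix GitLab shipped: it counts selection-set depth by walking the braces of the raw query text (a real server does this on the parsed AST; graphql-ruby exposes it as a max_depth option) and rejects documents deeper than an assumed limit. The MAX_QUERY_DEPTH value and the nested_query helper that fabricates an attacker-style document are assumptions for the example.

```ruby
# Illustrative example (not GitLab's code): reject GraphQL documents whose
# selection sets nest deeper than a fixed limit, before execution begins.

MAX_QUERY_DEPTH = 10 # assumed limit; tune per schema

# Removes string literals and comments so braces inside them are not counted.
def strip_literals(query)
  query.gsub(/"(?:\\.|[^"\\])*"/, '""').gsub(/#.*$/, '')
end

# Returns the maximum selection-set nesting depth of the query text.
# Raises ArgumentError when the braces are unbalanced (malformed document).
def graphql_depth(query)
  depth = 0
  max = 0
  strip_literals(query).each_char do |c|
    case c
    when '{'
      depth += 1
      max = depth if depth > max
    when '}'
      depth -= 1
      raise ArgumentError, 'unbalanced selection set' if depth < 0
    end
  end
  raise ArgumentError, 'unbalanced selection set' unless depth.zero?
  max
end

# Builds a query nested n levels deep, the shape an attacker would send.
# Constructed test input, not a real GitLab query.
def nested_query(n)
  '{ ' + ('project { ' * n) + 'id' + (' }' * n) + ' }'
end

# Gate applied by the request layer before the query is handed to the executor.
# Malformed documents are rejected as well, rather than being passed on.
def accept_query?(query, max_depth: MAX_QUERY_DEPTH)
  graphql_depth(query) <= max_depth
rescue ArgumentError
  false
end

if $PROGRAM_NAME == __FILE__
  puts "depth of 5-level query: #{graphql_depth(nested_query(5))}"
  puts "accept 5-level query:  #{accept_query?(nested_query(5))}"
  puts "accept 50-level query: #{accept_query?(nested_query(50))}"
end
```

A depth limit alone does not cap total work (a shallow query can still fan out widely), so production servers pair it with a complexity budget; the depth check is the part that directly addresses unbounded recursion in the builder.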
7) Improper Authorization (CVE-ID: CVE-2019-18457)
The vulnerability allows an attacker to bypass authorization checks.
The vulnerability exists due to improper authorization checks in the handling of Sentry tokens. A demoted user retains the access granted through those tokens.
8) Improper Authorization (CVE-ID: CVE-2019-18458)
The vulnerability allows an attacker to bypass authorization checks.
The vulnerability exists due to missing authorization checks in the feature for transferring a project to another group. A remote user with only Developer rights can transfer projects.
9) Stored cross-site scripting (CVE-ID: CVE-2019-18454)
The vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in link validation for RDoc wiki pages. A remote attacker can store a crafted link in a wiki page and execute arbitrary HTML and script code in the browser of any user who views it, in the context of the vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
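Items 3 and 9 are both failures to validate a user-controlled URL, but the right check differs: a redirect target must stay on the same site, whereas a link in rendered markup may point anywhere as long as its scheme cannot execute script. The following is an added example in Ruby, not GitLab's code and not its fix for either issue: it parses each value with URI before deciding, because prefix tests such as start_with?('/') are exactly what lets protocol-relative (//host) and backslash (/\host) forms through. The ALLOWED_LINK_SCHEMES list and both function names are assumptions for the example.

```ruby
require 'uri'

# Illustrative example (not GitLab's code). Two checks for user-controlled URLs:
#   safe_redirect_target?  accepts only same-site paths for a "return to" redirect
#   safe_link_href?        accepts only allowlisted schemes for links in rendered markup

ALLOWED_LINK_SCHEMES = %w[http https mailto].freeze # assumed allowlist

# True only for an absolute path on this host: no scheme, no authority, no
# "//" or "/\" prefix, no control characters that could smuggle a header.
def safe_redirect_target?(target)
  return false if target.nil? || target.empty?
  return false if target.match?(/[\x00-\x1f\\]/) # control chars and backslash tricks
  uri = URI.parse(target)
  return false unless uri.scheme.nil? && uri.host.nil? && uri.userinfo.nil?
  # URI.parse already treats "//host" as an authority; the second test is belt and braces.
  uri.path.start_with?('/') && !uri.path.start_with?('//')
rescue URI::InvalidURIError
  false
end

# True for relative links and for absolute links whose scheme is allowlisted.
# Whitespace and control characters are stripped first because browsers
# tolerate them inside "javascript:" and a naive scheme test would miss them.
def safe_link_href?(href)
  return false if href.nil?
  cleaned = href.gsub(/[\x00-\x20]/, '')
  uri = URI.parse(cleaned)
  return true if uri.scheme.nil? # relative link, stays on this site
  ALLOWED_LINK_SCHEMES.include?(uri.scheme.downcase)
rescue URI::InvalidURIError
  false
end

if $PROGRAM_NAME == __FILE__
  # Constructed probe values, labelled by the decision a correct check makes.
  ['/dashboard/projects', '//evil.test/', '/\\evil.test', 'https://evil.test/'].each do |t|
    puts format('redirect %-22s -> %s', t, safe_redirect_target?(t))
  end
  ['https://gitlab.example/', 'javascript:alert(1)', "java\tscript:alert(1)"].each do |h|
    puts format('href     %-22s -> %s', h.inspect, safe_link_href?(h))
  end
end
```

For the redirect case the safest design keeps the target on the server side (a signed or session-bound identifier) so that no user-supplied URL is ever followed; the validator above is for the common case where a path must be accepted from the request.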
10) Improper Authorization (CVE-ID: CVE-2019-18459)
The vulnerability allows an attacker to bypass authorization checks.
The vulnerability exists due to improper authorization checks in the protected environments feature. A remote user retains access to a protected environment after having been removed from it.
11) Improper access control (CVE-ID: CVE-2019-18461)
The vulnerability allows a remote attacker to gain unauthorized access to sensitive information.
The vulnerability exists due to improper access restrictions. When an epic from a private subgroup is added to a public group, a remote attacker can learn the private subgroup's path.
12) Information disclosure (CVE-ID: CVE-2019-18463)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to insecure permissions. A remote user without the required authorization can list the packages of a group.
13) Information disclosure (CVE-ID: CVE-2019-18462)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to insecure permissions. A remote user without the required authorization can confirm the name of a private repository.
14) Information disclosure (CVE-ID: CVE-2019-18449)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to insecure permissions in the autocomplete feature. A remote user without the required authorization can read the membership of private groups through autocomplete.
15) Incorrect permission assignment for critical resource (CVE-ID: CVE-2019-18447)
The vulnerability allows a remote attacker to gain access to potentially sensitive information on the target system.
The vulnerability exists due to insecure permissions. A remote authenticated attacker can view the members of a private group.
16) Incorrect permission assignment for critical resource (CVE-ID: CVE-2019-18446)
The vulnerability allows a remote attacker to gain access to otherwise restricted functionality.
The vulnerability exists due to insecure permissions. A remote authenticated attacker can delete the source branch of a merge request without the required permissions.
17) Improper access control (CVE-ID: CVE-2019-18453)
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions. A demoted user can bypass the restriction and still add comments by email.
18) Information disclosure (CVE-ID: CVE-2019-18456)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to insecure permissions in the Search feature provided by the Elasticsearch integration. A remote attacker can use search to read private comments in restricted groups.
Remediation
Install the updated GitLab release from the vendor's website.