SB2020041448 - Multiple vulnerabilities in GitLab Community Edition (CE) and Enterprise Edition (EE)

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) HTTP Request Smuggling (CVE-ID: CVE-2020-11505)

The vulnerability allows a remote attacker to perform HTTP request smuggling attack.

The vulnerability exists due to a particular header can be used to override restriction and results in GitLab Workhorse disclosing NuGet packages and files in the "/tmp" directory. A remote attacker can send a specially crafted HTTP request to the application, perform a request smuggling attack and gain access to sensitive information on the target system.

2) HTTP Request Smuggling (CVE-ID: CVE-2020-11506)

The vulnerability allows a remote attacker to perform HTTP request smuggling attack.

The vulnerability exists due to a particular header can be used to override restrictions and results in GitLab Workhorse disclosing job artifact uploads and files in the "/tmp" directory. A remote attacker can send a specially crafted HTTP request to the application, perform a request smuggling attack and gain access to sensitive information on the target system.

3) Improper access control (CVE-ID: CVE-2020-11649)

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions. A remote members of a group can still have access after the group is deleted.

Remediation

Install update from vendor's website.

References

• https://about.gitlab.com/blog/categories/releases/
• https://about.gitlab.com/releases/2020/04/14/critical-security-release-gitlab-12-dot-9-dot-3-released/