SB2020080615 - Multiple vulnerabilities in GitLab Community Edition and Enterprise Edition
Published: August 6, 2020 Updated: August 10, 2020
Description
This security bulletin contains information about 13 security vulnerabilities.
1) Memory leak (CVE-ID: CVE-2020-13280)
The vulnerability allows a remote attacker to perform a denial-of-service (DoS) attack on the target system.
The vulnerability exists due to a memory leak caused by excessive logging of invite email errors. A remote attacker can force the application to leak memory and perform a denial-of-service attack.
2) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2020-13286)
The disclosed vulnerability allows a remote attacker to perform SSRF attacks.
The vulnerability exists because the git "http.<url>.proxy" setting could be changed when importing a repository via URL. A remote attacker can send a specially crafted HTTP request and trick the application into initiating requests to arbitrary systems.
Successful exploitation of this vulnerability may allow a remote attacker to gain access to sensitive data located in the local network or to send malicious requests to other servers from the vulnerable system.
3) Input validation error (CVE-ID: CVE-2020-13281)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input within the project import feature. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.
4) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2020-13295)
The disclosed vulnerability allows a remote attacker to perform SSRF attacks.
The vulnerability exists due to insufficient validation of user-supplied input in the Shared Runner. A remote attacker can send a specially crafted HTTP request and trick the application into initiating requests to arbitrary systems.
Successful exploitation of this vulnerability may allow a remote attacker to gain access to sensitive data located in the local network or to send malicious requests to other servers from the vulnerable system.
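Both SSRF entries above (the repository import via URL and the Shared Runner) come down to the server fetching a user-controlled URL without checking where it points. The following is an added example, not GitLab code, of the egress check a practitioner would put in front of such a fetch: it allows only expected schemes, rejects embedded credentials, resolves the host, and refuses any answer that lands on a loopback, private, link-local (including the 169.254.169.254 cloud metadata endpoint), multicast, reserved or unspecified address. The resolver is injected so the check runs offline; `FAKE_DNS` and the hostnames in it are constructed for the demo.

```python
import ipaddress
from urllib.parse import urlsplit

# Schemes a repository import is allowed to use (assumption for this example).
ALLOWED_SCHEMES = {"http", "https", "git"}


def is_internal_address(ip_text):
    """True if an outbound request to this address must not be made: loopback,
    RFC 1918 / ULA private ranges, link-local (covers 169.254.169.254),
    multicast, reserved and unspecified addresses."""
    addr = ipaddress.ip_address(ip_text)
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def validate_import_url(url, resolve):
    """Return (ok, reason) for a user-supplied import URL.

    `resolve(hostname)` must return the list of IP strings the name resolves
    to. It is injected so the check is testable without network access and so
    the caller can pin the validated addresses for the real connection."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed: %r" % parts.scheme
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials embedded in URL"
    # A literal address needs no lookup; urlsplit already strips [] from IPv6.
    try:
        ips = [str(ipaddress.ip_address(host))]
    except ValueError:
        ips = resolve(host)
    if not ips:
        return False, "host does not resolve"
    # Every answer must be acceptable: a name with one public and one private
    # record is the classic DNS-rebinding / split-horizon trick.
    for ip in ips:
        if is_internal_address(ip):
            return False, "host resolves to internal address %s" % ip
    return True, "ok"


# Constructed DNS answers for the demo (not real records).
FAKE_DNS = {
    "git.example.com": ["8.8.8.8"],                 # plain public answer
    "metadata.internal": ["169.254.169.254"],       # cloud metadata endpoint
    "rebind.example.net": ["1.1.1.1", "10.0.0.5"],  # public + private answer
    "localhost": ["127.0.0.1"],
}


def demo_resolver(name):
    """Stand-in for a DNS lookup; returns [] for unknown names."""
    return FAKE_DNS.get(name.lower(), [])


if __name__ == "__main__":
    samples = [
        "https://git.example.com/group/repo.git",
        "http://metadata.internal/latest/meta-data/",
        "http://rebind.example.net/repo.git",
        "http://127.0.0.1:8080/repo.git",
        "http://[::1]/repo.git",
        "file:///etc/passwd",
        "https://user:token@git.example.com/repo.git",
    ]
    for u in samples:
        print(u, "->", validate_import_url(u, demo_resolver))
```

Validating the name and then letting git or an HTTP client resolve it again leaves a time-of-check/time-of-use window; the connection should be made to the addresses this check approved (or the lookup repeated at connect time with the same filter). For the import case, the fetch must also run with a clean git configuration so that a proxy or other `http.*` override cannot redirect the request after the URL has passed this check.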
5) Improper access control (CVE-ID: CVE-2020-13290)
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions. A remote user who has not set up two-factor authentication can still access the "/profile/applications" page even when two-factor authentication is required.
6) Stored cross-site scripting (CVE-ID: CVE-2020-13288)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in the CI/CD Jobs page. A remote attacker can inject and execute arbitrary HTML and script code in a user's browser in the context of the vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
7) Improper access control (CVE-ID: CVE-2020-13294)
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists because access grants were not revoked when a user revoked access to an application. A remote authenticated attacker can bypass the implemented security restrictions and gain unauthorized access to the application.
8) Improper access control (CVE-ID: CVE-2020-13291)
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions in project sharing. A remote attacker can bypass the implemented security restrictions and gain unauthorized access to the application.
9) Input validation error (CVE-ID: CVE-2020-13293)
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to confusion when hexadecimal branch names are used. A remote attacker can create a branch with a hexadecimal name and override an existing hash.
10) Improper Authentication (CVE-ID: CVE-2020-13292)
The vulnerability allows a remote attacker to bypass authentication process.
The vulnerability exists due to an error in the required email verification step of the OAuth authorization code flow. A remote attacker can bypass the authentication process and gain unauthorized access to the application.
11) Improper access control (CVE-ID: CVE-2020-13282)
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions after a group transfer. A remote authenticated attacker can silently and unexpectedly retain their access level when a subgroup is transferred.
12) Stored cross-site scripting (CVE-ID: CVE-2020-13283)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in the milestone title field. A remote attacker can inject and execute arbitrary HTML and script code in a user's browser in the context of the vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
13) Stored cross-site scripting (CVE-ID: CVE-2020-13285)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in the tooltip for issue reference numbers. A remote attacker can inject and execute arbitrary HTML and script code in a user's browser in the context of the vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
Remediation
Install the updates from the vendor's website.