Multiple vulnerabilities in GitLab Community Edition and Enterprise Edition

1) Memory leak

EUVDB-ID: #VU34099

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2020-13280

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform DoS attack on the target system.

The vulnerability exists due memory leak via excessive logging of invite email error. A remote attacker can force the application to leak memory and perform denial of service attack.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Gitlab Community Edition: 13.0.0 - 13.2.2

GitLab Enterprise Edition: 13.0.0 - 13.2.2

CPE2.3

External links

http://about.gitlab.com/releases/2020/08/05/gitlab-13-2-3-released/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Server-Side Request Forgery (SSRF)

EUVDB-ID: #VU34115

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2020-13286

CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to perform SSRF attacks.

The vulnerability exists due to the git "http.<url>.proxy" setting could be changed when importing a repository via URL. A remote attacker can send a specially crafted HTTP request and trick the application to initiate requests to arbitrary systems.

Successful exploitation of this vulnerability may allow a remote attacker gain access to sensitive data, located in the local network or send malicious requests to other servers from the vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Gitlab Community Edition: 12.7.0 - 13.2.2

GitLab Enterprise Edition: 12.7.0 - 13.2.2

CPE2.3

External links

http://about.gitlab.com/releases/2020/08/05/gitlab-13-2-3-released/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Input validation error

EUVDB-ID: #VU34114

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2020-13281

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input within the project import feature. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Gitlab Community Edition: 8.9.0 - 13.2.2

GitLab Enterprise Edition: 8.9.0 - 13.2.2

CPE2.3

External links

http://about.gitlab.com/releases/2020/08/05/gitlab-13-2-3-released/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Server-Side Request Forgery (SSRF)

EUVDB-ID: #VU41437

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2020-13295

CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to perform SSRF attacks.

The vulnerability exists due to insufficient validation of user-supplied input in the Shared Runner. A remote attacker can send a specially crafted HTTP request and trick the application to initiate requests to arbitrary systems.

Successful exploitation of this vulnerability may allow a remote attacker gain access to sensitive data, located in the local network or send malicious requests to other servers from the vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Gitlab Community Edition: 0.9.4 - 13.2.2

GitLab Enterprise Edition: 6.2.0 - 13.2.2

CPE2.3

External links

http://about.gitlab.com/releases/2020/08/05/gitlab-13-2-3-released/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Improper access control

EUVDB-ID: #VU41393

Risk: Medium

CVSSv4.0: 6.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2020-13290

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions. A remote user without two-factor authentication set up can still access the "/profile/applications" page even when two-factor authentication is required.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Gitlab Community Edition: 8.4.0 - 13.2.2

GitLab Enterprise Edition: 8.4.0 - 13.2.2

CPE2.3

External links

http://about.gitlab.com/releases/2020/08/05/gitlab-13-2-3-released/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Stored cross-site scripting

EUVDB-ID: #VU41289

Risk: Low

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]

CVE-ID: CVE-2020-13288

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data in the CI/CD Jobs page. A remote attacker can inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Gitlab Community Edition: 13.0.0 - 13.2.2

GitLab Enterprise Edition: 13.0.0 - 13.2.2

CPE2.3

External links

http://about.gitlab.com/releases/2020/08/05/gitlab-13-2-3-released/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Improper access control

EUVDB-ID: #VU41232

Risk: Medium

CVSSv4.0: 6.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2020-13294

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to access grants were not revoked when a user revoked access to an application. A remote authenticated attacker can bypass implemented security restrictions and gain unauthorized access to the application.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Gitlab Community Edition: 7.7.0 - 13.2.2

GitLab Enterprise Edition: 7.7.0 - 13.2.2

CPE2.3

External links

http://about.gitlab.com/releases/2020/08/05/gitlab-13-2-3-released/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Improper access control

EUVDB-ID: #VU41153

Risk: High

CVSSv4.0: 8 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2020-13291

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions within the project sharing. A remote attacker can bypass implemented security restrictions and gain unauthorized access to the application.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Gitlab Community Edition: 13.2.0 - 13.2.2

GitLab Enterprise Edition: 13.2.0 - 13.2.2

CPE2.3

External links

http://about.gitlab.com/releases/2020/08/05/gitlab-13-2-3-released/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Input validation error

EUVDB-ID: #VU41143

Risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2020-13293

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to a confusion when using hexadecimal branch names. A remote attacker can use a branch with a hexadecimal name and override an existing hash.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Gitlab Community Edition: 0.9.4 - 13.2.2

GitLab Enterprise Edition: 6.2.0 - 13.2.2

CPE2.3

External links

http://about.gitlab.com/releases/2020/08/05/gitlab-13-2-3-released/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

10) Improper Authentication

EUVDB-ID: #VU41137

Risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2020-13292

CWE-ID: CWE-287 - Improper Authentication

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to an error in when processing authentication requests within the required email verification for the OAuth authorization code flow. A remote attacker can bypass authentication process and gain unauthorized access to the application.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Gitlab Community Edition: 0.9.4 - 13.2.2

GitLab Enterprise Edition: 6.2.0 - 13.2.2

CPE2.3

External links

http://about.gitlab.com/releases/2020/08/05/gitlab-13-2-3-released/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

11) Improper access control

EUVDB-ID: #VU41132

Risk: Medium

CVSSv4.0: 6.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2020-13282

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions after group transfer. A remote authenticated attacker can silently and unexpectedly maintained their access levels when a subgroup is transferred.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Gitlab Community Edition: 0.9.4 - 13.2.2

GitLab Enterprise Edition: 6.2.0 - 13.2.2

CPE2.3

External links

http://about.gitlab.com/releases/2020/08/05/gitlab-13-2-3-released/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

12) Stored cross-site scripting

EUVDB-ID: #VU41130

Risk: Low

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]

CVE-ID: CVE-2020-13283

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data in the milestone title field. A remote attacker can inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Gitlab Community Edition: 10.8.0 - 13.2.2

GitLab Enterprise Edition: 10.8.0 - 13.2.2

CPE2.3

External links

http://about.gitlab.com/releases/2020/08/05/gitlab-13-2-3-released/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

13) Stored cross-site scripting

EUVDB-ID: #VU41129

Risk: Low

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]

CVE-ID: CVE-2020-13285

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data in the tooltip for issue reference numbers. A remote attacker can inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Gitlab Community Edition: 12.9.0 - 13.2.2

GitLab Enterprise Edition: 12.9.0 - 13.2.2

CPE2.3

External links

http://about.gitlab.com/releases/2020/08/05/gitlab-13-2-3-released/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Risk	High
Patch available	YES
Number of vulnerabilities	13
CVE-ID	CVE-2020-13280 CVE-2020-13286 CVE-2020-13281 CVE-2020-13295 CVE-2020-13290 CVE-2020-13288 CVE-2020-13294 CVE-2020-13291 CVE-2020-13293 CVE-2020-13292 CVE-2020-13282 CVE-2020-13283 CVE-2020-13285
CWE-ID	CWE-401 CWE-918 CWE-20 CWE-284 CWE-79 CWE-287
Exploitation vector	Network
Public exploit	N/A
Vulnerable software	Gitlab Community Edition Universal components / Libraries / Software for developers GitLab Enterprise Edition Universal components / Libraries / Software for developers
Vendor	GitLab, Inc