SB2021030910 - Multiple vulnerabilities in GitLab
Published: March 9, 2021
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 4 secuirty vulnerabilities.
1) Path traversal (CVE-ID: N/A)
The vulnerability allows a remote user to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing directory traversal sequences in GitLab Workhors. A remote user can send a specially crafted HTTP request and obtain JWT tokens of other users.
2) Cleartext storage of sensitive information (CVE-ID: N/A)
The vulnerability allows a local user to gain access to sensitive information.
The vulnerability exists due to marshalled session keys are stored in Redis. A local user can read the Redis database and obtain session keys.
3) Stored cross-site scripting (CVE-ID: CVE-2021-22185)
The disclosed vulnerability allows a remote user to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in wiki pages. A remote user can inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
4) Authorization bypass through user-controlled key (CVE-ID: CVE-2021-22186)
The vulnerability allows a remote user to gain access to otherwise restricted functionality.
The vulnerability exists due to incorrect permission checks in the API. A remote authenticated user with privileges of a group maintainer can modify group CI/CD variables, which should be restricted to group owners.
Remediation
Install update from vendor's website.