SB2022070111 - Multiple vulnerabilities in GitLab Community Edition (CE) and Enterprise Edition (EE)
Published: July 1, 2022 Updated: July 30, 2022
Description
This security bulletin contains information about 16 security vulnerabilities.
1) Improper Authorization (CVE-ID: CVE-2022-2244)
The vulnerability allows a remote attacker to bypass authorization checks.
The vulnerability exists due to improper authorization. A remote user can manage issues in a project's error tracking feature.
2) Improper access control (CVE-ID: CVE-2022-2227)
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions in the runner jobs API. A remote user can access job and project metadata under certain conditions.
3) Input validation error (CVE-ID: CVE-2022-1999)
The vulnerability allows a remote attacker to modify data on the target system.
The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can change a label's description.
4) Open redirect (CVE-ID: CVE-2022-2250)
The vulnerability allows a remote attacker to redirect victims to an arbitrary URL.
The vulnerability exists due to improper sanitization of user-supplied data. A remote attacker can create a link that appears to lead to a trusted website but, when clicked, redirects the victim to an arbitrary domain.
Successful exploitation of this vulnerability may allow a remote attacker to perform a phishing attack and steal potentially sensitive information.
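The defence against the open redirect class described above is to validate the user-supplied redirect target against the application's own origin before issuing the redirect. The following is an added example written for this bulletin, not GitLab's code: a validator that accepts only absolute paths on the same site or absolute URLs whose host equals a trusted host (assumed here to be gitlab.example), and otherwise falls back to a fixed landing page. The rejected shapes (protocol-relative and backslash prefixes, a scheme without a host, non-http(s) schemes, userinfo in the authority) are the common bypasses for naive "starts with /" checks.

```ruby
require "uri"

# Added example (not GitLab's code): choose a safe redirect target from a
# user-supplied "return to" value. Anything that is not provably same-site
# is replaced by FALLBACK.
module SafeRedirect
  FALLBACK = "/".freeze

  # candidate:    the untrusted value (e.g. a return_to query parameter)
  # trusted_host: the host the application is served from (an assumption
  #               of this example; GitLab would use its configured host)
  def self.target(candidate, trusted_host)
    return FALLBACK if candidate.nil? || candidate.strip.empty?

    raw = candidate.strip

    # Browsers treat "//evil.example" and "/\evil.example" as external
    # (scheme-relative) URLs even though they begin with "/", so reject them
    # before any parsing happens.
    return FALLBACK if raw.start_with?("//", "/\\", "\\")

    # Control characters and newlines can split headers or confuse parsers.
    return FALLBACK if raw.match?(/[\x00-\x1f\x7f]/)

    uri = begin
      URI.parse(raw)
    rescue URI::InvalidURIError
      return FALLBACK
    end

    if uri.scheme.nil?
      # A relative reference is only accepted as an absolute path on this
      # site ("/projects/1"); bare "foo" or "?x=1" are ambiguous and dropped.
      return FALLBACK unless uri.path.start_with?("/")
      return raw
    end

    # Absolute URL: only http(s), and the host must be present and match.
    # "https:/evil.example" parses with no host but a browser would still
    # navigate off-site, so a missing host is rejected here.
    return FALLBACK unless %w[http https].include?(uri.scheme.downcase)
    return FALLBACK if uri.host.nil? || !uri.host.casecmp?(trusted_host)

    # "https://trusted@evil.example/" puts the trusted name in userinfo,
    # not the host; any userinfo is a red flag for redirect targets.
    return FALLBACK unless uri.userinfo.nil?

    raw
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs, not values taken from the advisory.
  [
    "/projects/1",
    "//evil.example/x",
    "https://gitlab.example/p",
    "https://evil.example/",
    "https:/evil.example",
    "javascript:alert(1)",
    "https://gitlab.example@evil.example/",
  ].each { |c| puts "#{c.inspect} -> #{SafeRedirect.target(c, 'gitlab.example')}" }
end
```

The check deliberately compares the host only; if the deployment serves several ports or subdomains, extend the comparison to the full origin rather than loosening it to a suffix match, since suffix matching ("ends with gitlab.example") is itself a well-known bypass (notgitlab.example).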
5) Information disclosure (CVE-ID: CVE-2022-2270)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to incorrect permissions verification. A remote user can gain read access to Conan package names.
6) Input validation error (CVE-ID: CVE-2022-1954)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input. A remote user can send specially crafted web server response headers and perform a denial of service (DoS) attack.
7) Improper access control (CVE-ID: CVE-2022-2243)
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions. A remote user can bypass implemented security restrictions and enumerate issues in non-linked Sentry projects.
8) Command Injection (CVE-ID: CVE-2022-2185)
The vulnerability allows a remote attacker to execute arbitrary commands on the target system.
The vulnerability exists due to improper input validation within project imports. A remote user can pass specially crafted data to the application and execute arbitrary commands on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
9) Improper access control (CVE-ID: CVE-2022-1981)
The vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions. A remote administrator can use the "Invite a group" feature to invite a group whose members do not comply with the domain allow-list.
10) Information disclosure (CVE-ID: CVE-2022-2228)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output by the application. A remote attacker can obtain CI variables in a group that uses IP-based access restrictions even when the GitLab Runner is calling from outside the allowed IP range.
11) Information disclosure (CVE-ID: CVE-2022-1963)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output by the application. A remote attacker can determine from the HTML source whether a user has enabled two-factor authentication on their account.
12) Improper Authorization (CVE-ID: CVE-2022-1983)
The vulnerability allows a remote user to bypass authorization checks.
The vulnerability exists due to improper authorization. A remote administrator can access Container Registries even when IP address restrictions were configured.
13) Improper Authorization (CVE-ID: CVE-2022-2229)
The vulnerability allows a remote attacker to bypass authorization checks.
The vulnerability exists due to improper authorization. A remote attacker can extract the value of an unprotected variable whose name they know in public projects or in private projects of which they are a member.
14) Stored cross-site scripting (CVE-ID: CVE-2022-2230)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data on the project settings page. A remote user can inject and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
15) Cross-site scripting (CVE-ID: CVE-2022-2235)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in the ZenTao integration. A remote user can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
16) Information disclosure (CVE-ID: CVE-2022-2281)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output by the application. A remote user can disclose release titles if group milestones are associated with any project releases.
Remediation
Install the update from the vendor's website.