SB2022072918 - Multiple vulnerabilities in GitLab Community Edition (CE) and Enterprise Edition (EE)
Published: July 29, 2022
Description
This security bulletin contains information about 16 security vulnerabilities.
1) Information disclosure (CVE-ID: CVE-2022-2512)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists because membership changes are not reflected in the TODO items generated for confidential notes. A remote user whose membership has changed can still read updates to those notes through previously generated TODOs.
2) Improper access control (CVE-ID: CVE-2022-2498)
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions in pipeline subscriptions. A remote user can trigger new pipelines that are attributed to the person who created the tag as the pipeline creator, instead of to the author of the subscription.
3) Improper access control (CVE-ID: CVE-2022-2326)
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions. A remote user can gain access to a private project through an email invite by adding another user's email address to their own account as an unverified secondary email and accepting the invite sent to that address.
4) Input validation error (CVE-ID: CVE-2022-2417)
The vulnerability allows a remote user to carry out a supply chain attack against consumers of a repository.
The vulnerability exists due to insufficient validation of user-supplied input. A remote user can import a project that includes branch names consisting of 40 hexadecimal characters, i.e. names that look like full Git commit IDs. Because Git resolves a name that is both a branch and a full commit ID in favour of the branch in commands such as git checkout, this can be abused against a victim who has pinned a dependency to a specific Git commit of the project: the branch tip is served instead of the pinned commit.
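Added example (not code from the bulletin or from GitLab): a Python script that builds a throw-away repository to show the mechanism. It creates a trusted commit, then a branch whose name is that commit's full 40-character SHA but whose tip is a different, malicious commit; a consumer that runs git checkout with the pinned SHA is switched to the branch, because Git prefers an existing branch of that name over the commit. The script also shows two checks that catch this: comparing git rev-parse HEAD against the pin after checkout, and listing branch names that look like commit IDs (the kind of name an import filter should reject). The repository contents, file names and helper names are constructed for the example; git must be on PATH.

```python
"""Demonstration of a branch name shadowing a pinned commit (constructed example)."""
import os
import re
import subprocess
import tempfile

# Hypothetical identity used only for the throw-away repository.
GIT_ENV = {
    **os.environ,
    "GIT_AUTHOR_NAME": "demo", "GIT_AUTHOR_EMAIL": "demo@example.invalid",
    "GIT_COMMITTER_NAME": "demo", "GIT_COMMITTER_EMAIL": "demo@example.invalid",
}
SHA_LIKE = re.compile(r"^[0-9a-f]{40}$")  # full SHA-1 object name


def git(repo, *args):
    """Run git inside `repo`, return stripped stdout, raise on failure."""
    cmd = ["git", "-c", "core.warnAmbiguousRefs=false",
           "-c", "advice.objectNameWarning=false", "-c", "commit.gpgsign=false", *args]
    return subprocess.run(cmd, cwd=repo, env=GIT_ENV, check=True,
                          capture_output=True, text=True).stdout.strip()


def make_repo(path):
    """Trusted commit on the default branch; malicious commit reachable only from a
    branch whose NAME is the trusted commit's SHA. Returns the trusted SHA."""
    os.makedirs(path, exist_ok=True)
    git(path, "init", "-q")
    with open(os.path.join(path, "lib.txt"), "w") as f:
        f.write("safe\n")
    git(path, "add", "lib.txt")
    git(path, "commit", "-q", "-m", "trusted release")
    trusted = git(path, "rev-parse", "HEAD")
    base = git(path, "symbolic-ref", "--short", "HEAD")
    git(path, "checkout", "-q", "-b", "attacker-work")
    with open(os.path.join(path, "lib.txt"), "w") as f:
        f.write("backdoor\n")
    git(path, "commit", "-q", "-am", "malicious change")
    # The shadowing ref: refs/heads/<trusted sha> points at the malicious commit.
    git(path, "update-ref", f"refs/heads/{trusted}", "HEAD")
    git(path, "checkout", "-q", base)
    return trusted


def naive_pinned_checkout(repo, sha):
    """What many consumers run: `git checkout <sha>`. Git switches to the branch
    of that name if one exists. Returns the content actually checked out."""
    git(repo, "checkout", "-q", sha)
    with open(os.path.join(repo, "lib.txt")) as f:
        return f.read().strip()


def verified_pinned_checkout(repo, sha):
    """Checkout, then insist HEAD is the commit that was pinned. Returns (ok, head)."""
    git(repo, "checkout", "-q", sha)
    head = git(repo, "rev-parse", "HEAD")
    return head == sha, head


def sha_like_branches(repo):
    """Server-side style check: branch names that look like full commit IDs."""
    refs = git(repo, "for-each-ref", "--format=%(refname)", "refs/heads/")
    names = [r[len("refs/heads/"):] for r in refs.splitlines()]
    return [n for n in names if SHA_LIKE.match(n)]


def demo():
    """Run the whole scenario in a temporary directory and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        repo = os.path.join(tmp, "dep")
        trusted = make_repo(repo)
        served = naive_pinned_checkout(repo, trusted)
        ok, head = verified_pinned_checkout(repo, trusted)
        return {"trusted": trusted, "served_content": served, "verified_ok": ok,
                "head_after_checkout": head, "sha_like_branches": sha_like_branches(repo)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The post-checkout comparison is the check a consumer's build script should always make after pinning by commit; the branch-name scan is the check a server-side import or push filter should make, since a name of 40 hex characters has no legitimate use as a branch.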
5) Improper access control (CVE-ID: CVE-2022-2501)
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions. A remote attacker can bypass IP allow-listing and download artifacts.
6) Improper access control (CVE-ID: CVE-2022-2497)
The vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions. A remote administrator can exfiltrate an integration's access token by modifying the integration URL so that authenticated requests are sent to an attacker-controlled server.
7) Path traversal (CVE-ID: CVE-2022-2531)
The vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to an input validation error when processing directory traversal sequences. A remote attacker can send a specially crafted HTTP request and read arbitrary files on the system.
8) Information disclosure (CVE-ID: CVE-2022-2539)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output by the application. A remote attacker can filter issues by contact and organization, exposing associations that should not be visible to them.
9) Information disclosure (CVE-ID: CVE-2022-2456)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output by the application. A remote administrator can send a specially crafted POST request and change the visibility of their group or project.
10) Stored cross-site scripting (CVE-ID: CVE-2022-2500)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in job error messages. A remote user can inject and execute arbitrary HTML and script code in a victim's browser in the context of the vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
11) Improper Authentication (CVE-ID: CVE-2022-2303)
The vulnerability allows a remote attacker to bypass authentication process.
The vulnerability exists due to an error when processing authentication requests. A remote user who is subject to 2FA enforcement enabled at the group level can bypass it by using the OAuth 2.0 Resource Owner Password Credentials grant to obtain an access token with a username and password alone, without completing 2FA.
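Added example (not GitLab's code): a minimal Python model of an OAuth 2.0 token endpoint's Resource Owner Password Credentials grant. vulnerable_password_grant issues a token on a correct password alone, which is the bypass described above; fixed_password_grant consults the user's group-level 2FA requirement and demands a valid TOTP code, or refuses entirely if the user never enrolled. The users, groups, secrets, salt and the otp parameter name are constructed for the example; the TOTP routine follows RFC 6238 with HMAC-SHA1 and 30-second steps.

```python
"""Password (ROPC) grant with and without the group-level 2FA check (constructed example)."""
import hashlib
import hmac
import secrets
import struct


class TokenError(Exception):
    """Token endpoint error; str(e) is the OAuth `error` value returned to the client."""


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP code (HMAC-SHA1) for Unix time `at`."""
    msg = struct.pack(">Q", at // step)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed directory: a fixed salt and three users; alice enrolled in 2FA,
# carol never did, bob is in a group that does not enforce it.
SALT = b"constructed-salt"
ALICE_OTP_SECRET = b"alice-otp-secret-demo"
USERS = {
    "alice": {"pw": _pw_hash("alice-pw", SALT), "otp_secret": ALICE_OTP_SECRET},
    "carol": {"pw": _pw_hash("carol-pw", SALT), "otp_secret": None},
    "bob":   {"pw": _pw_hash("bob-pw", SALT),   "otp_secret": None},
}
GROUPS = {
    "finance": {"require_2fa": True,  "members": {"alice", "carol"}},
    "docs":    {"require_2fa": False, "members": {"bob"}},
}


def two_factor_required(username: str) -> bool:
    """2FA is mandatory if the user enrolled or any of their groups enforces it."""
    enrolled = USERS[username]["otp_secret"] is not None
    enforced = any(g["require_2fa"] and username in g["members"] for g in GROUPS.values())
    return enrolled or enforced


def _check_password(username: str, password: str) -> dict:
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(user["pw"], _pw_hash(password, SALT)):
        raise TokenError("invalid_grant")
    return user


def vulnerable_password_grant(username, password, otp=None, now=0) -> str:
    """Flawed pattern: only the password is checked, so group-enforced 2FA is never
    consulted and the user receives a bearer token without a second factor."""
    _check_password(username, password)
    return secrets.token_urlsafe(32)


def fixed_password_grant(username, password, otp=None, now=0) -> str:
    """Hardened: the grant is refused unless the 2FA requirement is satisfied."""
    user = _check_password(username, password)
    if two_factor_required(username):
        if user["otp_secret"] is None:
            raise TokenError("two_factor_enrolment_required")
        if otp is None:
            raise TokenError("otp_required")
        # Accept the current step and one step either side to tolerate clock drift.
        valid = any(hmac.compare_digest(totp(user["otp_secret"], now + d), otp)
                    for d in (-30, 0, 30))
        if not valid:
            raise TokenError("invalid_otp")
    return secrets.token_urlsafe(32)


def outcome(grant, *args, **kwargs) -> str:
    """Map a grant attempt to 'granted' or the OAuth error name."""
    try:
        grant(*args, **kwargs)
        return "granted"
    except TokenError as e:
        return str(e)


if __name__ == "__main__":
    now = 1_700_000_000
    print("vulnerable, carol (2FA enforced, never enrolled):",
          outcome(vulnerable_password_grant, "carol", "carol-pw"))
    print("fixed, carol:", outcome(fixed_password_grant, "carol", "carol-pw"))
    print("fixed, alice with code:", outcome(fixed_password_grant, "alice", "alice-pw",
                                             otp=totp(ALICE_OTP_SECRET, now), now=now))
```

The point of the model is where the check lives: a 2FA requirement enforced only in the interactive login flow is not enforced at all once a non-interactive grant type hands out the same tokens, so every token-issuing path has to evaluate the same requirement.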
12) Improper access control (CVE-ID: CVE-2022-2095)
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions. A remote user can view the name and public fingerprint of a public project's deploy key when that key has write permission.
13) Information disclosure (CVE-ID: CVE-2022-2499)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to an insecure direct object reference (IDOR) issue in projects with the Jira integration. A remote user can retrieve Jira issues they are not authorized to view.
14) Input validation error (CVE-ID: CVE-2022-2307)
The vulnerability allows a group access token to remain usable after the group has been deleted.
The vulnerability exists due to a lack of cascading deletes. A remote administrator can retain a usable Group Access Token even after the Group is deleted, although the APIs that token can call are limited.
15) Improper access control (CVE-ID: CVE-2022-2459)
The vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists because members invited by email can still join a project after the Group Owner has enabled the setting that prevents members from being added to projects in the group, if the invite was sent before the setting was enabled.
16) Data Handling (CVE-ID: CVE-2022-2534)
The vulnerability allows a remote administrator to gain access to potentially sensitive information.
The vulnerability exists due to improper data handling in the Datadog integration. A remote administrator can gain access to sensitive information on the target system.
Remediation
Install the update from the vendor's website.