SB2023020119 - Multiple vulnerabilities in GitLab Community Edition (CE) and Enterprise Edition (EE)

Description

This security bulletin contains information about 4 secuirty vulnerabilities.

1) Input validation error (CVE-ID: CVE-2022-3411)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input. A remote user can create a large Issue description via GraphQL and perform a denial of service (DoS) attack.

2) Cross-site request forgery (CVE-ID: CVE-2022-4138)

The vulnerability allows a remote attacker to perform cross-site request forgery attacks.

The vulnerability exists due to insufficient validation of the HTTP request origin. A remote user can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.

3) Input validation error (CVE-ID: CVE-2022-3759)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input. A remote user can upload a specially crafted CI job artifact zip file in a project that uses dynamic child pipelines and perform a denial of service (DoS) attack.

4) Input validation error (CVE-ID: CVE-2023-0518)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input. A remote user can upload a specially crafted Helm chart and perform a denial of service (DoS) attack.

Remediation

Install update from vendor's website.

References

• https://about.gitlab.com/releases/2023/01/31/security-release-gitlab-15-8-1-released/