SB2023033126 - Multiple vulnerabilities in GitLab Community Edition (CE) and Enterprise Edition (EE)

Description

This security bulletin contains information about 16 secuirty vulnerabilities.

1) Open redirect (CVE-ID: CVE-2023-0155)

The vulnerability allows a remote attacker to redirect victims to arbitrary URL.

The vulnerability exists due to improper sanitization of user-supplied data. A remote user can create a link that leads to a trusted website, however, when clicked, redirects the victim to arbitrary domain.

Successful exploitation of this vulnerability may allow a remote attacker to perform a phishing attack and steal potentially sensitive information.

2) Information disclosure (CVE-ID: CVE-2022-3375)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application. A remote user can disclose the branch names when has a fork of a project that was switched to private.

3) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2023-1071)

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to improper permissions checks. A remote user can remove an issue from an epic.

4) Improper access control (CVE-ID: CVE-2023-0450)

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions. A remote user can add a branch with an ambiguous name that could be used to social engineer users.

5) Information disclosure (CVE-ID: CVE-2023-1710)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application. A remote attacker can view the count of internal notes for a given issue.

6) Improper access control (CVE-ID: CVE-2023-1417)

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions. A remote user can add child epics linked to a victim's epic in an unrelated group.

7) Improper Authorization (CVE-ID: CVE-2023-1167)

The vulnerability allows a remote attacker to bypass authorization checks.

The vulnerability exists due to improper authorization. A remote attacker can gain access to security reports in merge requests.

8) Stored cross-site scripting (CVE-ID: CVE-2023-0523)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data when :soft_email_confirmation feature flag is enabled. A remote user can inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

9) Information disclosure (CVE-ID: CVE-2023-0838)

The vulnerability allows a remote user to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application. A remote administrator can leak masked webhook secrets by adding a new parameter to the webhook URL.

10) Command Injection (CVE-ID: CVE-2023-1708)

The vulnerability allows a remote attacker to execute arbitrary commands on the target system.

The vulnerability exists due to non-printable characters are copied from clipboard. A remote user can pass specially crafted data to the application and execute arbitrary commands on the target system.

11) Information disclosure (CVE-ID: CVE-2023-0319)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application. A remote attacker can view environment names from public projects limited to project members only.

12) Resource exhaustion (CVE-ID: CVE-2023-1733)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources in the Prometheus server. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.

13) Information disclosure (CVE-ID: CVE-2023-1098)

The vulnerability allows a remote user to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application. A remote administrator can leak password from repository mirror configuration.

14) Information disclosure (CVE-ID: CVE-2023-0485)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application. A remote user can read project updates by doing a diff with a pre-existing fork.

15) Cross-site scripting (CVE-ID: CVE-2022-3513)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data in the "Maximum page reached" page. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

16) Improper access control (CVE-ID: N/A)

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions. A remote user can trigger a search timeout if a specific HTML payload is used in the issue description.

Remediation

Install update from vendor's website.

References

• https://about.gitlab.com/releases/2023/03/30/security-release-gitlab-15-10-1-released/