Overview:
GitLab EE/CE 8.11 through 12.9.1 allows blocked users to pull/push docker images.

References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.

CVE-2020-10952


Today we are releasing versions 12.9.1, 12.8.8, and 12.7.8 for GitLab Community Edition (CE) and Enterprise Edition (EE).

These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.

The vulnerability details will be made public on our issue tracker in approximately 30 days.

Please read on for more information regarding this release.
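As an added example (not GitLab's own tooling or code from this release), the following Python check encodes the three patched releases and the "affects X and later" ranges stated in this advisory, so an operator can tell whether a given self-managed instance still needs the upgrade and which of the listed issues fall within its version. The version-parsing helper, the treatment of releases newer than 12.9.1 as already patched, and the omission of issues whose affected range is listed as "to be added shortly" are assumptions of the example, not statements from the advisory.

```python
"""Check a self-managed GitLab version against the 12.9.1 / 12.8.8 / 12.7.8 security release.

Added example, not GitLab's own tooling. It encodes only what the advisory
states: the three patched releases and the "affects X and later" floors.
Issues whose affected range the advisory lists as "to be added shortly" are
omitted. Versions newer than 12.9.1 are assumed (not stated) to carry the fixes.
"""
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Patched releases named in the advisory, keyed by minor series.
FIXED_RELEASES: Dict[Tuple[int, int], Version] = {
    (12, 9): (12, 9, 1),
    (12, 8): (12, 8, 8),
    (12, 7): (12, 7, 8),
}
LATEST_FIXED: Version = max(FIXED_RELEASES.values())

# (title, CVE or None, earliest affected version as stated on the page).
# "All previous versions" is encoded as the floor (0, 0, 0).
ISSUES: List[Tuple[str, Optional[str], Version]] = [
    ("Arbitrary file read when moving an issue", None, (8, 5, 0)),
    ("Path traversal in NPM package registry (EE only)", "CVE-2020-10953", (11, 7, 0)),
    ("Trigger description modifiable by other maintainers", None, (9, 0, 0)),
    ("Confidential issue namespace disclosure after move", None, (8, 11, 0)),
    ("Blocked users can still pull/push Docker images", "CVE-2020-10952", (8, 11, 0)),
    ("Vulnerability feedback page information leak", None, (10, 8, 0)),
    ("Upload parameter tampering exposes exported files", "CVE-2020-10955", (11, 1, 0)),
    ("Restricted CI pipeline metrics visible", None, (11, 10, 0)),
    ("Last pipeline status leaked in merge request widget", None, (8, 17, 0)),
    ("Blind SSRF in FogBugz integration", None, (8, 0, 0)),
    ("Nokogiri dependency update", "CVE-2020-9795", (0, 0, 0)),
    ("pcre2 dependency update", "CVE-2019-20454", (0, 0, 0)),
]


def parse_version(text: str) -> Version:
    """Parse '12.8.7', '12.8.7-ee' or 'v12.8.7' into a comparable tuple (assumed formats)."""
    core = text.strip().lstrip("v").split("-")[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def fmt(v: Version) -> str:
    return ".".join(str(n) for n in v)


def assess(text: str) -> dict:
    """Return whether the version needs the upgrade, the target release, and applicable issues."""
    v = parse_version(text)
    series = v[:2]
    if series in FIXED_RELEASES:
        # Same minor series as a patched release: compare against that release.
        target = FIXED_RELEASES[series]
        needs_upgrade = v < target
    elif v > LATEST_FIXED:
        # Newer mainline release; assumed to carry the fixes.
        target, needs_upgrade = None, False
    else:
        # Older series received no backport: move to the newest patched release.
        target, needs_upgrade = LATEST_FIXED, True
    applicable = [
        title + (f" ({cve})" if cve else "")
        for title, cve, floor in ISSUES
        if needs_upgrade and floor <= v
    ]
    return {
        "version": fmt(v),
        "needs_upgrade": needs_upgrade,
        "target": fmt(target) if needs_upgrade else None,
        "applicable_issues": applicable,
    }


if __name__ == "__main__":
    import sys
    for arg in sys.argv[1:] or ["12.8.7-ee"]:
        result = assess(arg)
        status = "upgrade to " + result["target"] if result["needs_upgrade"] else "patched"
        print(result["version"], "->", status)
        for issue in result["applicable_issues"]:
            print("  -", issue)
```

Run it with one or more version strings as arguments (for example the value reported on an instance's /help page). The per-issue floors only say which listed issues fall inside the reported version; the remediation for every one of them is the same upgrade.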

Arbitrary File Read when Moving an Issue

An arbitrary local file read was possible when moving issues between projects. This issue is now mitigated in the latest release and a CVE will be assigned shortly.

Thanks @vakzz for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab EE/CE 8.5 and later.

Remediation

We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.

Path Traversal in NPM Package Registry

The NPM package registry was vulnerable to a path traversal issue. This issue is now mitigated in the latest release and is assigned CVE-2020-10953.

Thanks to @saltyyolk of Chaitin Tech for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab EE 11.7 and later.

Remediation

We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.

SSRF on Project Import

An SSRF issue was discovered in the project import note feature. This issue is now mitigated in the latest release and is assigned CVE-2020-10956.

Thanks @vakzz for responsibly reporting this vulnerability to us.

Versions Affected

Affected Versions to be added shortly.

Remediation

We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.

External Users Can Create Personal Snippet

Insufficient access verification led to unauthorized creation of personal snippets through the API by an external user. This issue is now mitigated in the latest release and a CVE will be assigned shortly.

Thanks to the GitLab team for finding and reporting this issue.

Versions Affected

Affected Versions to be added shortly

Remediation

We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.

Trigger Description Can Be Updated by Other Maintainers in Project

A maintainer can modify other maintainers’ pipeline trigger descriptions within the same project. This issue is now mitigated in the latest release and a CVE will be assigned shortly.

Thanks @ashish_r_padelkar for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab EE/CE 9.0 and later.

Remediation

We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.

Information Disclosure on Confidential Issues Moved to Private Programs

Issues opened in a public project and then moved to a private project reveal the private project namespace through Web-UI and GraphQL API. This issue is now mitigated in the latest release and a CVE will be assigned shortly.

Thanks @0xwintermute for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab EE/CE 8.11 and later.

Remediation

We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.

Potential DoS in Repository Archive Download

Repository archive downloads could be abused to cause large resource consumption on an instance. This issue is now mitigated in the latest release and is assigned CVE-2020-10954.

Thanks to the GitLab team for finding and reporting this issue.

Versions Affected

Affected Versions to be added shortly.

Remediation

We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.

Blocked Users Can Still Pull/Push Docker Images

Under certain circumstances a blocked user still had the ability to pull images from the internal container registry of any project to which the user had access. This issue is now mitigated in the latest release and is assigned CVE-2020-10952.

Thanks @logan5 for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab EE/CE 8.11 and later.

Remediation

We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.

Repository Mirroring not Disabled when Feature not Activated

A project repository could still be mirrored when the feature was not enabled. This issue is now mitigated in the latest release and a CVE will be assigned shortly.

Thanks @adam__b for responsibly reporting this vulnerability to us.

Versions Affected

Affected Versions to be added shortly.

Remediation

We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.

Vulnerability Feedback Page Was Leaking Information on Vulnerabilities

The vulnerability feedback page was leaking metadata and comments on vulnerabilities to unauthorized users. This issue is now mitigated in the latest release and a CVE will be assigned shortly.

Thanks @rpadovani for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab EE/CE 10.8 and later.

Remediation

We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.

Stored XSS Vulnerability in Admin Feature

A stored XSS vulnerability was discovered in an admin notification feature. This issue is now mitigated in the latest release and a CVE will be assigned shortly.

Thanks to the GitLab team for finding and reporting this issue.

Versions Affected

Affected Versions to be added shortly.

Remediation

We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.

Upload Feature Allowed a User to Read Unauthorized Exported Files

The upload feature was vulnerable to parameter tampering, allowing an unauthorized user to read content available under specific folders. This issue is now mitigated in the latest release and is assigned CVE-2020-10955.

Thanks @manassehzhou for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab EE/CE 11.1 and later.

Remediation

We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.

Unauthorized Users Are Able to See CI Metrics

Metrics of restricted CI pipelines could be seen by members even though the pipeline was restricted. This issue is now mitigated in the latest release and a CVE will be assigned shortly.

Thanks @xanbanx for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab EE/CE 11.10 and later.

Remediation

We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.

Last Pipeline Status of a Merge Request Leaked

The last status of a restricted pipeline was returned through a query in the merge request widget. This issue is now mitigated in the latest release and a CVE will be assigned shortly.

Thanks @xanbanx for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab EE/CE 8.17 and later.

Remediation

We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.

Blind SSRF on FogBugz

A blind SSRF was discovered in the FogBugz integration. This issue is now mitigated in the latest release and a CVE will be assigned shortly.

Thanks @ngalog for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab EE/CE 8.0 and later.

Remediation

We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.

Update Nokogiri dependency

The Nokogiri dependency has been upgraded to 1.10.8. This upgrade includes a security fix for CVE-2020-9795.

Versions Affected

Affects all previous versions of GitLab CE/EE.

Remediation

We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.

Update Pcre2 dependency

The pcre2 dependency has been upgraded to 10.34. This upgrade includes a security fix for CVE-2019-20454.

Versions Affected

Affects all previous versions of GitLab CE/EE.

Remediation

We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.

Updating