GitLab Security Release: 11.4.3, 11.3.8, and 11.2.7

The issue is now mitigated in the latest release and is assigned CVE-2018-18649.

Thanks to @nyangawa of Chaitin Tech for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab CE/EE 11.3 and later.

Remediation

We strongly recommend that all installations running an affected version above be upgraded to the latest version as soon as possible.

SSRF in Hipchat integration

The GitLab Hipchat integration was vulnerable to an SSRF issue that allowed an attacker to make requests to any local network resource reachable from the GitLab server. The issue is now mitigated in the latest release and is assigned CVE-2018-18646.

Thanks to @bull for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab CE/EE 5.3 and later.

Remediation

We strongly recommend that all installations running an affected version above be upgraded to the latest version as soon as possible.
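The class of bug above is an outbound request whose destination is taken from user-supplied integration settings. The following is an added example, not GitLab's own code, of the check an integration should run before connecting: it refuses non-HTTP schemes and any host that is, or resolves to, a loopback, link-local or private address (including IPv4-mapped IPv6 forms), and it returns the vetted address so the caller connects to that address rather than resolving the name a second time. The resolver is injected so the check runs offline; in production it would be something like `Resolv.getaddresses(host)`.

```ruby
require 'ipaddr'
require 'uri'

# Added example (not GitLab's code): vet a user-configured webhook/integration
# URL before an outbound request so it cannot reach local network resources.
module OutboundUrlCheck
  BLOCKED_RANGES = %w[
    0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16
    172.16.0.0/12 192.168.0.0/16 ::1/128 fc00::/7 fe80::/10
  ].map { |cidr| [cidr, IPAddr.new(cidr)] }.freeze

  ALLOWED_SCHEMES = %w[http https].freeze

  class Blocked < StandardError; end

  # resolver: a callable taking a hostname and returning an Array of IP
  # address Strings (injected here so the check can run without DNS).
  # Returns the IPAddr the caller should connect to, or raises Blocked.
  def self.validate!(url_string, resolver:)
    uri = URI.parse(url_string)
    unless ALLOWED_SCHEMES.include?(uri.scheme)
      raise Blocked, "scheme #{uri.scheme.inspect} not allowed"
    end
    host = uri.hostname # strips [] from IPv6 literals
    raise Blocked, 'missing host' if host.nil? || host.empty?

    addrs = begin
      [IPAddr.new(host)] # literal address: no DNS lookup at all
    rescue IPAddr::InvalidAddressError
      resolver.call(host).map { |a| IPAddr.new(a) }
    end
    raise Blocked, "#{host} did not resolve" if addrs.empty?

    # Every returned address must be acceptable: a name that resolves to one
    # public and one private address is still an SSRF vector.
    addrs.each do |addr|
      addr = addr.native if addr.ipv4_mapped? # unwrap ::ffff:a.b.c.d
      cidr, _range = BLOCKED_RANGES.find { |_, range| range.include?(addr) }
      raise Blocked, "#{host} resolves to #{addr} in blocked range #{cidr}" if cidr
    end

    # Connect to this address (not to the hostname) to close the
    # DNS-rebinding window between check and use.
    addrs.first
  end

  def self.blocked?(url_string, resolver:)
    validate!(url_string, resolver: resolver)
    false
  rescue Blocked, URI::InvalidURIError
    true
  end
end
```

The last step matters as much as the range list: if the HTTP client re-resolves the hostname after the check, an attacker-controlled DNS record can answer with a public address for the check and a private one for the connection.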

Cleartext storage of personal access tokens

Personal access tokens were stored unencrypted, in plaintext, in the database, so an attacker who could read the database (via SQL injection or any other database leak) could obtain working tokens. The issue is now mitigated in the latest release and is assigned CVE-2018-18641.

Versions Affected

Affects GitLab CE/EE 8.10.0 and later.

Remediation

We strongly recommend that all installations running an affected version above be upgraded to the latest version as soon as possible.
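The standard mitigation for this class of issue is to keep only a digest of each token at rest, so a copy of the table is useless without the original secret. The following is an added example, not GitLab's own implementation: an in-memory store (a Hash standing in for the database table) that hands the plaintext token to the user exactly once and afterwards authenticates and revokes by SHA-256 digest lookup.

```ruby
require 'securerandom'
require 'digest'

# Added example, not GitLab's code: personal access tokens stored as digests.
class TokenStore
  TOKEN_BYTES = 20 # 160 bits of entropy per token

  def initialize
    @rows = {} # digest => { user:, scopes: } (stands in for the DB table)
  end

  # Generate a token, persist only its digest, and return the plaintext once.
  def issue(user:, scopes: ['read_api'])
    token = SecureRandom.urlsafe_base64(TOKEN_BYTES)
    @rows[self.class.digest(token)] = { user: user, scopes: scopes }
    token
  end

  # Authenticate a presented token: hash it and look the digest up.
  # Returns the row (user and scopes) or nil.
  def authenticate(token)
    return nil if token.nil? || token.empty?
    @rows[self.class.digest(token)]
  end

  # Revoke by digest; true if a matching token existed.
  def revoke(token)
    !@rows.delete(self.class.digest(token)).nil?
  end

  # Everything the database holds. Nothing here reverses to a usable token.
  def stored_digests
    @rows.keys
  end

  # Tokens are long random strings, so an unsalted fast hash is adequate here
  # (unlike passwords, which need a slow, salted KDF). Keying this with an
  # HMAC secret held outside the database would additionally protect against
  # a dump of the table being combined with a weak token generator.
  def self.digest(token)
    Digest::SHA256.hexdigest(token)
  end
end
```

A migration for an existing deployment would hash every stored plaintext token in place and then drop the plaintext column; users keep working because the plaintext they already hold still hashes to the stored digest.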

Information exposure through stack trace error message

A JSON endpoint disclosed Gem version information, which could let an attacker identify vulnerable Gems present on a specific GitLab instance. The issue is now mitigated in the latest release and is assigned CVE-2018-18648.

Versions Affected

Affects GitLab CE/EE 11.2 and later.

Remediation

We strongly recommend that all installations running an affected version above be upgraded to the latest version as soon as possible.

Persistent XSS autocomplete

The fragment identifier (hash) of several pages in GitLab lacked input validation and output encoding, which resulted in a persistent XSS. The issue is now mitigated in the latest release and is assigned CVE-2018-18643.

Thanks to @ngalog for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab CE/EE 11.2 and later.

Remediation

We strongly recommend that all installations running an affected version above be upgraded to the latest version as soon as possible.

Information exposure in stored browser history

Private project pages were served with inadequate cache-control headers, so an unauthorized user of the same browser could later view them from the browser's cache or history. The issue is now mitigated in the latest release and is assigned CVE-2018-18640.

Thanks to @8ayac for responsibly reporting this vulnerability to us.

Versions Affected

Affects all versions of GitLab CE/EE

Remediation

We strongly recommend that all installations running an affected version above be upgraded to the latest version as soon as possible.
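The following is an added example, not GitLab's own code, of the server-side fix for this class of issue: a Rack-style middleware (any object with `call(env)`; the rack gem itself is not needed to run it) that applies a default-deny caching policy. Unless a response explicitly opts in with `Cache-Control: public`, it is marked `no-store` so that neither a shared cache nor the browser's history can later show the page to another user of the same machine. The `retainable_by_browser?` check can be pointed at any server's `Cache-Control` header to tell whether it still has the weak default.

```ruby
# Added example, not GitLab's code: default-deny caching for private pages.
class NoStoreByDefault
  NO_STORE = 'no-store, private, max-age=0, must-revalidate'.freeze

  def initialize(app)
    @app = app # any object responding to call(env) -> [status, headers, body]
  end

  def call(env)
    status, headers, body = @app.call(env)
    headers = headers.dup
    unless self.class.explicitly_public?(headers['Cache-Control'])
      headers['Cache-Control'] = NO_STORE
      headers['Pragma'] = 'no-cache'                      # HTTP/1.0 caches
      headers['Expires'] = 'Fri, 01 Jan 1990 00:00:00 GMT' # already expired
    end
    [status, headers, body]
  end

  # Split a Cache-Control value into lower-cased directive names.
  def self.directives(value)
    return [] if value.nil?
    value.split(',').map { |d| d.strip.split('=').first.to_s.downcase }.reject(&:empty?)
  end

  def self.explicitly_public?(value)
    directives(value).include?('public')
  end

  # Would a browser be permitted to keep this page and show it again from
  # history after the user has logged out? The old Rails default
  # ("max-age=0, private, must-revalidate") answers yes: "private" and
  # "max-age=0" only govern revalidation, not retention; only "no-store"
  # forbids retention.
  def self.retainable_by_browser?(cache_control)
    !directives(cache_control).include?('no-store')
  end
end
```

The important distinction is between freshness and storage: `private, max-age=0, must-revalidate` tells caches to revalidate before reuse, but back/forward navigation does not revalidate, so the page stays in history until `no-store` is set.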

Information exposure when replying to issues through email

When a user replied to an issue through email with the GitLab email footer included, the user's unsubscribe link was posted into the issue. This information is considered sensitive. The issue is now mitigated in the latest release and is assigned CVE-2018-18645.

Versions Affected

Affects all versions of GitLab CE/EE

Remediation

We strongly recommend that all installations running an affected version above be upgraded to the latest version as soon as possible.

Persistent XSS in License Management and Security Reports

The license management and security reports pages lacked input validation and output encoding, which resulted in a persistent XSS. The issue is now mitigated in the latest release and is assigned CVE-2018-18642.

Thanks to @ngalog for responsibly reporting this vulnerability to us.

Versions Affected

Security Reports – Affects GitLab EE 10.4.0 and later
License Management – Affects GitLab EE 11.0.0 and later

Remediation

We strongly recommend that all installations running an affected version above be upgraded to the latest version as soon as possible.

Metrics information disclosure in Prometheus integration

The GitLab Prometheus integration was vulnerable to an insecure direct object reference (IDOR) issue that allowed an unauthorized user to see private information: the project name, environment name, metric name, and metric query. Additionally, an unauthorized user could create false alarms. The issue is now mitigated in the latest release and is assigned CVE-2018-18644.

Thanks to @jobert for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab EE 11.2 and later.

Remediation

We strongly recommend that all installations running an affected version above be upgraded to the latest version as soon as possible.

Unauthorized changes to a protected branch’s access levels

The protected_branches API was vulnerable to an issue that allowed an unauthorized user to remove the merge_access_levels and push_access_levels objects of a protected branch, which could leave project participants unable to push or merge into that branch. The issue is now mitigated in the latest release and is assigned CVE-2018-18647.

Thanks to @jobert for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab EE 8.11 and later.

Remediation

We strongly recommend that all installations running an affected version above be upgraded to the latest version as soon as possible.

Upgrade Ruby to 2.4.5

The version of Ruby used in the Omnibus package was upgraded to version 2.4.5. Included in this Ruby release are several security fixes.

Upgrade Redis to 3.2.12

The version of Redis used in the Omnibus package was upgraded to 3.2.12 in the 11.2.7 and 11.3.8 releases; the 11.4 Omnibus package already included this upgrade. Included in this Redis release are several security fixes.

Updating

To update, check out our update page.
