
Arch Linux alert ASA-202107-18 (gitlab)

From:  Jonas Witschel via arch-security <arch-security@lists.archlinux.org>
To:  arch-security@lists.archlinux.org
Subject:  [ASA-202107-18] gitlab: multiple issues
Date:  Fri, 09 Jul 2021 16:16:44 +0200
Message-ID:  <20210709141644.lnx2vlnajy6uuwyp@archlinux.org>
Cc:  Jonas Witschel <diabonas@archlinux.org>

Arch Linux Security Advisory ASA-202107-18
==========================================

Severity: High
Date    : 2021-07-06
CVE-ID  : CVE-2021-22223 CVE-2021-22224 CVE-2021-22225 CVE-2021-22226
          CVE-2021-22227 CVE-2021-22228 CVE-2021-22229 CVE-2021-22230
          CVE-2021-22231 CVE-2021-22232 CVE-2021-31799
Package : gitlab
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-2125

Summary
=======

The package gitlab before version 14.0.3-1 is vulnerable to multiple issues including cross-site request forgery, access restriction bypass, arbitrary code execution, arbitrary command execution, cross-site scripting, information disclosure, content spoofing and denial of service.

Resolution
==========

Upgrade to 14.0.3-1.

# pacman -Syu "gitlab>=14.0.3-1"

The problems have been fixed upstream in version 14.0.3.

Workaround
==========

None.

Description
===========

- CVE-2021-22223 (cross-site scripting)

Client-Side code injection through a Feature Flag name in GitLab CE/EE starting with 11.9 and before version 14.0.2 allows a specially crafted feature flag name to PUT requests on behalf of other users via clicking on a link.

- CVE-2021-22224 (cross-site request forgery)

A cross-site request forgery vulnerability in the GraphQL API in GitLab since version 13.12 and before version 14.0.2 allowed an attacker to call mutations as the victim.

- CVE-2021-22225 (cross-site scripting)

Insufficient input sanitization in markdown in GitLab version 13.11 and up before version 14.0.2 allows an attacker to exploit a stored cross-site scripting vulnerability via specially-crafted markdown.

- CVE-2021-22226 (access restriction bypass)

Under certain conditions, some users were able to push to protected branches that were restricted to deploy keys in GitLab CE/EE since version 13.9 and before version 14.0.2.

- CVE-2021-22227 (cross-site scripting)

A reflected cross-site script vulnerability in GitLab before version 14.0.2 allowed an attacker to send a malicious link to a victim and trigger actions on their behalf if they clicked it.

- CVE-2021-22228 (information disclosure)

An issue has been discovered in GitLab affecting all versions before 14.0.2. Improper access control allows unauthorised users to access project details using GraphQL.

- CVE-2021-22229 (information disclosure)

An issue has been discovered in GitLab CE/EE affecting all versions starting with 12.8 and before 14.0.2. Under a special condition it was possible to access data of an internal repository through a project fork done by a project member.

- CVE-2021-22230 (arbitrary code execution)

Improper code rendering while rendering merge requests could be exploited to submit malicious code. This vulnerability affects GitLab CE/EE 9.3 and later up to 14.0.2.

- CVE-2021-22231 (denial of service)

A denial of service on the user's profile page is found starting with GitLab CE/EE 8.0 and before 14.0.2 that allows an attacker to reject access to their profile page by using a specially crafted username.

- CVE-2021-22232 (content spoofing)

HTML injection was possible via the full name field before version 14.0.2 in GitLab CE.

- CVE-2021-31799 (arbitrary command execution)

RDoc before version 6.3.1, as bundled with Ruby before version 2.7.4 and 2.6.8 as well as GitLab before version 14.0.2, used to call Kernel#open to open a local file. If a Ruby project has a file whose name starts with "|" and ends with "tags", the command following the pipe character is executed. A malicious Ruby project could exploit it to run an arbitrary command execution against a user who attempts to run the rdoc command.

Impact
======

A remote attacker could execute arbitrary code, disclose sensitive information, bypass access restrictions, or spoof content.
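The CVE-2021-31799 entry above turns on a Ruby detail: Kernel#open treats a string argument that begins with "|" as a command to run and hands back a pipe to it, whereas File.open only ever opens filesystem entries. The following Ruby snippet is an added example, not code from the advisory, RDoc or GitLab; the helper names pipe_path?, safe_open and suspicious_tag_files are hypothetical, and the file names it creates are constructed samples. It shows the hardened way to open a file whose name comes from untrusted input, and an audit helper that lists file names matching the pattern the advisory describes, so a project tree can be checked before running an unpatched rdoc.

```ruby
require 'tmpdir'

# Added example (not code from the advisory, RDoc or GitLab).
# Kernel#open interprets a string beginning with "|" as a command to run and
# returns a pipe to it; File.open never does, it only opens filesystem entries.
# The helper names below are hypothetical, chosen for this example.

# True when Kernel#open would treat this string as a command rather than a file.
def pipe_path?(path)
  path.to_s.start_with?('|')
end

# Hardened opener: refuses command-style names outright and delegates to
# File.open, so even an unexpected name can only ever reach the filesystem.
def safe_open(path, mode = 'r', &block)
  if pipe_path?(path)
    raise ArgumentError, "refusing to open command-style path #{path.inspect}"
  end
  File.open(path, mode, &block)
end

# Audit helper: lists regular files under +root+ whose name starts with "|"
# and ends with "tags", the pattern the advisory says unpatched RDoc would
# pass to Kernel#open. Returns paths relative to +root+.
def suspicious_tag_files(root)
  Dir.chdir(root) do
    Dir.glob('**/*', File::FNM_DOTMATCH).select do |rel|
      base = File.basename(rel)
      File.file?(rel) && base.start_with?('|') && base.end_with?('tags')
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |dir|
    File.write(File.join(dir, 'README'), "hello\n")   # constructed sample file
    File.write(File.join(dir, '|id tags'), '')        # constructed sample name
    puts "suspicious: #{suspicious_tag_files(dir).inspect}"
    Dir.chdir(dir) do
      puts safe_open('README', &:read)
      begin
        safe_open('|id tags')
      rescue ArgumentError => e
        puts e.message
      end
    end
  end
end
```

The explicit pipe_path? guard is belt-and-braces: File.open alone already closes the hole, but rejecting the name makes the intent visible in code review and gives a clear error rather than a silent "no such file" when a hostile name shows up.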
References
==========

https://about.gitlab.com/releases/2021/07/01/security-rel...
https://gitlab.com/gitlab-org/gitlab/-/issues/293946
https://hackerone.com/reports/1059557
https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE...
https://gitlab.com/gitlab-org/gitlab/-/issues/324397
https://hackerone.com/reports/1122408
https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE...
https://gitlab.com/gitlab-org/gitlab/-/issues/331051
https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE...
https://gitlab.com/gitlab-org/gitlab/-/issues/326684
https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE...
https://gitlab.com/gitlab-org/gitlab/-/issues/212887
https://hackerone.com/reports/834555
https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE...
https://gitlab.com/gitlab-org/gitlab/-/issues/332605
https://hackerone.com/reports/1192460
https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE...
https://gitlab.com/gitlab-org/gitlab/-/issues/332609
https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE...
https://gitlab.com/gitlab-org/gitlab/-/issues/211976
https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE...
https://gitlab.com/gitlab-org/gitlab/-/issues/26295
https://hackerone.com/reports/475098
https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE...
https://gitlab.com/gitlab-org/gitlab/-/issues/300713
https://hackerone.com/reports/1090634
https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE...
https://www.ruby-lang.org/en/news/2021/05/02/os-command-i...
https://github.com/ruby/rdoc/commit/a7f5d6ab88632b3b482fe...
https://github.com/ruby/ruby/commit/483f303d02e768b69e476...
https://github.com/ruby/ruby/commit/fe3c49c9baeeab58304ed...
https://security.archlinux.org/CVE-2021-22223
https://security.archlinux.org/CVE-2021-22224
https://security.archlinux.org/CVE-2021-22225
https://security.archlinux.org/CVE-2021-22226
https://security.archlinux.org/CVE-2021-22227
https://security.archlinux.org/CVE-2021-22228
https://security.archlinux.org/CVE-2021-22229
https://security.archlinux.org/CVE-2021-22230
https://security.archlinux.org/CVE-2021-22231
https://security.archlinux.org/CVE-2021-22232
https://security.archlinux.org/CVE-2021-31799
