GitLab Security Releases https://about.gitlab.com/releases 2025-10-16T00:00:00+00:00 The GitLab Team
GitLab Patch Release: 18.4.2, 18.3.4, 18.2.8 https://about.gitlab.com/releases/2025/10/08/patch-release-gitlab-18-4-2-released/ 2025-10-08T00:00:00+00:00 2025-10-08T00:00:00+00:00 Kat Wu
<p>Today, we are releasing versions 18.4.2, 18.3.4, 18.2.8 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.</p> <p>GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, please visit our <a href="https://handbook.gitlab.com/handbook/engineering/releases/">releases handbook</a> and <a href="https://about.gitlab.com/security/faq/">security FAQ</a>. You can see all of GitLab's release blog posts <a href="/releases/categories/releases/">here</a>.</p> <p>For security fixes, the issues detailing each vulnerability are made public on our <a href="https://gitlab.com/gitlab-org/gitlab/-/issues/?sort=created_date&amp;state=closed&amp;label_name%5B%5D=bug%3A%3Avulnerability&amp;confidential=no&amp;first_page_size=100">issue tracker</a> 30 days after the release in which they were patched.</p> <p>We are committed to ensuring that all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. 
To maintain good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more about <a href="/blog/gitlab-instance-security-best-practices/">best practices for securing your GitLab instance</a> in our blog post.</p> <h3 id="recommended-action">Recommended Action</h3> <p>We <strong>strongly recommend</strong> that all installations running a version affected by the issues described below are <strong>upgraded to the latest version as soon as possible</strong>.</p> <p>When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, it means all types are affected.</p> <h2 id="security-fixes">Security fixes</h2> <h3 id="table-of-security-fixes">Table of security fixes</h3> <table> <thead> <tr> <th>Title</th> <th>Severity</th> </tr> </thead> <tbody> <tr> <td><a href="#cve-2025-11340---incorrect-authorization-issue-in-graphql-mutations-impacts-gitlab-ee">Incorrect authorization issue in GraphQL mutations impacts GitLab EE</a></td> <td>High</td> </tr> <tr> <td><a href="#cve-2025-10004---denial-of-service-issue-in-graphql-blob-type-impacts-gitlab-ceee">Denial of Service issue in GraphQL blob type impacts GitLab CE/EE</a></td> <td>High</td> </tr> <tr> <td><a href="#cve-2025-9825---missing-authorization-issue-in-manual-jobs-impacts-gitlab-ceee">Missing authorization issue in manual jobs impacts GitLab CE/EE</a></td> <td>Medium</td> </tr> <tr> <td><a href="#cve-2025-2934---denial-of-service-issue-in-webhook-endpoints-impacts-gitlab-ceee">Denial of Service issue in webhook endpoints impacts GitLab CE/EE</a></td> <td>Medium</td> </tr> </tbody> </table> <h3 id="cve-2025-11340---incorrect-authorization-issue-in-graphql-mutations-impacts-gitlab-ee"><a href="https://www.cve.org/CVERecord?id=CVE-2025-11340">CVE-2025-11340</a> - Incorrect authorization issue in GraphQL mutations impacts GitLab EE</h3> <p>GitLab has remediated an issue that, under certain conditions, could 
have allowed authenticated users with read-only API tokens to perform unauthorized write operations on vulnerability records by exploiting incorrectly scoped GraphQL mutations.<br /> <strong>Impacted Versions</strong>: GitLab EE: all versions from 18.3 prior to 18.3.4, and 18.4 prior to 18.4.2 <br /> <strong>CVSS</strong>: 7.7 (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N"><code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N</code></a>)</p> <p>This vulnerability was discovered internally by GitLab team member <a href="https://gitlab.com/bwill">Brian Williams</a>.</p> <h3 id="cve-2025-10004---denial-of-service-issue-in-graphql-blob-type-impacts-gitlab-ceee"><a href="https://www.cve.org/CVERecord?id=CVE-2025-10004">CVE-2025-10004</a> - Denial of Service issue in GraphQL blob type impacts GitLab CE/EE</h3> <p>GitLab has remediated an issue that could have made a GitLab instance unresponsive or degraded when sent crafted GraphQL queries requesting large repository blobs.<br /> <strong>Impacted Versions</strong>: GitLab CE/EE: all versions from 13.12 prior to 18.2.8, 18.3 prior to 18.3.4, and 18.4 prior to 18.4.2 <br /> <strong>CVSS</strong>: 7.5 (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"><code>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</code></a>)</p> <p>Thanks <a href="https://hackerone.com/pwnie">pwnie</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="cve-2025-9825---missing-authorization-issue-in-manual-jobs-impacts-gitlab-ceee"><a href="https://www.cve.org/CVERecord?id=CVE-2025-9825">CVE-2025-9825</a> - Missing authorization issue in manual jobs impacts GitLab CE/EE</h3> <p>GitLab has remediated an issue that could have allowed authenticated users without project membership to view sensitive manual CI/CD variables by querying the GraphQL 
API.<br /> <strong>Impacted Versions</strong>: GitLab CE/EE: all versions from 13.7 to 18.2.8, 18.3 before 18.3.4, and 18.4 before 18.4.2 <br /> <strong>CVSS:</strong> 5.0 (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N"><code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N</code></a>)</p> <p>Thanks <a href="https://hackerone.com/joaxcar">joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="cve-2025-2934---denial-of-service-issue-in-webhook-endpoints-impacts-gitlab-ceee"><a href="https://www.cve.org/CVERecord?id=CVE-2025-2934">CVE-2025-2934</a> - Denial of Service issue in webhook endpoints impacts GitLab CE/EE</h3> <p>GitLab has remediated an issue impacting an upstream Ruby Core library that could have allowed an authenticated user to create a denial of service condition by configuring malicious webhook endpoints that send crafted HTTP responses. 
This issue was reported to Ruby Core maintainers on July 17, 2025.<br /> <strong>Impacted Versions</strong>: GitLab CE/EE: all versions from 5.2 prior to 18.2.8, 18.3 prior to 18.3.4, and 18.4 prior to 18.4.2<br /> <strong>CVSS:</strong> 4.3 (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"><code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L</code></a>)</p> <p>Thanks <a href="https://hackerone.com/ppee">ppee</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="bug-fixes">Bug fixes</h2> <h3 id="1842">18.4.2</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/206259">Backport of 'Added safety chaining to pipeline helper'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/206057">Workhorse: Improve large HTTP handling for DWS proxy</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/206161">Backport of 'Fix: no implicit conversion of String into Array' in Geo::Event workers</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/206330">Backport: Fix agentic chat</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/206833">[18.4] Clear detached partitions before tests run</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/206915">Backport 'Fixes target projects endpoint 404 on compare revisions view'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/206962">Transfer start and due dates data upon work item move or clone</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/207052">Backport of 'Fix reassignment dropdown in CE'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/206778">Transfer health status data upon work item move or clone</a></li> <li><a 
href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/206999">Backport of Revert "Merge branch 'ai-catalog-item-consumers-graphql' into 'master'"</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/206860">Backport of CI_MERGE_REQUEST_DIFF_BASE_SHA not updating on branch change</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/206979">Backport of "Use key-value structure in Release Environment MR label script"</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/206163">Backport of 'Fix Start free trial link for self-managed instances'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/207013">Update dependency gitlab-fog-azure-rm to '~&gt; 2.4.0'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/207283">Backport of 'Remove non Saas instances from calling CDOT for trial duration'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/206520">Backport of 'Remove check_f02a3f53bf not null constraint'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/207685">18.4 backport of 'Remove unknown licenses from sbom dependency list export'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/207445">[18.4] Fix json validation for elasticsearch_aws_role_arn</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/207245">Backport: Change the model selection FF used for self managed</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/207794">[18.4] Prevent session creation for sessionless users</a></li> <li><a href="https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/8741">Add a gitlab::config alias for package::config recipe</a></li> </ul> <h3 id="1834">18.3.4</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/206060">Workhorse: Improve large HTTP handling for DWS proxy</a></li> <li><a 
href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/206834">[18.3] Clear detached partitions before tests run</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/206918">Backport 'Fixes target projects endpoint 404 on compare revisions view'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/206961">Transfer start and due dates data upon work item move or clone</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/207053">Backport of 'Fix reassignment dropdown in CE'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/206776">Transfer health status data upon work item move or clone</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/206980">Backport of "Use key-value structure in Release Environment MR label script"</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/207014">Update dependency gitlab-fog-azure-rm to '~&gt; 2.4.0'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/207288">Backport of 'Remove non Saas instances from calling CDOT for trial duration'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/207687">18.3 backport of 'Remove unknown licenses from sbom dependency list export'</a></li> <li><a href="https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/8755">Update docs hugo jobs' image to use latest image</a></li> </ul> <h3 id="1828">18.2.8</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/205903">[18.2] Allow elastic client adapter to be set</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/206835">[18.2] Clear detached partitions before tests run</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/206958">Transfer start and due dates data upon work item move or clone</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/207054">Backport of 
'Fix reassignment dropdown in CE'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/206775">Transfer health status data upon work item move or clone</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/206981">Backport of "Use key-value structure in Release Environment MR label script"</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/207015">Update dependency gitlab-fog-azure-rm to '~&gt; 2.4.0'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/207448">[18.2] Fix json validation for elasticsearch_aws_role_arn</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/207688">18.2 backport of 'Remove unknown licenses from sbom dependency list export'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/206928">Backport of 'Fix Start free trial link for self-managed instances'</a></li> <li><a href="https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/8754">Update docs hugo jobs' image to use latest image</a></li> </ul> <h2 id="important-notes-on-upgrading">Important notes on upgrading</h2> <p>This patch includes database migrations that may impact your upgrade process.</p> <h3 id="impact-on-your-installation">Impact on your installation:</h3> <ul> <li><strong>Single-node instances</strong>: This patch will cause downtime during the upgrade as migrations must complete before GitLab can start.</li> <li><strong>Multi-node instances</strong>: With proper <a href="https://docs.gitlab.com/ee/update/zero_downtime.html">zero-downtime upgrade procedures</a>, this patch can be applied without downtime.</li> </ul> <h3 id="post-deploy-migrations">Post-deploy migrations</h3> <p>The following versions include post-deploy migrations that can run after the upgrade:</p> <ul> <li>18.4.2</li> </ul> <p>To learn more about the impact of upgrades on your installation, see:</p> <ul> <li><a 
href="https://docs.gitlab.com/ee/update/zero_downtime.html">Zero-downtime upgrades</a> for multi-node deployments</li> <li><a href="https://docs.gitlab.com/update/package/#downtime">Standard upgrades</a> for single-node installations</li> </ul> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">Update page</a>. To update GitLab Runner, see the <a href="https://docs.gitlab.com/runner/install/linux-repository.html#updating-the-runner">Updating the Runner page</a>.</p> <h2 id="receive-patch-notifications">Receive Patch Notifications</h2> <p>To receive patch blog notifications delivered to your inbox, visit our <a href="https://about.gitlab.com/company/contact/">contact us</a> page. To receive release notifications via RSS, subscribe to our <a href="https://about.gitlab.com/security-releases.xml">patch release RSS feed</a> or our <a href="https://about.gitlab.com/all-releases.xml">RSS feed for all releases</a>.</p>
GitLab Patch Release: 18.4.1, 18.3.3, 18.2.7 https://about.gitlab.com/releases/2025/09/25/patch-release-gitlab-18-4-1-released/ 2025-09-25T00:00:00+00:00 2025-09-25T00:00:00+00:00 Costel Maxim
<p>Today, we are releasing versions 18.4.1, 18.3.3, 18.2.7 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.</p> <p>GitLab releases fixes for vulnerabilities in patch releases. 
There are two types of patch releases: scheduled releases and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, please visit our <a href="https://handbook.gitlab.com/handbook/engineering/releases/">releases handbook</a> and <a href="https://about.gitlab.com/security/faq/">security FAQ</a>. You can see all of GitLab's release blog posts <a href="/releases/categories/releases/">here</a>.</p> <p>For security fixes, the issues detailing each vulnerability are made public on our <a href="https://gitlab.com/gitlab-org/gitlab/-/issues/?sort=created_date&amp;state=closed&amp;label_name%5B%5D=bug%3A%3Avulnerability&amp;confidential=no&amp;first_page_size=100">issue tracker</a> 30 days after the release in which they were patched.</p> <p>We are committed to ensuring that all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. To maintain good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more about <a href="/blog/gitlab-instance-security-best-practices/">best practices for securing your GitLab instance</a> in our blog post.</p> <h3 id="recommended-action">Recommended Action</h3> <p>We <strong>strongly recommend</strong> that all installations running a version affected by the issues described below are <strong>upgraded to the latest version as soon as possible</strong>.</p> <p>When no specific deployment type (omnibus, source code, helm chart, etc.) 
of a product is mentioned, it means all types are affected.</p> <h2 id="security-fixes">Security fixes</h2> <h3 id="table-of-security-fixes">Table of security fixes</h3> <table> <thead> <tr> <th>Title</th> <th>Severity</th> </tr> </thead> <tbody> <tr> <td><a href="#cve-2025-9642---cross-site-scripting-issue-in-script-gadgets-impacts-gitlab-ceee">Cross-site scripting issue in Script Gadgets impacts GitLab CE/EE</a></td> <td>High</td> </tr> <tr> <td><a href="#cve-2025-10858---denial-of-service-issue-when-uploading-specifically-crafted-json-files-impacts-gitlab-ceee">Denial of Service issue when uploading specifically crafted JSON files impacts GitLab CE/EE</a></td> <td>High</td> </tr> <tr> <td><a href="#cve-2025-8014---denial-of-service-issue-bypassing-query-complexity-limits-impacts-gitlab-ceee">Denial of Service issue bypassing query complexity limits impacts GitLab CE/EE</a></td> <td>High</td> </tr> <tr> <td><a href="#cve-2025-9958---information-disclosure-issue-in-virtual-registry-configuration-for-low-privileged-users-impacts-gitlab-ceee">Information disclosure issue in virtual registry configuration for low privileged users impacts GitLab CE/EE</a></td> <td>Medium</td> </tr> <tr> <td><a href="#cve-2025-7691---privilege-escalation-issue-from-within-the-developer-role-impacts-gitlab-ee">Privilege Escalation issue from within the Developer role impacts GitLab EE</a></td> <td>Medium</td> </tr> <tr> <td><a href="#cve-2025-11042---denial-of-service-issue-in-graphql-api-via-unbounded-array-parameters-impacts-gitlab-ceee">Denial of Service issue in GraphQL API via Unbounded Array Parameters impacts GitLab CE/EE</a></td> <td>Medium</td> </tr> <tr> <td><a href="#cve-2025-10871---improper-authorization-issue-for-project-maintainers-when-assigning-roles-impacts-gitlab-ee">Improper Authorization issue for Project Maintainers when assigning roles impacts GitLab EE</a></td> <td>Low</td> </tr> <tr> <td><a href="#cve-2025-10867---denial-of-service-issue-in-graphql-api-blobsearch-impacts-gitlab-ceee">Denial of 
Service issue in GraphQL API blobSearch impacts GitLab CE/EE</a></td> <td>Low</td> </tr> <tr> <td><a href="#cve-2025-5069---incorrect-ownership-assignment-via-move-issue-drop-down-impacts-gitlab-ceee">Incorrect ownership assignment via Move Issue drop-down impacts GitLab CE/EE</a></td> <td>Low</td> </tr> <tr> <td><a href="#cve-2025-10868---denial-of-service-issue-via-string-conversion-methods-impacts-gitlab-ceee">Denial of Service issue via string conversion methods impacts GitLab CE/EE</a></td> <td>Low</td> </tr> </tbody> </table> <h3 id="cve-2025-9642---cross-site-scripting-issue-in-script-gadgets-impacts-gitlab-ceee"><a href="https://www.cve.org/CVERecord?id=CVE-2025-9642">CVE-2025-9642</a> - Cross-site scripting issue in Script Gadgets impacts GitLab CE/EE</h3> <p>GitLab has remediated an issue that, under certain conditions, could have allowed an unauthenticated user to execute actions on behalf of other users by injecting malicious content.</p> <p><strong>Impacted Versions</strong>: GitLab CE/EE: all versions from 14.10 before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1.<br /> <strong>CVSS</strong>: 8.7 (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N"><code>CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N</code></a>)</p> <p>Thanks <a href="https://hackerone.com/joaxcar">joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="cve-2025-10858---denial-of-service-issue-when-uploading-specifically-crafted-json-files-impacts-gitlab-ceee"><a href="https://www.cve.org/CVERecord?id=CVE-2025-10858">CVE-2025-10858</a> - Denial of Service issue when uploading specifically crafted JSON files impacts GitLab CE/EE</h3> <p>GitLab has remediated an issue that could have allowed an unauthenticated user to render a GitLab instance unresponsive to legitimate users by sending specifically crafted JSON files.</p> <p><strong>Impacted 
versions:</strong> GitLab CE/EE: all versions before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1<br /> <strong>CVSS:</strong> 7.5 (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"><code>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</code></a>)</p> <h3 id="cve-2025-8014---denial-of-service-issue-bypassing-query-complexity-limits-impacts-gitlab-ceee"><a href="https://www.cve.org/CVERecord?id=CVE-2025-8014">CVE-2025-8014</a> - Denial of Service issue bypassing query complexity limits impacts GitLab CE/EE</h3> <p>GitLab has remediated an issue that could have allowed an unauthenticated user to bypass query complexity limits, leading to a Denial of Service condition.</p> <p><strong>Impacted versions:</strong> GitLab CE/EE all versions from 11.10 prior to 18.2.7, 18.3 prior to 18.3.3, and 18.4 prior to 18.4.1<br /> <strong>CVSS:</strong> 7.5 (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"><code>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</code></a>)</p> <p>Thanks <a href="https://hackerone.com/foxribeye">foxribeye</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="cve-2025-9958---information-disclosure-issue-in-virtual-registry-configuration-for-low-privileged-users-impacts-gitlab-ceee"><a href="https://www.cve.org/CVERecord?id=CVE-2025-9958">CVE-2025-9958</a> - Information disclosure issue in virtual registry configuration for low privileged users impacts GitLab CE/EE</h3> <p>GitLab has remediated an issue that could have allowed low privileged users access to sensitive information stored in virtual registry configurations.</p> <p><strong>Impacted versions:</strong> GitLab CE/EE all versions from 14.10 before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1<br /> <strong>CVSS:</strong> 6.5 (<a 
href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"><code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N</code></a>)</p> <p>Thanks <a href="https://hackerone.com/joaxcar">joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="cve-2025-7691---privilege-escalation-issue-from-within-the-developer-role-impacts-gitlab-ee"><a href="https://www.cve.org/CVERecord?id=CVE-2025-7691">CVE-2025-7691</a> - Privilege Escalation issue from within the Developer role impacts GitLab EE</h3> <p>GitLab has remediated an issue that could have allowed a developer with specific group management permissions to escalate their privileges and obtain unauthorized access to additional system capabilities.</p> <p><strong>Impacted versions:</strong> GitLab EE all versions from 16.6 prior to 18.2.7, 18.3 prior to 18.3.3, and 18.4 prior to 18.4.1<br /> <strong>CVSS:</strong> 6.5 (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"><code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N</code></a>)</p> <p>Thanks <a href="https://hackerone.com/rogerace">rogerace</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="cve-2025-11042---denial-of-service-issue-in-graphql-api-via-unbounded-array-parameters-impacts-gitlab-ceee"><a href="https://www.cve.org/CVERecord?id=CVE-2025-11042">CVE-2025-11042</a> - Denial of Service issue in GraphQL API via Unbounded Array Parameters impacts GitLab CE/EE</h3> <p>GitLab has remediated an issue that could have allowed an authenticated user to cause uncontrolled CPU consumption, potentially leading to a Denial of Service condition while using specific GraphQL queries.</p> <p><strong>Impacted versions:</strong> GitLab CE/EE all versions starting from 17.2 before 18.2.7, 18.3 before 18.3.3, and 18.4 before 
18.4.1<br /> <strong>CVSS:</strong> 4.3 (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"><code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L</code></a>)</p> <p>We have requested a CVE ID and will update this blog post when it is assigned.</p> <p>This vulnerability has been discovered internally by GitLab team member <a href="https://gitlab.com/afrnz">Alisa Frunza</a>.</p> <h3 id="cve-2025-10871---improper-authorization-issue-for-project-maintainers-when-assigning-roles-impacts-gitlab-ee"><a href="https://www.cve.org/CVERecord?id=CVE-2025-10871">CVE-2025-10871</a> - Improper Authorization issue for Project Maintainers when assigning roles impacts GitLab EE</h3> <p>GitLab has remediated an issue that could allow Project Maintainers improper authorization to assign custom roles to users exceeding the Project Maintainer's security boundary and achieving elevated privileges.</p> <p><strong>Impacted versions:</strong> GitLab EE all versions from 16.6 before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1<br /> <strong>CVSS:</strong> 3.8 (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L"><code>CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L</code></a>)</p> <p>This vulnerability was discovered internally by a GitLab team member, <a href="https://gitlab.com/dlrussel">Diane Russel</a>.</p> <h3 id="cve-2025-10867---denial-of-service-issue-in-graphql-api-blobsearch-impacts-gitlab-ceee"><a href="https://www.cve.org/CVERecord?id=CVE-2025-10867">CVE-2025-10867</a> - Denial of Service issue in GraphQL API blobSearch impacts GitLab CE/EE</h3> <p>GitLab has remediated an issue that could have allowed an authenticated user to create a Denial of Service condition by exploiting an unprotected GraphQL API through repeated requests.</p> <p><strong>Impacted versions:</strong> GitLab 
CE/EE all versions from 18.1 before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1<br /> <strong>CVSS:</strong> 3.5 (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L"><code>CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L</code></a>)</p> <p>This vulnerability has been discovered internally by GitLab team member <a href="https://gitlab.com/terrichu">Terri Chu</a>.</p> <h3 id="cve-2025-5069---incorrect-ownership-assignment-via-move-issue-drop-down-impacts-gitlab-ceee"><a href="https://www.cve.org/CVERecord?id=CVE-2025-5069">CVE-2025-5069</a> - Incorrect ownership assignment via Move Issue drop-down impacts GitLab CE/EE</h3> <p>GitLab has remediated an issue that could have allowed an authenticated user to gain unauthorized access to confidential issues by creating a project with an identical name, potentially having users transfer sensitive information to the incorrect project.</p> <p><strong>Impacted versions:</strong> GitLab CE/EE all versions from 17.10 before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1<br /> <strong>CVSS:</strong> 3.5 (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N"><code>CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N</code></a>)</p> <p>Thanks <a href="https://hackerone.com/foxribeye">foxribeye</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="cve-2025-10868---denial-of-service-issue-via-string-conversion-methods-impacts-gitlab-ceee"><a href="https://www.cve.org/CVERecord?id=CVE-2025-10868">CVE-2025-10868</a> - Denial of Service issue via string conversion methods impacts GitLab CE/EE</h3> <p>GitLab has remediated an issue that could have allowed an authenticated user to cause performance degradation, potentially leading to a Denial of Service condition with certain string conversion methods.</p> 
<p><strong>Impacted versions:</strong> GitLab CE/EE all versions from 17.4 before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1<br /> <strong>CVSS:</strong> 3.5 (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L"><code>CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L</code></a>)</p> <h3 id="postgresql-security-updates">PostgreSQL security updates</h3> <p>PostgreSQL has been updated to version 16.10, which contains fixes for security vulnerabilities including CVE-2025-8713, CVE-2025-8714 and CVE-2025-8715.</p> <h2 id="bug-fixes">Bug fixes</h2> <h3 id="1841">18.4.1</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/205266">Backport of Update the admin user for GET Release Environment QA tests</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/205496">[18.4] Backport: Resolve "Unable to fork project or create project if application wide lock_duo_features_enabled is true"</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/205374">Backport of Add Danger message to guide backport MR authors to reviewers and mergers (18.4)</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/205365">Backport of 'Prevent deleting group/project when ancestor is marked for deletion at the service level'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/205608">18.4: Backport of 'Fix error when applying scanner suggestion'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/205622">Backport of Ensure proper MCP URL OAuth Discovery for API/V4/MCP</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/205735">Fix database state leak across specs</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/205663">Optimize HandleMalformedStrings middleware for CPU and memory</a></li> <li><a 
href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/205750">Backport protected branches dropdown copy fix to 18.4</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/205876">[18.4] Fix flaky parallel design management uploads spec</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/205807">Backport of (Fix FetchModelDefinitionsService) !205687</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/206018">Backport: Add documentation on how to add DUO_WORKFLOW_SELF_SIGNED_JWT__SIGNING_KEY for DAP installations</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/206004">Backport of 'Geo: fix <code>ActiveRecord::StatementInvalid: PG::UndefinedColumn</code> when querying reverification count'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/205854">Backport of Return success when status update target already matches</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/205899">[18.4] Allow elastic client adapter to be set</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/206199">Backport of Use isUnsafeLink for xcode protocol</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/206229">Ensure assets get recompiled if cached-assets-hash.txt is empty</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/206147">18.4 Backport of 'Resolve "Dependency list export with API silently fails license validation"'</a></li> <li><a href="https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/8733">CI: Make Ubuntu 22.04 FIPS check EE-only (Backport)</a></li> </ul> <h3 id="1833">18.3.3</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/203969">Backport 'Bump default ruby version to 3.2.9'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/204752">Backport of "Use release-environment project id instead of 
canonical"</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/204767">Backport of 'Danger to not warn in maintained stable branches' to 18.3</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/204681">Backport of "Upgrade duo workflow client protocol version"</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/204568">Backport of "Filter out duplicate values from the variable options dropdown"</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/204897">18.3: Backport of 'Fix security widget polling indefinitely when there are sboms'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/204902">[18.3 backport] Remove CVE-2025-8714 commands from structure.sql</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/204635">Backport 18.3: Do not trim deployment filename in geo secondary</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/204370">[Backport-18.3]Wiki search throws 500 error for some wiki content</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/204361">[18.3] Fix search admin page error when ES server returns forbidden</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/205149">Backport of "Hide secrets manager settings behind feature flag instead of just the license" to 18.3</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/205265">Backport of Update the admin user for GET Release Environment QA tests</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/205498">[18.3] Backport: Resolve "Unable to fork project or create project if application wide lock_duo_features_enabled is true"</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/205372">Backport of Add Danger message to guide backport MR authors to reviewers and mergers (18.3)</a></li> <li><a 
href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/205541">[Backport 18-3] Skip secret push protection for as-if-foss pipeline</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/205610">18.3: Backport of 'Fix error when applying scanner suggestion'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/205625">Backport of Ensure proper MCP URL OAuth Discovery for API/V4/MCP</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/205731">Optimize HandleMalformedStrings middleware for CPU and memory</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/205700">Backport to 18.3 of Add job project claims to CI ID Tokens</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/205849">Backport of Return success when status update target already matches</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/205877">[18.3] Fix flaky parallel design management uploads spec</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/206171">Backport 'Fix branches autocomplete paths in the merge request list app' to 18-3</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/206173">Backport 'Fix Linked file not being on top of the list' to 18-3</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/205902">[18.3] Allow elastic client adapter to be set</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/206204">Backport of Use isUnsafeLink for xcode protocol</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/206144">18.3 Backport of 'Resolve "Dependency list export with API silently fails license validation"'</a></li> <li><a href="https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/8699">Backport: Fix registry metadata database password creation</a></li> <li><a 
href="https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/8720">Fall back to c_rehash if there are multiple TLS certificates</a></li> </ul> <h3 id="1827">18.2.7</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/204431">Backport of diff comment suggestions line range fix</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/204362">[18.2] Fix search admin page error when ES server returns forbidden</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/204372">[Backport 18.2] Wiki search throws 500 error for some wiki content</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/204768">Backport of 'Danger to not warn in maintained stable branches' to 18.2</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/204636">Backport 18.2: Do not trim deployment filename in geo secondary</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/204785">Backport of "Use release-environment project id instead of canonical"</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/204900">18.2: Backport of 'Fix security widget polling indefinitely when there are sboms'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/205264">Backport of Update the admin user for GET Release Environment QA tests</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/205542">[Backport 18-2] Skip secret push protection for as-if-foss pipeline</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/205370">Backport of Add Danger message to guide backport MR authors to reviewers and mergers (18.2)</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/205612">18.2: Backport of 'Fix error when applying scanner suggestion'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/205733">Optimize HandleMalformedStrings middleware for CPU 
and memory</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/205705">Backport to 18.2 of Add job project claims to CI ID Tokens</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/205500">[18.2] Backport: Resolve "Unable to fork project or create project if application wide lock_duo_features_enabled is true"</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/205879">[18.2] Fix flaky parallel design management uploads spec</a></li> <li><a href="https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/8721">Fall back to c_rehash if there are multiple TLS certificates</a></li> </ul> <h2 id="important-notes-on-upgrading">Important notes on upgrading</h2> <p>These versions do not include any new migrations, and for multi-node deployments, <a href="https://docs.gitlab.com/ee/update/#upgrading-without-downtime">should not require any downtime</a>.</p> <p>Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a <a href="https://docs.gitlab.com/ee/update/zero_downtime.html"><code>/etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for <a href="https://docs.gitlab.com/omnibus/update/README.html">updates</a>.</p> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">Update page</a>. To update GitLab Runner, see the <a href="https://docs.gitlab.com/runner/install/linux-repository.html#updating-the-runner">Updating the Runner page</a>.</p> <h2 id="receive-patch-notifications">Receive Patch Notifications</h2> <p>To receive patch blog notifications delivered to your inbox, visit our <a href="https://about.gitlab.com/company/contact/">contact us</a> page. 
To receive release notifications via RSS, subscribe to our <a href="https://about.gitlab.com/security-releases.xml">patch release RSS feed</a> or our <a href="https://about.gitlab.com/all-releases.xml">RSS feed for all releases</a>.</p> <h1><a href="https://about.gitlab.com/releases/2025/09/10/patch-release-gitlab-18-3-2-released/">GitLab Patch Release: 18.3.2, 18.2.6, 18.1.6</a></h1> <p>Published: 2025-09-10T00:00:00+00:00. Author: Kat Wu.</p> <p>Today, we are releasing versions 18.3.2, 18.2.6, 18.1.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.</p> <p>GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, please visit our <a href="https://handbook.gitlab.com/handbook/engineering/releases/">releases handbook</a> and <a href="https://about.gitlab.com/security/faq/">security FAQ</a>. 
You can see all GitLab release blog posts <a href="/releases/categories/releases/">here</a>.</p> <p>For security fixes, the issues detailing each vulnerability are made public on our <a href="https://gitlab.com/gitlab-org/gitlab/-/issues/?sort=created_date&amp;state=closed&amp;label_name%5B%5D=bug%3A%3Avulnerability&amp;confidential=no&amp;first_page_size=100">issue tracker</a> 30 days after the release in which they were patched.</p> <p>We are committed to ensuring that all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. To maintain good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more <a href="/blog/gitlab-instance-security-best-practices/">best practices in securing your GitLab instance</a> in our blog post.</p> <h3 id="recommended-action">Recommended Action</h3> <p>We <strong>strongly recommend</strong> that all installations running a version affected by the issues described below are <strong>upgraded to the latest version as soon as possible</strong>.</p> <p>When no specific deployment type (omnibus, source code, helm chart, etc.) 
of a product is mentioned, it means all types are affected.</p> <h2 id="security-fixes">Security fixes</h2> <h3 id="table-of-security-fixes">Table of security fixes</h3> <table> <thead> <tr> <th>Title</th> <th>Severity</th> </tr> </thead> <tbody> <tr> <td><a href="#cve-2025-2256---denial-of-service-issue-in-saml-responses-impacts-gitlab-ceee">Denial of Service issue in SAML Responses impacts GitLab CE/EE</a></td> <td>High</td> </tr> <tr> <td><a href="#cve-2025-6454---server-side-request-forgery-issue-in-webhook-custom-header-impacts-gitlab-ceee">Server-Side Request Forgery issue in Webhook custom header impacts GitLab CE/EE</a></td> <td>High</td> </tr> <tr> <td><a href="#cve-2025-1250---denial-of-service-issue-in-user-controllable-fields-impacts-gitlab-ceee">Denial of Service issue in User-Controllable Fields impacts GitLab CE/EE</a></td> <td>Medium</td> </tr> <tr> <td><a href="#cve-2025-7337---denial-of-service-issue-in-endpoint-file-upload-impacts-gitlab-ceee">Denial of Service issue in endpoint file upload impacts GitLab CE/EE</a></td> <td>Medium</td> </tr> <tr> <td><a href="#cve-2025-10094---denial-of-service-issue-in-token-listing-operations-impacts-gitlab-ceee">Denial of Service issue in token listing operations impacts GitLab CE/EE</a></td> <td>Medium</td> </tr> <tr> <td><a href="#cve-2025-6769---information-disclosure-issue-in-runner-endpoints-impacts-gitlab-ceee">Information disclosure issue in runner endpoints impacts GitLab CE/EE</a></td> <td>Medium</td> </tr> </tbody> </table> <h3 id="cve-2025-2256---denial-of-service-issue-in-saml-responses-impacts-gitlab-ceee"><a href="https://www.cve.org/CVERecord?id=CVE-2025-2256">CVE-2025-2256</a> - Denial of Service issue in SAML Responses impacts GitLab CE/EE</h3> <p>GitLab has remediated an issue that could have allowed unauthorized users to render the GitLab instance unresponsive to legitimate users by sending multiple concurrent large SAML responses.</p> <p><strong>Impacted Versions:</strong> GitLab CE/EE: all 
versions from 7.12 before 18.1.6, 18.2 before 18.2.6, and 18.3 before 18.3.2 <br /> <strong>CVSS:</strong> 7.5 (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"><code>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</code></a>)</p> <p>Thanks <a href="https://hackerone.com/yuki_osaki">yuki_osaki</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="cve-2025-6454---server-side-request-forgery-issue-in-webhook-custom-header-impacts-gitlab-ceee"><a href="https://www.cve.org/CVERecord?id=CVE-2025-6454">CVE-2025-6454</a> - Server-Side Request Forgery issue in Webhook custom header impacts GitLab CE/EE</h3> <p>GitLab has remediated an issue that could have allowed authenticated users to make unintended internal requests through proxy environments by injecting crafted sequences.</p> <p><strong>Impacted Versions:</strong> GitLab CE/EE: all versions from 16.11 before 18.1.6, 18.2 before 18.2.6, and 18.3 before 18.3.2 <br /> <strong>CVSS:</strong> 8.5 (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"><code>CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H</code></a>)</p> <p>Thanks <a href="https://hackerone.com/ppee">ppee</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="cve-2025-1250---denial-of-service-issue-in-user-controllable-fields-impacts-gitlab-ceee"><a href="https://www.cve.org/CVERecord?id=CVE-2025-1250">CVE-2025-1250</a> - Denial of Service issue in User-Controllable Fields impacts GitLab CE/EE</h3> <p>GitLab has remediated an issue that could have allowed an authenticated user to stall background job processing by sending specially crafted commit messages, merge request descriptions, or notes.</p> <p><strong>Impacted Versions:</strong> GitLab CE/EE: all versions from 15.0 before 18.1.6, 18.2 
before 18.2.6, and 18.3 before 18.3.2 <br /> <strong>CVSS:</strong> 6.5 (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"><code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H</code></a>)</p> <p>Thanks <a href="https://hackerone.com/pwnie">pwnie</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="cve-2025-7337---denial-of-service-issue-in-endpoint-file-upload-impacts-gitlab-ceee"><a href="https://www.cve.org/CVERecord?id=CVE-2025-7337">CVE-2025-7337</a> - Denial of Service issue in endpoint file upload impacts GitLab CE/EE</h3> <p>GitLab has remediated an issue that could have allowed an authenticated user with Developer-level access to cause a persistent denial of service affecting all users on a GitLab instance by uploading large files.</p> <p><strong>Impacted Versions:</strong> GitLab CE/EE: all versions from 7.8 before 18.1.6, 18.2 before 18.2.6, and 18.3 before 18.3.2 <br /> <strong>CVSS:</strong> 6.5 (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"><code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H</code></a>)</p> <p>Thanks <a href="https://hackerone.com/pwnie">pwnie</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="cve-2025-10094---denial-of-service-issue-in-token-listing-operations-impacts-gitlab-ceee"><a href="https://www.cve.org/CVERecord?id=CVE-2025-10094">CVE-2025-10094</a> - Denial of Service issue in token listing operations impacts GitLab CE/EE</h3> <p>GitLab has remediated an issue that could have allowed authenticated users to disrupt access to token listings and related administrative operations by creating tokens with excessively large names.</p> <p><strong>Impacted Versions:</strong> GitLab CE/EE: all versions from 10.7 before 18.1.6, 18.2 before 18.2.6, and 18.3 
before 18.3.2 <br /> <strong>CVSS:</strong> 6.5 (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"><code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H</code></a>)</p> <p>Thanks <a href="https://hackerone.com/pwnie">pwnie</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="cve-2025-6769---information-disclosure-issue-in-runner-endpoints-impacts-gitlab-ceee"><a href="https://www.cve.org/CVERecord?id=CVE-2025-6769">CVE-2025-6769</a> - Information disclosure issue in runner endpoints impacts GitLab CE/EE</h3> <p>GitLab has remediated an issue that could have allowed authenticated users to view administrator-only maintenance notes by accessing runner details through specific interfaces.</p> <p><strong>Impacted Versions:</strong> GitLab CE/EE: all versions from 15.1 before 18.1.6, 18.2 before 18.2.6, and 18.3 before 18.3.2 <br /> <strong>CVSS:</strong> 4.3 (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"><code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code></a>)</p> <p>Thanks <a href="https://hackerone.com/iamgk808">iamgk808</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="bug-fixes">Bug fixes</h2> <h3 id="1832">18.3.2</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/202271">Backport of 'Ignore silent_mode in clickhouse http calls'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/202828">Backport of 'Update gitlab-shell to v14.45.0'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/201943">Revert "Merge branch 'marina.mosti-543725-reviewer-dropdown-ce' into 'master'"</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/203071">Backport of "Only create ToC for headings with 
links"</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/202992">Backport of fix webauthn authentication in Firefox - 18.3</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/202953">Backport of move delayed deletion cronjob settings to CE</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/203308">Backport 'Disable gdk-update job in stable branch pipelines'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/203290">Backport update to gitlab-sshd to relax allowed algorithms for FIPS</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/202829">Backport of 'Display MCP settings for root groups only'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/202994">Backport of 'Fix shared group access for advanced code search'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/203413">Backport: Fix nil error in Gitlab:Auth:IpRateLimiter</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/203676">Backport 'Add Compare link to submodule diffs' to 18.3</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/203422">Backport of "Revert 'New projects don't automatically inherit from group-level'"</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/203718">Backport of "Fix syncing remote stored Blobs with filenames with plus sign"</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/203722">Backport of 'Make FileLocationType.endLine nullable' for 18.3</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/203538">Backport of Update csp_enabled? 
to always return a boolean value</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/203686">Backport of Fix LdapAllAddOnSeatSyncWorker removing seats when no groups configured</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/203966">Backport 'Revert gem caching only in specific pipelines'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/203933">Update gitlab-shell to v14.45.2 to allow ED25519 for FIPS</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/204239">[18.3] Remove flaky spec</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/203954">Backport of diff comment suggestions line range fix</a></li> <li><a href="https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/8714">Adds checksum for ruby 3.2.9</a></li> </ul> <h3 id="1826">18.2.6</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/202827">Update gitlab-shell to v14.45.0</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/203072">Backport of "Only create ToC for headings with links"</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/203288">Backport update to gitlab-sshd to relax allowed algorithms for FIPS</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/203309">Backport 'Disable gdk-update job in stable branch pipelines'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/202995">Backport of 'Fix shared group access for advanced code search'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/203525">Backport of 'Fix Bitbucket Server Importer enqueued job count'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/203587">Backport of 'Fix: Geo::ModelMapper flakiness'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/203675">Backport 'Add Compare link to submodule diffs' to 
18.2</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/203724">Backport of 'Make FileLocationType.endLine nullable' for 18.2</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/203539">Backport of Update csp_enabled? to always return a boolean value</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/203720">Backport of "Fix syncing remote stored Blobs with filenames with plus sign"</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/203932">Update gitlab-shell to v14.45.2 to allow ED25519 for FIPS</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/204241">[18.2] Remove flaky spec</a></li> <li><a href="https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/8664">Backport 18-2: Fix spec tag name source</a></li> </ul> <h3 id="1816">18.1.6</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/202675">Backport of 'Fix cannot load such file – gitlab'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/203530">Backport of Fix 'Bitbucket Server Importer enqueued job count'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/203726">Backport of 'Make FileLocationType.endLine nullable' for 18.1</a></li> </ul> <h2 id="important-notes-on-upgrading">Important notes on upgrading</h2> <p>These versions do not include any new migrations, and for multi-node deployments, <a href="https://docs.gitlab.com/ee/update/#upgrading-without-downtime">should not require any downtime</a>.</p> <p>Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. 
This behavior can be changed by adding a <a href="https://docs.gitlab.com/ee/update/zero_downtime.html"><code>/etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for <a href="https://docs.gitlab.com/omnibus/update/README.html">updates</a>.</p> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">Update page</a>. To update Gitlab Runner, see the <a href="https://docs.gitlab.com/runner/install/linux-repository.html#updating-the-runner">Updating the Runner page</a>.</p> <h2 id="receive-patch-notifications">Receive Patch Notifications</h2> <p>To receive patch blog notifications delivered to your inbox, visit our <a href="https://about.gitlab.com/company/contact/">contact us</a> page. To receive release notifications via RSS, subscribe to our <a href="https://about.gitlab.com/security-releases.xml">patch release RSS feed</a> or our <a href="https://about.gitlab.com/all-releases.xml">RSS feed for all releases</a>.</p> <img src='https://about.gitlab.com/images/blogimages/security-cover-fy26.png' class='webfeedsFeaturedVisual' style='display: none;' /> GitLab Patch Release: 18.3.1, 18.2.5, 18.1.5 https://about.gitlab.com/releases/2025/08/27/patch-release-gitlab-18-3-1-released/ 2025-08-27T00:00:00+00:00 2025-08-27T00:00:00+00:00 Greg Myers <!-- For detailed instructions on how to complete this, please see https://gitlab.com/gitlab-org/release/docs/-/blob/master/general/patch/blog-post.md --> <p>Today, we are releasing versions 18.3.1, 18.2.5, 18.1.5 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.</p> <p>GitLab releases fixes for vulnerabilities in patch releases. 
There are two types of patch releases: scheduled releases and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, please visit our <a href="https://handbook.gitlab.com/handbook/engineering/releases/">releases handbook</a> and <a href="https://about.gitlab.com/security/faq/">security FAQ</a>. You can see all GitLab release blog posts <a href="/releases/categories/releases/">here</a>.</p> <p>For security fixes, the issues detailing each vulnerability are made public on our <a href="https://gitlab.com/gitlab-org/gitlab/-/issues/?sort=created_date&amp;state=closed&amp;label_name%5B%5D=bug%3A%3Avulnerability&amp;confidential=no&amp;first_page_size=100">issue tracker</a> 30 days after the release in which they were patched.</p> <p>We are committed to ensuring that all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. To maintain good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more about <a href="/blog/gitlab-instance-security-best-practices/">best practices for securing your GitLab instance</a> in our blog post.</p> <h3 id="recommended-action">Recommended Action</h3> <p>We <strong>strongly recommend</strong> that all installations running a version affected by the issues described below are <strong>upgraded to the latest version as soon as possible</strong>.</p> <p>When no specific deployment type (omnibus, source code, helm chart, etc.) 
of a product is mentioned, it means all types are affected.</p> <h2 id="security-fixes">Security fixes</h2> <h3 id="table-of-security-fixes">Table of security fixes</h3> <table> <thead> <tr> <th>Title</th> <th>Severity</th> </tr> </thead> <tbody> <tr> <td><a href="#cve-2025-3601---allocation-of-resources-without-limits-issue-in-import-function-impacts-gitlab-ceee">Allocation of Resources Without Limits issue in import function impacts GitLab CE/EE</a></td> <td>Medium</td> </tr> <tr> <td><a href="#cve-2025-2246---missing-authentication-issue-in-graphql-endpoint-impacts-gitlab-ceee">Missing authentication issue in GraphQL endpoint impacts GitLab CE/EE</a></td> <td>Medium</td> </tr> <tr> <td><a href="#cve-2025-4225---allocation-of-resources-without-limits-issue-in-graphql-impacts-gitlab-ceee">Allocation of Resources Without Limits issue in GraphQL impacts GitLab CE/EE</a></td> <td>Medium</td> </tr> <tr> <td><a href="#cve-2025-5101---code-injection-issue-in-gitlab-repositories-impacts-gitlab-ceee">Code injection issue in GitLab repositories impacts GitLab CE/EE</a></td> <td>Medium</td> </tr> </tbody> </table> <h3 id="cve-2025-3601---allocation-of-resources-without-limits-issue-in-import-function-impacts-gitlab-ceee"><a href="https://www.cve.org/CVERecord?id=CVE-2025-3601">CVE-2025-3601</a> - Allocation of Resources Without Limits issue in import function impacts GitLab CE/EE</h3> <p>GitLab has remediated an issue that could have allowed an authenticated user to cause a Denial of Service (DoS) condition by submitting URLs that generate excessively large responses. 
<br /></p> <p><strong>Impacted Versions</strong>: GitLab CE/EE: all versions from 8.15 before 18.1.5, 18.2 before 18.2.5, and 18.3 before 18.3.1 <br /> <strong>CVSS</strong>: 6.5 (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"><code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H</code></a>)</p> <p>Thanks <a href="https://hackerone.com/nermalt">nermalt</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="cve-2025-2246---missing-authentication-issue-in-graphql-endpoint-impacts-gitlab-ceee"><a href="https://www.cve.org/CVERecord?id=CVE-2025-2246">CVE-2025-2246</a> - Missing authentication issue in GraphQL endpoint impacts GitLab CE/EE</h3> <p>GitLab has remediated an issue that could have allowed unauthenticated users to access sensitive manual CI/CD variables by querying the GraphQL API. <br /></p> <p><strong>Impacted Versions</strong>: GitLab CE/EE: all versions before 18.1.5, 18.2 before 18.2.5, and 18.3 before 18.3.1 <br /> <strong>CVSS</strong>: 5.8 (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N"><code>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N</code></a>)</p> <p>Thanks <a href="https://hackerone.com/pwnie">pwnie</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="cve-2025-4225---allocation-of-resources-without-limits-issue-in-graphql-impacts-gitlab-ceee"><a href="https://www.cve.org/CVERecord?id=CVE-2025-4225">CVE-2025-4225</a> - Allocation of Resources Without Limits issue in GraphQL impacts GitLab CE/EE</h3> <p>GitLab has remediated an issue that under certain conditions could have allowed an unauthenticated attacker to cause a denial-of-service condition affecting all users by sending specially crafted GraphQL requests. 
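Every fix in this post states its affected range in the same form, for example the CVE-2025-3601 entry above: all versions from 8.15 before 18.1.5, 18.2 before 18.2.5, and 18.3 before 18.3.1. Each comma-separated clause is a half-open interval, so 18.2.4 is affected, 18.2.5 is not, and 18.1.6 is not affected even though it is lower than 18.2. The following Python is an added example for checking an instance's version against such ranges; it is not GitLab's code. The range strings it carries are copied from the entries in this post, and the `prior to` / `GitLab EE:` handling covers the wording variants GitLab uses elsewhere in these posts.

```python
"""Decide whether an installed GitLab version falls in an advisory's
'Impacted Versions' ranges.

Added example, not GitLab code. The range strings below are copied from the
entries in this post. Each comma-separated clause is a half-open interval
[lower, upper): 'all versions from 8.15 before 18.1.5' is [8.15, 18.1.5),
'18.2 before 18.2.5' is [18.2, 18.2.5), and a clause with no 'from' has no
lower bound. A version is affected if it falls inside any clause.
"""
import re
from typing import Optional

IMPACTED = {
    "CVE-2025-3601": "all versions from 8.15 before 18.1.5, 18.2 before 18.2.5, and 18.3 before 18.3.1",
    "CVE-2025-2246": "all versions before 18.1.5, 18.2 before 18.2.5, and 18.3 before 18.3.1",
    "CVE-2025-4225": "all versions from 14.1 before 18.1.5, 18.2 before 18.2.5, and 18.3 before 18.3.1",
    "CVE-2025-5101": "all versions before 18.1.5, 18.2 before 18.2.5, and 18.3 before 18.3.1",
}

# One clause: optional 'all versions', optional 'from X', mandatory 'before Y'.
CLAUSE = re.compile(r"^(?:all versions\s+)?(?:from\s+)?(\d[\d.]*)?\s*before\s+(\d[\d.]*)$")


def parse_version(text: str) -> tuple:
    """'18.2.5-ee' -> (18, 2, 5); edition and build suffixes are ignored."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"not a version: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def parse_ranges(text: str) -> list:
    """'GitLab CE/EE: all versions from X before A, B before C' -> [(X, A), (B, C)].

    Lower bounds are None when the clause has no 'from'. 'prior to' is the
    wording some entries use instead of 'before'.
    """
    text = re.sub(r"^\s*GitLab\s+(?:CE/EE|CE|EE):\s*", "", text)
    text = text.replace("prior to", "before").replace(" and ", ", ")
    ranges = []
    for clause in (c.strip().rstrip(".") for c in text.split(",")):
        if not clause:
            continue
        m = CLAUSE.match(clause)
        if not m:
            raise ValueError(f"unrecognised clause: {clause!r}")
        lower = parse_version(m.group(1)) if m.group(1) else None
        ranges.append((lower, parse_version(m.group(2))))
    return ranges


def in_range(version: tuple, lower: Optional[tuple], upper: tuple) -> bool:
    """Half-open [lower, upper). Tuple ordering gives (18, 2) < (18, 2, 0) < (18, 2, 5)."""
    return (lower is None or version >= lower) and version < upper


def is_affected(installed: str, impacted: str) -> bool:
    version = parse_version(installed)
    return any(in_range(version, lo, hi) for lo, hi in parse_ranges(impacted))


def affected_cves(installed: str, table: dict = IMPACTED) -> list:
    """CVE IDs from the table whose ranges contain the installed version."""
    return [cve for cve, rng in table.items() if is_affected(installed, rng)]


if __name__ == "__main__":
    # 18.1.6 is lower than 18.2 yet fixed: it lies outside [8.15, 18.1.5) and below 18.2.
    for v in ("18.1.4-ee", "18.1.6", "18.2.4", "18.2.5", "18.3.0", "18.3.1"):
        print(f"{v:10} affected by: {affected_cves(v) or 'nothing in this post'}")
```

Feed it the version the instance reports (the `GET /api/v4/version` endpoint returns a value such as `18.2.4-ee`); the edition suffix is dropped by the parser. The parser raises on any clause it does not recognise rather than silently treating the version as safe.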
<br /></p> <p><strong>Impacted Versions</strong>: GitLab CE/EE: all versions from 14.1 before 18.1.5, 18.2 before 18.2.5, and 18.3 before 18.3.1 <br /> <strong>CVSS</strong>: 5.3 (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"><code>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L</code></a>)</p> <p>Thanks <a href="https://hackerone.com/pwnie">pwnie</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="cve-2025-5101---code-injection-issue-in-gitlab-repositories-impacts-gitlab-ceee"><a href="https://www.cve.org/CVERecord?id=CVE-2025-5101">CVE-2025-5101</a> - Code injection issue in GitLab repositories impacts GitLab CE/EE</h3> <p>GitLab has remediated an issue that under certain conditions could have allowed an authenticated attacker to distribute malicious code that appears harmless in the web interface by taking advantage of ambiguity between branches and tags during repository imports. 
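The CVE-2025-5101 entry above hinges on a branch and a tag carrying the same name. Git resolves an unqualified name by trying refs/tags/ before refs/heads/, while `git checkout` prefers the branch of that name, so a short name like `release` can denote one commit in a log or diff view and another in the working tree. Before importing a repository it is worth listing such collisions. The following Python is an added example, not GitLab's code; it parses the output of `git for-each-ref --format='%(refname) %(objectname)' refs/heads refs/tags` and reports every name present in both namespaces, noting whether the two refs point at different objects. The ref listing embedded in it is constructed sample data.

```python
"""Flag ref names that exist as both a branch and a tag in a Git repository.

Added example, not GitLab code. Input is the output of
    git for-each-ref --format='%(refname) %(objectname)' refs/heads refs/tags
which lists one fully qualified ref per line. Git's lookup order for an
unqualified name tries refs/tags/<name> before refs/heads/<name>, while
'git checkout <name>' prefers the branch, so a shared name can mean
different code in different tools. Every such collision is reported, along
with whether the branch and the tag disagree on the object they name.
"""
import subprocess
from dataclasses import dataclass

# Constructed sample: 'release' and 'v1.0' exist as both a branch and a tag.
SAMPLE_REFS = """\
refs/heads/main 1111111111111111111111111111111111111111
refs/heads/release 2222222222222222222222222222222222222222
refs/heads/v1.0 3333333333333333333333333333333333333333
refs/tags/release 4444444444444444444444444444444444444444
refs/tags/v1.0 3333333333333333333333333333333333333333
refs/tags/v1.1 5555555555555555555555555555555555555555
"""


@dataclass(frozen=True)
class Collision:
    name: str
    branch_oid: str
    tag_oid: str

    @property
    def diverges(self) -> bool:
        """True when the branch and the tag of the same name point at different objects."""
        return self.branch_oid != self.tag_oid


def parse_refs(text: str) -> dict:
    """Map each fully qualified refname to its object id."""
    refs = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, oid = line.split(maxsplit=1)
        refs[name] = oid.strip()
    return refs


def find_collisions(text: str) -> list:
    """Names present under both refs/heads/ and refs/tags/, sorted by name."""
    refs = parse_refs(text)
    branches = {n[len("refs/heads/"):]: o for n, o in refs.items() if n.startswith("refs/heads/")}
    tags = {n[len("refs/tags/"):]: o for n, o in refs.items() if n.startswith("refs/tags/")}
    shared = branches.keys() & tags.keys()
    return sorted((Collision(n, branches[n], tags[n]) for n in shared), key=lambda c: c.name)


def collisions_in_repo(path: str) -> list:
    """Run the same check against a local clone (not exercised by the sample)."""
    out = subprocess.run(
        ["git", "-C", path, "for-each-ref",
         "--format=%(refname) %(objectname)", "refs/heads", "refs/tags"],
        check=True, capture_output=True, text=True,
    ).stdout
    return find_collisions(out)


if __name__ == "__main__":
    for c in find_collisions(SAMPLE_REFS):
        state = "DIFFERENT objects" if c.diverges else "same object"
        print(f"{c.name}: branch {c.branch_oid[:7]} / tag {c.tag_oid[:7]} ({state})")
```

A collision whose two refs name the same object is merely untidy; one where they diverge is the case worth refusing or renaming before import, since readers of the web interface and users of a clone may be looking at different code under the same name.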
<br /></p> <p><strong>Impacted Versions</strong>: GitLab CE/EE: all versions before 18.1.5, 18.2 before 18.2.5, and 18.3 before 18.3.1 <br /> <strong>CVSS</strong>: 5.0 (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:N"><code>CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:N</code></a>).</p> <p>Thanks <a href="https://hackerone.com/st4nly0n">st4nly0n</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="bug-fixes">Bug fixes</h2> <h3 id="1831">18.3.1</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/build/CNG/-/merge_requests/2626">[Backport 18.3] Making changes for container scanning for SBOMs</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/202294">Backport of 'Fix cannot load such file – gitlab'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/202065">Backport: Fix namespace issue preventing Ci::Build filtering optimization</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/202363">Backport of "Dependency Path creation with path caching"</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/202656">Fix trusted proxies regression when hostname is specified</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/202706">Backport of E2E test: use correct checkbox method</a></li> <li><a href="https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/8677">Update Mattermost to v10.10.2</a></li> </ul> <h3 id="1825">18.2.5</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/build/CNG/-/merge_requests/2627">[Backport 18.2] Making changes for container scanning for SBOMs</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/201853">[18.2] Fix flaky specs due to label ordering</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/201990">Backport 'Danger to fail backport 
MRs without descriptive title'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/201270">Backport bug - Fix mutations of frozen object in feature_setting.rb</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/201937">Add stage check for agentic chat</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/202418">Backport of 'update the active_add_on_purchase check to include self-managed check'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/202564">Backport of "Create noop pipeline template compatible with test-on-omnibus"</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/202673">Backport of 'Fix cannot load such file – gitlab'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/202705">Backport of E2E test: use correct checkbox method</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/202570">Backport of 'Ignore silent_mode in clickhouse http calls'</a></li> </ul> <h3 id="1815">18.1.5</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/201046">Backport "Danger to not error when e2e:test-on-omnibus-ee job not present for only QA changes" to 18.1</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/196606">Backport Set :throttled urgency for GlobalAdvisoryScanWorker</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/201245">Backport 'Add job and script to update backport MR label after deployment'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/201425">Backport 'Update gitlab-chart digest to 9d9e150'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/201655">Backport of 'fix missing ref attribute'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/201854">[18.1] Fix flaky specs due to label ordering</a></li> <li><a 
href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/201992">Backport 'Danger to fail backport MRs without descriptive title'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/202419">Backport of 'update the active_add_on_purchase check to include self-managed check'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/202540">Backport of E2E test: use correct checkbox method</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/202565">Backport of "Create noop pipeline template compatible with test-on-omnibus"</a></li> </ul> <h2 id="important-notes-on-upgrading">Important notes on upgrading</h2> <p>These versions do not include any new migrations, and for multi-node deployments, <a href="https://docs.gitlab.com/ee/update/#upgrading-without-downtime">should not require any downtime</a>.</p> <p>Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a <a href="https://docs.gitlab.com/ee/update/zero_downtime.html"><code>/etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for <a href="https://docs.gitlab.com/omnibus/update/README.html">updates</a>.</p> GitLab Patch Release: 18.2.2, 18.1.4, 18.0.6 https://about.gitlab.com/releases/2025/08/13/patch-release-gitlab-18-2-2-released/ 2025-08-13T00:00:00+00:00 2025-08-13T00:00:00+00:00 Nikhil George <p>Today, we are releasing versions 18.2.2, 18.1.4, 18.0.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.</p> <h3 id="recommended-action">Recommended Action</h3> <p>We <strong>strongly recommend</strong> that all installations running a version affected by the issues described below are <strong>upgraded to the latest version as soon as possible</strong>.</p> <p>When no specific deployment type (omnibus, source code, helm chart, etc.) 
of a product is mentioned, it means all types are affected.</p> <h2 id="security-fixes">Security fixes</h2> <h3 id="table-of-security-fixes">Table of security fixes</h3> <table> <thead> <tr> <th>Title</th> <th>Severity</th> </tr> </thead> <tbody> <tr> <td><a href="#cve-2025-7734---cross-site-scripting-issue-in-blob-viewer-impacts-gitlab-ceee">Cross-site scripting issue in blob viewer impacts GitLab CE/EE</a></td> <td>High</td> </tr> <tr> <td><a href="#cve-2025-7739---cross-site-scripting-issue-in-labels-impacts-gitlab-ceee">Cross-site scripting issue in labels impacts GitLab CE/EE</a></td> <td>High</td> </tr> <tr> <td><a href="#cve-2025-6186---cross-site-scripting-issue-in-workitem-impacts-gitlab-ceee">Cross-site scripting issue in Workitem impacts GitLab CE/EE</a></td> <td>High</td> </tr> <tr> <td><a href="#cve-2025-8094---improper-handling-of-permissions-issue-in-project-api-impacts-gitlab-ceee">Improper Handling of Permissions issue in project API impacts GitLab CE/EE</a></td> <td>High</td> </tr> <tr> <td><a href="#cve-2024-12303---incorrect-privilege-assignment-issue-in-delete-issues-operation-impacts-gitlab-ceee">Incorrect Privilege Assignment issue in delete issues operation impacts GitLab CE/EE</a></td> <td>Medium</td> </tr> <tr> <td><a href="#cve-2025-2614---allocation-of-resources-without-limits-issue-in-release-name-creation-impacts-gitlab-ceee">Allocation of Resources Without Limits issue in release name creation impacts GitLab CE/EE</a></td> <td>Medium</td> </tr> <tr> <td><a href="#cve-2024-10219---incorrect-authorization-issue-in-jobs-api-impacts-gitlab-ceee">Incorrect Authorization issue in jobs API impacts GitLab CE/EE</a></td> <td>Medium</td> </tr> <tr> <td><a href="#cve-2025-8770---authorization-issue-in-merge-request-approval-policy-impacts-gitlab-ee">Authorization issue in Merge request approval policy impacts GitLab EE</a></td> <td>Medium</td> </tr> <tr> <td><a 
href="#cve-2025-2937---inefficient-regular-expression-complexity-issue-in-wiki-impacts-gitlab-ceee">Inefficient Regular Expression Complexity issue in wiki impacts GitLab CE/EE</a></td> <td>Medium</td> </tr> <tr> <td><a href="#cve-2025-1477---allocation-of-resources-without-limits-issue-in-mattermost-integration-impacts-gitlab-ceee">Allocation of Resources Without Limits issue in Mattermost integration impacts GitLab CE/EE</a></td> <td>Medium</td> </tr> <tr> <td><a href="#cve-2025-5819---incorrect-permission-assignment-issue-in-id-token-impacts-gitlab-ceee">Incorrect Permission Assignment issue in ID token impacts GitLab CE/EE</a></td> <td>Medium</td> </tr> <tr> <td><a href="#cve-2025-2498---insufficient-access-control-issue-in-ip-restriction-impacts-gitlab-ee">Insufficient Access Control issue in IP Restriction impacts GitLab EE</a></td> <td>Medium</td> </tr> </tbody> </table> <h3 id="cve-2025-7734---cross-site-scripting-issue-in-blob-viewer-impacts-gitlab-ceee"><a href="https://www.cve.org/CVERecord?id=CVE-2025-7734">CVE-2025-7734</a> - Cross-site scripting issue in blob viewer impacts GitLab CE/EE</h3> <p>GitLab has remediated an issue that, under certain conditions, could have allowed a successful attacker to execute actions on behalf of users by injecting malicious content.</p> <p><strong>Impacted Versions</strong>: GitLab CE/EE: all versions from 14.2 before 18.0.6, 18.1 before 18.1.4 and 18.2 before 18.2.2 <br /> <strong>CVSS</strong>: 8.7 (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N"><code>CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N</code></a>)</p> <p>Thanks <a href="https://hackerone.com/joaxcar">joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="cve-2025-7739---cross-site-scripting-issue-in-labels-impacts-gitlab-ceee"><a href="https://www.cve.org/CVERecord?id=CVE-2025-7739">CVE-2025-7739</a> - 
Cross-site scripting issue in labels impacts GitLab CE/EE</h3> <p>GitLab has remediated an issue that, under certain conditions, could have allowed authenticated users to achieve stored cross-site scripting by injecting malicious HTML content in scoped label descriptions.</p> <p><strong>Impacted Versions</strong>: GitLab CE/EE: all versions from 18.2 before 18.2.2 <br /> <strong>CVSS</strong>: 8.7 (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N"><code>CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N</code></a>)</p> <p>Thanks <a href="https://hackerone.com/yvvdwf">yvvdwf</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="cve-2025-6186---cross-site-scripting-issue-in-workitem-impacts-gitlab-ceee"><a href="https://www.cve.org/CVERecord?id=CVE-2025-6186">CVE-2025-6186</a> - Cross-site scripting issue in Workitem impacts GitLab CE/EE</h3> <p>GitLab has remediated an issue that could have allowed authenticated users to achieve account takeover by injecting malicious HTML into work item names.</p> <p><strong>Impacted Versions</strong>: GitLab CE/EE: all versions from 18.1 before 18.1.4, and 18.2 before 18.2.2 <br /> <strong>CVSS</strong>: 8.7 (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N"><code>CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N</code></a>)</p> <p>Thanks <a href="https://hackerone.com/joaxcar">joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="cve-2025-8094---improper-handling-of-permissions-issue-in-project-api-impacts-gitlab-ceee"><a href="https://www.cve.org/CVERecord?id=CVE-2025-8094">CVE-2025-8094</a> - Improper Handling of Permissions issue in project API impacts GitLab CE/EE</h3> <p>GitLab has remediated an issue that under certain conditions could have allowed 
authenticated users with maintainer privileges to cause denial of service to other users' CI/CD pipelines by manipulating shared infrastructure resources beyond their intended access level.</p> <p><strong>Impacted Versions</strong>: GitLab CE/EE: all versions from 18.0 before 18.0.6, 18.1 before 18.1.4, and 18.2 before 18.2.2 <br /> <strong>CVSS</strong>: 7.7 (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H"><code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H</code></a>)</p> <p>Thanks <a href="https://hackerone.com/abdelrahman_maged">abdelrahman_maged</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="cve-2024-12303---incorrect-privilege-assignment-issue-in-delete-issues-operation-impacts-gitlab-ceee"><a href="https://www.cve.org/CVERecord?id=CVE-2024-12303">CVE-2024-12303</a> - Incorrect Privilege Assignment issue in delete issues operation impacts GitLab CE/EE</h3> <p>GitLab has remediated an issue that under certain conditions could have allowed authenticated users with specific roles and permissions to delete issues including confidential ones by inviting users with a specific role.</p> <p><strong>Impacted Versions</strong>: GitLab CE/EE: all versions from 17.7 before 18.0.6, 18.1 before 18.1.4, and 18.2 before 18.2.2 <br /> <strong>CVSS</strong>: 6.7 (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L"><code>CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L</code></a>)</p> <p>Thanks <a href="https://hackerone.com/yuki_osaki">yuki_osaki</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="cve-2025-2614---allocation-of-resources-without-limits-issue-in-release-name-creation-impacts-gitlab-ceee"><a href="https://www.cve.org/CVERecord?id=CVE-2025-2614">CVE-2025-2614</a> - Allocation of Resources 
Without Limits issue in release name creation impacts GitLab CE/EE</h3> <p>GitLab has remediated an issue that could have allowed an authenticated user to cause a denial of service condition by creating specially crafted content that consumes excessive server resources when processed.</p> <p><strong>Impacted Versions</strong>: GitLab CE/EE: all versions from 11.6 before 18.0.6, 18.1 before 18.1.4, and 18.2 before 18.2.2 <br /> <strong>CVSS</strong>: 6.5 (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"><code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H</code></a>)</p> <p>Thanks <a href="https://hackerone.com/pwnie">pwnie</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="cve-2024-10219---incorrect-authorization-issue-in-jobs-api-impacts-gitlab-ceee"><a href="https://www.cve.org/CVERecord?id=CVE-2024-10219">CVE-2024-10219</a> - Incorrect Authorization issue in jobs API impacts GitLab CE/EE</h3> <p>GitLab has remediated an issue that under certain conditions could have allowed authenticated users to bypass access controls and download private artifacts by accessing specific API endpoints.</p> <p><strong>Impacted Versions</strong>: GitLab CE/EE: all versions from 15.6 before 18.0.6, 18.1 before 18.1.4, and 18.2 before 18.2.2 <br /> <strong>CVSS</strong>: 6.5 (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"><code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N</code></a>)</p> <p>Thanks <a href="https://hackerone.com/albatraoz">albatraoz</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="cve-2025-8770---authorization-issue-in-merge-request-approval-policy-impacts-gitlab-ee"><a href="https://www.cve.org/CVERecord?id=CVE-2025-8770">CVE-2025-8770</a> - Authorization issue in Merge request 
approval policy impacts GitLab EE</h3> <p>GitLab has remediated an issue that could have allowed authenticated users with specific access to bypass merge request approval policies by manipulating approval rule identifiers.</p> <p><strong>Impacted Versions</strong>: GitLab EE: all versions from 18.0 prior to 18.0.6, 18.1 prior to 18.1.4, and 18.2 prior to 18.2.2 <br /> <strong>CVSS</strong>: 6.5 (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"><code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N</code></a>)</p> <p>This vulnerability has been discovered internally by GitLab team member <a href="https://gitlab.com/bauerdominic">Dominic Bauer</a>.</p> <h3 id="cve-2025-2937---inefficient-regular-expression-complexity-issue-in-wiki-impacts-gitlab-ceee"><a href="https://www.cve.org/CVERecord?id=CVE-2025-2937">CVE-2025-2937</a> - Inefficient Regular Expression Complexity issue in wiki impacts GitLab CE/EE</h3> <p>GitLab has remediated an issue that could have allowed authenticated users to create a denial of service condition by sending specially crafted markdown payloads to the Wiki feature.</p> <p><strong>Impacted Versions</strong>: GitLab CE/EE: all versions from 13.2 before 18.0.6, 18.1 before 18.1.4, and 18.2 before 18.2.2 <br /> <strong>CVSS</strong>: 6.5 (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"><code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H</code></a>)</p> <p>Thanks <a href="https://hackerone.com/yuki_osaki">yuki_osaki</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="cve-2025-1477---allocation-of-resources-without-limits-issue-in-mattermost-integration-impacts-gitlab-ceee"><a href="https://www.cve.org/CVERecord?id=CVE-2025-1477">CVE-2025-1477</a> - Allocation of Resources Without Limits issue in Mattermost 
integration impacts GitLab CE/EE</h3> <p>GitLab has remediated an issue that could have allowed an unauthenticated user to create a denial of service condition by sending specially crafted payloads to specific integration API endpoints.</p> <p><strong>Impacted Versions</strong>: GitLab CE/EE: all versions from 8.14 before 18.0.6, 18.1 before 18.1.4, and 18.2 before 18.2.2 <br /> <strong>CVSS</strong>: 6.5 (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"><code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H</code></a>)</p> <p>Thanks <a href="https://hackerone.com/pwnie">pwnie</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="cve-2025-5819---incorrect-permission-assignment-issue-in-id-token-impacts-gitlab-ceee"><a href="https://www.cve.org/CVERecord?id=CVE-2025-5819">CVE-2025-5819</a> - Incorrect Permission Assignment issue in ID token impacts GitLab CE/EE</h3> <p>GitLab has remediated an issue that could have allowed authenticated users with developer access to obtain ID tokens for protected branches under certain circumstances.</p> <p><strong>Impacted Versions</strong>: GitLab CE/EE: all versions from 15.7 before 17.11.6, 18.0 before 18.0.4, and 18.1 before 18.1.2 <br /> <strong>CVSS</strong>: 5.0 (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N"><code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N</code></a>)</p> <p>Thanks <a href="https://hackerone.com/skybound">skybound</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="cve-2025-2498---insufficient-access-control-issue-in-ip-restriction-impacts-gitlab-ee"><a href="https://www.cve.org/CVERecord?id=CVE-2025-2498">CVE-2025-2498</a> - Insufficient Access Control issue in IP Restriction impacts GitLab EE</h3> <p>GitLab has remediated an 
issue that under certain conditions could have allowed users to view assigned issues from restricted groups by bypassing IP restrictions.</p> <p><strong>Impacted Versions</strong>: GitLab EE: all versions from 12.0 prior to 18.0.6, 18.1 prior to 18.1.4, and 18.2 prior to 18.2.2 <br /> <strong>CVSS</strong>: 4.3 (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"><code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code></a>)</p> <p>Thanks <a href="https://hackerone.com/rogerace">rogerace</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="bug-fixes">Bug fixes</h2> <h3 id="1822">18.2.2</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/198502">[backport] bug: Fixed double message bug</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/198679">Backport of 'Remove full instance test suite execution from omnibus pipeline'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/198865">Backport 'Replace test-on-gdk with test-on-cng in backport mr pipelines'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/198939">[18.2] Fix hardcoded GitLab version in spec</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/198867">Backport of 'Exclude release environments from QA live envs'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/198440">[18.2 backport] Fix flaky epic deletion specs</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/198970">[Backport 18.2] Add pause_control to Elastic delete workers</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/199095">Backport of Skip Geo secondary for SyncProjectPolicyWorker</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/198965">Backport of "Add outbound allowlist to allowed 
endpoints for SSRF filter"</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/199295">Backport of Revert "Remove FF for SSRF protection for dependency proxy"</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/199514">Backport of 'New projects inherit parent value for duo_features_enabled'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/199556">Backport of 'Add missing elasticsearch_indexing checks to workers'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/199665">[18.2] Fix flaky work item spec</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/199462">[backport] of Fix: include relative URL root in PDF worker and cMap paths</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/200120">Ensure <code>docs hugo_build</code> CI job uses docs-gitlab-com stable branches</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/200005">Backport of 'Fix: validation errors for Duo settings when creating project'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/200300">Backport quarantine broken user signups cap alert test</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/200160">Backport ruby gem caching improvements</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/200266">Fix another case where Sidekiq can take too long to shut down</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/200056">Backport of 'Filter out NULL values'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/200371">Backport 'Decouple node-modules caching from any specific branch'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/199911">Backport of 'Simplify db:check-schema CI job'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/200448">backport fix to 
use right primary key for ci_job_artifact_states</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/200501">[Backport 18.2] Fix shared group access in advanced search code scope</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/200708">Backport 'Danger to allow backport of maintenance type changes' to 18-2</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/200630">backport: Fix Web IDE loading race condition</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/200583">Backport of Fix numpad enter not working for revision compare dropdown</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/200598">Backport fix case insensitivity in codeowners</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/200942">[18.2] Fix flaky note scope spec</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/201018">Backport 556582-link-to-project-not-working-when-gitlab-hosted-in-subpath-after-upgrade-to-18-2</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/200485">Backport fix: Detect CORS problems in Web IDE</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/201045">Backport "Danger to not error when e2e:test-on-omnibus-ee job not present for only QA changes" to 18.2</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/200626">Backport "Use projectRootPath to compose breadcrumb links"</a></li> <li><a href="https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/8597">Backport of 'Use CI_COMMIT_TAG to check on_tag?'</a></li> <li><a href="https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/8619">Fix deprecation check failing on nil values</a></li> </ul> <h3 id="1814">18.1.4</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/198678">Backport of 'Remove full instance test suite execution from 
omnibus pipeline'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/198869">Backport 'Replace test-on-gdk with test-on-cng in backport mr pipelines'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/198441">[18.1 backport] Fix flaky epic deletion specs</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/199082">Backport of 'Exclude release environments from QA live envs'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/199094">Backport of Skip Geo secondary for SyncProjectPolicyWorker</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/198971">[Backport 18.1] Add pause_control to Elastic delete workers</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/199294">Backport of Revert "Remove FF for SSRF protection for dependency proxy"</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/199460">Backport of "Update VERSION file for 18.1.3-internal0"</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/199557">Backport of 'Add missing elasticsearch_indexing checks to workers'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/199709">[18.1] Fix flaky work item spec</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/199465">[backport] of Fix: include relative URL root in PDF worker and cMap paths</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/200052">Backport of "Add repair index tool", Backport of "Filter out NULL values", Backport of "Add documentation for IndexRepair task"</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/200119">Ensure <code>docs hugo_build</code> CI job uses docs-gitlab-com stable branches</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/200161">Backport ruby gem caching improvements</a></li> <li><a 
href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/200267">Fix another case where Sidekiq can take too long to shut down</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/199912">Backport of 'Simplify db:check-schema CI job'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/200443">Backport 'Decouple node-modules caching from any specific branch'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/200449">backport fix to use right primary key for ci_job_artifact_states</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/200586">Backport of Fix numpad enter not working for revision compare dropdown</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/200710">Backport 'Danger to allow backport of maintenance type changes' to 18-1</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/200628">Backport "Use projectRootPath to compose breadcrumb links"</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/200613">Backport fix case insensitivity in codeowners</a></li> <li><a href="https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/8598">Backport of 'Use CI_COMMIT_TAG to check on_tag?'</a></li> </ul> <h3 id="1806">18.0.6</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/198442">[18.0 backport] Fix flaky epic deletion specs</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/199084">Backport of 'Exclude release environments from QA live envs'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/199135">Backport of 'Run QA on GET release environment'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/198973">[Backport 18.0] Add pause_control to Elastic delete workers</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/199711">[18.0] Fix flaky work item 
spec</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/200261">Ensure <code>docs hugo_build</code> CI job uses docs-gitlab-com stable branches</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/200268">Fix another case where Sidekiq can take too long to shut down</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/200048">Backport of "Add repair index tool", Backport of "Filter out NULL values", Backport of "Add documentation for IndexRepair task"</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/199913">Backport of 'Simplify db:check-schema CI job'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/197809">[backport] 'tbulva-zoekt-url-reset' into 18.0</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/200450">backport fix to use right primary key for ci_job_artifact_states</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/200298">Backport ruby gem caching improvements</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/200711">Backport 'Danger to allow backport of maintenance type changes' to 18-0</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/200646">Backport[18.0] Removing check for project and framework for self managed instances</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/200761">Backport 'Decouple node-modules caching from any specific branch'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/200636">Backport fix case insensitivity in codeowners</a></li> <li><a href="https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/8599">Backport of 'Use CI_COMMIT_TAG to check on_tag?'</a></li> </ul> <h2 id="important-notes-on-upgrading">Important notes on upgrading</h2> <p>This patch includes database migrations that may impact your upgrade process.</p> <h3 
id="impact-on-your-installation">Impact on your installation:</h3> <ul> <li><strong>Single-node instances</strong>: This patch will cause downtime during the upgrade as migrations must complete before GitLab can start.</li> <li><strong>Multi-node instances</strong>: With proper <a href="https://docs.gitlab.com/ee/update/zero_downtime.html">zero-downtime upgrade procedures</a>, this patch can be applied without downtime.</li> </ul> <h3 id="regular-migrations">Regular migrations</h3> <p>The following versions include regular migrations that run during the upgrade process:</p> <ul> <li>18.2.2</li> <li>18.1.4</li> <li>18.0.6</li> </ul> <h3 id="post-deploy-migrations">Post-deploy migrations</h3> <p>The following versions include post-deploy migrations that can run after the upgrade:</p> <ul> <li>18.2.2</li> <li>18.1.4</li> <li>18.0.6</li> </ul> <p>To learn more about the impact of upgrades on your installation, see:</p> <ul> <li><a href="https://docs.gitlab.com/ee/update/zero_downtime.html">Zero-downtime upgrades</a> for multi-node deployments</li> <li><a href="https://docs.gitlab.com/update/package/#downtime">Standard upgrades</a> for single-node installations</li> </ul> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">Update page</a>. To update GitLab Runner, see the <a href="https://docs.gitlab.com/runner/install/linux-repository.html#updating-the-runner">Updating the Runner page</a>.</p> <h2 id="receive-patch-notifications">Receive Patch Notifications</h2> <p>To receive patch blog notifications delivered to your inbox, visit our <a href="https://about.gitlab.com/company/contact/">contact us</a> page. 
To receive release notifications via RSS, subscribe to our <a href="https://about.gitlab.com/security-releases.xml">patch release RSS feed</a> or our <a href="https://about.gitlab.com/all-releases.xml">RSS feed for all releases</a>.</p> <h1>GitLab Patch Release: 18.2.1, 18.1.3, 18.0.5</h1> <p><a href="https://about.gitlab.com/releases/2025/07/23/patch-release-gitlab-18-2-1-released/">https://about.gitlab.com/releases/2025/07/23/patch-release-gitlab-18-2-1-released/</a> 2025-07-23T00:00:00+00:00 Greg Myers</p> <p>Today, we are releasing versions 18.2.1, 18.1.3, 18.0.5 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.</p> <p>GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, please visit our <a href="https://handbook.gitlab.com/handbook/engineering/releases/">releases handbook</a> and <a href="https://about.gitlab.com/security/faq/">security FAQ</a>. 
You can see all of GitLab's release blog posts <a href="/releases/categories/releases/">here</a>.</p> <p>For security fixes, the issues detailing each vulnerability are made public on our <a href="https://gitlab.com/gitlab-org/gitlab/-/issues/?sort=created_date&amp;state=closed&amp;label_name%5B%5D=bug%3A%3Avulnerability&amp;confidential=no&amp;first_page_size=100">issue tracker</a> 30 days after the release in which they were patched.</p> <p>We are committed to ensuring that all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. To maintain good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more about <a href="/blog/gitlab-instance-security-best-practices/">best practices for securing your GitLab instance</a> in our blog post.</p> <h3 id="recommended-action">Recommended Action</h3> <p>We <strong>strongly recommend</strong> that all installations running a version affected by the issues described below are <strong>upgraded to the latest version as soon as possible</strong>.</p> <p>When no specific deployment type (omnibus, source code, helm chart, etc.) 
of a product is mentioned, it means all types are affected.</p> <h2 id="security-fixes">Security fixes</h2> <h3 id="table-of-security-fixes">Table of security fixes</h3> <table> <thead> <tr> <th>Title</th> <th>Severity</th> </tr> </thead> <tbody> <tr> <td><a href="#cve-2025-4700---cross-site-scripting-issue-impacts-kubernetes-proxy-in-gitlab-ceee">Cross-site scripting (XSS) impacts k8s proxy in GitLab CE/EE</a></td> <td>High</td> </tr> <tr> <td><a href="#cve-2025-4439---cross-site-scripting-issue-impacts-kubernetes-proxy-in-gitlab-ceee-using-cdns">Cross-site scripting (XSS) impacts k8s proxy in GitLab CE/EE using CDNs</a></td> <td>High</td> </tr> <tr> <td><a href="#cve-2025-7001---exposure-of-sensitive-information-to-an-unauthorized-actor-issue-impacts-gitlab-ceee">Exposure of Sensitive Information to an Unauthorized Actor issue impacts GitLab CE/EE</a></td> <td>Medium</td> </tr> <tr> <td><a href="#cve-2025-4976---improper-access-control-issue-impacts-gitlab-ee">Improper Access Control issue impacts GitLab EE</a></td> <td>Medium</td> </tr> <tr> <td><a href="#cve-2025-0765---exposure-of-sensitive-information-to-an-unauthorized-actor-issue-impacts-gitlab-ceee">Exposure of Sensitive Information to an Unauthorized Actor issue impacts GitLab CE/EE</a></td> <td>Medium</td> </tr> <tr> <td><a href="#cve-2025-1299---improper-access-control-issue-impacts-gitlab-ceee">Improper Access Control issue impacts GitLab CE/EE</a></td> <td>Medium</td> </tr> </tbody> </table> <h3 id="cve-2025-4700---cross-site-scripting-issue-impacts-kubernetes-proxy-in-gitlab-ceee"><a href="https://www.cve.org/CVERecord?id=CVE-2025-4700">CVE-2025-4700</a> - Cross-site scripting issue impacts Kubernetes Proxy in GitLab CE/EE</h3> <p>GitLab has remediated an issue affecting a Kubernetes proxy feature that, under specific circumstances, could have potentially allowed a successful attacker to trigger unintended content rendering leading to XSS.</p> <p><strong>Impacted Versions</strong>: GitLab 
CE/EE: all versions from 15.10 before 18.0.5, 18.1 before 18.1.3, and 18.2 before 18.2.1. <br /> <strong>CVSS</strong>: 8.7 (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N"><code>CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N</code></a>)</p> <p>Thanks <a href="https://hackerone.com/joaxcar">joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="cve-2025-4439---cross-site-scripting-issue-impacts-kubernetes-proxy-in-gitlab-ceee-using-cdns"><a href="https://www.cve.org/CVERecord?id=CVE-2025-4439">CVE-2025-4439</a> - Cross-site scripting issue impacts Kubernetes Proxy in GitLab CE/EE using CDNs</h3> <p>GitLab has remediated an issue that could have allowed an authenticated user to perform cross-site scripting attacks when the instance is served through certain content delivery networks.</p> <p><strong>Impacted Versions</strong>: GitLab CE/EE: all versions from 15.10 before 18.0.5, 18.1 before 18.1.3, and 18.2 before 18.2.1. 
<br /> <strong>CVSS</strong>: 7.7 (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N"><code>CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N</code></a>)</p> <p>Thanks <a href="https://hackerone.com/joaxcar">joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="cve-2025-7001---exposure-of-sensitive-information-to-an-unauthorized-actor-issue-impacts-gitlab-ceee"><a href="https://www.cve.org/CVERecord?id=CVE-2025-7001">CVE-2025-7001</a> - Exposure of Sensitive Information to an Unauthorized Actor issue impacts GitLab CE/EE</h3> <p>GitLab has remediated an issue that could have allowed privileged users to access certain <code>resource_group</code> information through the API which should have been unavailable.</p> <p><strong>Impacted Versions</strong>: GitLab CE/EE: all versions from 15.0 before 18.0.5, 18.1 before 18.1.3, and 18.2 before 18.2.1. <br /> <strong>CVSS</strong>: 4.3 (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"><code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code></a>)</p> <p>Thanks <a href="https://hackerone.com/iamgk808">iamgk808</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="cve-2025-4976---improper-access-control-issue-impacts-gitlab-ee"><a href="https://www.cve.org/CVERecord?id=CVE-2025-4976">CVE-2025-4976</a> - Improper Access Control issue impacts GitLab EE</h3> <p>GitLab has remediated an issue that, under certain circumstances, could have allowed an attacker to access internal notes in GitLab Duo responses.</p> <p><strong>Impacted Versions</strong>: GitLab EE: all versions from 17.0 before 18.0.5, 18.1 before 18.1.3, and 18.2 before 18.2.1. 
<br /> <strong>CVSS</strong>: 4.3 (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"><code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code></a>)</p> <p>Thanks <a href="https://hackerone.com/rogerace">rogerace</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="cve-2025-0765---exposure-of-sensitive-information-to-an-unauthorized-actor-issue-impacts-gitlab-ceee"><a href="https://www.cve.org/CVERecord?id=CVE-2025-0765">CVE-2025-0765</a> - Exposure of Sensitive Information to an Unauthorized Actor issue impacts GitLab CE/EE</h3> <p>GitLab has remediated an issue that could have allowed an unauthorized user to access custom service desk email addresses.</p> <p><strong>Impacted Versions</strong>: GitLab CE/EE: all versions from 17.9 before 18.0.5, 18.1 before 18.1.3, and 18.2 before 18.2.1. <br /> <strong>CVSS</strong>: 4.3 (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"><code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code></a>)</p> <p>Thanks <a href="https://hackerone.com/iamgk808">iamgk808</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="cve-2025-1299---improper-access-control-issue-impacts-gitlab-ceee"><a href="https://www.cve.org/CVERecord?id=CVE-2025-1299">CVE-2025-1299</a> - Improper Access Control issue impacts GitLab CE/EE</h3> <p>GitLab has remediated an issue that, under certain circumstances, could have allowed an unauthorized user to read deployment job logs by sending a crafted request.</p> <p><strong>Impacted Versions</strong>: GitLab CE/EE: all versions from 15.4 before 18.0.5, 18.1 before 18.1.3, and 18.2 before 18.2.1. 
<br /> <strong>CVSS</strong>: 4.3 (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"><code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code></a>)</p> <p>Thanks <a href="https://hackerone.com/pwnie">pwnie</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="bug-fixes">Bug fixes</h2> <h3 id="1821">18.2.1</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/build/CNG/-/merge_requests/2530">Fix double-path issue for COM_REGISTRY</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/198503">Update VERSION files</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/198464">Backport of '[Agentic Chat] Do not response to NewCheckpoint message'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/198481">Backport of Delete the search_refactor_membership_filter feature flag</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/198465">Backport of 'Fix S3 compatibility in Workhorse uploads for non-AWS S3 providers'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/198504">[Backport] Allow users to resume/continue previous chat sessions in Agentic Chat instead of forcing new chat creation.</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/198517">Send workflow metadata for Agentic Chat</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/198424">Backport of Fix Github Import E2E</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/198595">Backport fix for Workhorse race test: ignore EOF error for Duo Workflow send stream</a></li> </ul> <h3 id="1813">18.1.3</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/197029">Merge branch 'jk/cache-assets-security-mirror' into 'master'</a></li> <li><a 
href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/196999">[backport] 'tbulva-zoekt-url-reset' into '18.1'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/197168">Revert "Merge branch 'cherry-pick-54ec1758' into '18-1-stable-ee'"</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/197184">Merge branch 'dattang/pass-omnibus-package-to-release-environment-pipeline' into 'master'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/197285">Merge branch 'dattang/run-qa-on-get-release-environment' into '18-1-stable-ee'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/197027">[backport] Add check for allowlist when configuring Elasticsearch URL</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/197355">Backport of "Backport of 'Disable directory_code_dropdown_updates flag'"</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/197829">Revert "Enable assets caching on security stable branches"</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/197648">Backport of 'Fixed branches loading on group merge request list'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/198177">Backport of <code>Trigger webhook events on vulnerability dismissal</code></a></li> <li><a href="https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/8554">Backport GitLab Exporter 15.6.0 to 18.1.x</a></li> <li><a href="https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/8547">Update dependency container-registry to v4.23.2-gitlab</a></li> </ul> <h3 id="1805">18.0.5</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/197141">[Backport 18.0] Zoekt: Only enable global search when nodes are online</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/197766">Run GET Release Environments on 18-0-stable-ee</a></li> <li><a 
href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/197650">Backport of 'Fixed branches loading on group merge request list'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/197967">Backport 'dattang/fix-syntax-release-env-pipeline' into '18-0-stable-ee'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/197886">[backport to 18.0] Add check for allowlist when configuring Elasticsearch URL</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/198180">Backport of <code>Trigger webhook events on vulnerability dismissal</code></a></li> <li><a href="https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/8546">Update dependency container-registry to v4.21.4-gitlab</a></li> <li><a href="https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/8574">Build Omnibus package for GET Release Environments - 18.0</a></li> <li><a href="https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/8575">Merge branch 'cb-fix-prein-version-parse' into '18-0-stable'</a></li> </ul> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">Update page</a>. To update GitLab Runner, see the <a href="https://docs.gitlab.com/runner/install/linux-repository.html#updating-the-runner">Updating the Runner page</a>.</p> <h2 id="receive-patch-notifications">Receive Patch Notifications</h2> <p>To receive patch blog notifications delivered to your inbox, visit our <a href="https://about.gitlab.com/company/contact/">contact us</a> page. 
To receive release notifications via RSS, subscribe to our <a href="https://about.gitlab.com/security-releases.xml">patch release RSS feed</a> or our <a href="https://about.gitlab.com/all-releases.xml">RSS feed for all releases</a>.</p> <h1>GitLab Patch Release: 18.1.2, 18.0.4, 17.11.6</h1> <p><a href="https://about.gitlab.com/releases/2025/07/09/patch-release-gitlab-18-1-2-released/">https://about.gitlab.com/releases/2025/07/09/patch-release-gitlab-18-1-2-released/</a> 2025-07-09T00:00:00+00:00 Greg Myers</p> <p>Today, we are releasing versions 18.1.2, 18.0.4, 17.11.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.</p> <p>GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, please visit our <a href="https://handbook.gitlab.com/handbook/engineering/releases/">releases handbook</a> and <a href="https://about.gitlab.com/security/faq/">security FAQ</a>. 
You can see all of GitLab's release blog posts <a href="/releases/categories/releases/">here</a>.</p> <p>For security fixes, the issues detailing each vulnerability are made public on our <a href="https://gitlab.com/gitlab-org/gitlab/-/issues/?sort=created_date&amp;state=closed&amp;label_name%5B%5D=bug%3A%3Avulnerability&amp;confidential=no&amp;first_page_size=100">issue tracker</a> 30 days after the release in which they were patched.</p> <p>We are committed to ensuring that all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. To maintain good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more about <a href="/blog/gitlab-instance-security-best-practices/">best practices for securing your GitLab instance</a> in our blog post.</p> <h3 id="recommended-action">Recommended Action</h3> <p>We <strong>strongly recommend</strong> that all installations running a version affected by the issues described below are <strong>upgraded to the latest version as soon as possible</strong>.</p> <p>When no specific deployment type (omnibus, source code, helm chart, etc.) 
of a product is mentioned, it means all types are affected.</p> <h2 id="security-fixes">Security fixes</h2> <h3 id="table-of-security-fixes">Table of security fixes</h3> <table> <thead> <tr> <th>Title</th> <th>Severity</th> </tr> </thead> <tbody> <tr> <td><a href="#cve-2025-6948---cross-site-scripting-issue-impacts-gitlab-ceee">Cross-site scripting issue impacts GitLab CE/EE</a></td> <td>High</td> </tr> <tr> <td><a href="#cve-2025-3396---improper-authorization-issue-impacts-gitlab-ceee">Incorrect authorization issue impacts GitLab CE/EE</a></td> <td>Medium</td> </tr> <tr> <td><a href="#cve-2025-4972---improper-authorization-issue-impacts-gitlab-ee">Incorrect authorization issue impacts GitLab EE</a></td> <td>Low</td> </tr> <tr> <td><a href="#cve-2025-6168---improper-authorization-issue-impacts-gitlab-ee">Incorrect authorization issue impacts GitLab EE</a></td> <td>Low</td> </tr> </tbody> </table> <h3 id="cve-2025-6948---cross-site-scripting-issue-impacts-gitlab-ceee"><a href="https://www.cve.org/CVERecord?id=CVE-2025-6948">CVE-2025-6948</a> - Cross-site scripting issue impacts GitLab CE/EE</h3> <p>GitLab has remediated an issue that, under certain conditions, could have allowed a successful attacker to execute actions on behalf of users by injecting malicious content.</p> <p><strong>Impacted Versions</strong>: all versions from 17.11 before 17.11.6, 18.0 before 18.0.4, and 18.1 before 18.1.2. 
<br /> <strong>CVSS</strong>: 8.7 (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N"><code>CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N</code></a>)</p> <p>Thanks <a href="https://hackerone.com/yvvdwf">yvvdwf</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="cve-2025-3396---improper-authorization-issue-impacts-gitlab-ceee"><a href="https://www.cve.org/CVERecord?id=CVE-2025-3396">CVE-2025-3396</a> - Improper authorization issue impacts GitLab CE/EE</h3> <p>GitLab has remediated an issue that could have allowed authenticated project owners to bypass group-level forking restrictions by manipulating API requests.</p> <p><strong>Impacted Versions</strong>: all versions from 13.3 before 17.11.6, 18.0 before 18.0.4, and 18.1 before 18.1.2. <br /> <strong>CVSS</strong>: 4.3 (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"><code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code></a>)</p> <p>Thanks <a href="https://hackerone.com/theluci">theluci</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="cve-2025-4972---improper-authorization-issue-impacts-gitlab-ee"><a href="https://www.cve.org/CVERecord?id=CVE-2025-4972">CVE-2025-4972</a> - Improper authorization issue impacts GitLab EE</h3> <p>GitLab has remediated an issue that could have allowed authenticated users with invitation privileges to bypass group-level user invitation restrictions by manipulating group invitation functionality.</p> <p><strong>Impacted Versions</strong>: all versions from 18.0 before 18.0.4 and 18.1 before 18.1.2. 
<br /> <strong>CVSS</strong>: 2.7 (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N"><code>CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N</code></a>)</p> <p>Thanks <a href="https://hackerone.com/mateuszek">mateuszek</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="cve-2025-6168---improper-authorization-issue-impacts-gitlab-ee"><a href="https://www.cve.org/CVERecord?id=CVE-2025-6168">CVE-2025-6168</a> - Improper authorization issue impacts GitLab EE</h3> <p>GitLab has remediated an issue that could have allowed authenticated maintainers to bypass group-level user invitation restrictions by sending crafted API requests.</p> <p><strong>Impacted Versions</strong>: all versions from 18.0 before 18.0.4 and 18.1 before 18.1.2. <br /> <strong>CVSS</strong>: 2.7 (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N"><code>CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N</code></a>)</p> <p>Thanks <a href="https://hackerone.com/hunter0xp7">hunter0xp7</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="rsync-security-updates">rsync security updates</h3> <p><code>rsync</code> has been updated to version 3.4.1, which contains fixes for security vulnerabilities including CVE-2024-12084 and CVE-2024-12088.</p> <h2 id="bug-fixes">Bug fixes</h2> <h3 id="1812">18.1.2</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/build/CNG/-/merge_requests/2477">Backport Exporter 15.5.0 to 18.1 stable</a></li> <li><a href="https://gitlab.com/gitlab-org/build/CNG/-/merge_requests/2474">update gitlab-org/container-registry to v4.23.2-gitlab</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/195410">Merge branch '550037-set-static-glab-version-for-release-qa-tests' into 'master'</a></li> <li><a 
href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/195314">Quarantine a flaky test</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/195649">Fix code owner validation for roles</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/195703">Enable using glab for CI release</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/195818">Remove Sidekiq shutdown delay in ConcurrencyLimitSampler</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/196086">Refactor blob commit info section (18.1 backport)</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/195999">Backport 'Upload cached frontend stable packages' to 18-1-stable-ee</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/196131">[Backport 18.1] Reintroduce body for redirect responses</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/196232">Show both author and committer in last commit (18.1 backport)</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/196113">Fix creation of PATs using UI on relative installations</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/195487">[Backport] Zoekt: Only enable global search when nodes are online</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/196241">Fix title on empty projects (18.1 backport)</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/196358">Rake Doctor Secrets: Fix WebHook error</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/196460">Fix comment typos to trigger asset compilation</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/196504">Fix E2E test service_ping_default_enabled_spec.rb</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/196273">Fix catalog data loader memoization problem in specs</a></li> 
<li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/196167">Backport "Disable the edit button, instead of not rendering it" to 18.1</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/195871">Add a redirect status as a success backport to 18.1</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/196586">Make sure to load correct loader on every request</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/196472">Merge branch 'dattang/build-omnibus-for-release-environment' into '18-1-stable-ee'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/196440">Backport 'dattang/export-release-environment-package-name' into '18-1-stable-ee'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/196588">Quarantine a flaky test</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/196825">Backport: 'revert-grpc-1.72' into 18-1</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/196613">Merge branch 'jk/cache-assets-for-stable-branch' into 'master'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/196503">Fix the owner for sequence ci_builds_id_seq</a></li> <li><a href="https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/8519">Backport GitLab Exporter 15.5.0 to 18.1 stable</a></li> <li><a href="https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/8522">Merge branch 'dattang/upload-package-for-release-environment' into '18-1-stable'</a></li> <li><a href="https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/8527">Merge branch 'dattang/build-release-environment-package' into '18-1-stable'</a></li> <li><a href="https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/8533">Merge branch 'dattang/fix-release-environment-package-name' into '18-1-stable'</a></li> <li><a href="https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/8540">Stable 
branch builds: Fix versions parsing</a></li> </ul> <h3 id="1804">18.0.4</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/build/CNG/-/merge_requests/2473">update gitlab-org/container-registry to v4.21.4-gitlab</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/195409">Use 1.59.2 version of glab in release_with_glab_spec.rb</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/195315">Quarantine a flaky test</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/195199">Remove checksum length expectation from the Gitlab::Git::Repository#checksum</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/195561">Fix Protected Tags show page</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/195650">Fix code owner validation for roles</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/195819">Remove Sidekiq shutdown delay in ConcurrencyLimitSampler</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/196089">Refactor blob commit info section (18.0 backport)</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/196001">Backport 'Upload cached frontend stable packages' to 18-0-stable-ee</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/196132">[Backport 18.0] Reintroduce body for redirect responses</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/196234">Show both author and committer in last commit (18.0 backport)</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/196166">Backport "Add a spinner for a loading elipsis menu" to 18.0</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/196243">Fix title on empty projects (18.0 backport)</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/195727">No-op ValidateCiBuildNeedsProjectIdNotNull</a></li> <li><a 
href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/196467">Fix comment typos to trigger asset compilation</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/196701">[Backport 18.0] Fix incorrect redirect when branch doesn't include files</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/196676">Fix creation of PATs using UI on relative installations</a></li> </ul> <h3 id="17116">17.11.6</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/build/CNG/-/merge_requests/2475">update gitlab-org/container-registry to v4.19.2-gitlab</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/195408">Use 1.59.2 version of glab in release_with_glab_spec.rb</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/195316">Quarantine a flaky test</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/195200">Remove checksum length expectation from the Gitlab::Git::Repository#checksum</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/195652">Fix code owner validation for roles</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/195925">Revert "Merge branch 'backport-fix/547265-code-owner-roles-validation-17-11'…</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/196002">Backport 'Upload cached frontend stable packages' to 17-11-stable-ee</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/196468">Fix comment typos to trigger asset compilation</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/196238">Backport 1465f38a to 17.11</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/195445">Fix incompatible Rails cache version from 7.1 to 6.1</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/196678">Fix creation of PATs using UI on relative installations</a></li> <li><a 
href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/196702">[Backport 17.11] Fix incorrect redirect when branch doesn't include files</a></li> </ul> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">Update page</a>. To update GitLab Runner, see the <a href="https://docs.gitlab.com/runner/install/linux-repository.html#updating-the-runner">Updating the Runner page</a>.</p> <h2 id="receive-patch-notifications">Receive Patch Notifications</h2> <p>To receive patch blog notifications delivered to your inbox, visit our <a href="https://about.gitlab.com/company/contact/">contact us</a> page. To receive release notifications via RSS, subscribe to our <a href="https://about.gitlab.com/security-releases.xml">patch release RSS feed</a> or our <a href="https://about.gitlab.com/all-releases.xml">RSS feed for all releases</a>.</p> GitLab Patch Release: 18.1.1, 18.0.3, 17.11.5 https://about.gitlab.com/releases/2025/06/25/patch-release-gitlab-18-1-1-released/ 2025-06-25T00:00:00+00:00 Rohit Shambhuni <p>Today, we are releasing versions 18.1.1, 18.0.3, 17.11.5 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.</p> <p>GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases and ad-hoc critical patches for high-severity vulnerabilities. 
Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, please visit our <a href="https://handbook.gitlab.com/handbook/engineering/releases/">releases handbook</a> and <a href="https://about.gitlab.com/security/faq/">security FAQ</a>. You can see all of GitLab's release blog posts <a href="/releases/categories/releases/">here</a>.</p> <p>For security fixes, the issues detailing each vulnerability are made public on our <a href="https://gitlab.com/gitlab-org/gitlab/-/issues/?sort=created_date&amp;state=closed&amp;label_name%5B%5D=bug%3A%3Avulnerability&amp;confidential=no&amp;first_page_size=100">issue tracker</a> 30 days after the release in which they were patched.</p> <p>We are committed to ensuring that all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. To maintain good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more <a href="/blog/gitlab-instance-security-best-practices/">best practices in securing your GitLab instance</a> in our blog post.</p> <h3 id="recommended-action">Recommended Action</h3> <p>We <strong>strongly recommend</strong> that all installations running a version affected by the issues described below are <strong>upgraded to the latest version as soon as possible</strong>.</p> <p>When no specific deployment type (omnibus, source code, helm chart, etc.) 
of a product is mentioned, it means all types are affected.</p> <h2 id="security-fixes">Security fixes</h2> <h3 id="table-of-security-fixes">Table of security fixes</h3> <table> <thead> <tr> <th>Title</th> <th>Severity</th> </tr> </thead> <tbody> <tr> <td><a href="#cve-2025-3279---denial-of-service-impacts-gitlab-ceee">Denial of Service impacts GitLab CE/EE</a></td> <td>Medium</td> </tr> <tr> <td><a href="#cve-2025-1754---missing-authentication-issue-impacts-gitlab-ceee">Missing Authentication issue impacts GitLab CE/EE</a></td> <td>Medium</td> </tr> <tr> <td><a href="#cve-2025-5315---improper-access-control-issue-impacts-gitlab-ceee">Improper access control issue impacts GitLab CE/EE</a></td> <td>Medium</td> </tr> <tr> <td><a href="#cve-2025-2938---elevation-of-privilege-impacts-gitlab-ceee">Elevation of Privilege impacts GitLab CE/EE</a></td> <td>Low</td> </tr> <tr> <td><a href="#cve-2025-5846---improper-access-control-issue-impacts-gitlab-ee">Improper access control issue impacts GitLab EE</a></td> <td>Low</td> </tr> </tbody> </table> <h3 id="cve-2025-3279---denial-of-service-impacts-gitlab-ceee"><a href="https://www.cve.org/CVERecord?id=CVE-2025-3279">CVE-2025-3279</a> - Denial of Service impacts GitLab CE/EE</h3> <p>GitLab has remediated an issue that, under certain conditions, could have allowed authenticated attackers to create a DoS condition by sending crafted GraphQL requests.</p> <p><strong>Impacted Versions</strong>: GitLab CE/EE: all versions from 10.7 before 17.11.5, 18.0 before 18.0.3, and 18.1 before 18.1.1. 
<br /> <strong>CVSS</strong>: 6.5 (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"><code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H</code></a>)</p> <p>Thanks <a href="https://hackerone.com/pwnie">pwnie</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="cve-2025-1754---missing-authentication-issue-impacts-gitlab-ceee"><a href="https://www.cve.org/CVERecord?id=CVE-2025-1754">CVE-2025-1754</a> - Missing Authentication issue impacts GitLab CE/EE</h3> <p>GitLab has remediated an issue that could have allowed unauthenticated attackers to upload arbitrary files to public projects by sending crafted API requests, potentially leading to resource abuse and unauthorized content storage.</p> <p><strong>Impacted Versions</strong>: GitLab CE/EE: all versions from 17.2 before 17.11.5, 18.0 before 18.0.3, and 18.1 before 18.1.1. <br /> <strong>CVSS</strong>: 5.3 (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"><code>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N</code></a>)</p> <p>Thanks <a href="https://hackerone.com/abdelrahman_maged">abdelrahman_maged</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="cve-2025-5315---improper-access-control-issue-impacts-gitlab-ceee"><a href="https://www.cve.org/CVERecord?id=CVE-2025-5315">CVE-2025-5315</a> - Improper access control issue impacts GitLab CE/EE</h3> <p>GitLab has remediated an issue that could have allowed authenticated users with Guest role permissions to add child items to incident work items by sending crafted API requests that bypassed UI-enforced role restrictions.</p> <p><strong>Impacted Versions</strong>: GitLab CE/EE: all versions from 17.2 before 17.11.5, 18.0 before 18.0.3, and 18.1 before 18.1.1.<br /> <strong>CVSS</strong>: 4.3 (<a 
href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"><code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N</code></a>)</p> <p>Thanks <a href="https://hackerone.com/rhidayahh">rhidayahh</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="cve-2025-2938---elevation-of-privilege-impacts-gitlab-ceee"><a href="https://www.cve.org/CVERecord?id=CVE-2025-2938">CVE-2025-2938</a> - Elevation of Privilege impacts GitLab CE/EE</h3> <p>GitLab has remediated an issue that could have allowed authenticated users to gain elevated project privileges by requesting access to a project, where a role change made during the approval process resulted in an unintended permission grant.</p> <p><strong>Impacted Versions</strong>: GitLab CE/EE: all versions from 17.3 before 17.11.5, 18.0 before 18.0.3, and 18.1 before 18.1.1. <br /> <strong>CVSS</strong>: 3.1 (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N"><code>CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N</code></a>)</p> <p>Thanks <a href="https://hackerone.com/mateuszek">mateuszek</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="cve-2025-5846---improper-access-control-issue-impacts-gitlab-ee"><a href="https://www.cve.org/CVERecord?id=CVE-2025-5846">CVE-2025-5846</a> - Improper access control issue impacts GitLab EE</h3> <p>GitLab has remediated an issue that could have allowed authenticated users to assign unrelated compliance frameworks to projects by sending crafted GraphQL mutations that bypassed framework-specific permission checks.</p> <p><strong>Impacted Versions</strong>: GitLab EE: all versions from 16.10 before 17.11.5, 18.0 before 18.0.3, and 18.1 before 18.1.1. <br /> <strong>CVSS</strong>: 2.7 (<a 
href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N"><code>CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N</code></a>)</p> <p>This vulnerability was reported internally by a GitLab team member, <a href="https://gitlab.com/joernchen">Joern Schneeweisz</a>.</p> <h2 id="bug-fixes">Bug fixes</h2> <h3 id="1811">18.1.1</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/build/CNG/-/merge_requests/2454">(Backport to 18.1) fix: Don't unset IMAGE_TAG_EXT passed by gitlab-org/gitlab</a></li> <li><a href="https://gitlab.com/gitlab-org/build/CNG/-/merge_requests/2450">Backport: Drop ubi-assets-release CI job</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/195172">[backport] 18.1: Merge branch 'dj-exclude-stable-branch-coverage' into 'master'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/194913">fix: Backport fix on git over ssh</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/194784">Check if Amazon Q should be enabled at project level</a></li> </ul> <h3 id="1803">18.0.3</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/194052">[backport] Fix line number in zoekt response</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/194127">Restrict LFS file download to project-bound objects</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/194237">Backport "E2E test: account for Duo Core behaviour in code suggestion tests"</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/194238">Backport "E2E test: disable elasticsearch omnibus jobs"</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/194179">Backport "Fix Self Hosted Duo Beta features not being available" to 18.0</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/194181">Backport 'Move up release-environments 
stage in CI' to 18-0-stable-ee</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/194518">Projects::TransferService should be more reliable</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/194558">Merge branch 'jmc-549650' into 'master'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/194161">backport 'tbulva-zoekt-flashing-no-results' into 18.0</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/194177">Merge branch 'tbulva-search-page-scope-fix' into 'master'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/194494">Backport attribute_methods.rb</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/194391">Backport "Fix losing wiki comments on some wiki page slug changes"</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/195084">Backport to 18.0: Set glab version for release QA tests</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/194193">Backport vulnerability_namespace_historical_statistic fix to 18.0</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/195173">[backport] 18.0: Merge branch 'dj-exclude-stable-branch-coverage' into 'master'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/194866">Support markdown anchors and multi-line in permalink</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/194944">fix: Backport fix on git over ssh</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/195216">Backport flaky logger test fix</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/194989">Revert "Merge branch 'backport-bugfix-restrict-LFS-download–18-0' into '18-0-stable-ee'"</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/195322">Merge branch 'dattang/build-internal-release-qa-image' into 
'18-0-stable-ee'</a></li> </ul> <h3 id="17115">17.11.5</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/build/CNG/-/merge_requests/2460">Merge branch '350883-update-to-use-live-trace-application-setting' into '17-11-stable'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/194141">Restrict LFS file download to project-bound objects</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/194186">Backport 'Move up release-environments stage in CI' to 17-11-stable-ee</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/194568">Merge branch 'jmc-549650' into '17-11-stable-ee'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/194196">Backport 'Update Import::ValidateRemoteGitEndpoint Service'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/195085">Backport to 17.11: Set glab version for release QA tests</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/194189">Backport vulnerability_namespace_historical_statistic fix to 17.11</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/195174">[backport] 17.11: Merge branch 'dj-exclude-stable-branch-coverage' into 'master'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/195075">fix: Backport fix on git over ssh</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/194988">Revert "Merge branch 'backport-bugfix-restrict-LFS-download–17-11' into '17-11-stable-ee'"</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/195323">Merge branch 'dattang/build-internal-release-qa-image' into 'master'</a></li> <li><a href="https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/8481">[Backport - 17.11.x] Removing postponed deprecation from omnibus</a></li> </ul> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">Update page</a>. 
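Before updating, an administrator usually wants to know which of the advisories in these posts apply to the version actually running. The following is an added example, not code from GitLab: it parses the "Impacted Versions" sentences exactly as they are phrased in these posts into one range per release line and tests a version string against them. The shape of the <code>GET /api/v4/version</code> response (a JSON object with a <code>version</code> field) is real; the sample response embedded below is constructed and its revision value is made up.

```python
"""Decide which advisories on this page apply to a running GitLab version (added example)."""
import json
import re

# One (lo, hi) pair per clause: "from LO before HI" means LO <= version < HI; a clause with
# no lower bound ("all versions prior to HI") starts at 0.0.0.
CLAUSE_RE = re.compile(
    r"(?:(?P<lo>\d+(?:\.\d+)*)\s+)?(?:before|prior to)\s+(?P<hi>\d+(?:\.\d+)*)"
)

# Impacted-version sentences copied from the advisories on this page.
ADVISORIES = [
    ("CVE-2025-3396", "all versions from 13.3 before 17.11.6, 18.0 before 18.0.4, and 18.1 before 18.1.2"),
    ("CVE-2025-4972", "all versions from 18.0 before 18.0.4 and 18.1 before 18.1.2"),
    ("CVE-2025-3279", "all versions from 10.7 before 17.11.5, 18.0 before 18.0.3, and 18.1 before 18.1.1"),
    ("CVE-2025-4278", "all versions starting with 18.0 before 18.0.2"),
    ("CVE-2024-9512", "all versions prior to 17.10.8, 17.11 prior to 17.11.4, and 18.0 prior to 18.0.2"),
]


def parse_version(text: str) -> tuple:
    """'18.0.3-ee' -> (18, 0, 3); '18.0' -> (18, 0, 0). Edition/build suffixes after '-' are ignored."""
    parts = [int(p) for p in text.split("-", 1)[0].split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"not a GitLab version: {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))


def impacted_ranges(sentence: str) -> list:
    """Parse an 'Impacted Versions' sentence into [(lo, hi), ...] pairs of parsed versions."""
    ranges = []
    for m in CLAUSE_RE.finditer(sentence):
        lo = parse_version(m.group("lo")) if m.group("lo") else (0, 0, 0)
        ranges.append((lo, parse_version(m.group("hi"))))
    if not ranges:
        raise ValueError(f"no version clauses found in: {sentence!r}")
    return ranges


def is_affected(version: str, sentence: str) -> bool:
    """True when the version falls inside any clause. Each release line has its own fix version,
    so 18.0.5 is not affected by '18.0 before 18.0.4, and 18.1 before 18.1.2' even though it is
    lower than 18.1.2."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in impacted_ranges(sentence))


def applicable_cves(version: str, advisories=ADVISORIES) -> list:
    """CVE identifiers from the advisory list whose impacted ranges contain the given version."""
    return [cve for cve, sentence in advisories if is_affected(version, sentence)]


def version_from_api(body: str) -> str:
    """Pull the 'version' field out of a GET /api/v4/version response body."""
    return json.loads(body)["version"]


# Constructed sample of what GET /api/v4/version returns (the revision value is made up).
SAMPLE_RESPONSE = '{"version": "18.0.3-ee", "revision": "0123456789a"}'

if __name__ == "__main__":
    running = version_from_api(SAMPLE_RESPONSE)
    print(running, "->", applicable_cves(running))
```

The point of keeping one range per release line is the edge case people get wrong when they compare only against the highest fixed version: 18.0.5 is above its own line's fix (18.0.4) and is therefore not impacted, while 17.11.5 is impacted by a fix that shipped in 17.11.6 even though 18.x patch releases exist.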
To update GitLab Runner, see the <a href="https://docs.gitlab.com/runner/install/linux-repository.html#updating-the-runner">Updating the Runner page</a>.</p> <h2 id="receive-patch-notifications">Receive Patch Notifications</h2> <p>To receive patch blog notifications delivered to your inbox, visit our <a href="https://about.gitlab.com/company/contact/">contact us</a> page. To receive release notifications via RSS, subscribe to our <a href="https://about.gitlab.com/security-releases.xml">patch release RSS feed</a> or our <a href="https://about.gitlab.com/all-releases.xml">RSS feed for all releases</a>.</p> GitLab Patch Release: 18.0.2, 17.11.4, 17.10.8 https://about.gitlab.com/releases/2025/06/11/patch-release-gitlab-18-0-2-released/ 2025-06-11T00:00:00+00:00 Costel Maxim <p>Today, we are releasing versions 18.0.2, 17.11.4, 17.10.8 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.</p> <p>GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, please visit our <a href="https://handbook.gitlab.com/handbook/engineering/releases/">releases handbook</a> page and <a href="https://about.gitlab.com/security/faq/">security FAQ</a>. 
You can see all of GitLab’s release blog posts <a href="https://about.gitlab.com/releases/categories/releases/">here</a>.</p> <p>For security fixes, the issues detailing each vulnerability are made public on our <a href="https://gitlab.com/gitlab-org/gitlab/-/issues/?sort=created_date&amp;state=closed&amp;label_name%5B%5D=bug%3A%3Avulnerability&amp;confidential=no&amp;first_page_size=100">issue tracker</a> 30 days after the release in which they were patched.</p> <p>We are committed to ensuring that all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. To maintain good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more <a href="/blog/gitlab-instance-security-best-practices/">best practices in securing your GitLab instance</a> in our blog post.</p> <h3 id="recommended-action">Recommended Action</h3> <p>We <strong>strongly recommend</strong> that all installations running a version affected by the issues described below are <strong>upgraded to the latest version as soon as possible</strong>.</p> <p>When no specific deployment type (omnibus, source code, helm chart, etc.) 
of a product is mentioned, it means all types are affected.</p> <h2 id="security-fixes">Security fixes</h2> <h3 id="table-of-security-fixes">Table of security fixes</h3> <table> <thead> <tr> <th style="text-align: left">Title</th> <th style="text-align: left">Severity</th> </tr> </thead> <tbody> <tr> <td style="text-align: left"><a href="#cve-2025-4278---html-injection-impacts-gitlab-ceee">HTML injection impacts GitLab CE/EE</a></td> <td style="text-align: left">High</td> </tr> <tr> <td style="text-align: left"><a href="#cve-2025-2254---cross-site-scripting-issue-impacts-gitlab-ceee">Cross-site scripting issue impacts GitLab CE/EE</a></td> <td style="text-align: left">High</td> </tr> <tr> <td style="text-align: left"><a href="#cve-2025-5121---missing-authorization-issue-impacts-gitlab-ultimate-ee">Missing authorization issue impacts GitLab Ultimate EE</a></td> <td style="text-align: left">High</td> </tr> <tr> <td style="text-align: left"><a href="#cve-2025-0673---denial-of-service-impacts-gitlab-ceee">Denial of Service impacts GitLab CE/EE</a></td> <td style="text-align: left">High</td> </tr> <tr> <td style="text-align: left"><a href="#cve-2025-1516---denial-of-service-via-unbounded-webhook-token-names-impacts-gitlab-ceee">Denial of Service via unbounded Webhook token names impacts GitLab CE/EE</a></td> <td style="text-align: left">Medium</td> </tr> <tr> <td style="text-align: left"><a href="#cve-2025-1478---denial-of-service-via-unbounded-board-names-impacts-gitlab-ceee">Denial of Service via unbounded Board Names impacts GitLab CE/EE</a></td> <td style="text-align: left">Medium</td> </tr> <tr> <td style="text-align: left"><a href="#cve-2024-9512---information-disclosure-issue-impacts-gitlab-ceee">Information disclosure issue impacts GitLab CE/EE</a></td> <td style="text-align: left">Medium</td> </tr> <tr> <td style="text-align: left"><a href="#cve-2025-5996---denial-of-service-dos-via-uncontrolled-http-response-processing--impacts-gitlab-ceee">Denial of Service 
(DoS) via uncontrolled HTTP Response Processing impacts GitLab CE/EE</a></td> <td style="text-align: left">Medium</td> </tr> <tr> <td style="text-align: left"><a href="#cve-2025-5195---information-disclosure-via-authorization-bypass-impacts-gitlab-ceee">Information disclosure via authorization bypass impacts GitLab CE/EE</a></td> <td style="text-align: left">Medium</td> </tr> <tr> <td style="text-align: left"><a href="#cve-2025-5982---sensitive-information-disclosure-via-group-ip-restriction-bypass">Sensitive information disclosure via Group IP restriction bypass</a></td> <td style="text-align: left">Low</td> </tr> </tbody> </table> <h3 id="cve-2025-4278---html-injection-impacts-gitlab-ceee"><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-4278">CVE-2025-4278</a> - HTML injection impacts GitLab CE/EE</h3> <p>GitLab has remediated an issue that, under certain conditions, could have allowed a successful attacker to achieve account takeover by injecting code into the search page.<br /> <strong>Impacted versions</strong> GitLab CE/EE: all versions starting with 18.0 before 18.0.2.<br /> 
<strong>CVSS</strong> 8.7 (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N"><code>CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N</code></a>)</p> <p>Thanks <a href="https://hackerone.com/joaxcar">joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="cve-2025-2254---cross-site-scripting-issue-impacts-gitlab-ceee"><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-2254">CVE-2025-2254</a> - Cross-site scripting issue impacts GitLab CE/EE</h3> <p>GitLab has remediated an issue that, under certain conditions, could have allowed a successful attacker to act in the context of a legitimate user by injecting a malicious script into the snippet viewer.<br /> <strong>Impacted versions</strong> GitLab CE/EE: all versions from 17.9 before 17.10.8, 17.11 before 17.11.4, and 18.0 before 18.0.2<br /> <strong>CVSS</strong> 8.7 (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N"><code>CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N</code></a>)</p> <p>Thanks <a href="https://hackerone.com/yvvdwf">yvvdwf</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="cve-2025-5121---missing-authorization-issue-impacts-gitlab-ultimate-ee"><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-5121">CVE-2025-5121</a> - Missing authorization issue impacts GitLab Ultimate EE</h3> <p>GitLab has remediated an issue that, under certain conditions, could have allowed a successful attacker with authenticated access to a GitLab instance with a GitLab Ultimate license applied (paid customer or trial) to inject a malicious CI/CD job into all future CI/CD pipelines of any project.<br /> <strong>Impacted versions</strong> GitLab Ultimate EE from 17.11 before 17.11.4 and 18.0 before 18.0.2.<br /> 
<strong>CVSS</strong> 8.5 (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"><code>CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H</code></a>)</p> <p>Thanks <a href="https://hackerone.com/jean_d-ou">jean_d-ou</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="cve-2025-0673---denial-of-service-impacts-gitlab-ceee"><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-0673">CVE-2025-0673</a> - Denial of Service impacts GitLab CE/EE</h3> <p>GitLab has remediated an issue that could have allowed a successful attacker to deny access to legitimate users of the targeted system by triggering an infinite redirect loop causing memory exhaustion on the server.</p> <p><strong>Impacted versions</strong> GitLab CE/EE: all versions from 17.7 before 17.10.8, 17.11 before 17.11.4, and 18.0 before 18.0.2<br /> <strong>CVSS</strong> 7.5 (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"><code>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</code></a>)</p> <p>Thanks <a href="https://hackerone.com/sim4n6">sim4n6</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="cve-2025-1516---denial-of-service-via-unbounded-webhook-token-names-impacts-gitlab-ceee"><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1516">CVE-2025-1516</a> - Denial of Service via unbounded Webhook token names impacts GitLab CE/EE</h3> <p>GitLab has remediated an issue that could have allowed a successful attacker to deny access to legitimate users of the targeted system by generating tokens with sufficiently large names.<br /> 
<strong>Impacted versions</strong> GitLab CE/EE: all versions from 8.7 before 17.10.8, 17.11 before 17.11.4, and 18.0 before 18.0.2<br /> <strong>CVSS</strong> 6.5 (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"><code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H</code></a>)</p> <p>Thanks <a href="https://hackerone.com/pwnie">pwnie</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="cve-2025-1478---denial-of-service-via-unbounded-board-names-impacts-gitlab-ceee"><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1478">CVE-2025-1478</a> - Denial of Service via unbounded Board Names impacts GitLab CE/EE</h3> <p>GitLab has remediated an issue that could have allowed a successful attacker to deny access to legitimate users of the targeted system by crafting Board Names with sufficiently large sizes.<br /> <strong>Impacted versions</strong> GitLab CE/EE: all versions from 8.13 before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1<br /> <strong>CVSS</strong> 6.5 (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"><code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H</code></a>)</p> <p>Thanks <a href="https://hackerone.com/pwnie">pwnie</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="cve-2024-9512---information-disclosure-issue-impacts-gitlab-ceee"><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9512">CVE-2024-9512</a> - Information disclosure issue impacts GitLab CE/EE</h3> <p>GitLab has remediated an issue that, under certain conditions, could have allowed a successful attacker to clone a legitimate user’s private repository by sending a timed clone request when a secondary node is out of sync.</p> <p><strong>Impacted versions</strong> GitLab CE/EE: all 
versions prior to 17.10.8, 17.11 prior to 17.11.4, and 18.0 prior to 18.0.2<br /> <strong>CVSS</strong> 5.3 (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N"><code>CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N</code></a>)</p> <p>Thanks <a href="https://hackerone.com/hdtran">hdtran</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="cve-2025-5996---denial-of-service-dos-via-uncontrolled-http-response-processing--impacts-gitlab-ceee"><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-5996">CVE-2025-5996</a> - Denial of Service (DoS) via uncontrolled HTTP Response Processing impacts GitLab CE/EE</h3> <p>GitLab has remediated an issue that could have allowed a successful attacker to deny access to legitimate users of the targeted system by integrating a malicious third-party component into a GitLab project.<br /> <strong>Impacted versions</strong> GitLab CE/EE: versions from 2.1.0 before 17.10.8, 17.11 before 17.11.4, and 18.0 before 18.0.2<br /> <strong>CVSS</strong> 6.5 (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"><code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H</code></a>)</p> <p>Thanks <a href="https://hackerone.com/joaxcar">joaxcar</a> and <a href="https://hackerone.com/pwnie">pwnie</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="cve-2025-5195---information-disclosure-via-authorization-bypass-impacts-gitlab-ceee"><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-5195">CVE-2025-5195</a> - Information disclosure via authorization bypass impacts GitLab CE/EE</h3> <p>GitLab has remediated an issue that could have allowed authenticated users to gain access to data beyond their privilege boundaries by accessing arbitrary compliance frameworks.<br />
<strong>Impacted versions</strong> GitLab CE/EE: all versions from 17.9 before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1<br /> <strong>CVSS</strong> 4.3 (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"><code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code></a>)</p> <p>This vulnerability has been discovered internally by a member of the GitLab team.</p> <h3 id="cve-2025-5982---sensitive-information-disclosure-via-group-ip-restriction-bypass"><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-5982">CVE-2025-5982</a> - Sensitive information disclosure via Group IP restriction bypass</h3> <p>GitLab has remediated an issue that could have allowed a successful attacker to bypass IP access restrictions and view sensitive group information.<br /> <strong>Impacted versions</strong> GitLab EE: versions from 12.0 before 17.10.8, 17.11 before 17.11.4, and 18.0 before 18.0.2.<br /> <strong>CVSS</strong> 3.7 (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"><code>CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N</code></a>)</p> <p>This vulnerability has been discovered internally by GitLab team member <a href="https://gitlab.com/joernchen">@joernchen</a>.</p> <h2 id="bug-fixes">Bug fixes</h2> <h3 id="1802">18.0.2</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/191955">Move fork_networks organization_id NOT NULL to post-migrate</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/191961">[Backport] Zoekt: Only enable search when nodes are online</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/192132">18-0-stable-ee: Trim pages deployment file name to 60 characters</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/192013">Fix gitpod button is missing in 
the edit dropdown</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/192019">[Backport] Elastic::MigrationWorker should not create migrations index</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/192418">Backport operational data_category for duo_core_features_enabled metric on service ping</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/192820">[Backport] Fix IDE links returns about:blank in old code dropdown</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/192406">Fix the title/body issue for todo apis when it is a duo todo</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/191537">Add 18.0 "What's New" entries</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/193180">[Backport] mark_all_as_completed! method should drop halted cache &amp; save halted: false</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/192175">Fix "No such column: geo_nodes.verification_max_capacity"</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/193477">[backport] 18.0: Merge branch 'dj-stable-branch-dont-fail-e2e' into 'master'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/193625">[backport] 18.0: Merge branch 'dj-refactor-semgrep-ci' into 'master'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/193514">[backport] 18.0: Remove e2e:test-on-omnibus-ee from tier 1 backport MRs</a></li> <li><a href="https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/8440">Fix libarchive checksum script (Backport 18.0)</a></li> <li><a href="https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/8435">Warn on changes to tag only CI job definitions</a></li> <li><a href="https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/8454">Backport postponing deprecation to 19.0</a></li> </ul> <h3 id="17114">17.11.4</h3> <ul> <li><a 
href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/191558">[backport] 17.11: Remove jest vue3 check quarantine jobs from backport MR pipelines</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/192133">17-11-stable-ee: Trim pages deployment file name to 60 characters</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/193285">Fix gitpod button is missing in the edit dropdown</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/193317">[backport] 17.11: Merge branch 'dj-stable-branch-dont-fail-e2e' into 'master'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/193232">Merge '535187-fix-console-errors' into '17-11-stable-ee'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/192963">Attempt to migrate ci_runner_taggings table (try 2)</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/192932">[backport] 17.11: Remove e2e:test-on-omnibus-ee from tier 1 backport MRs</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/193626">[backport] 17.11: Merge branch 'dj-refactor-semgrep-ci' into 'master'</a></li> <li><a href="https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/8441">Fix libarchive checksum script (Backport 17.11)</a></li> </ul> <h3 id="17108">17.10.8</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/191560">[backport] 17.10: Remove jest vue3 check quarantine jobs from backport MR pipelines</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/193304">Fix gitpod button is missing in the edit dropdown</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/193318">[backport] 17.10: Merge branch 'dj-stable-branch-dont-fail-e2e' into 'master'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/192962">Attempt to migrate ci_runner_taggings table (try 2)</a></li> <li><a 
href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/193627">[backport] 17.10: Merge branch 'dj-refactor-semgrep-ci' into 'master'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/192933">[backport] 17.10: Remove e2e:test-on-omnibus-ee from tier 1 backport MRs</a></li> <li><a href="https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/8442">Fix libarchive checksum script (Backport 17.10)</a></li> </ul> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">Update page</a>. To update Gitlab Runner, see the <a href="https://docs.gitlab.com/runner/install/linux-repository.html#updating-the-runner">Updating the Runner page</a>.</p> <h2 id="receive-patch-notifications">Receive Patch Notifications</h2> <p>To receive patch blog notifications delivered to your inbox, visit our <a href="https://about.gitlab.com/company/contact/">contact us</a> page. To receive release notifications via RSS, subscribe to our <a href="https://about.gitlab.com/security-releases.xml">patch release RSS feed</a> or our <a href="https://about.gitlab.com/all-releases.xml">RSS feed for all releases</a>.</p> <p><strong>GitLab Patch Release: 18.0.1, 17.11.3, 17.10.7</strong><br /> <a href="https://about.gitlab.com/releases/2025/05/21/patch-release-gitlab-18-0-1-released/">https://about.gitlab.com/releases/2025/05/21/patch-release-gitlab-18-0-1-released/</a><br /> 2025-05-21T00:00:00+00:00<br /> Rohit Shambhuni</p> <p>Today we are releasing versions 18.0.1, 17.11.3, 17.10.7 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. 
GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.</p> <p>GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases, and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, you can visit our <a href="https://handbook.gitlab.com/handbook/engineering/releases/">releases handbook</a> and <a href="https://about.gitlab.com/security/faq/">security FAQ</a>. You can see all GitLab release blog posts <a href="/releases/categories/releases/">here</a>.</p> <p>For security fixes, the issues detailing each vulnerability are made public on our <a href="https://gitlab.com/gitlab-org/gitlab/-/issues/?sort=created_date&amp;state=closed&amp;label_name%5B%5D=bug%3A%3Avulnerability&amp;confidential=no&amp;first_page_size=100">issue tracker</a> 30 days after the release in which they were patched.</p> <p>We are committed to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more <a href="/blog/gitlab-instance-security-best-practices/">best practices in securing your GitLab instance</a> in our blog post.</p> <h3 id="recommended-action">Recommended Action</h3> <p>We <strong>strongly recommend</strong> that all installations running a version affected by the issues described below are <strong>upgraded to the latest version as soon as possible</strong>.</p> <p>When no specific deployment type (omnibus, source code, helm chart, etc.) 
of a product is mentioned, this means all types are affected.</p> <h2 id="security-fixes">Security fixes</h2> <h3 id="table-of-security-fixes">Table of security fixes</h3> <table> <thead> <tr> <th>Title</th> <th>Severity</th> </tr> </thead> <tbody> <tr> <td><a href="#unprotected-large-blob-endpoint-in-gitlab-allows-denial-of-service">Unprotected large blob endpoint in GitLab allows Denial of Service</a></td> <td>High</td> </tr> <tr> <td><a href="#improper-xpath-validation-allows-modified-saml-response-to-bypass-2fa-requirement">Improper XPath validation allows modified SAML response to bypass 2FA requirement</a></td> <td>Medium</td> </tr> <tr> <td><a href="#a-discord-webhook-integration-may-cause-dos">A Discord webhook integration may cause DoS</a></td> <td>Medium</td> </tr> <tr> <td><a href="#unbounded-kubernetes-cluster-tokens-may-lead-to-dos">Unbounded Kubernetes cluster tokens may lead to DoS</a></td> <td>Medium</td> </tr> <tr> <td><a href="#unvalidated-notes-position-may-lead-to-denial-of-service">Unvalidated notes position may lead to Denial of Service</a></td> <td>Medium</td> </tr> <tr> <td><a href="#hiddenmasked-variables-may-get-exposed-in-the-ui">Hidden/masked variables may get exposed in the UI</a></td> <td>Medium</td> </tr> <tr> <td><a href="#two-factor-authentication-requirement-bypass">Two-factor authentication requirement bypass</a></td> <td>Medium</td> </tr> <tr> <td><a href="#view-full-email-addresses-that-should-be-partially-obscured">View full email addresses that should be partially obscured</a></td> <td>Medium</td> </tr> <tr> <td><a href="#branch-name-confusion-in-confidential-mrs">Branch name confusion in confidential MRs</a></td> <td>Low</td> </tr> <tr> <td><a href="#unauthorized-access-to-job-data-via-a-graphql-query">Unauthorized access to job data via a GraphQL query</a></td> <td>Low</td> </tr> </tbody> </table> <h3 id="unprotected-large-blob-endpoint-in-gitlab-allows-denial-of-service">Unprotected large blob endpoint in GitLab allows 
Denial of Service</h3> <p>An issue has been discovered in GitLab CE/EE affecting all versions before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. This could allow an authenticated attacker to cause a denial of service condition by exhausting server resources. This is a high severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"><code>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</code></a>, 7.5). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-0993">CVE-2025-0993</a>.</p> <p>Thanks <a href="https://hackerone.com/pwnie">pwnie</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="improper-xpath-validation-allows-modified-saml-response-to-bypass-2fa-requirement">Improper XPath validation allows modified SAML response to bypass 2FA requirement</h3> <p>An issue has been discovered in GitLab CE/EE affecting all versions from 11.1 before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. Improper XPath validation allowed modified SAML responses to bypass 2FA requirement under specialized conditions. This is a medium severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N"><code>CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N</code></a>, 6.8). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-12093">CVE-2024-12093</a>.</p> <p>Thanks <a href="https://hackerone.com/joaxcar">joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="a-discord-webhook-integration-may-cause-dos">A Discord webhook integration may cause DoS</h3> <p>An issue has been discovered in GitLab CE/EE affecting all versions from 11.6 before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. A Discord webhook integration may cause DoS. This is a medium severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"><code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H</code></a>, 6.5). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7803">CVE-2024-7803</a>.</p> <p>Thanks <a href="https://hackerone.com/a92847865">a92847865</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="unbounded-kubernetes-cluster-tokens-may-lead-to-dos">Unbounded Kubernetes cluster tokens may lead to DoS</h3> <p>An issue has been discovered in GitLab CE/EE affecting all versions from 10.2 before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. A lack of input validation in the Kubernetes integration could allow an authenticated user to cause denial of service. This is a medium severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"><code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H</code></a>, 6.5). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-3111">CVE-2025-3111</a>.</p> <p>Thanks <a href="https://hackerone.com/pwnie">pwnie</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="unvalidated-notes-position-may-lead-to-denial-of-service">Unvalidated notes position may lead to Denial of Service</h3> <p>An issue has been discovered in GitLab CE/EE affecting all versions before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. A lack of proper validation in GitLab could allow an authenticated user to cause a denial of service condition. This is a medium severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"><code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H</code></a>, 6.5). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-2853">CVE-2025-2853</a>.</p> <p>Thanks <a href="https://hackerone.com/pwnie">pwnie</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="hiddenmasked-variables-may-get-exposed-in-the-ui">Hidden/masked variables may get exposed in the UI</h3> <p>An issue has been discovered in GitLab CE/EE affecting all versions before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. An attacker may be able to reveal masked or hidden CI variables (that they did not author) in the WebUI, by simply creating their own variable and observing the HTTP response. This is a medium severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"><code>CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N</code></a>, 4.9). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-4979">CVE-2025-4979</a>.</p> <p>Thanks <a href="https://hackerone.com/mateuszek">mateuszek</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="two-factor-authentication-requirement-bypass">Two-factor authentication requirement bypass</h3> <p>An issue has been discovered in GitLab CE/EE affecting all versions from 16.8 before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. Group access controls could allow certain users to bypass two-factor authentication requirements. This is a medium severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"><code>CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N</code></a>, 4.6). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-0605">CVE-2025-0605</a>.</p> <p>Thanks <a href="https://hackerone.com/salh4ckr">salh4ckr</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="view-full-email-addresses-that-should-be-partially-obscured">View full email addresses that should be partially obscured</h3> <p>An issue has been discovered in GitLab CE/EE affecting all versions from 17.1 before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. Under certain conditions unauthorised users can view full email addresses that should be partially obscured. This is a medium severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"><code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code></a>, 4.3). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-0679">CVE-2025-0679</a>.</p> <p>Thanks <a href="https://hackerone.com/mateuszek">mateuszek</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="branch-name-confusion-in-confidential-mrs">Branch name confusion in confidential MRs</h3> <p>A business logic error has been discovered in GitLab CE/EE affecting all versions starting from 12.1 prior to 17.10.7, 17.11 prior to 17.11.3, and 18.0 prior to 18.0.1, where an attacker could cause branch name confusion in confidential MRs. This is a low severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N"><code>CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N</code></a>, 3.5). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9163">CVE-2024-9163</a>.</p> <p>Thanks <a href="https://hackerone.com/foxribeye">foxribeye</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="unauthorized-access-to-job-data-via-a-graphql-query">Unauthorized access to job data via a GraphQL query</h3> <p>An issue has been discovered in GitLab CE/EE affecting all versions from 18.0 before 18.0.1. In certain circumstances, a user with limited permissions could access Job Data via a crafted GraphQL query. This is a low severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N"><code>CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N</code></a>, 2.7). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1110">CVE-2025-1110</a>.</p> <p>Thanks <a href="https://hackerone.com/pwnie">pwnie</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="mattermost-security-updates-april-29-2025">Mattermost Security Updates April 29, 2025</h3> <p>Mattermost has been updated to apply the latest patches for low and medium level security issues.</p> <h2 id="bug-fixes">Bug fixes</h2> <h3 id="1801">18.0.1</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/build/CNG/-/merge_requests/2388">Fix CI_COMMIT_REF tags of FIPS build images</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/191256">Bump gitlab-shell to v14.42.0 - 18.0 backport</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/191699">[Backport] Do not run index integrity worker for zoekt search</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/191890">Update gitlab-qa to 15.5.0</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/191824">Add outbound allowlist to allowed endpoints for SSRF filter</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/191907">Apply Rails 7-1-stable patches to fix type map init issues</a></li> <li><a href="https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/8423">KAS: remove unsupported GitOps config (18.0 backport)</a></li> </ul> <h3 id="17113">17.11.3</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/190731">Backport 17.11: Generate separate project and group work items fixtures</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/190703">[BACKPORT] Fix flaky specs in Import::GitHubService</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/190354">[backport] Fixed command palette edge case</a></li> <li><a 
href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/190802">Delete BBM backfill_project_id_for_projects_with_pipeline_variables backport to 17.11</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/190828">Add backport to fix shortSHA uniqueness</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/191038">[backport] 17.11: Enable FF_TIMESTAMPS for stable branch pipelines</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/191191">[backport] Add a ping? check before hitting Elasticsearch in admin</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/191092">[Backport]Autocomplete: Change user authorization to use terms query for projects</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/191257">Bump gitlab-shell to v14.42.0</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/191293">Respect product usage data setting from charts</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/191177">Merge branch 'tbulva-zoekt-global-search-bug' into 'master'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/191334">Add outbound allowlist to allowed endpoints for SSRF filter</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/191711">Drop ci_runner_machines_archived table</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/191686">17.11: Use no_longer_detected_ids when auto-resolving vulnerabilities</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab-pages/-/merge_requests/1156">Update outdated test certificates [17.11]</a></li> <li><a href="https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/8395">Revert "Merge branch 'renovate/pgbouncer-pgbouncer-1.x' into 'master'"</a></li> <li><a href="https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/8400">Ensure correct version of Nginx modules gets included in the 
package</a></li> </ul> <h3 id="17107">17.10.7</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/190733">Backport 17.10: Generate separate project and group work items fixtures</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/190705">[BACKPORT] Fix flaky specs in Import::GitHubService</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/191039">[backport] 17.10: Enable FF_TIMESTAMPS for stable branch pipelines</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/191258">Bump gitlab-shell to v14.42.0</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/191843">Drop ci_runner_machines_archived table</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab-pages/-/merge_requests/1155">Update outdated test certificates [17.10]</a></li> <li><a href="https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/8401">Ensure correct version of Nginx modules gets included in the package</a></li> </ul> <p><strong>GitLab Patch Release: 17.11.2, 17.10.6, 17.9.8</strong><br /> <a href="https://about.gitlab.com/releases/2025/05/07/patch-release-gitlab-17-11-2-released/">https://about.gitlab.com/releases/2025/05/07/patch-release-gitlab-17-11-2-released/</a><br /> 2025-05-07T00:00:00+00:00<br /> Daniel Hauenstein</p> <p>Today we are releasing versions 17.11.2, 17.10.6, 17.9.8 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.</p> <p>GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases, and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, you can visit our <a href="https://handbook.gitlab.com/handbook/engineering/releases/">releases handbook</a> and <a href="https://about.gitlab.com/security/faq/">security FAQ</a>. 
You can see all GitLab release blog posts <a href="/releases/categories/releases/">here</a>.</p> <p>For security fixes, the issues detailing each vulnerability are made public on our <a href="https://gitlab.com/gitlab-org/gitlab/-/issues/?sort=created_date&amp;state=closed&amp;label_name%5B%5D=bug%3A%3Avulnerability&amp;confidential=no&amp;first_page_size=100">issue tracker</a> 30 days after the release in which they were patched.</p> <p>We are committed to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more <a href="/blog/gitlab-instance-security-best-practices/">best practices in securing your GitLab instance</a> in our blog post.</p> <h3 id="recommended-action">Recommended Action</h3> <p>We <strong>strongly recommend</strong> that all installations running a version affected by the issues described below are <strong>upgraded to the latest version as soon as possible</strong>.</p> <p>When no specific deployment type (omnibus, source code, helm chart, etc.) 
of a product is mentioned, this means all types are affected.</p> <h2 id="security-fixes">Security fixes</h2> <h3 id="table-of-security-fixes">Table of security fixes</h3> <table> <thead> <tr> <th>Title</th> <th>Severity</th> </tr> </thead> <tbody> <tr> <td><a href="#partial-bypass-for-device-oauth-flow-using-cross-window-forgery">Partial Bypass for Device OAuth flow using Cross Window Forgery</a></td> <td>Medium</td> </tr> <tr> <td><a href="#denial-of-service-by-abusing-github-import-api">Denial of service by abusing GitHub import API</a></td> <td>Medium</td> </tr> <tr> <td><a href="#group-ip-restriction-bypass-allows-disclosing-issue-title-of-restricted-project">Group IP restriction bypass allows disclosing issue title of restricted project</a></td> <td>Medium</td> </tr> </tbody> </table> <h3 id="partial-bypass-for-device-oauth-flow-using-cross-window-forgery">Partial Bypass for Device OAuth flow using Cross Window Forgery</h3> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting from 17.3 prior to 17.9.8, from 17.10 prior to 17.10.6, and from 17.11 prior to 17.11.2. Under certain conditions, Device OAuth flow protections could be bypassed, enabling authorization form submission with minimal user interaction. This is a medium severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N"><code>CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N</code></a>, 6.8). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-0549">CVE-2025-0549</a>.</p> <p>Thanks <a href="https://hackerone.com/sim4n6">sim4n6</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="denial-of-service-by-abusing-github-import-api">Denial of service by abusing GitHub import API</h3> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting from 17.1 prior to 17.9.8, from 17.10 prior to 17.10.6, and from 17.11 prior to 17.11.2. It was possible to cause a DoS condition via GitHub import requests using a maliciously crafted payload. This is a medium severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"><code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H</code></a>, 6.5). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-8973">CVE-2024-8973</a>.</p> <p>Thanks <a href="https://hackerone.com/a92847865">a92847865</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="group-ip-restriction-bypass-allows-disclosing-issue-title-of-restricted-project">Group IP restriction bypass allows disclosing issue title of restricted project</h3> <p>An issue has been discovered in GitLab CE/EE affecting all versions from 12.0 before 17.9.8, 17.10 before 17.10.6, and 17.11 before 17.11.2. Under certain conditions, users could bypass the IP access restrictions of a group, enabling them to disclose sensitive information. This is a medium severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"><code>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N</code></a>, 5.3). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1278">CVE-2025-1278</a>.</p> <p>Thanks <a href="https://hackerone.com/iamgk808">iamgk808</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="bug-fixes">Bug fixes</h2> <h3 id="17112">17.11.2</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/188874">Merge branch 'renovate-e2e/gitlab-qa-15.x' into '17-11-stable-ee'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/188885">[backport] Fix subgroup search redirect if SAML auth expired</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/188846">Fix MR diffs endpoint to respond with pagination headers</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/188922">Fix token prefix change when PAT prefix is nil</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/188895">[backport] Respect fork filter for global zoekt search</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/189318">[17.11] Bump graphql gem to 2.4.13</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/189452">[Backport] Allow SSO enforcer to skip root owner check</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/189039">[17.11] Only check records with encrypted data in gitlab:doctor:encryption_keys</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/189624">Change to async_delete for ci_running_builds.runner_id</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/189806">Merge branch 'pb-fix-matrix-use-case' into 'master'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/190008">Update gitlab-development-kit digest to 59037d8</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/189983">Backport (17.11): Bump 
Devfile gem to 0.4.3</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/190095">Backport (17.11): Ensure all LFK's are processed regardless of duration</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/190294">[17.11 Backport] Change the travel date for analytics/dashboards_spec.rb</a></li> <li><a href="https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/8365">config/git: Fix misdetected shell path (17.11 backport)</a></li> </ul> <h3 id="17106">17.10.6</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/189317">[17.10] Bump graphql gem to 2.4.13</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/189041">[17.10] Only check records with encrypted data in gitlab:doctor:encryption_keys</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/189622">Change to async_delete for ci_running_builds.runner_id</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/190009">Update gitlab-development-kit digest to 59037d8</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/189980">Backport (17.10): Bump Devfile gem to 0.4.3</a></li> <li><a href="https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/8342">Cherry pick '8995-json-parse-utf8' into '17-10-stable'</a></li> </ul> <h3 id="1798">17.9.8</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/189313">[17.9] Bump graphql gem to 2.4.13</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/189042">[17.9] Only check records with encrypted data in gitlab:doctor:encryption_keys</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/190010">Update gitlab-development-kit digest to 59037d8</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/190116">Backport (17.9): Bump devfile gem to v0.4.3</a></li> </ul> <h2 id="updating">Updating</h2> <p>To update GitLab, see the 
<a href="/update/">Update page</a>. To update GitLab Runner, see the <a href="https://docs.gitlab.com/runner/install/linux-repository.html#updating-the-runner">Updating the Runner page</a>.</p> <h2 id="receive-patch-notifications">Receive Patch Notifications</h2> <p>To receive patch blog notifications delivered to your inbox, visit our <a href="https://about.gitlab.com/company/contact/">contact us</a> page. To receive release notifications via RSS, subscribe to our <a href="https://about.gitlab.com/security-releases.xml">patch release RSS feed</a> or our <a href="https://about.gitlab.com/all-releases.xml">RSS feed for all releases</a>.</p> <h1>GitLab Patch Release: 17.11.1, 17.10.5, 17.9.7</h1> <p>Published 2025-04-23 by Félix Veillette-Potvin. Original post: <a href="https://about.gitlab.com/releases/2025/04/23/patch-release-gitlab-17-11-1-released/">https://about.gitlab.com/releases/2025/04/23/patch-release-gitlab-17-11-1-released/</a></p> <p>Today we are releasing versions 17.11.1, 17.10.5, 17.9.7 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.</p> <p>GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. 
For more information, you can visit our <a href="https://handbook.gitlab.com/handbook/engineering/releases/">releases handbook</a> and <a href="https://about.gitlab.com/security/faq/">security FAQ</a>. You can see all of GitLab's release blog posts <a href="/releases/categories/releases/">here</a>.</p> <p>For security fixes, the issues detailing each vulnerability are made public on our <a href="https://gitlab.com/gitlab-org/gitlab/-/issues/?sort=created_date&amp;state=closed&amp;label_name%5B%5D=bug%3A%3Avulnerability&amp;confidential=no&amp;first_page_size=100">issue tracker</a> 30 days after the release in which they were patched.</p> <p>We are committed to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more <a href="/blog/gitlab-instance-security-best-practices/">best practices in securing your GitLab instance</a> in our blog post.</p> <h3 id="recommended-action">Recommended Action</h3> <p>We <strong>strongly recommend</strong> that all installations running a version affected by the issues described below are <strong>upgraded to the latest version as soon as possible</strong>.</p> <p>When no specific deployment type (omnibus, source code, helm chart, etc.) 
of a product is mentioned, this means all types are affected.</p> <h2 id="security-fixes">Security fixes</h2> <h3 id="table-of-security-fixes">Table of security fixes</h3> <table> <thead> <tr> <th>Title</th> <th>Severity</th> </tr> </thead> <tbody> <tr> <td><a href="#cross-site-scripting-xss-in-maven-dependency-proxy-through-csp-directives">Cross Site Scripting (XSS) in Maven Dependency Proxy through CSP directives</a></td> <td>High</td> </tr> <tr> <td><a href="#cross-site-scripting-xss-in-maven-dependency-proxy-through-cache-headers">Cross Site Scripting (XSS) in Maven dependency proxy through cache headers</a></td> <td>High</td> </tr> <tr> <td><a href="#network-error-logging-nel-header-injection-in-maven-dependency-proxy-allows-browser-activity-monitoring">Network Error Logging (NEL) Header Injection in Maven Dependency Proxy Allows Browser Activity Monitoring</a></td> <td>High</td> </tr> <tr> <td><a href="#denial-of-service-dos-via-issue-preview">Denial of service (DoS) via issue preview</a></td> <td>Medium</td> </tr> <tr> <td><a href="#unauthorized-access-to-branch-names-when-repository-assets-are-disabled-in-the-project">Unauthorized access to branch names when Repository assets are disabled in the project</a></td> <td>Medium</td> </tr> </tbody> </table> <h3 id="cross-site-scripting-xss-in-maven-dependency-proxy-through-csp-directives">Cross Site Scripting (XSS) in Maven Dependency Proxy through CSP directives</h3> <p>An issue has been discovered in GitLab EE that allows for a cross-site scripting attack and a content security policy bypass in a user's browser under specific conditions, affecting all versions from 16.6 prior to 17.9.7, 17.10 prior to 17.10.5, and 17.11 prior to 17.11.1. This is a high severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N"><code>CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N</code></a>, 8.7). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1763">CVE-2025-1763</a>.</p> <p>Thanks <a href="https://hackerone.com/joaxcar">joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="cross-site-scripting-xss-in-maven-dependency-proxy-through-cache-headers">Cross Site Scripting (XSS) in Maven dependency proxy through cache headers</h3> <p>An issue has been discovered in GitLab EE that allows for a cross-site scripting attack and a content security policy bypass in a user's browser under specific conditions, affecting all versions from 16.6 prior to 17.9.7, 17.10 prior to 17.10.5, and 17.11 prior to 17.11.1. This is a high severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N"><code>CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N</code></a>, 8.7). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-2443">CVE-2025-2443</a>.</p> <p>Thanks <a href="https://hackerone.com/joaxcar">joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="network-error-logging-nel-header-injection-in-maven-dependency-proxy-allows-browser-activity-monitoring">Network Error Logging (NEL) Header Injection in Maven Dependency Proxy Allows Browser Activity Monitoring</h3> <p>An issue has been discovered in GitLab CE/EE that could allow an attacker to track users' browsing activities, potentially leading to full account takeover, affecting all versions from 16.6 prior to 17.9.7, 17.10 prior to 17.10.5, and 17.11 prior to 17.11.1. 
This is a high severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N"><code>CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N</code></a>, 7.7). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1908">CVE-2025-1908</a>.</p> <p>Thanks <a href="https://hackerone.com/joaxcar">joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="denial-of-service-dos-via-issue-preview">Denial of service (DoS) via issue preview</h3> <p>An issue affecting service availability via issue preview has been discovered in GitLab CE/EE, affecting all versions from 16.7 prior to 17.9.7, 17.10 prior to 17.10.5, and 17.11 prior to 17.11.1. This is a medium severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"><code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H</code></a>, 6.5). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-0639">CVE-2025-0639</a>.</p> <p>Thanks <a href="https://hackerone.com/sigitsetiawansss">sigitsetiawansss</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="unauthorized-access-to-branch-names-when-repository-assets-are-disabled-in-the-project">Unauthorized access to branch names when Repository assets are disabled in the project</h3> <p>An issue has been discovered in the access controls of GitLab EE that could allow users to view certain restricted project information even when the related features are disabled, affecting all versions from 17.7 prior to 17.9.7, 17.10 prior to 17.10.5, and 17.11 prior to 17.11.1. 
This is a medium severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"><code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code></a>, 4.3). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-12244">CVE-2024-12244</a>.</p> <p>Thanks <a href="https://hackerone.com/mateuszek">mateuszek</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="bug-fixes">Bug fixes</h2> <h3 id="17111">17.11.1</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/188122">Put allow_composite_identities_to_run_pipelines behind ff</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/188630">Backporting doc fix for Amazon Q</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/188405">[BP]last_rollout_failed_at should be set for failures namespaces also</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/188604">Fix Amazon Q disconnect for already destroyed app</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/188127">Fix string conversion for CI Inputs</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/188074">Backport fix for latest DS template in combination with Static Reachability</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/188721">Merge branch '535633-new-look-causes-attach-file-to-ignore-external_url' into 'master'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/188234">Patch in 17.11: Sync Cloud Connector tokens hourly</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/188131">Update Workhorse Gitaly client dependency</a></li> </ul> <h3 id="17105">17.10.5</h3> <ul> <li><a 
href="https://gitlab.com/gitlab-org/build/CNG/-/merge_requests/2318">Backport 'fix-ubi-mailroom-location' into '17-10-stable'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitaly/-/merge_requests/7765">backport update-go-grpc-to-1.71.1 to 17-10-stable</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/187346">[Backport 17.10] Bulk indexing cron workers should respect pause setting</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/187347">[17.10] Backport: Zoekt: Fix incorrect project filtering in Zoekt initial indexing</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/187380">Backport: Zoekt: Rollout is considering offline nodes as well</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/187382">Backport: Zoekt Newly created indices are instantly evicted</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/187376">Backport NoMethodError: zoekt_nodes is null in some instances</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/187679">Fix workspaces reconciliation to send inventory config map correctly</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/187370">[17.10 Backport] Clean up the FinalizeBackfillCiRunnerMachinesPartitionedTable migration</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/187562">Introduce a new gitlab:doctor:encryption_keys task</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/187902">Backport "Resolve "/api/v4/todos returns 500 when has wiki todo""</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/187420">Update workhorse gitalyclient dependency update backport to 17.10</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/187890">[17.10 Backport] Clear session cookie when browser is closed</a></li> <li><a 
href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/187865">Backport AI events backfill from PG to ClickHouse</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/188236">Patch in 17.10: Sync Cloud Connector tokens hourly</a></li> </ul> <h3 id="1797">17.9.7</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/build/CNG/-/merge_requests/2322">Backport setting FIPS and UBI pipeline name to 17-9-stable</a></li> <li><a href="https://gitlab.com/gitlab-org/build/CNG/-/merge_requests/2319">Backport 'fix-ubi-mailroom-location' into '17-9-stable'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitaly/-/merge_requests/7772">backport update-go-grpc-to-1.71.1 to 17-9-stable</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/187368">[17.9 Backport] Clean up the FinalizeBackfillCiRunnerMachinesPartitionedTable migration</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/187566">Introduce a new gitlab:doctor:encryption_keys task</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/187765">Update workhorse gitalyclient dependency backport to 17.9</a></li> </ul> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">Update page</a>. To update GitLab Runner, see the <a href="https://docs.gitlab.com/runner/install/linux-repository.html#updating-the-runner">Updating the Runner page</a>.</p> <h2 id="receive-patch-notifications">Receive Patch Notifications</h2> <p>To receive patch blog notifications delivered to your inbox, visit our <a href="https://about.gitlab.com/company/contact/">contact us</a> page. 
To receive release notifications via RSS, subscribe to our <a href="https://about.gitlab.com/security-releases.xml">patch release RSS feed</a> or our <a href="https://about.gitlab.com/all-releases.xml">RSS feed for all releases</a>.</p> <h1>GitLab Patch Release: 17.10.4, 17.9.6, 17.8.7</h1> <p>Published 2025-04-09 by Costel Maxim. Original post: <a href="https://about.gitlab.com/releases/2025/04/09/patch-release-gitlab-17-10-4-released/">https://about.gitlab.com/releases/2025/04/09/patch-release-gitlab-17-10-4-released/</a></p> <p>Today we are releasing versions 17.10.4, 17.9.6, 17.8.7 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.</p> <p>GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, you can visit our <a href="https://handbook.gitlab.com/handbook/engineering/releases/">releases handbook</a> and <a href="https://about.gitlab.com/security/faq/">security FAQ</a>. 
You can see all of GitLab's release blog posts <a href="/releases/categories/releases/">here</a>.</p> <p>For security fixes, the issues detailing each vulnerability are made public on our <a href="https://gitlab.com/gitlab-org/gitlab/-/issues/?sort=created_date&amp;state=closed&amp;label_name%5B%5D=bug%3A%3Avulnerability&amp;confidential=no&amp;first_page_size=100">issue tracker</a> 30 days after the release in which they were patched.</p> <p>We are committed to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more <a href="/blog/gitlab-instance-security-best-practices/">best practices in securing your GitLab instance</a> in our blog post.</p> <h3 id="recommended-action">Recommended Action</h3> <p>We <strong>strongly recommend</strong> that all installations running a version affected by the issues described below are <strong>upgraded to the latest version as soon as possible</strong>.</p> <p>When no specific deployment type (omnibus, source code, helm chart, etc.) 
of a product is mentioned, this means all types are affected.</p> <h2 id="security-fixes">Security fixes</h2> <h3 id="table-of-security-fixes">Table of security fixes</h3> <table> <thead> <tr> <th>Title</th> <th>Severity</th> </tr> </thead> <tbody> <tr> <td><a href="#denial-of-service-via-ci-pipelines">Denial of service via CI pipelines</a></td> <td>Medium</td> </tr> <tr> <td><a href="#unintentionally-authorizing-sensitive-actions-on-users-behalf">Unintentionally authorizing sensitive actions on users' behalf</a></td> <td>Medium</td> </tr> <tr> <td><a href="#ip-restriction-bypass-through-graphql-subscription">IP Restriction Bypass through GraphQL Subscription</a></td> <td>Medium</td> </tr> <tr> <td><a href="#unauthorized-users-can-list-the-number-of-confidential-issues">Unauthorized users can list the number of confidential issues</a></td> <td>Medium</td> </tr> <tr> <td><a href="#debugging-information-disclosed">Debugging Information Disclosed</a></td> <td>Low</td> </tr> </tbody> </table> <h3 id="denial-of-service-via-ci-pipelines">Denial of service via CI pipelines</h3> <p>A Denial of Service (DoS) issue has been discovered in GitLab CE/EE affecting all versions prior to 17.8.7, 17.9 prior to 17.9.6, and 17.10 prior to 17.10.4. A denial of service could occur upon injecting oversized payloads into CI pipeline exports. This is a medium severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"><code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H</code></a>, 6.5). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1677">CVE-2025-1677</a>.</p> <p>Thanks <a href="https://hackerone.com/pwnie">pwnie</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="unintentionally-authorizing-sensitive-actions-on-users-behalf">Unintentionally authorizing sensitive actions on users' behalf</h3> <p>An issue has been discovered in GitLab CE/EE affecting all versions from 7.7 before 17.8.7, 17.9 before 17.9.6, and 17.10 before 17.10.4. Under certain conditions, an attacker could potentially trick users into unintentionally authorizing sensitive actions on their behalf. This is a medium severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N"><code>CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N</code></a>, 6.4). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-0362">CVE-2025-0362</a>.</p> <p>Thanks <a href="https://hackerone.com/joaxcar">joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="ip-restriction-bypass-through-graphql-subscription">IP Restriction Bypass through GraphQL Subscription</h3> <p>An issue has been discovered in GitLab CE/EE affecting all versions from 13.12 before 17.8.7, 17.9 before 17.9.6, and 17.10 before 17.10.4. Under certain conditions, users could bypass IP access restrictions and view sensitive information. This is a medium severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"><code>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N</code></a>, 5.3). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-2408">CVE-2025-2408</a>.</p> <p>Thanks <a href="https://hackerone.com/rogerace">rogerace</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="unauthorized-users-can-list-the-number-of-confidential-issues">Unauthorized users can list the number of confidential issues</h3> <p>An issue has been discovered in GitLab EE affecting all versions from 17.1 before 17.8.7, 17.9 before 17.9.6, and 17.10 before 17.10.4. This allows attackers to perform targeted searches with sensitive keywords to obtain the count of issues containing the searched term. This is a medium severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N"><code>CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N</code></a>, 5.3). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-11129">CVE-2024-11129</a>.</p> <p>Thanks <a href="https://hackerone.com/a92847865">a92847865</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="debugging-information-disclosed">Debugging Information Disclosed</h3> <p>An issue has been discovered in GitLab CE/EE affecting all versions from 17.9 before 17.9.6, and 17.10 before 17.10.4. The runtime profiling data of a specific service was accessible to unauthenticated users. This is a low severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"><code>CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N</code></a>, 3.7). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-2469">CVE-2025-2469</a>.</p> <p>Thanks <a href="https://hackerone.com/ap-wtioit">ap-wtioit</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="bug-fixes">Bug fixes</h2> <h3 id="17104">17.10.4</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/186586">Cherry-picks multiple fixes into 17.10</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/186124">Fix invalid pipelines for scan execution policies</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/186658">Move group.cluster_agents field to CE</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/185812">Fixes merge requests updating URL with reports project</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/186987">Update approval rules name validation to include approval policy</a></li> <li><a href="https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4912">Workhorse golang-jwt/jwt upgrade to 5.2.2</a></li> <li><a href="https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4893">Golang Oauth2 upgrade to 0.27.0</a></li> </ul> <h3 id="1796">17.9.6</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4913">Workhorse golang-jwt/jwt upgrade to 5.2.2</a></li> </ul> <h3 id="1787">17.8.7</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/build/CNG/-/merge_requests/2305">CI: Use gcr mirror in DinD (17.8 Backport)</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/185302">No-op ci_runner_machines_687967fa8a batched migrations - 17.8 backport</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/186588">Cherry-picks bug fixes into 17.8</a></li> <li><a href="https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/8267">Backport fix in 
libarchive for CI</a></li> <li><a href="https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/8263">CI: Use gcr mirror for DinD (17.8 Backport)</a></li> <li><a href="https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/8278">[17.8 Backport] Check packages does not have .dind job in scope</a></li> <li><a href="https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/8283">CI: Optionally enable dependency proxy (Backport 17.8)</a></li> <li><a href="https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4914">Workhorse golang-jwt/jwt upgrade to 5.2.2</a></li> </ul> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">Update page</a>. To update GitLab Runner, see the <a href="https://docs.gitlab.com/runner/install/linux-repository.html#updating-the-runner">Updating the Runner page</a>.</p> <h2 id="receive-patch-notifications">Receive Patch Notifications</h2> <p>To receive patch blog notifications delivered to your inbox, visit our <a href="https://about.gitlab.com/company/contact/">contact us</a> page. 
To receive release notifications via RSS, subscribe to our <a href="https://about.gitlab.com/security-releases.xml">patch release RSS feed</a> or our <a href="https://about.gitlab.com/all-releases.xml">RSS feed for all releases</a>.</p>

GitLab Patch Release: 17.10.1, 17.9.3, 17.8.6
https://about.gitlab.com/releases/2025/03/26/patch-release-gitlab-17-10-1-released/
2025-03-26T00:00:00+00:00 2025-03-26T00:00:00+00:00
Félix Veillette-Potvin

<p>Today we are releasing versions 17.10.1, 17.9.3, 17.8.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p>
<p>These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.</p>
<p>GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases, and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, you can visit our <a href="https://handbook.gitlab.com/handbook/engineering/releases/">releases handbook</a> and <a href="https://about.gitlab.com/security/faq/">security FAQ</a>.
You can see all of GitLab release blog posts <a href="/releases/categories/releases/">here</a>.</p> <p>For security fixes, the issues detailing each vulnerability are made public on our <a href="https://gitlab.com/gitlab-org/gitlab/-/issues/?sort=created_date&amp;state=closed&amp;label_name%5B%5D=bug%3A%3Avulnerability&amp;confidential=no&amp;first_page_size=100">issue tracker</a> 30 days after the release in which they were patched.</p> <p>We are committed to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more <a href="/blog/gitlab-instance-security-best-practices/">best practices in securing your GitLab instance</a> in our blog post.</p> <h3 id="recommended-action">Recommended Action</h3> <p>We <strong>strongly recommend</strong> that all installations running a version affected by the issues described below are <strong>upgraded to the latest version as soon as possible</strong>.</p> <p>When no specific deployment type (omnibus, source code, helm chart, etc.) 
of a product is mentioned, this means all types are affected.</p>
<h2 id="security-fixes">Security fixes</h2>
<h3 id="table-of-security-fixes">Table of security fixes</h3>
<table>
<thead>
<tr> <th>Title</th> <th>Severity</th> </tr>
</thead>
<tbody>
<tr> <td><a href="#cross-site-scripting-xss-through-merge-request-error-messages">Cross-site Scripting (XSS) through merge-request error messages</a></td> <td>High</td> </tr>
<tr> <td><a href="#cross-site-scripting-xss-through-improper-rendering-of-certain-file-types">Cross-site Scripting (XSS) through improper rendering of certain file types</a></td> <td>High</td> </tr>
<tr> <td><a href="#admin-privileges-persists-after-role-is-revoked">Admin Privileges Persist After Role is Revoked</a></td> <td>High</td> </tr>
<tr> <td><a href="#external-user-can-access-internal-projects">External user can access internal projects</a></td> <td>Medium</td> </tr>
<tr> <td><a href="#prompt-injection-in-amazon-q-integration-may-allow-unauthorized-actions">Prompt injection in Amazon Q integration may allow unauthorized actions</a></td> <td>Medium</td> </tr>
<tr> <td><a href="#uncontrolled-resource-consumption-via-a-maliciously-crafted-terraform-file-in-merge-request">Uncontrolled Resource Consumption via a maliciously crafted terraform file in merge request</a></td> <td>Medium</td> </tr>
<tr> <td><a href="#maintainer-can-inject-shell-code-in-harbor-project-name-configuration-when-using-helper-scripts">Maintainer can inject shell code in Harbor project name configuration when using helper scripts</a></td> <td>Low</td> </tr>
</tbody>
</table>
<h3 id="cross-site-scripting-xss-through-merge-request-error-messages">Cross-site Scripting (XSS) through merge-request error messages</h3>
<p>An issue has been discovered in GitLab EE/CE affecting all versions from 13.5.0 before 17.8.6, 17.9 before 17.9.3, and 17.10 before 17.10.1. Certain error messages could allow Cross-Site Scripting attacks (XSS).
This is a high severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N"><code>CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N</code></a>, 8.7). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-2255">CVE-2025-2255</a>.</p>
<p>Thanks <a href="https://hackerone.com/yvvdwf">yvvdwf</a> for reporting this vulnerability through our HackerOne bug bounty program.</p>
<h3 id="cross-site-scripting-xss-through-improper-rendering-of-certain-file-types">Cross-site Scripting (XSS) through improper rendering of certain file types</h3>
<p>An issue has been discovered in GitLab CE/EE affecting all versions from 17.7 before 17.8.6, 17.9 before 17.9.3, and 17.10 before 17.10.1. Improper rendering of certain file types leads to cross-site scripting. This is a high severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N"><code>CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N</code></a>, 8.7). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-0811">CVE-2025-0811</a>.</p>
<p>Thanks <a href="https://hackerone.com/yvvdwf">yvvdwf</a> for reporting this vulnerability through our HackerOne bug bounty program.</p>
<h3 id="admin-privileges-persists-after-role-is-revoked">Admin Privileges Persist After Role is Revoked</h3>
<p>An improper access control vulnerability in GitLab CE/EE affecting all versions from 17.4 prior to 17.8.6, 17.9 prior to 17.9.3, and 17.10 prior to 17.10.1 allows a user who was an instance admin before but has since been downgraded to a regular user to continue to maintain elevated privileges to groups and projects.
This is a high severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/#vector=CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"><code>CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H</code></a>, 7.5). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-2242">CVE-2025-2242</a>.</p> <h3 id="external-user-can-access-internal-projects">External user can access internal projects</h3> <p>An issue has been discovered in GitLab CE/EE affecting all versions from 16.0 before 17.8.6, 17.9 before 17.9.3, and 17.10 before 17.10.1, allowing internal users to gain unauthorized access to internal projects. This is a medium severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:N"><code>CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:N</code></a>, 5.2). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-12619">CVE-2024-12619</a>.</p> <p>Thanks <a href="https://hackerone.com/aituglo">aituglo</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="prompt-injection-in-amazon-q-integration-may-allow-unauthorized-actions">Prompt injection in Amazon Q integration may allow unauthorized actions</h3> <p>An issue has been discovered in the GitLab Duo with Amazon Q affecting all versions from 17.8 before 17.8.6, 17.9 before 17.9.3, and 17.10 before 17.10.1. A specifically crafted issue could manipulate AI-assisted development features to potentially expose sensitive project data to unauthorized users. This is a medium severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N"><code>CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N</code></a>, 4.4). 
We have requested a CVE ID and will update this blog post when it is assigned.</p> <p>This vulnerability has been discovered internally by GitLab team member Félix Veillette-Potvin.</p> <h3 id="uncontrolled-resource-consumption-via-a-maliciously-crafted-terraform-file-in-merge-request">Uncontrolled Resource Consumption via a maliciously crafted terraform file in merge request</h3> <p>An issue has been discovered in GitLab EE/CE affecting all versions from 12.10 before 17.8.6, 17.9 before 17.9.3, and 17.10 before 17.10.1. A maliciously crafted file can cause uncontrolled CPU consumption when viewing the associated merge request. This is a medium severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"><code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L</code></a>, 4.3). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-10307">CVE-2024-10307</a>.</p> <p>Thanks <a href="https://hackerone.com/l33thaxor">l33thaxor</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="maintainer-can-inject-shell-code-in-harbor-project-name-configuration-when-using-helper-scripts">Maintainer can inject shell code in Harbor project name configuration when using helper scripts</h3> <p>An issue was discovered in GitLab EE affecting all versions starting from 14.9 before 17.8.6, all versions starting from 17.9 before 17.8.3, all versions starting from 17.10 before 17.10.1. An input validation issue in the Harbor registry integration could have allowed a maintainer to add malicious code to the CLI commands shown in the UI. This is a low severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N"><code>CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N</code></a>, 3.7). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9773">CVE-2024-9773</a>.</p> <p>Thanks <a href="https://hackerone.com/joaxcar">joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="bug-fixes">Bug fixes</h2> <h3 id="17101">17.10.1</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/build/CNG/-/merge_requests/2275">Merge branch 'fixup-non-based-ubi' into '17-10-stable'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/185392">Changes for storing value of bypass_two_factor to session</a></li> <li><a href="https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/8252">Correct incorrect PG version in CHANGELOG</a></li> </ul> <h3 id="1793">17.9.3</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/build/CNG/-/merge_requests/2264">Bump go to v1.23.6</a></li> <li><a href="https://gitlab.com/gitlab-org/build/CNG/-/merge_requests/2276">Merge branch 'fixup-non-based-ubi' into '17-9-stable'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitaly/-/merge_requests/7692">17.9 Backport: jliu/gitaly-dns-tls</a></li> <li><a href="https://gitlab.com/gitlab-org/gitaly/-/merge_requests/7708">17.9 backport: Update build-proto-gem</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/184083">[Backport 17.9] Fix frozen array error with custom analyzers</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/184190">Update dependency gitlab-mail_room to v0.0.27</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/184158">[backport] Fixed regex and syntax options button under some conditions</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/183491">[17.9] Backport: Zoekt: Index pending delete projects</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/184162">[Backport 17.9] Update truncato gem</a></li> <li><a 
href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/184345">Reorder runners backfill migrations - 17.9 backport</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/185157">[Backport 17.9] Replace #test-platform in favour of #s_developer_experience</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/184639">Update Gitaly client dependency to include DNS lookup change (backport to 17.9)</a></li> <li><a href="https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/8232">Backport 'ci-internal-release-docker-branch-dev' into '17-9-stable'</a></li> <li><a href="https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/8243">Backport 17.9: Update container-registry to v4.15.2-gitlab</a></li> </ul> <h3 id="1786">17.8.6</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/build/CNG/-/merge_requests/2278">UBI/FIPS: Fixup container_version when not using gitlab-base</a></li> <li><a href="https://gitlab.com/gitlab-org/gitaly/-/merge_requests/7693">17.8 Backport: jliu/gitaly-dns-tls</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/184916">Fix a spec typo in merge_requests_controller_spec</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/184643">Update Gitaly client dependency to include DNS lookup change (backport 17.8)</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/185156">[Backport 17.8] Replace #test-platform in favour of #s_developer_experience</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/184302">Fix SPP worker bug in 17.8</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/184347">Reorder runners backfill migrations - 17.8 backport</a></li> <li><a href="https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/8233">Backport 'ci-internal-release-docker-branch-dev' into '17-8-stable'</a></li> </ul> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a 
href="/update/">Update page</a>. To update GitLab Runner, see the <a href="https://docs.gitlab.com/runner/install/linux-repository.html#updating-the-runner">Updating the Runner page</a>.</p>
<h2 id="receive-patch-notifications">Receive Patch Notifications</h2>
<p>To receive patch blog notifications delivered to your inbox, visit our <a href="https://about.gitlab.com/company/contact/">contact us</a> page. To receive release notifications via RSS, subscribe to our <a href="https://about.gitlab.com/security-releases.xml">patch release RSS feed</a> or our <a href="https://about.gitlab.com/all-releases.xml">RSS feed for all releases</a>.</p>
<h2 id="were-combining-patch-and-security-releases">We’re combining patch and security releases</h2>
<p>This improvement in our release process matches the industry standard and will help GitLab users get information about security and bug fixes sooner, <a href="https://about.gitlab.com/blog/were-combining-patch-and-security-releases/">read the blog post here</a>.</p>

GitLab Critical Patch Release: 17.9.2, 17.8.5, 17.7.7
https://about.gitlab.com/releases/2025/03/12/patch-release-gitlab-17-9-2-released/
2025-03-12T00:00:00+00:00 2025-03-12T00:00:00+00:00
Kevin Morrison

<p>Today we are releasing versions 17.9.2, 17.8.5, 17.7.7 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p>
<p>These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.
GitLab Dedicated customers do not need to take action and will be notified once their instance has been patched.</p> <p>GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases, and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, you can visit our <a href="https://handbook.gitlab.com/handbook/engineering/releases/">releases handbook</a> and <a href="https://about.gitlab.com/security/faq/">security FAQ</a>. You can see all of GitLab release blog posts <a href="/releases/categories/releases/">here</a>.</p> <p>For security fixes, the issues detailing each vulnerability are made public on our <a href="https://gitlab.com/gitlab-org/gitlab/-/issues/?sort=created_date&amp;state=closed&amp;label_name%5B%5D=bug%3A%3Avulnerability&amp;confidential=no&amp;first_page_size=100">issue tracker</a> 30 days after the release in which they were patched.</p> <p>We are committed to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more <a href="/blog/gitlab-instance-security-best-practices/">best practices in securing your GitLab instance</a> in our blog post.</p> <h3 id="recommended-action">Recommended Action</h3> <p>We <strong>strongly recommend</strong> that all installations running a version affected by the issues described below are <strong>upgraded to the latest version as soon as possible</strong>.</p> <p>When no specific deployment type (omnibus, source code, helm chart, etc.) 
of a product is mentioned, this means all types are affected.</p> <h2 id="security-fixes">Security fixes</h2> <h3 id="table-of-security-fixes">Table of security fixes</h3> <table> <thead> <tr> <th>Title</th> <th>Severity</th> </tr> </thead> <tbody> <tr> <td><a href="#cve-2025-25291-and-cve-2025-25292-third-party-gem-ruby-saml">CVE-2025-25291 and CVE-2025-25292 (third party gem <code>ruby-saml</code>)</a></td> <td>Critical</td> </tr> <tr> <td><a href="#cve-2025-27407-third-party-gem-graphql">CVE-2025-27407 (third party gem <code>graphql</code>)</a></td> <td>High</td> </tr> <tr> <td><a href="#denial-of-service-due-to-inefficient-processing-of-untrusted-input">Denial of Service Due to Inefficient Processing of Untrusted Input</a></td> <td>Medium</td> </tr> <tr> <td><a href="#credentials-disclosed-when-repository-mirroring-fails">Credentials disclosed when repository mirroring fails</a></td> <td>Medium</td> </tr> <tr> <td><a href="#denial-of-service-vulnerability-in-gitlab-approval-rules-due-to-unbounded-field">Denial of Service Vulnerability in GitLab Approval Rules due to Unbounded Field</a></td> <td>Medium</td> </tr> <tr> <td><a href="#internal-notes-in-merge-requests-are-emailed-to-non-members-upon-review-submission">Internal Notes in Merge Requests Are Emailed to Non-Members Upon Review Submission</a></td> <td>Medium</td> </tr> <tr> <td><a href="#maintainer-can-inject-shell-code-in-google-integrations">Maintainer can inject shell code in Google integrations</a></td> <td>Low</td> </tr> <tr> <td><a href="#guest-with-custom-admin-group-member-permissions-can-approve-the-users-invitation-despite-user-caps">Guest with custom <code>Admin group member</code> permissions can approve the users invitation despite user caps</a></td> <td>Low</td> </tr> </tbody> </table> <h3 id="cve-2025-25291-and-cve-2025-25292-third-party-gem-ruby-saml">CVE-2025-25291 and CVE-2025-25292 (third party gem <code>ruby-saml</code>)</h3> <p>GitLab has remediated two privately disclosed security 
issues (<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-25291">CVE-2025-25291</a>, <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-25292">CVE-2025-25292</a>) identified in the <code>ruby-saml</code> library which GitLab uses when SAML SSO authentication is enabled at the instance or group level. These issues have been remediated on GitLab.com, and in GitLab CE/EE versions 17.7.7, 17.8.5, and 17.9.2.</p> <p>On GitLab CE/EE instances using SAML authentication, under certain circumstances, an attacker with access to a valid signed SAML document from the IdP could authenticate as another valid user within the environment's SAML IdP.</p> <h4 id="self-managed-gitlab-known-mitigations">Self Managed GitLab: Known Mitigations</h4> <p>Affected customers who cannot immediately update GitLab CE/EE to address these issues may choose to perform the following mitigation steps:</p> <p><em>Note: This vulnerability requires the attacker to have compromised a valid user account to perform the authentication bypass.</em></p> <ol> <li>Enable GitLab <a href="https://docs.gitlab.com/user/profile/account/two_factor_authentication/">two-factor authentication</a> for <a href="https://docs.gitlab.com/security/two_factor_authentication/#enforce-2fa-for-all-users">all user accounts</a> on the GitLab self-managed instance (NOTE: Enabling identity provider multi-factor authentication does not mitigate this vulnerability) <strong>and</strong></li> <li>Do not allow the <a href="https://docs.gitlab.com/integration/saml/#bypass-two-factor-authentication">SAML two-factor bypass</a> option in GitLab <strong>and</strong></li> <li><a href="https://docs.gitlab.com/integration/omniauth/#configure-common-settings">Require admin approval for automatically created new users</a> (<code>gitlab_rails['omniauth_block_auto_created_users'] = true</code>)</li> </ol> <h4 id="gitlab-thanks">GitLab Thanks:</h4> <ul> <li><a href="https://hackerone.com/ahacker1">ahacker1</a> for 
reporting <code>CVE-2025-25291</code> through our HackerOne bug bounty program</li>
<li><a href="https://github.com/p-">Peter Stöckli</a> (GitHub) for identifying <code>CVE-2025-25292</code> and contacting GitLab to coordinate disclosure and remediation across vendors</li>
<li>Sixto Martin Garcia (maintainer of the <code>ruby-saml</code> RubyGem) for their collaboration on remediation and coordinating disclosure</li>
</ul>
<h3 id="cve-2025-27407-third-party-gem-graphql">CVE-2025-27407 (third party gem <code>graphql</code>)</h3>
<p>GitLab has remediated a privately disclosed security issue (<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27407">CVE-2025-27407</a>) identified in the Ruby <code>graphql</code> library. The issue has been remediated on GitLab.com and in GitLab CE/EE versions 17.7.7, 17.8.5, and 17.9.2.</p>
<p>Under certain circumstances, if an attacker-controlled authenticated user account attempted to transfer a maliciously-crafted project via the Direct Transfer feature (note: Direct Transfer is in beta stage and is disabled by default for all self-managed GitLab instances), remote code execution is possible.
Disabling Direct Transfer removes the risk of exploitation from this issue.</p>
<h4 id="self-managed-gitlab-known-mitigations-1">Self-managed GitLab: Known Mitigations</h4>
<p>Affected customers who cannot immediately update their GitLab CE/EE to address these issues may choose to perform the following mitigation steps:</p>
<ul>
<li>Disable <a href="http://docs.gitlab.com/administration/settings/import_and_export_settings/#enable-migration-of-groups-and-projects-by-direct-transfer">migration of groups and projects by direct transfer</a>, if enabled (disabled by default)</li>
</ul>
<h4 id="gitlab-thanks-1">GitLab Thanks:</h4>
<ul>
<li><a href="https://hackerone.com/yvvdwf">yvvdwf</a> for reporting this vulnerability through our HackerOne bug bounty program</li>
<li><a href="https://github.com/rmosolgo">Robert Mosolgo</a> (ruby-graphql) for their collaboration on cross-vendor disclosure and remediation</li>
</ul>
<h3 id="denial-of-service-due-to-inefficient-processing-of-untrusted-input">Denial of Service Due to Inefficient Processing of Untrusted Input</h3>
<p>An issue was discovered in GitLab CE/EE affecting all versions before 17.7.7, 17.8 prior to 17.8.5, and 17.9 prior to 17.9.2, where a denial of service vulnerability could allow an attacker to cause a system reboot under certain conditions. This is a medium severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"><code>CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H</code></a>, 5.7).
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-13054">CVE-2024-13054</a>.</p> <p>Thanks <a href="https://hackerone.com/sim4n6">sim4n6</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="credentials-disclosed-when-repository-mirroring-fails">Credentials disclosed when repository mirroring fails</h3> <p>An issue was discovered in GitLab EE/CE affecting all versions starting from 11.5 before 17.7.7, all versions starting from 17.8 before 17.8.5, all versions starting from 17.9 before 17.9.2. Certain user inputs in repository mirroring settings could potentially expose sensitive authentication information. This is a medium severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N"><code>CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N</code></a>, 4.4). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-12380">CVE-2024-12380</a>.</p> <p>Thanks <a href="https://hackerone.com/sigitsetiawansss">sigitsetiawansss</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="denial-of-service-vulnerability-in-gitlab-approval-rules-due-to-unbounded-field">Denial of Service Vulnerability in GitLab Approval Rules due to Unbounded Field</h3> <p>An issue was discovered in GitLab EE affecting all versions starting with 12.3 before 17.7.7, 17.8 prior to 17.8.5, and 17.9 prior to 17.9.2. A vulnerability in certain GitLab instances could allow an attacker to cause a denial of service condition by manipulating specific API inputs. This is a medium severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H">CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H</a>, 6.5). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1257">CVE-2025-1257</a>.</p>
<p>Thanks <a href="https://hackerone.com/pwnie">pwnie</a> for reporting this vulnerability through our HackerOne bug bounty program.</p>
<h3 id="internal-notes-in-merge-requests-are-emailed-to-non-members-upon-review-submission">Internal Notes in Merge Requests Are Emailed to Non-Members Upon Review Submission</h3>
<p>An issue has been discovered in GitLab EE/CE affecting all versions starting from 16.9 before 17.7.7, all versions starting from 17.8 before 17.8.5, and all versions starting from 17.9 before 17.9.2 that could allow unauthorized users to access confidential information intended for internal use only. This is a medium severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"><code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code></a>, 4.3). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-0652">CVE-2025-0652</a>.</p>
<p>Thanks <a href="https://hackerone.com/foxribeye">foxribeye</a> for reporting this vulnerability through our HackerOne bug bounty program.</p>
<h3 id="maintainer-can-inject-shell-code-in-google-integrations">Maintainer can inject shell code in Google integrations</h3>
<p>An issue was discovered in GitLab EE affecting all versions starting from 17.2 before 17.7.7, all versions starting from 17.8 before 17.8.5, all versions starting from 17.9 before 17.9.2. An input validation issue in the Google Cloud IAM integration feature could have enabled a Maintainer to introduce malicious code.
This is a low severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N"><code>CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N</code></a>, 3.7). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-8402">CVE-2024-8402</a>.</p> <p>Thanks <a href="https://hackerone.com/joaxcar">joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="guest-with-custom-admin-group-member-permissions-can-approve-the-users-invitation-despite-user-caps">Guest with custom <code>Admin group member</code> permissions can approve the users invitation despite user caps</h3> <p>An issue was discovered in GitLab EE affecting all versions from 16.5 prior to 17.7.7, 17.8 prior to 17.8.5, and 17.9 prior to 17.9.2 which allowed a user with a custom permission to approve pending membership requests beyond the maximum number of allowed users. This is a low severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N"><code>CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N</code></a>, 2.7). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7296">CVE-2024-7296</a>.</p> <p>Thanks <a href="https://hackerone.com/ashish_r_padelkar">ashish_r_padelkar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="bump-postgresql-versions-to-1417-and-168">Bump PostgreSQL versions to 14.17 and 16.8</h3> <p>The PostgreSQL project released an update so we are updating to versions 14.17 and 16.8.</p> <h2 id="bug-fixes">Bug fixes</h2> <h3 id="1792">17.9.2</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/build/CNG/-/merge_requests/2239">PG: Upgrade client libraries and programs to 16.8</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/182632">Use correct project when fetching managed resources templates</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/182677">E2E test fix: web ide spec</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/182666">Prevent deletion of project_bot users with non-expiring access tokens</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/183361">Backport: Fix missing repo logic</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/183373">Backport: Search times out with certain special characters</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/182319">Backport: Fix to support custom pipcompile requirement file with the new DS analyzer</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/183982">Update gitlab-development-kit digest to 1305f9b</a></li> </ul> <h3 id="1785">17.8.5</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/182441">Fixes typo on profiles controller spec</a></li> </ul> <h3 id="1777">17.7.7</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/182443">Fixes typo on issues controller spec</a></li> 
</ul> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">Update page</a>. To update GitLab Runner, see the <a href="https://docs.gitlab.com/runner/install/linux-repository.html#updating-the-runner">Updating the Runner page</a>.</p> <h2 id="receive-patch-notifications">Receive Patch Notifications</h2> <p>To receive patch blog notifications delivered to your inbox, visit our <a href="https://about.gitlab.com/company/contact/">contact us</a> page. To receive release notifications via RSS, subscribe to our <a href="https://about.gitlab.com/security-releases.xml">patch release RSS feed</a> or our <a href="https://about.gitlab.com/all-releases.xml">RSS feed for all releases</a>.</p> <h2 id="were-combining-patch-and-security-releases">We’re combining patch and security releases</h2> <p>This improvement in our release process matches the industry standard and will help GitLab users get information about security and bug fixes sooner; <a href="https://about.gitlab.com/blog/were-combining-patch-and-security-releases/">read the blog post here</a>.</p> GitLab Patch Release: 17.9.1, 17.8.4, 17.7.6 https://about.gitlab.com/releases/2025/02/26/patch-release-gitlab-17-9-1-released/ 2025-02-26T00:00:00+00:00 2025-02-26T00:00:00+00:00 Costel Maxim <p>Today we are releasing versions 17.9.1, 17.8.4, 17.7.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. 
GitLab Dedicated customers do not need to take action.</p> <p>GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases, and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, you can visit our <a href="https://handbook.gitlab.com/handbook/engineering/releases/">releases handbook</a> and <a href="https://about.gitlab.com/security/faq/">security FAQ</a>. You can see all GitLab release blog posts <a href="/releases/categories/releases/">here</a>.</p> <p>For security fixes, the issues detailing each vulnerability are made public on our <a href="https://gitlab.com/gitlab-org/gitlab/-/issues/?sort=created_date&amp;state=closed&amp;label_name%5B%5D=bug%3A%3Avulnerability&amp;confidential=no&amp;first_page_size=100">issue tracker</a> 30 days after the release in which they were patched.</p> <p>We are committed to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more about <a href="/blog/gitlab-instance-security-best-practices/">best practices for securing your GitLab instance</a> in our blog post.</p> <h3 id="recommended-action">Recommended Action</h3> <p>We <strong>strongly recommend</strong> that all installations running a version affected by the issues described below are <strong>upgraded to the latest version as soon as possible</strong>.</p> <p>When no specific deployment type (omnibus, source code, helm chart, etc.) 
of a product is mentioned, this means all types are affected.</p> <h2 id="security-fixes">Security fixes</h2> <h3 id="table-of-security-fixes">Table of security fixes</h3> <table> <thead> <tr> <th>Title</th> <th>Severity</th> </tr> </thead> <tbody> <tr> <td><a href="#xss-in-k8s-proxy-endpoint">XSS in k8s proxy endpoint</a></td> <td>High</td> </tr> <tr> <td><a href="#xss-maven-dependency-proxy">XSS in Maven Dependency Proxy</a></td> <td>High</td> </tr> <tr> <td><a href="#html-injection-leads-to-xss-on-self-hosted-instances">HTML injection leads to XSS on self hosted instances</a></td> <td>Medium</td> </tr> <tr> <td><a href="#improper-authorisation-check-allows-guest-user-to-read-security-policy">Improper Authorisation Check Allows Guest User to Read Security Policy</a></td> <td>Medium</td> </tr> <tr> <td><a href="#planner-role-can-read-code-review-analytics-in-private-projects">Planner role can read code review analytics in Private Projects</a></td> <td>Medium</td> </tr> </tbody> </table> <h3 id="xss-in-k8s-proxy-endpoint">XSS in k8s proxy endpoint</h3> <p>An issue has been discovered in GitLab CE/EE affecting all versions from 15.10 prior to 17.7.6, 17.8 prior to 17.8.4, and 17.9 prior to 17.9.1. A proxy feature could potentially allow unintended content rendering leading to XSS under specific circumstances. This is a high severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N"><code>CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N</code></a>, 8.7). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-0475">CVE-2025-0475</a>.</p> <p>Thanks <a href="https://hackerone.com/joaxcar">joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="xss-maven-dependency-proxy">XSS in Maven Dependency Proxy</h3> <p>A Cross-Site Scripting (XSS) vulnerability in GitLab EE affecting all versions from 16.6 prior to 17.7.6, 17.8 prior to 17.8.4, and 17.9 prior to 17.9.1 allows an attacker to bypass security controls and execute arbitrary scripts in a user's browser under specific conditions. This is a high severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N"><code>CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N</code></a>, 7.7). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-0555">CVE-2025-0555</a>.</p> <p>Thanks <a href="https://hackerone.com/joaxcar">joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="html-injection-leads-to-xss-on-self-hosted-instances">HTML injection leads to XSS on self hosted instances</h3> <p>An issue has been discovered in GitLab CE/EE affecting all versions from 16.6 prior to 17.7.6, 17.8 prior to 17.8.4, and 17.9 prior to 17.9.1. An attacker could inject HTML into the child item search, potentially leading to XSS in certain situations. This is a medium severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"><code>CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N</code></a>, 5.4). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-8186">CVE-2024-8186</a>.</p> <p>Thanks <a href="https://hackerone.com/joaxcar">joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="improper-authorisation-check-allows-guest-user-to-read-security-policy">Improper Authorisation Check Allows Guest User to Read Security Policy</h3> <p>A vulnerability in GitLab EE affecting all versions from 16.2 prior to 17.7.6, 17.8 prior to 17.8.4, and 17.9 prior to 17.9.1 allows a Guest user to read Security policy YAML. This is a medium severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N"><code>CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N</code></a>, 5.3). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-10925">CVE-2024-10925</a>.</p> <p>Thanks <a href="https://hackerone.com/yuki_osaki">yuki_osaki</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="planner-role-can-read-code-review-analytics-in-private-projects">Planner role can read code review analytics in private projects</h3> <p>Improper authorization in GitLab EE affecting all versions from 17.7 prior to 17.7.6, 17.8 prior to 17.8.4, and 17.9 prior to 17.9.1 allows users with limited permissions to access potentially sensitive project analytics data. This is a medium severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"><code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code></a>, 4.3). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-0307">CVE-2025-0307</a>.</p> <p>Thanks <a href="https://hackerone.com/weasterhacker">weasterhacker</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="bug-fixes">Bug fixes</h2> <h3 id="1791">17.9.1</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/182032">Backport - Merge branch 'revert-e78b1a9f' into 'master'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/181864">Backport/fix ambiguous pipeline 17 9</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/182126">Make it possible for ignore unexpected EOFs in SSL connections</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/182179">Allow Duo Chat to be resizable on self-managed (backport)</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/182385">Merge branch 'mdc/include-build-assets-image-job-sync-pipelines' into 'master'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/182121">Fix instance level dashboard by default severity override</a></li> </ul> <h3 id="1784">17.8.4</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/build/CNG/-/merge_requests/2233">Bump gitlab-exporter to v15.2.0</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/181136">[Backport] Return false for pending_migrations? 
if indexing disabled</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/181267">Merge branch '10443-fix-workhorse-verify' into 'master'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/181358">Revert stricter workhorse route regexes</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/181872">Use primary DB when authenticating via job token in jobs API</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/181865">Backport/fix ambiguous pipeline 17 8</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/182098">Backport add more custom exit codes for CI/CD failures MRs and fix assets caching in scheduled cache-assets:production job</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/181534">Backport fix CH version incompatibility</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/182388">Merge branch 'mdc/include-build-assets-image-job-sync-pipelines' into 'master'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/182128">Make it possible for ignore unexpected EOFs in SSL connections</a></li> <li><a href="https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/8187">Update dependency gitlab-exporter to v15.2.0</a></li> </ul> <h3 id="1776">17.7.6</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/181268">Merge branch '10443-fix-workhorse-verify' into 'master'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/181359">Revert stricter workhorse route regexes</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/182151">Fix failed jobs widget polling issue</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/181863">Backport fix for ambiguous created_at</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/182104">Backport add more custom exit codes for CI/CD failures MRs and fix assets caching in scheduled cache-assets:production job</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/182390">Merge branch 'mdc/include-build-assets-image-job-sync-pipelines' into 'master'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/182129">Make it possible for ignore unexpected EOFs in SSL connections</a></li> </ul> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">update page</a>. 
To update GitLab Runner, see the <a href="https://docs.gitlab.com/runner/install/linux-repository.html#updating-the-runner">Updating the Runner page</a>.</p> <p>Note: GitLab releases have skipped 17.7.5 and 17.8.3. There are no patches with these version numbers.</p> <h2 id="receive-patch-notifications">Receive Patch Notifications</h2> <p>To receive patch blog notifications delivered to your inbox, visit our <a href="https://about.gitlab.com/company/contact/">contact us</a> page. To receive release notifications via RSS, subscribe to our <a href="https://about.gitlab.com/security-releases.xml">patch release RSS feed</a> or our <a href="https://about.gitlab.com/all-releases.xml">RSS feed for all releases</a>.</p> <h2 id="were-combining-patch-and-security-releases">We’re combining patch and security releases</h2> <p>This improvement in our release process matches the industry standard and will help GitLab users get information about security and bug fixes sooner; <a href="https://about.gitlab.com/blog/were-combining-patch-and-security-releases/">read the blog post here</a>.</p> GitLab Patch Release: 17.8.2, 17.7.4, 17.6.5 https://about.gitlab.com/releases/2025/02/12/patch-release-gitlab-17-8-2-released/ 2025-02-12T00:00:00+00:00 2025-02-12T00:00:00+00:00 Rohit Shambhuni <p>Today we are releasing versions 17.8.2, 17.7.4, 17.6.5 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. 
GitLab Dedicated customers do not need to take action.</p> <p>GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases, and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, you can visit our <a href="https://handbook.gitlab.com/handbook/engineering/releases/">releases handbook</a> and <a href="https://about.gitlab.com/security/faq/">security FAQ</a>. You can see all GitLab release blog posts <a href="/releases/categories/releases/">here</a>.</p> <p>For security fixes, the issues detailing each vulnerability are made public on our <a href="https://gitlab.com/gitlab-org/gitlab/-/issues/?sort=created_date&amp;state=closed&amp;label_name%5B%5D=bug%3A%3Avulnerability&amp;confidential=no&amp;first_page_size=100">issue tracker</a> 30 days after the release in which they were patched.</p> <p>We are committed to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more about <a href="/blog/gitlab-instance-security-best-practices/">best practices for securing your GitLab instance</a> in our blog post.</p> <h3 id="recommended-action">Recommended Action</h3> <p>We <strong>strongly recommend</strong> that all installations running a version affected by the issues described below are <strong>upgraded to the latest version as soon as possible</strong>.</p> <p>When no specific deployment type (omnibus, source code, helm chart, etc.) 
of a product is mentioned, this means all types are affected.</p> <h2 id="security-fixes">Security fixes</h2> <h3 id="table-of-security-fixes">Table of security fixes</h3> <table> <thead> <tr> <th>Title</th> <th>Severity</th> </tr> </thead> <tbody> <tr> <td><a href="#a-csp-bypass-xss-in-merge-request-page">A CSP-bypass XSS in merge-request page</a></td> <td>High</td> </tr> <tr> <td><a href="#denial-of-service-due-to-unbounded-symbol-creation">Denial of Service due to Unbounded Symbol Creation</a></td> <td>Medium</td> </tr> <tr> <td><a href="#exfiltrate-content-from-private-issues-using-prompt-injection">Exfiltrate content from private issues using Prompt Injection</a></td> <td>Medium</td> </tr> <tr> <td><a href="#internal-http-header-leak-via-route-confusion-in-workhorse">Internal HTTP header leak via route confusion in workhorse</a></td> <td>Medium</td> </tr> <tr> <td><a href="#ssrf-via-workspaces">SSRF via workspaces</a></td> <td>Medium</td> </tr> <tr> <td><a href="#unauthorized-incident-closure-and-deletion-by-planner-role-in-gitlab">Unauthorized Incident Closure and Deletion by Planner Role in GitLab</a></td> <td>Medium</td> </tr> <tr> <td><a href="#actioncable-does-not-invalidate-tokens-after-revocation">ActionCable does not invalidate tokens after revocation</a></td> <td>Medium</td> </tr> <tr> <td><a href="#a-custom-permission-may-allow-overriding-repository-settings">A custom permission may allow overriding Repository settings</a></td> <td>Low</td> </tr> <tr> <td><a href="#saml-authentication-misconfigures-external-user-attribute">SAML Authentication Misconfigures External User Attribute</a></td> <td>Low</td> </tr> </tbody> </table> <h3 id="a-csp-bypass-xss-in-merge-request-page">A CSP-bypass XSS in merge-request page</h3> <p>An XSS vulnerability exists in GitLab CE/EE affecting all versions from 13.3 prior to 17.6.5, 17.7 prior to 17.7.4 and 17.8 prior to 17.8.2 that allows an attacker to execute unauthorized actions via a change page. 
This is a high severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N"><code>CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N</code></a>, 8.7). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-0376">CVE-2025-0376</a>.</p> <p>Thanks <a href="https://hackerone.com/yvvdwf">yvvdwf</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="denial-of-service-due-to-unbounded-symbol-creation">Denial of Service due to Unbounded Symbol Creation</h3> <p>A denial of service vulnerability in GitLab CE/EE affecting all versions from 14.1 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2 allows an attacker to impact the availability of GitLab through unbounded symbol creation via the scopes parameter of a Personal Access Token. This is a medium severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"><code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H</code></a>, 6.5). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-12379">CVE-2024-12379</a>.</p> <p>Thanks <a href="https://hackerone.com/sim4n6">sim4n6</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="exfiltrate-content-from-private-issues-using-prompt-injection">Exfiltrate content from private issues using Prompt Injection</h3> <p>An issue was discovered in GitLab EE affecting all versions from 16.0 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2, which allows an attacker to exfiltrate contents of a private issue using prompt injection. 
This is a medium severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N"><code>CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N</code></a>, 6.4). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3303">CVE-2024-3303</a>.</p> <p>Thanks <a href="https://hackerone.com/joaxcar">joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="internal-http-header-leak-via-route-confusion-in-workhorse">Internal HTTP header leak via route confusion in workhorse</h3> <p>An information disclosure vulnerability in GitLab CE/EE affecting all versions from 8.3 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2 allows an attacker to send a crafted request to a backend server to reveal sensitive information. This is a medium severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"><code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code></a>, 4.3). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1212">CVE-2025-1212</a>.</p> <p>This vulnerability has been discovered internally by GitLab team member <a href="https://gitlab.com/joernchen">Joern Schneeweisz</a>.</p> <h3 id="ssrf-via-workspaces">SSRF via workspaces</h3> <p>An external service interaction vulnerability in GitLab EE affecting all versions from 15.11 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2 allows an attacker to send requests from the GitLab server to unintended services. 
This is a medium severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"><code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code></a>, 4.3). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9870">CVE-2024-9870</a>.</p> <p>Thanks <a href="https://hackerone.com/retr02332">retr02332</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="unauthorized-incident-closure-and-deletion-by-planner-role-in-gitlab">Unauthorized Incident Closure and Deletion by Planner Role in GitLab</h3> <p>Improper Authorization in GitLab CE/EE affecting all versions from 17.7 prior to 17.7.4 and 17.8 prior to 17.8.2 allows users with limited permissions to perform unauthorized actions on critical project data. This is a medium severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/#vector=CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"><code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N</code></a>, 4.3). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-0516">CVE-2025-0516</a>.</p> <p>Thanks <a href="https://hackerone.com/sp4rrow">sp4rrow</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="actioncable-does-not-invalidate-tokens-after-revocation">ActionCable does not invalidate tokens after revocation</h3> <p>An issue discovered in GitLab CE/EE affecting all versions from 16.11 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2 meant that long-lived ActionCable connections could continue to receive streaming results after the Personal Access Token that authenticated them had been revoked. 
This is a medium severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/#vector=CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N"><code>CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N</code></a>, 4.2). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1198">CVE-2025-1198</a>.</p> <p>This vulnerability has been discovered internally by GitLab team member <a href="https://gitlab.com/DylanGriffith">Dylan Griffith</a>.</p> <h3 id="a-custom-permission-may-allow-overriding-repository-settings">A custom permission may allow overriding Repository settings</h3> <p>An improper access control vulnerability in GitLab EE affecting all versions from 15.7 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2 allows a user with a custom permission to view the contents of a repository even if that access is not authorized. This is a low severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N"><code>CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N</code></a>, 2.7). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1042">CVE-2025-1042</a>.</p> <p>Thanks <a href="https://hackerone.com/mateuszek">mateuszek</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="saml-authentication-misconfigures-external-user-attribute">SAML Authentication Misconfigures External User Attribute</h3> <p>An issue has been discovered in GitLab CE/EE for Self-Managed and Dedicated instances affecting all versions from 17.5 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2. 
It was possible for a user manually designated as External, without being configured as such in the SAML response, to lose that designation and to read and clone internal projects under certain circumstances. After upgrading to a patched version, review your users and re-designate any external users whose flag was lost. This is a low severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N"><code>CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N</code></a>, 3.1). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1540">CVE-2025-1540</a>.</p> <p>Thanks <a href="https://gitlab.com/unode">Renato Alves</a> for reporting this vulnerability.</p> <h3 id="mattermost-security-updates-january-22-2025">Mattermost Security Updates January 22, 2025</h3> <p>Mattermost has been updated to version 10.2.3, which contains several patches and security fixes.</p> <h2 id="bug-fixes">Bug fixes</h2> <h3 id="1782">17.8.2</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/178514">Fix Workhorse failing on 64-bit unaligned access on Raspberry Pi 32-bit</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/178575">[Backport] Fixed css bug for command palette file names too long</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/178596">Merge branch 'fix-environment-check-user-creation' into '17-8-stable-ee'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/178452">17.8: Ensure user external attribute is preserved and not set to nil</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/178961">Backporting the bug: Remove feature flag for multiple approvals</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/179349">Merge branch 'dattang/do-not-allow-release-environment-to-fail' into 'master'</a></li> 
<li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/179180">Fix Approval widget for project merge request settings</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/179527">Enable ai tracking without move_ai_tracking_to_instrumentation_layer flag</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/179948">Add import_vulnerabilities feature flag</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/180252">Update build-gdk-image version</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/180216">Backport: Zoekt code search always performs regex search</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/180274">Fix storing incorrect policy index in scan_result_policies</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/180206">[Backport] Only check pending migrations if indexing enabled</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/180306">Updating Duo functionality note</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/180237">[backport] Fix command palette keybindings propagation</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/180553">Backport into 17.8: Decrease log level of false error</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/180783">[Backport] Fix info and list_pending_migration rake tasks if search cluster unreachable</a></li> </ul> <h3 id="1774">17.7.4</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/178457">17.7: Ensure user external attribute is preserved and not set to nil</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/179058">Merge branch 'fix-environment-check-user-creation' into 'master'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/179350">Merge branch 
'dattang/do-not-allow-release-environment-to-fail' into 'master'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/179735">Fixes typo on profiles_controller_spec</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/179933">Add import_vulnerabilities feature flag</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/180305">Updating Duo functionality note</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/180574">Backport into 17.7: Decrease log level of false error</a></li> </ul> <h3 id="1765">17.6.5</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/build/CNG/-/merge_requests/2199">Backport internal release support to 17.6</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/178458">17.6: Ensure user external attribute is preserved and not set to nil</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/179351">Merge branch 'dattang/do-not-allow-release-environment-to-fail' into 'master'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/179736">Fixes typo on profiles_controller_spec</a></li> <li><a href="https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/8137">Backport internal release support to 17.6</a></li> </ul> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">update page</a>. To update GitLab Runner, see the <a href="https://docs.gitlab.com/runner/install/linux-repository.html#updating-the-runner">Updating the Runner page</a>.</p> <h2 id="receive-patch-notifications">Receive Patch Notifications</h2> <p>To receive patch blog notifications delivered to your inbox, visit our <a href="https://about.gitlab.com/company/contact/">contact us</a> page. 
To receive release notifications via RSS, subscribe to our <a href="https://about.gitlab.com/security-releases.xml">patch release RSS feed</a> or our <a href="https://about.gitlab.com/all-releases.xml">RSS feed for all releases</a>.</p> <h2 id="were-combining-patch-and-security-releases">We’re combining patch and security releases</h2> <p>This improvement in our release process matches the industry standard and will help GitLab users get information about security and bug fixes sooner, <a href="https://about.gitlab.com/blog/were-combining-patch-and-security-releases/">read the blog post here</a>.</p> <img src='https://about.gitlab.com/images/blogimages/security-cover-fy26.png' class='webfeedsFeaturedVisual' style='display: none;' /> GitLab Patch Release: 17.8.1, 17.7.3, 17.6.4 https://about.gitlab.com/releases/2025/01/22/patch-release-gitlab-17-8-1-released/ 2025-01-22T00:00:00+00:00 2025-01-22T00:00:00+00:00 Ottilia Westerlund <p>Today we are releasing versions 17.8.1, 17.7.3, 17.6.4 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.</p> <p>GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases, and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, you can visit our <a href="https://handbook.gitlab.com/handbook/engineering/releases/">releases handbook</a> and <a href="https://about.gitlab.com/security/faq/">security FAQ</a>. 
You can see all GitLab release blog posts <a href="/releases/categories/releases/">here</a>.</p> <p>For security fixes, the issues detailing each vulnerability are made public on our <a href="https://gitlab.com/gitlab-org/gitlab/-/issues/?sort=created_date&amp;state=closed&amp;label_name%5B%5D=bug%3A%3Avulnerability&amp;confidential=no&amp;first_page_size=100">issue tracker</a> 30 days after the release in which they were patched.</p> <p>We are committed to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more about <a href="/blog/gitlab-instance-security-best-practices/">best practices for securing your GitLab instance</a> in our blog post.</p> <h3 id="recommended-action">Recommended Action</h3> <p>We <strong>strongly recommend</strong> that all installations running a version affected by the issues described below are <strong>upgraded to the latest version as soon as possible</strong>.</p> <p>When no specific deployment type (omnibus, source code, helm chart, etc.) 
of a product is mentioned, this means all types are affected.</p> <h2 id="security-fixes">Security fixes</h2> <h3 id="table-of-security-fixes">Table of security fixes</h3> <table> <thead> <tr> <th>Title</th> <th>Severity</th> </tr> </thead> <tbody> <tr> <td><a href="#stored-xss-via-asciidoctor-render">Stored XSS via Asciidoctor render</a></td> <td>High</td> </tr> <tr> <td><a href="#developer-could-exfiltrate-protected-cicd-variables-via-ci-lint">Developer could exfiltrate protected CI/CD variables via CI lint</a></td> <td>Medium</td> </tr> <tr> <td><a href="#cyclic-reference-of-epics-leads-resource-exhaustion">Cyclic reference of epics leads resource exhaustion</a></td> <td>Medium</td> </tr> </tbody> </table> <h3 id="stored-xss-via-asciidoctor-render">Stored XSS via Asciidoctor render</h3> <p>An issue has been discovered in GitLab CE/EE affecting all versions from 17.2 before 17.6.4, 17.7 before 17.7.3, and 17.8 before 17.8.1. Improper rendering of certain file types led to cross-site scripting. This is a high severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N"><code>CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N</code></a>, 8.7). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-0314">CVE-2025-0314</a>.</p> <p>Thanks <a href="https://hackerone.com/yvvdwf">yvvdwf</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="developer-could-exfiltrate-protected-cicd-variables-via-ci-lint">Developer could exfiltrate protected CI/CD variables via CI lint</h3> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting from 17.0 prior to 17.6.4, from 17.7 prior to 17.7.3, and from 17.8 prior to 17.8.1. Under certain conditions, it may have been possible for users with the Developer role to exfiltrate protected CI/CD variables via CI lint. 
This is a medium severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"><code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N</code></a>, 6.4). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-11931">CVE-2024-11931</a>.</p> <p>This vulnerability was internally discovered and reported by GitLab team member <a href="https://gitlab.com/greg/">Greg Myers</a>.</p> <h3 id="cyclic-reference-of-epics-leads-resource-exhaustion">Cyclic reference of epics leads resource exhaustion</h3> <p>An issue was discovered in GitLab CE/EE affecting all versions starting from 15.7 prior to 17.6.4, starting from 17.7 prior to 17.7.3, and starting from 17.8 prior to 17.8.1. It was possible to trigger a DoS by creating cyclic references between epics. This is a medium severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"><code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L</code></a>, 4.3). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6324">CVE-2024-6324</a>.</p> <p>Thanks <a href="https://hackerone.com/xorz">xorz</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="bug-fixes">Bug fixes</h2> <h3 id="1781">17.8.1</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/issues/475063">Private profiles showed account creation dates although documentation stated they shouldn't</a></li> </ul> <h3 id="1773">17.7.3</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/issues/475063">Private profiles showed account creation dates although documentation stated they shouldn't</a></li> </ul> <h3 id="1764">17.6.4</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/build/CNG/-/merge_requests/2160">Toolbox: update URLs for AzCopy (upstream change) - 17-6-stable</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/issues/475063">Private profiles showed account creation dates although documentation stated they shouldn't</a></li> </ul> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">update page</a>. To update GitLab Runner, see the <a href="https://docs.gitlab.com/runner/install/linux-repository.html#updating-the-runner">Updating the Runner page</a>.</p> <h2 id="receive-patch-notifications">Receive Patch Notifications</h2> <p>To receive patch blog notifications delivered to your inbox, visit our <a href="https://about.gitlab.com/company/contact/">contact us</a> page. 
To receive release notifications via RSS, subscribe to our <a href="https://about.gitlab.com/security-releases.xml">patch release RSS feed</a> or our <a href="https://about.gitlab.com/all-releases.xml">RSS feed for all releases</a>.</p> <h2 id="were-combining-patch-and-security-releases">We’re combining patch and security releases</h2> <p>This improvement in our release process matches the industry standard and will help GitLab users get information about security and bug fixes sooner. <a href="https://about.gitlab.com/blog/were-combining-patch-and-security-releases/">Read the blog post here</a>.</p> GitLab Patch Release: 17.7.1, 17.6.3, 17.5.5 https://about.gitlab.com/releases/2025/01/08/patch-release-gitlab-17-7-1-released/ 2025-01-08T00:00:00+00:00 Greg Alfaro <p>Today we are releasing versions 17.7.1, 17.6.3, 17.5.5 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.</p> <p>GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases, and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, you can visit our <a href="https://handbook.gitlab.com/handbook/engineering/releases/">releases handbook</a> and <a href="https://about.gitlab.com/security/faq/">security FAQ</a>. 
You can see all GitLab release blog posts <a href="/releases/categories/releases/">here</a>.</p> <p>For security fixes, the issues detailing each vulnerability are made public on our <a href="https://gitlab.com/gitlab-org/gitlab/-/issues/?sort=created_date&amp;state=closed&amp;label_name%5B%5D=bug%3A%3Avulnerability&amp;confidential=no&amp;first_page_size=100">issue tracker</a> 30 days after the release in which they were patched.</p> <p>We are committed to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more about <a href="/blog/gitlab-instance-security-best-practices/">best practices for securing your GitLab instance</a> in our blog post.</p> <h2 id="changes-to-imports">Changes to Imports</h2> <p>GitLab released a new user contribution and membership mapping feature for GitLab importers, including Direct Transfer, GitHub, Bitbucket Server, and Gitea importers. This feature is available by default from GitLab 17.7.1. 
More information on the feature and availability can be found in a <a href="https://about.gitlab.com/blog/streamline-migrations-with-user-contribution-and-membership-mapping/">blog post</a> and in the documentation <a href="https://docs.gitlab.com/ee/user/project/import/index.html#user-contribution-and-membership-mapping">here</a>.</p> <h3 id="why-gitlab-changed-its-importer-functionality">Why GitLab changed its importer functionality</h3> <p>Vulnerabilities (<a href="https://nvd.nist.gov/vuln/detail/CVE-2024-5655">CVE-2024-5655</a>, <a href="https://nvd.nist.gov/vuln/detail/CVE-2024-6385">CVE-2024-6385</a>, <a href="https://nvd.nist.gov/vuln/detail/CVE-2024-6678">CVE-2024-6678</a>, <a href="https://nvd.nist.gov/vuln/detail/CVE-2024-8970">CVE-2024-8970</a>) affecting import functionality were discovered through our HackerOne bug bounty program. To address these vulnerabilities and further enhance security, GitLab redesigned the importers’ user contribution mapping functionality.</p> <h3 id="whats-changing">What’s changing?</h3> <ol> <li><strong>Post-import mapping</strong>: Previously unavailable, this feature allows you to assign imported contributions and memberships to users on the destination instance after completing the import. Imported memberships and contributions are first mapped to placeholder users. Until they are reassigned, contributions will be displayed as associated with placeholders.</li> <li><strong>Email-independent mapping</strong>: The new process doesn't rely on email addresses, allowing you to map contributions for users with different email addresses on source and destination instances.</li> <li><strong>User control</strong>: Each user on the destination instance assigned a contribution mapping must <a href="https://docs.gitlab.com/ee/user/project/import/#accept-contribution-reassignment">accept the assignment</a> before any imported contributions are attributed to them. 
They can also <a href="https://docs.gitlab.com/ee/user/project/import/#reject-contribution-reassignment">reject the assignment</a>.</li> </ol> <p>Full details describing improved user contribution and membership mapping features are available in the GitLab docs <a href="https://docs.gitlab.com/ee/user/project/import/#user-contribution-and-membership-mapping">here</a>.</p> <h3 id="guidance-for-gitlab-self-managed--dedicated-customers">Guidance for GitLab Self-Managed &amp; Dedicated Customers</h3> <ol> <li>Exploitation requires that an attacker have an authenticated user account on the target GitLab instance. Therefore, the risk is primarily limited to insider threats unless you allow open internet access <strong>and</strong> public registrations.</li> <li> <p>GitLab strongly recommends disabling importers until your GitLab instance is upgraded to version 17.7.1 or later. You can disable import features by:</p> <ol> <li>Logging in as a GitLab instance administrator user</li> <li>Going to Admin &gt; Settings &gt; General &gt; Import and Export settings</li> <li>Unchecking the box next to each enabled importer</li> <li>Clicking Save Changes</li> </ol> </li> <li>If you must enable an importer, GitLab recommends temporarily enabling it during an import and disabling the feature after the import is complete.</li> <li>GitLab Self-Managed instances with Direct Transfer (beta feature) or the GitHub, Bitbucket Server, or Gitea importers enabled may be vulnerable and should be upgraded immediately.</li> </ol> <h3 id="recommended-action">Recommended Action</h3> <p>We <strong>strongly recommend</strong> that all installations running a version affected by the issues described below are <strong>upgraded to the latest version as soon as possible</strong>.</p> <p>When no specific deployment type (omnibus, source code, helm chart, etc.) 
of a product is mentioned, this means all types are affected.</p> <h2 id="security-fixes">Security fixes</h2> <h3 id="table-of-security-fixes">Table of security fixes</h3> <table> <thead> <tr> <th>Title</th> <th>Severity</th> </tr> </thead> <tbody> <tr> <td><a href="#possible-access-token-exposure-in-gitlab-logs">Possible access token exposure in GitLab logs</a></td> <td>Medium</td> </tr> <tr> <td><a href="#cyclic-reference-of-epics-leads-resource-exhaustion">Cyclic reference of epics leads resource exhaustion</a></td> <td>Medium</td> </tr> <tr> <td><a href="#unauthorized-user-can-manipulate-status-of-issues-in-public-projects">Unauthorized user can manipulate status of issues in public projects</a></td> <td>Medium</td> </tr> <tr> <td><a href="#instance-saml-does-not-respect-external_provider-configuration">Instance SAML does not respect <code>external_provider</code> configuration</a></td> <td>Medium</td> </tr> </tbody> </table> <h3 id="possible-access-token-exposure-in-gitlab-logs">Possible access token exposure in GitLab logs</h3> <p>An issue was discovered in GitLab CE/EE affecting all versions starting from 17.4 prior to 17.5.5, starting from 17.6 prior to 17.6.3, and starting from 17.7 prior to 17.7.1. Under certain conditions, access tokens may have been logged when API requests were made in a specific manner. This is a medium severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N"><code>CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N</code></a>, 6.5). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-0194">CVE-2025-0194</a>.</p> <p>This vulnerability has been discovered internally by GitLab team member <a href="https://gitlab.com/tkuah">Thong Kuah</a>.</p> <h3 id="cyclic-reference-of-epics-leads-resource-exhaustion">Cyclic reference of epics leads resource exhaustion</h3> <p>An issue was discovered in GitLab CE/EE affecting all versions starting from 15.7 prior to 17.5.5, starting from 17.6 prior to 17.6.3, and starting from 17.7 prior to 17.7.1. It was possible to trigger a DoS by creating cyclic references between epics. This is a medium severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"><code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L</code></a>, 4.3). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6324">CVE-2024-6324</a>.</p> <p>Thanks <a href="https://hackerone.com/xorz">xorz</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="unauthorized-user-can-manipulate-status-of-issues-in-public-projects">Unauthorized user can manipulate status of issues in public projects</h3> <p>An issue was discovered in GitLab CE/EE affecting all versions starting from 15.5 before 17.5.5, 17.6 before 17.6.3, and 17.7 before 17.7.1, in which unauthorized users could manipulate the status of issues in public projects. This is a medium severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"><code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N</code></a>, 4.3). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-12431">CVE-2024-12431</a>.</p> <p>Thanks <a href="https://hackerone.com/pwnie">pwnie</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="instance-saml-does-not-respect-external_provider-configuration">Instance SAML does not respect <code>external_provider</code> configuration</h3> <p>An issue was discovered in GitLab CE/EE affecting all versions starting from 16.4 prior to 17.5.5, starting from 17.6 prior to 17.6.3, and starting from 17.7 prior to 17.7.1. When a user is created via the SAML provider, the external groups setting overrides the external provider configuration. As a result, the user may not be marked as external thereby giving those users access to internal projects or groups. This is a medium severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N"><code>CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N</code></a>, 4.3). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-13041">CVE-2024-13041</a>.</p> <p>This vulnerability has been discovered internally by GitLab team member <a href="https://gitlab.com/dblessing">Drew Blessing</a>.</p> <h2 id="bug-fixes">Bug fixes</h2> <h3 id="1771">17.7.1</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/build/CNG/-/merge_requests/2151">Cherry pick fix for gsutil into '17-7-stable'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitaly/-/merge_requests/7533">backport 17.7.x: Downgrade grpc-go to v1.66.3</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/176091">Backport Revert "Merge branch 'improve_reference_rewriter_to_work_cross_groups' into 'master'"</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/176128">17.7 Backport Reject system notes when indexing notes on work items</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/176577">Merge branch 'andrey-fix-qa-spec' into 17.7</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/176356">Merge branch 'release-unique-users' into 17.7</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/176507">Fix CI job token signing key not always generated</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/176508">Update acme-client to v2.0.19</a></li> </ul> <h3 id="1763">17.6.3</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/build/CNG/-/merge_requests/2125">Cherry pick '2125-base-force-upgrade-ubi' into '17-6-stable'</a></li> <li><a href="https://gitlab.com/gitlab-org/build/CNG/-/merge_requests/2152">Cherry pick fix for gsutil into '17-6-stable'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitaly/-/merge_requests/7535">backport 17.6.x: Downgrade grpc-go to v1.66.3</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/175367">Backport Advanced Search: Set 
engine for OpenSearch indices</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/175272">17.6: Fix ability to use password for Git when password for Web is disabled</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/175307">Backport running release-environments QA from the stable branch to 17.6</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/175596">Backport 'fix-env-var-for-release-environments-qa' 17.6</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/175859">Backport 'dattang/fix-build-gdk-image-script' to 17.6</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/175657">Backport fix for diff_files highlights preload to 17.6</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/176514">Quarantines iteration qa spec</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/176738">Quarantine outdated user_views_iteration_spec.rb</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/176754">Quarantine date sensitive specs 17.6</a></li> </ul> <h3 id="1755">17.5.5</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/build/CNG/-/merge_requests/2126">Cherry pick '2125-base-force-upgrade-ubi' into '17-5-stable'</a></li> <li><a href="https://gitlab.com/gitlab-org/build/CNG/-/merge_requests/2153">Cherry pick fix for gsutil into '17-5-stable'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitaly/-/merge_requests/7536">backport 17.5.x: Update changelog for 17.5.0</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/175308">Backport running release-environments QA from the stable branch to 17.5</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/175364">Backport 'dattang/allow-release-environments-to-fail' to 17.5</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/175733">Backport fix for diff_files highlights 
preload to 17.5</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/175858">Backport 'dattang/fix-build-gdk-image-script' to 17.5</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/176596">Quarantines iteration qa spec</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/176739">Quarantine outdated user_views_iteration_spec.rb</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/176753">Quarantine date sensitive specs 17.5</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/176568">bump devfile gem to 0.0.28 patch</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/175274">17.5: Fix ability to use password for Git when password for Web is disabled</a></li> </ul> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">update page</a>. To update GitLab Runner, see the <a href="https://docs.gitlab.com/runner/install/linux-repository.html#updating-the-runner">Updating the Runner page</a>.</p> <h2 id="receive-patch-notifications">Receive Patch Notifications</h2> <p>To receive patch blog notifications delivered to your inbox, visit our <a href="https://about.gitlab.com/company/contact/">contact us</a> page. 
To receive release notifications via RSS, subscribe to our <a href="https://about.gitlab.com/security-releases.xml">patch release RSS feed</a> or our <a href="https://about.gitlab.com/all-releases.xml">RSS feed for all releases</a>.</p> <h2 id="were-combining-patch-and-security-releases">We’re combining patch and security releases</h2> <p>This improvement in our release process matches the industry standard and will help GitLab users get information about security and bug fixes sooner. <a href="https://about.gitlab.com/blog/were-combining-patch-and-security-releases/">Read the blog post here</a>.</p> GitLab Patch Release: 17.6.2, 17.5.4, 17.4.6 https://about.gitlab.com/releases/2024/12/11/patch-release-gitlab-17-6-2-released/ 2024-12-11T00:00:00+00:00 Costel Maxim <p>Today we are releasing versions 17.6.2, 17.5.4, 17.4.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.</p> <p>GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases, and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, you can visit our <a href="https://handbook.gitlab.com/handbook/engineering/releases/">releases handbook</a> and <a href="https://about.gitlab.com/security/faq/">security FAQ</a>. 
You can see all GitLab release blog posts <a href="/releases/categories/releases/">here</a>.</p> <p>For security fixes, the issues detailing each vulnerability are made public on our <a href="https://gitlab.com/gitlab-org/gitlab/-/issues/?sort=created_date&amp;state=closed&amp;label_name%5B%5D=bug%3A%3Avulnerability&amp;confidential=no&amp;first_page_size=100">issue tracker</a> 30 days after the release in which they were patched.</p> <p>We are committed to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more about <a href="/blog/gitlab-instance-security-best-practices/">best practices for securing your GitLab instance</a> in our blog post.</p> <h3 id="recommended-action">Recommended Action</h3> <p>We <strong>strongly recommend</strong> that all installations running a version affected by the issues described below are <strong>upgraded to the latest version as soon as possible</strong>.</p> <p>When no specific deployment type (omnibus, source code, helm chart, etc.) 
of a product is mentioned, this means all types are affected.</p> <h2 id="security-fixes">Security fixes</h2> <h3 id="table-of-security-fixes">Table of security fixes</h3> <table> <thead> <tr> <th>Title</th> <th>Severity</th> </tr> </thead> <tbody> <tr> <td><a href="#injection-of-network-error-logging-nel-headers-in-kubernetes-proxy-response-could-lead-to-ato-abusing-oauth-flows">Injection of Network Error Logging (NEL) headers in kubernetes proxy response could lead to account takeover abusing OAuth flows</a></td> <td>High</td> </tr> <tr> <td><a href="#denial-of-service-by-repeatedly-sending-unauthenticated-requests-for-diff-files">Denial of Service by repeatedly sending unauthenticated requests for diff-files</a></td> <td>High</td> </tr> <tr> <td><a href="#ci_job_token-could-be-used-to-obtain-gitlab-session">CI_JOB_TOKEN could be used to obtain GitLab session</a></td> <td>Medium</td> </tr> <tr> <td><a href="#open-redirect-in-releases-api">Open redirect in releases API</a></td> <td>Medium</td> </tr> <tr> <td><a href="#client-side-path-traversal-in-harbor-artifact-links">Client-Side Path Traversal in Harbor artifact links</a></td> <td>Medium</td> </tr> <tr> <td><a href="#html-injection-in-vulnerability-details-could-lead-to-cross-site-scripting">HTML injection in vulnerability details could lead to Cross Site Scripting</a></td> <td>Medium</td> </tr> <tr> <td><a href="#leak-branch-names-of-projects-with-confidential-repository">Leak branch names of projects with confidential repository</a></td> <td>Medium</td> </tr> <tr> <td><a href="#non-member-can-view-unresolved-threads-marked-as-internal-notes">Non member can view unresolved threads marked as internal notes</a></td> <td>Medium</td> </tr> <tr> <td><a href="#uncontrolled-resource-consumption-through-a-maliciously-crafted--file">Uncontrolled Resource Consumption through a maliciously crafted file</a></td> <td>Medium</td> </tr> <tr> <td><a 
href="#certain-sensitive-information-passed-as-literals-inside-graphql-mutations-retained-in-graphql-logs">Certain sensitive information passed as literals inside GraphQL mutations retained in GraphQL logs</a></td> <td>Medium</td> </tr> <tr> <td><a href="#information-disclosure-of-confidential-incidents-details-to-a-group-member-in-gitlab-wiki">Information disclosure of confidential incidents details to a group member in GitLab Wiki</a></td> <td>Low</td> </tr> <tr> <td><a href="#domain-confusion-in-gitlab-pages-unique-domain-implementation">Domain Confusion in GitLab Pages Unique Domain Implementation</a></td> <td>Low</td> </tr> </tbody> </table> <h3 id="injection-of-network-error-logging-nel-headers-in-kubernetes-proxy-response-could-lead-to-ato-abusing-oauth-flows">Injection of Network Error Logging (NEL) headers in kubernetes proxy response could lead to ATO abusing OAuth flows</h3> <p>An issue was discovered in GitLab CE/EE affecting all versions starting from 16.1 before 17.4.6, starting from 17.5 before 17.5.4, and starting from 17.6 before 17.6.2. Injection of Network Error Logging (NEL) headers in the Kubernetes proxy response could lead to session data exfiltration. This is a high severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N"><code>CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N</code></a>, 8.7). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-11274">CVE-2024-11274</a>.</p> <p>Thanks <a href="https://hackerone.com/joaxcar">joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="denial-of-service-by-repeatedly-sending-unauthenticated-requests-for-diff-files">Denial of Service by repeatedly sending unauthenticated requests for diff-files</h3> <p>An issue has been discovered in GitLab CE/EE affecting all versions from 9.4 before 17.4.6, 17.5 before 17.5.4, and 17.6 before 17.6.2. An attacker could cause a denial of service with requests for diff files on a commit or merge request. This is a high severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"><code>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</code></a>, 7.5). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-8233">CVE-2024-8233</a>.</p> <p>Thanks <a href="https://hackerone.com/a92847865">a92847865</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="ci_job_token-could-be-used-to-obtain-gitlab-session">CI_JOB_TOKEN could be used to obtain GitLab session</h3> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.7 before 17.4.6, from 17.5 before 17.5.4, and from 17.6 before 17.6.2. It may have been possible for an attacker with a victim's <code>CI_JOB_TOKEN</code> to obtain a GitLab session token belonging to the victim. This is a medium severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L"><code>CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L</code></a>, 6.7). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-12570">CVE-2024-12570</a>.</p> <p>Thanks <a href="https://hackerone.com/yvvdwf">yvvdwf</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="open-redirect-in-releases-api">Open redirect in releases API</h3> <p>An issue was discovered in GitLab CE/EE affecting all versions from 11.8 before 17.4.6, 17.5 before 17.5.4, and 17.6 before 17.6.2. An attacker could potentially perform an open redirect against a given releases API endpoint. This is a medium severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N"><code>CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N</code></a>, 6.4). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9387">CVE-2024-9387</a>.</p> <p>Thanks <a href="https://hackerone.com/swiftee">swiftee</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="client-side-path-traversal-in-harbor-artifact-links">Client-Side Path Traversal in Harbor artifact links</h3> <p>An issue was discovered in GitLab affecting all versions starting from 15.2 before 17.4.6, 17.5 before 17.5.4, and 17.6 before 17.6.2. On self-hosted installs, it was possible to leak the cross-site request forgery (CSRF) token to an external site while the Harbor integration was enabled. This is a medium severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"><code>CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N</code></a>, 5.4).
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-8647">CVE-2024-8647</a>.</p> <p>Thanks <a href="https://hackerone.com/joaxcar">joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="html-injection-in-vulnerability-details-could-lead-to-cross-site-scripting">HTML injection in vulnerability details could lead to Cross Site Scripting</h3> <p>An issue has been discovered in GitLab CE/EE affecting all versions from 17.3 before 17.4.6, 17.5 before 17.5.4, and 17.6 before 17.6.2. Improper output encoding could lead to Cross Site Scripting (XSS) if Content Security Policy (CSP) is not enabled. This is a medium severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"><code>CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N</code></a>, 5.4). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-8179">CVE-2024-8179</a>.</p> <p>Thanks <a href="https://hackerone.com/joaxcar">joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="leak-branch-names-of-projects-with-confidential-repository">Leak branch names of projects with confidential repository</h3> <p>An issue has been discovered in GitLab CE/EE affecting all versions from 16.9 before 17.4.6, 17.5 before 17.5.4, and 17.6 before 17.6.2. Under specific conditions, an unauthorised user could use a specific GraphQL query to retrieve branch names. This is a medium severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"><code>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N</code></a>, 5.3).
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-8116">CVE-2024-8116</a>.</p> <p>Thanks <a href="https://hackerone.com/shells3c">shells3c</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="non-member-can-view-unresolved-threads-marked-as-internal-notes">Non-member can view unresolved threads marked as internal notes</h3> <p>An issue was discovered in GitLab CE/EE affecting all versions from 15.0 before 17.4.6, 17.5 before 17.5.4, and 17.6 before 17.6.2 that allowed non-member users to view unresolved threads marked as internal notes in the merge requests of public projects. This is a medium severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"><code>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N</code></a>, 5.3). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-8650">CVE-2024-8650</a>.</p> <p>Thanks <a href="https://hackerone.com/salh4ckr">salh4ckr</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="uncontrolled-resource-consumption-through-a-maliciously-crafted--file">Uncontrolled Resource Consumption through a maliciously crafted file</h3> <p>An issue was discovered in GitLab CE/EE affecting all versions starting from 13.9 before 17.4.6, 17.5 before 17.5.4, and 17.6 before 17.6.2, that allows an attacker to cause uncontrolled resource consumption, potentially leading to a Denial of Service (DoS) condition while parsing templates to generate changelogs. This is a medium severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"><code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L</code></a>, 4.3).
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9367">CVE-2024-9367</a>.</p> <p>Thanks <a href="https://hackerone.com/l33thaxor">l33thaxor</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="certain-sensitive-information-passed-as-literals-inside-graphql-mutations-retained-in-graphql-logs">Certain sensitive information passed as literals inside GraphQL mutations retained in GraphQL logs</h3> <p>An issue was discovered in GitLab CE/EE affecting all versions starting from 11.0 before 17.4.6, starting from 17.5 before 17.5.4, and starting from 17.6 before 17.6.2, where sensitive information passed in GraphQL mutations may have been retained in GraphQL logs. This is a medium severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"><code>CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N</code></a>, 4.0). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-12292">CVE-2024-12292</a>.</p> <p>This issue was discovered internally by GitLab team member <a href="https://gitlab.com/radbatnag">Radamanthus Batnag</a>.</p> <h3 id="information-disclosure-of-confidential-incidents-details-to-a-group-member-in-gitlab-wiki">Information disclosure of confidential incidents details to a group member in GitLab Wiki</h3> <p>An issue has been discovered in GitLab EE affecting all versions starting from 14.3 before 17.4.6, all versions starting from 17.5 before 17.5.4, and all versions starting from 17.6 before 17.6.2, that allows group users to view confidential incident titles through the Wiki History Diff feature, potentially leading to information disclosure.
This is a low severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N"><code>CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N</code></a>, 3.1). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-10043">CVE-2024-10043</a>.</p> <p>Thanks <a href="https://hackerone.com/mateuszek">mateuszek</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="domain-confusion-in-gitlab-pages-unique-domain-implementation">Domain Confusion in GitLab Pages Unique Domain Implementation</h3> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.3 before 17.4.2, all versions starting from 17.5 before 17.5.4, and all versions starting from 17.6 before 17.6.2. This issue allows an attacker to create a group with a name matching an existing unique Pages domain, potentially leading to domain confusion attacks. This is a low severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L"><code>CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L</code></a>, 3.1).
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9633">CVE-2024-9633</a>.</p> <p>Thanks <a href="https://hackerone.com/psycho_012">psycho_012</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="bug-fixes">Bug fixes</h2> <h3 id="1762">17.6.2</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/build/CNG/-/merge_requests/2120">Upgrade to Postgres 16.6 for client libraries, openssl 3.2</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/173193">Fix 401 errors when installing the GitLab for Jira app</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/174008">Backport 'dattang/allow-release-environments-to-fail' to 17.6</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/174254">Backport 'always-build-qa-image-for-release-environments' to 17.6</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/174291">Add guard clause to Wiki#find_page when title is nil</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/174583">Merge branch '498768-graphql-subscriptions-ignore-unauthorized-error' into '17-6-stable-ee'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/174512">Merge branch 'nd/fix-progressbar-progress' into 'master'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/174700">Backport 17-6 Remove unused matched_lines_count</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/174701">Backport Zoekt indices without zoekt_repositories stuck in initializing</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/174549">Backport 'Zoekt: Do not process failed repos' into 17.6</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/174214">Bump devfile gem to 0.1.1</a></li> </ul> <h3 id="1754">17.5.4</h3> <ul> <li><a 
href="https://gitlab.com/gitlab-org/build/CNG/-/merge_requests/2121">Upgrade to Postgres 16.6 for client libraries, openssl 3.2</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/173196">Fix 401 errors when installing the GitLab for Jira app</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/174255">Backport 'always-build-qa-image-for-release-environments' to 17.5</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/174581">Merge branch '498768-graphql-subscriptions-ignore-unauthorized-error' into '17-5-stable-ee'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/171140">Backport https://gitlab.com/gitlab-org/gitlab/-/merge_requests/170141 into 17.5</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/175190">Quarantine Custom model features specs</a></li> </ul> <h3 id="1746">17.4.6</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/build/CNG/-/merge_requests/2122">Upgrade to Postgres 16.6 for client libraries, openssl 3.2</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/173428">Add param filtering to avoid error while saving project settings</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/173197">Fix 401 errors when installing the GitLab for Jira app</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/174256">Backport 'always-build-qa-image-for-release-environments' to 17.4</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/174756">Backport fix for flaky tests in search_results spec</a></li> </ul> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">update page</a>. 
To update GitLab Runner, see the <a href="https://docs.gitlab.com/runner/install/linux-repository.html#updating-the-runner">Updating the Runner page</a>.</p> <h2 id="receive-patch-notifications">Receive Patch Notifications</h2> <p>To receive patch blog notifications delivered to your inbox, visit our <a href="https://about.gitlab.com/company/contact/">contact us</a> page. To receive release notifications via RSS, subscribe to our <a href="https://about.gitlab.com/security-releases.xml">patch release RSS feed</a> or our <a href="https://about.gitlab.com/all-releases.xml">RSS feed for all releases</a>.</p> <h2 id="were-combining-patch-and-security-releases">We’re combining patch and security releases</h2> <p>This improvement in our release process matches the industry standard and will help GitLab users get information about security and bug fixes sooner, <a href="https://about.gitlab.com/blog/were-combining-patch-and-security-releases/">read the blog post here</a>.</p> <h2>GitLab Patch Release: 17.6.1, 17.5.3, 17.4.5</h2> <p><a href="https://about.gitlab.com/releases/2024/11/26/patch-release-gitlab-17-6-1-released/">https://about.gitlab.com/releases/2024/11/26/patch-release-gitlab-17-6-1-released/</a>, 2024-11-26, Ottilia Westerlund</p> <p>Today we are releasing versions 17.6.1, 17.5.3, 17.4.5 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.</p> <p>GitLab releases fixes for vulnerabilities in patch releases.
There are two types of patch releases: scheduled releases, and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, you can visit our <a href="https://handbook.gitlab.com/handbook/engineering/releases/">releases handbook</a> and <a href="https://about.gitlab.com/security/faq/">security FAQ</a>. You can see all GitLab release blog posts <a href="/releases/categories/releases/">here</a>.</p> <p>For security fixes, the issues detailing each vulnerability are made public on our <a href="https://gitlab.com/gitlab-org/gitlab/-/issues/?sort=created_date&amp;state=closed&amp;label_name%5B%5D=bug%3A%3Avulnerability&amp;confidential=no&amp;first_page_size=100">issue tracker</a> 30 days after the release in which they were patched.</p> <p>We are committed to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more <a href="/blog/gitlab-instance-security-best-practices/">best practices in securing your GitLab instance</a> in our blog post.</p> <h3 id="recommended-action">Recommended Action</h3> <p>We <strong>strongly recommend</strong> that all installations running a version affected by the issues described below are <strong>upgraded to the latest version as soon as possible</strong>.</p> <p>When no specific deployment type (omnibus, source code, helm chart, etc.)
of a product is mentioned, this means all types are affected.</p> <h2 id="security-fixes">Security fixes</h2> <h3 id="table-of-security-fixes">Table of security fixes</h3> <table> <thead> <tr> <th>Title</th> <th>Severity</th> </tr> </thead> <tbody> <tr> <td><a href="#privilege-escalation-via-lfs-tokens">Privilege Escalation via LFS Tokens</a></td> <td>High</td> </tr> <tr> <td><a href="#dos-through-uncontrolled-resource-consumption-when-viewing-a-maliciously-crafted-cargotoml-file">DoS through uncontrolled resource consumption when viewing a maliciously crafted cargo.toml file</a></td> <td>Medium</td> </tr> <tr> <td><a href="#unintended-access-to-usage-data-via-scoped-tokens">Unintended access to Usage Data via Scoped Tokens</a></td> <td>Medium</td> </tr> <tr> <td><a href="#gitlab-dos-via-harbor-registry-integration">GitLab DoS via Harbor registry integration</a></td> <td>Medium</td> </tr> <tr> <td><a href="#resource-exhaustion-and-denial-of-service-with-test_report-api-calls">Resource exhaustion and denial of service with test_report API calls</a></td> <td>Medium</td> </tr> <tr> <td><a href="#streaming-endpoint-did-not-invalidate-tokens-after-revocation">Streaming endpoint did not invalidate tokens after revocation</a></td> <td>Medium</td> </tr> </tbody> </table> <h3 id="privilege-escalation-via-lfs-tokens">Privilege Escalation via LFS Tokens</h3> <p>An issue has been discovered in GitLab CE/EE affecting all versions from 8.12 before 17.4.5, 17.5 before 17.5.3, and 17.6 before 17.6.1. This issue allows an attacker with access to a victim's Personal Access Token (PAT) to escalate privileges. This is a high severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N"><code>CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N</code></a>, 8.2).
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-8114">CVE-2024-8114</a>.</p> <p>Thanks <a href="https://hackerone.com/pwnie">pwnie</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="dos-through-uncontrolled-resource-consumption-when-viewing-a-maliciously-crafted-cargotoml-file">DoS through uncontrolled resource consumption when viewing a maliciously crafted cargo.toml file</h3> <p>A Denial of Service (DoS) issue has been discovered in GitLab CE/EE affecting all versions starting from 12.6 prior to 17.4.5, 17.5 prior to 17.5.3, and 17.6 prior to 17.6.1. An attacker could cause a denial of service with a crafted cargo.toml file. This is a medium severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"><code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H</code></a>, 6.5). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-8237">CVE-2024-8237</a>.</p> <p>Thanks <a href="https://hackerone.com/l33thaxor">l33thaxor</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="unintended-access-to-usage-data-via-scoped-tokens">Unintended Access to Usage Data via Scoped Tokens</h3> <p>An issue was discovered in GitLab CE/EE affecting all versions from 16.9.8 before 17.4.5, 17.5 before 17.5.3, and 17.6 before 17.6.1. Certain API endpoints could potentially allow unauthorized access to sensitive data due to overly broad application of token scopes. This is a medium severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N"><code>CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N</code></a>, 6.5).
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-11669">CVE-2024-11669</a>.</p> <p>This vulnerability has been discovered internally by a GitLab team member, <a href="https://gitlab.com/DylanGriffith">Dylan Griffith</a>.</p> <h3 id="gitlab-dos-via-harbor-registry-integration">GitLab DoS via Harbor registry integration</h3> <p>An issue was discovered in GitLab CE/EE affecting all versions starting from 15.6 prior to 17.4.5, starting from 17.5 prior to 17.5.3, and starting from 17.6 prior to 17.6.1, which could cause a Denial of Service when integrating a malicious Harbor registry. This is a medium severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H"><code>CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H</code></a>, 5.3). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-8177">CVE-2024-8177</a>.</p> <p>Thanks <a href="https://hackerone.com/a92847865">a92847865</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="resource-exhaustion-and-denial-of-service-with-test_report-api-calls">Resource exhaustion and denial of service with test_report API calls</h3> <p>A denial of service (DoS) condition was discovered in GitLab CE/EE affecting all versions from 13.2.4 before 17.4.5, 17.5 before 17.5.3, and 17.6 before 17.6.1. By leveraging this vulnerability an attacker could create a DoS condition by sending crafted API calls. This is a medium severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"><code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L</code></a>, 4.3).
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-11828">CVE-2024-11828</a>.</p> <p>Thanks <a href="https://hackerone.com/luryus">luryus</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="streaming-endpoint-did-not-invalidate-tokens-after-revocation">Streaming endpoint did not invalidate tokens after revocation</h3> <p>An issue has been discovered in GitLab CE/EE affecting all versions from 16.11 before 17.4.5, 17.5 before 17.5.3, and 17.6 before 17.6.1. Long-lived connections could potentially bypass authentication controls, allowing unauthorized access to streaming results. This is a medium severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N"><code>CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N</code></a>, 4.2). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-11668">CVE-2024-11668</a>.</p> <p>This vulnerability has been discovered internally by GitLab team members, <a href="https://gitlab.com/DylanGriffith">Dylan Griffith</a> and <a href="https://gitlab.com/engwan">Heinrich Lee Yu</a>.</p> <h2 id="bug-fixes">Bug fixes</h2> <h3 id="1761">17.6.1</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/173427">Revert "Merge branch 'include-sec-in-sidekiq-worker-attributes-concern' into 'master'"</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/173288">Revert "Merge branch '421376-part-1-move-history-button' into 'master'"</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/173464">Backport to 17.6 the fix for sbom ingestion failure when license spdx id is nil</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/173593">Cherry-pick 'jennli-patch-compile-prod-assets-rules' into 
17-6-stable-ee</a></li> </ul> <h3 id="1753">17.5.3</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/172339">Disable http router in tests</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/171715">Ensure auto_merge_enabled is set when validating merge trains</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/172391">Backport Index work items when project visibility level changes</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/172767">Backport fix for token revocation to 17.5</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/172871">Backport Publish AuthorizationsAddedEvent with multiple projects</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/173185">Make assertion order independent</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/173594">Cherry-pick 'jennli-patch-compile-prod-assets-rules' into 17-5-stable-ee</a></li> </ul> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">update page</a>. To update GitLab Runner, see the <a href="https://docs.gitlab.com/runner/install/linux-repository.html#updating-the-runner">Updating the Runner page</a>.</p> <h2 id="receive-patch-notifications">Receive Patch Notifications</h2> <p>To receive patch blog notifications delivered to your inbox, visit our <a href="https://about.gitlab.com/company/contact/">contact us</a> page.
To receive release notifications via RSS, subscribe to our <a href="https://about.gitlab.com/security-releases.xml">patch release RSS feed</a> or our <a href="https://about.gitlab.com/all-releases.xml">RSS feed for all releases</a>.</p> <h2 id="were-combining-patch-and-security-releases">We’re combining patch and security releases</h2> <p>This improvement in our release process matches the industry standard and will help GitLab users get information about security and bug fixes sooner, <a href="https://about.gitlab.com/blog/were-combining-patch-and-security-releases/">read the blog post here</a>.</p> <h2>GitLab Patch Release: 17.5.2, 17.4.4, 17.3.7</h2> <p><a href="https://about.gitlab.com/releases/2024/11/13/patch-release-gitlab-17-5-2-released/">https://about.gitlab.com/releases/2024/11/13/patch-release-gitlab-17-5-2-released/</a>, 2024-11-13, Greg Myers</p> <p>Today we are releasing versions 17.5.2, 17.4.4, 17.3.7 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.</p> <p>GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases, and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, you can visit our <a href="https://handbook.gitlab.com/handbook/engineering/releases/">releases handbook</a> and <a href="https://about.gitlab.com/security/faq/">security FAQ</a>.
You can see all GitLab release blog posts <a href="/releases/categories/releases/">here</a>.</p> <p>For security fixes, the issues detailing each vulnerability are made public on our <a href="https://gitlab.com/gitlab-org/gitlab/-/issues/?sort=created_date&amp;state=closed&amp;label_name%5B%5D=bug%3A%3Avulnerability&amp;confidential=no&amp;first_page_size=100">issue tracker</a> 30 days after the release in which they were patched.</p> <p>We are committed to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more <a href="/blog/gitlab-instance-security-best-practices/">best practices in securing your GitLab instance</a> in our blog post.</p> <h3 id="recommended-action">Recommended Action</h3> <p>We <strong>strongly recommend</strong> that all installations running a version affected by the issues described below are <strong>upgraded to the latest version as soon as possible</strong>.</p> <p>When no specific deployment type (omnibus, source code, helm chart, etc.)
of a product is mentioned, this means all types are affected.</p> <h2 id="security-fixes">Security fixes</h2> <h3 id="table-of-security-fixes">Table of security fixes</h3> <table> <thead> <tr> <th>Title</th> <th>Severity</th> </tr> </thead> <tbody> <tr> <td><a href="#unauthorized-access-to-kubernetes-cluster-agent">Unauthorized access to Kubernetes cluster agent</a></td> <td>High</td> </tr> <tr> <td><a href="#device-oauth-flow-allows-for-cross-window-forgery">Device OAuth flow allows for cross window forgery</a></td> <td>Medium</td> </tr> <tr> <td><a href="#denial-of-service-by-importing-malicious-crafted-fogbugz-import-payload">Denial of Service by importing maliciously crafted FogBugz import payload</a></td> <td>Medium</td> </tr> <tr> <td><a href="#stored-xss-through-javascript-url-in-analytics-dashboards">Stored XSS through javascript URL in Analytics dashboards</a></td> <td>Medium</td> </tr> <tr> <td><a href="#html-injection-in-vulnerability-code-flow-could-lead-to-xss-on-self-hosted-instances">HTML injection in vulnerability Code flow could lead to XSS on self-hosted instances</a></td> <td>Medium</td> </tr> <tr> <td><a href="#information-disclosure-through-an-api-endpoint">Information disclosure through an API endpoint</a></td> <td>Medium</td> </tr> </tbody> </table> <h3 id="unauthorized-access-to-kubernetes-cluster-agent">Unauthorized access to Kubernetes cluster agent</h3> <p>An issue was discovered in GitLab CE/EE affecting all versions starting from 16.0 prior to 17.3.7, starting from 17.4 prior to 17.4.4, and starting from 17.5 prior to 17.5.2, which could have allowed unauthorized access to the Kubernetes agent in a cluster under specific configurations. This is a high severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"><code>CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H</code></a>, 8.5).
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9693">CVE-2024-9693</a>.</p> <p>This vulnerability was found internally by a GitLab team member, <a href="https://gitlab.com/tigerwnz">Tiger Watson</a>.</p> <h3 id="device-oauth-flow-allows-for-cross-window-forgery">Device OAuth flow allows for cross window forgery</h3> <p>An issue was discovered in GitLab CE/EE affecting all versions starting from 17.2 prior to 17.3.7, starting from 17.4 prior to 17.4.4, and starting from 17.5 prior to 17.5.2, which could have allowed an attacker to gain full API access as the victim via the Device OAuth flow. This is a medium severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N"><code>CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N</code></a>, 6.8). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7404">CVE-2024-7404</a>.</p> <p>Thanks <a href="https://hackerone.com/joaxcar">joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="denial-of-service-by-importing-malicious-crafted-fogbugz-import-payload">Denial of Service by importing maliciously crafted FogBugz import payload</h3> <p>A Denial of Service (DoS) issue has been discovered in GitLab CE/EE affecting all versions starting from 7.14.1 prior to 17.3.7, 17.4 prior to 17.4.4, and 17.5 prior to 17.5.2. A denial of service could occur upon importing maliciously crafted content using the FogBugz importer. This is a medium severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"><code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H</code></a>, 6.5).
We have requested a CVE ID and will update this blog post when it is assigned.</p> <p>Thanks <a href="https://hackerone.com/a92847865">a92847865</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="stored-xss-through-javascript-url-in-analytics-dashboards">Stored XSS through javascript URL in Analytics dashboards</h3> <p>An issue has been discovered in GitLab CE/EE affecting all versions from 16 before 17.3.7, 17.4 before 17.4.4, and 17.5 before 17.5.2. The vulnerability could allow an attacker to inject malicious JavaScript code in Analytics Dashboards through a specially crafted URL. This is a medium severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"><code>CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N</code></a>, 6.1). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-8648">CVE-2024-8648</a>.</p> <p>Thanks <a href="https://hackerone.com/joaxcar">joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="html-injection-in-vulnerability-code-flow-could-lead-to-xss-on-self-hosted-instances">HTML injection in vulnerability Code flow could lead to XSS on self hosted instances</h3> <p>An issue has been discovered in GitLab CE/EE affecting all versions from 17.3 before 17.3.7, 17.4 before 17.4.4, and 17.5 before 17.5.2. Improper output encoding could lead to XSS if CSP is not enabled. This is a medium severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"><code>CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N</code></a>, 5.4). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-8180">CVE-2024-8180</a>.</p> <p>Thanks <a href="https://hackerone.com/joaxcar">joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="information-disclosure-through-an-api-endpoint">Information disclosure through an API endpoint</h3> <p>An issue has been discovered in GitLab EE affecting all versions starting from 17.3 before 17.3.7, all versions starting from 17.4 before 17.4.4, and all versions starting from 17.5 before 17.5.2, in which an unauthenticated user may be able to read some information about an MR in a private project, under certain circumstances. This is a medium severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"><code>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N</code></a>, 5.3). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-10240">CVE-2024-10240</a>.</p> <p>This vulnerability was discovered internally by GitLab team member <a href="https://gitlab.com/patrickbajao">Patrick Bajao</a>.</p> <h3 id="mattermost-security-updates-october-28-2024">Mattermost Security Updates October 28, 2024</h3> <p>Mattermost has been updated to version 10.1.2, which contains several patches and security fixes.</p> <h2 id="bug-fixes">Bug fixes</h2> <h3 id="1752">17.5.2</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/170051">Security patch upgrade alert: Only expose to admins 17-5</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/170814">[backport] Add epic to the scope and fix the flaky spec</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/170641">[Backport] Fix indexing subgroup associations</a></li> <li><a 
href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/170777">Skip creating tables as partitions if any partition exists</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/170058">Add knn index setting for workitem index for opensearch clusters</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/169904">[Backport]Fix new project group templates pagination</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/170981">Update pdf worker file path in pdf viewer</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/170961">[backport] Fix issue label facet can overwrite selected labels</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/171634">Fix workitem job in 17-5-stable-ee branch</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/171703">[Backport] Go-get: return 404 error code when personal token is invalid</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/171554">Add param filtering to avoid error while saving project settings</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/171926">Skip multi-version upgrade migration spec on default branches</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/171891">Fix group wiki activity events breaking the user feed</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/172133">Destroy merge train car after branch deletion</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/171585">Backport: Remove permissions JSONB column from the condition</a></li> </ul> <h3 id="1744">17.4.4</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitaly/-/merge_requests/7400">Backport fix for incorrect error classification to 17.4</a></li> <li><a href="https://gitlab.com/gitlab-org/gitaly/-/merge_requests/7414">Backport 17-4: Update GoCloud to a version that supports 
s3ForcePathStyle</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/170209">Use dump from 17.3.5 since 17.3 is the previous required stop</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/170055">Security patch upgrade alert: Only expose to admins 17-4</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/171630">Fix workitem job in 17-4-stable-ee branch</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/171784">Don't run e2e:test-product-analytics</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/171736">Ensure auto_merge_enabled is set when validating merge trains</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/172134">Destroy merge train car after branch deletion</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/172135">Fix broken merge train merge when target branch deleted</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/171586">Backport: Remove permissions JSONB column from the condition</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/170978">Update pdf worker file path in pdf viewer</a></li> </ul> <h3 id="1737">17.3.7</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitaly/-/merge_requests/7396">Backport dragonboat's file permission error to 17.3</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/170208">Use dump from 16.11.8 since 16.11 is the previous required stop</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/171632">Fix workitem job in 17-3-stable-ee branch</a></li> </ul> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">update page</a>. 
To update GitLab Runner, see the <a href="https://docs.gitlab.com/runner/install/linux-repository.html#updating-the-runner">Updating the Runner page</a>.</p> <h2 id="receive-patch-notifications">Receive Patch Notifications</h2> <p>To receive patch blog notifications delivered to your inbox, visit our <a href="https://about.gitlab.com/company/contact/">contact us</a> page. To receive release notifications via RSS, subscribe to our <a href="https://about.gitlab.com/security-releases.xml">patch release RSS feed</a> or our <a href="https://about.gitlab.com/all-releases.xml">RSS feed for all releases</a>.</p> <h2 id="were-combining-patch-and-security-releases">We’re combining patch and security releases</h2> <p>This improvement in our release process matches the industry standard and will help GitLab users get information about security and bug fixes sooner; <a href="https://about.gitlab.com/blog/were-combining-patch-and-security-releases/">read the blog post here</a>.</p> GitLab Patch Release: 17.5.1, 17.4.3, 17.3.6 https://about.gitlab.com/releases/2024/10/23/patch-release-gitlab-17-5-1-released/ 2024-10-23T00:00:00+00:00 2024-10-23T00:00:00+00:00 Kevin Morrison <p>Today we are releasing versions 17.5.1, 17.4.3, 17.3.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.</p> <p>GitLab releases fixes for vulnerabilities in patch releases. 
There are two types of patch releases: scheduled releases, and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, you can visit our <a href="https://handbook.gitlab.com/handbook/engineering/releases/">releases handbook</a> and <a href="https://about.gitlab.com/security/faq/">security FAQ</a>. You can see all GitLab release blog posts <a href="/releases/categories/releases/">here</a>.</p> <p>For security fixes, the issues detailing each vulnerability are made public on our <a href="https://gitlab.com/gitlab-org/gitlab/-/issues/?sort=created_date&amp;state=closed&amp;label_name%5B%5D=bug%3A%3Avulnerability&amp;confidential=no&amp;first_page_size=100">issue tracker</a> 30 days after the release in which they were patched.</p> <p>We are committed to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more <a href="/blog/gitlab-instance-security-best-practices/">best practices in securing your GitLab instance</a> in our blog post.</p> <h3 id="recommended-action">Recommended Action</h3> <p>We <strong>strongly recommend</strong> that all installations running a version affected by the issues described below be <strong>upgraded to the latest version as soon as possible</strong>.</p> <p>When no specific deployment type (omnibus, source code, helm chart, etc.) 
of a product is mentioned, this means all types are affected.</p> <h2 id="security-fixes">Security fixes</h2> <h3 id="table-of-security-fixes">Table of security fixes</h3> <table> <thead> <tr> <th>Title</th> <th>Severity</th> </tr> </thead> <tbody> <tr> <td><a href="#html-injection-in-global-search-may-lead-to-xss">HTML injection in Global Search may lead to XSS</a></td> <td>High</td> </tr> <tr> <td><a href="#dos-via-xml-manifest-file-import">DoS via XML manifest file import</a></td> <td>Medium</td> </tr> </tbody> </table> <h3 id="html-injection-in-global-search-may-lead-to-xss">HTML injection in Global Search may lead to XSS</h3> <p>An issue has been discovered in GitLab CE/EE affecting all versions from 15.10 before 17.3.6, 17.4 before 17.4.3, and 17.5 before 17.5.1. An attacker could inject HTML into the Global Search field on a diff view, leading to XSS. This is a high severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N"><code>CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N</code></a>, 8.7). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-8312">CVE-2024-8312</a>.</p> <p>Thanks <a href="https://hackerone.com/joaxcar">joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="dos-via-xml-manifest-file-import">DoS via XML manifest file import</h3> <p>An issue has been discovered in GitLab CE/EE affecting all versions from 11.2 before 17.3.6, 17.4 before 17.4.3, and 17.5 before 17.5.1. A denial of service could occur by importing a maliciously crafted XML manifest file. This is a medium severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"><code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H</code></a>, 6.5). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6826">CVE-2024-6826</a>.</p> <p>Thanks <a href="https://hackerone.com/a92847865">a92847865</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="update-regarding-helm-charts-devkit-and-analytics-stack">Update regarding helm charts, devkit and analytics stack</h3> <p><code>Helm charts</code>, <code>devkit</code> and <code>analytics stack</code> have been patched to no longer support dynamic funnels.</p> <h3 id="bump-ingress-nginx-controller-image-to-1112">Bump Ingress NGINX Controller image to 1.11.2</h3> <p>The GitLab chart bundles a forked Ingress NGINX Controller subchart. We've updated its image version to 1.11.2.</p> <h2 id="bug-fixes">Bug fixes</h2> <h3 id="1751">17.5.1</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/170051">Security patch upgrade alert: Only expose to admins</a></li> <li><a href="https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/7995">Backport: Ensure postgresql_new is included in GitLab CE</a></li> </ul> <h3 id="1743">17.4.3</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/build/CNG/-/merge_requests/2058">Resolve "UBI FIPS: Error in bashrc due to hardening script" (17.4)</a></li> <li><a href="https://gitlab.com/gitlab-org/build/CNG/-/merge_requests/2044">Backport: fix: Allow non-root user to run the bundle-certificates script 17.4</a></li> <li><a href="https://gitlab.com/gitlab-org/gitaly/-/merge_requests/7351">Backport gocloud.dev update to 17.4</a></li> <li><a href="https://gitlab.com/gitlab-org/gitaly/-/merge_requests/7362">Backport bundle fetch fsck fix to 17.4</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/168691">Backport Stable Branch Danger Checks to 17-4-stable-ee</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/168669">Add version to pdf.js file in webpack builds</a></li> 
<li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/168793">Backport: Skip rspec fail-fast jobs if pipeline:skip-rspec-fail-fast label is set</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/168569">Backport fix Zoekt global code search</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/168776">Set author on issuable to current user if it is not already set</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/169190">Backport LabKit v1.21.2 update to fix broken dependency</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/169625">Fix broken duo chat spec after free access cutoff [17.4]</a></li> <li><a href="https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/7998">Backport: Ensure postgresql_new is included in GitLab CE</a></li> </ul> <h3 id="1736">17.3.6</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/build/CNG/-/merge_requests/2057">Resolve "UBI FIPS: Error in bashrc due to hardening script" (17.3)</a></li> <li><a href="https://gitlab.com/gitlab-org/gitaly/-/merge_requests/7339">Backport CreateRepositoryFromURL error handling to 17.3</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/168938">Set author on issuable to current user if it is not already set</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/169627">Fix broken duo chat spec after free access cutoff [17.3]</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/168818">Backport Stable Branch Danger Checks to 17-3-stable-ee</a></li> </ul> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">update page</a>. 
To update GitLab Runner, see the <a href="https://docs.gitlab.com/runner/install/linux-repository.html#updating-the-runner">Updating the Runner page</a>.</p> GitLab Critical Patch Release: 17.4.2, 17.3.5, 17.2.9 https://about.gitlab.com/releases/2024/10/09/patch-release-gitlab-17-4-2-released/ 2024-10-09T00:00:00+00:00 2024-10-09T00:00:00+00:00 Nikhil George <p>Today we are releasing versions 17.4.2, 17.3.5, 17.2.9 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. <strong>GitLab Dedicated customers do not need to take action.</strong></p> <h3 id="recommended-action">Recommended Action</h3> <p>We <strong>strongly recommend</strong> that all installations running a version affected by the issues described below be <strong>upgraded to the latest version as soon as possible</strong>.</p> <p>When no specific deployment type (omnibus, source code, helm chart, etc.) 
of a product is mentioned, this means all types are affected.</p> <h2 id="security-fixes">Security fixes</h2> <h3 id="table-of-security-fixes">Table of security fixes</h3> <table> <thead> <tr> <th>Title</th> <th>Severity</th> </tr> </thead> <tbody> <tr> <td><a href="#run-pipelines-on-arbitrary-branches">Run pipelines on arbitrary branches</a></td> <td>Critical</td> </tr> <tr> <td><a href="#an-attacker-can-impersonate-arbitrary-user">An attacker can impersonate arbitrary user</a></td> <td>High</td> </tr> <tr> <td><a href="#ssrf-in-analytics-dashboard">SSRF in Analytics Dashboard</a></td> <td>High</td> </tr> <tr> <td><a href="#viewing-diffs-of-mr-with-conflicts-can-be-slow">Viewing diffs of MR with conflicts can be slow</a></td> <td>High</td> </tr> <tr> <td><a href="#htmli-in-oauth-page">HTMLi in OAuth page</a></td> <td>High</td> </tr> <tr> <td><a href="#deploy-keys-can-push-changes-to-an-archived-repository">Deploy Keys can push changes to an archived repository</a></td> <td>Medium</td> </tr> <tr> <td><a href="#guests-can-disclose-project-templates">Guests can disclose project templates</a></td> <td>Medium</td> </tr> <tr> <td><a href="#gitlab-instance-version-disclosed-to-unauthorized-users">GitLab instance version disclosed to unauthorized users</a></td> <td>Low</td> </tr> </tbody> </table> <h3 id="run-pipelines-on-arbitrary-branches">Run pipelines on arbitrary branches</h3> <p>An issue was discovered in GitLab EE affecting all versions starting from 12.5 prior to 17.2.9, starting from 17.3 prior to 17.3.5, and starting from 17.4 prior to 17.4.2, which allows running pipelines on arbitrary branches. This is a critical severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N"><code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N</code></a>, 9.6). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9164">CVE-2024-9164</a>.</p> <p>Thanks <a href="https://hackerone.com/pwnie">pwnie</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="an-attacker-can-impersonate-arbitrary-user">An attacker can impersonate arbitrary user</h3> <p>An issue was discovered in GitLab CE/EE affecting all versions starting from 11.6 prior to 17.2.9, starting from 17.3 prior to 17.3.5, and starting from 17.4 prior to 17.4.2, which allows an attacker to trigger a pipeline as another user under certain circumstances. This is a high severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N"><code>CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N</code></a>, 8.2). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-8970">CVE-2024-8970</a>.</p> <p>Thanks <a href="https://hackerone.com/yvvdwf">yvvdwf</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="ssrf-in-analytics-dashboard">SSRF in Analytics Dashboard</h3> <p>An issue has been discovered in GitLab EE affecting all versions starting from 15.10 prior to 17.2.9, from 17.3 prior to 17.3.5, and from 17.4 prior to 17.4.2. Instances with Product Analytics Dashboard configured and enabled could be vulnerable to SSRF attacks. This is a high severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N"><code>CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N</code></a>, 8.2). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-8977">CVE-2024-8977</a>.</p> <p>Thanks <a href="https://hackerone.com/joaxcar">joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="viewing-diffs-of-mr-with-conflicts-can-be-slow">Viewing diffs of MR with conflicts can be slow</h3> <p>An issue was discovered in GitLab CE/EE affecting all versions starting from 13.6 prior to 17.2.9, starting from 17.3 prior to 17.3.5, and starting from 17.4 prior to 17.4.2, where viewing diffs of an MR with conflicts can be slow. This is a high severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"><code>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</code></a>, 7.5). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9631">CVE-2024-9631</a>.</p> <p>Thanks <a href="https://hackerone.com/a92847865">a92847865</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="htmli-in-oauth-page">HTMLi in OAuth page</h3> <p>A cross-site scripting issue has been discovered in GitLab affecting all versions starting from 17.1 prior to 17.2.9, starting from 17.3 prior to 17.3.5, and starting from 17.4 prior to 17.4.2. When authorising a new application, it can be made to render as HTML under specific circumstances. This is a high severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N"><code>CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N</code></a>, 7.3). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6530">CVE-2024-6530</a>.</p> <p>Thanks <a href="https://hackerone.com/joaxcar">joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="deploy-keys-can-push-changes-to-an-archived-repository">Deploy Keys can push changes to an archived repository</h3> <p>An issue was discovered in GitLab CE/EE affecting all versions starting from 8.16 prior to 17.2.9, starting from 17.3 prior to 17.3.5, and starting from 17.4 prior to 17.4.2, which allows deploy keys to push to an archived repository. This is a medium severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N"><code>CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N</code></a>, 4.9). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9623">CVE-2024-9623</a>.</p> <p>Thanks <a href="https://gitlab.com/stevenorman">stevenorman</a> for reporting this vulnerability.</p> <h3 id="guests-can-disclose-project-templates">Guests can disclose project templates</h3> <p>An issue has been discovered in GitLab EE/CE affecting all versions starting from 11.4 before 17.2.9, all versions starting from 17.3 before 17.3.5, and all versions starting from 17.4 before 17.4.2. It was possible for guest users to disclose project templates using the API. This is a medium severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"><code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code></a>, 4.3). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-5005">CVE-2024-5005</a>.</p> <p>Thanks <a href="https://hackerone.com/js_noob">js_noob</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="gitlab-instance-version-disclosed-to-unauthorized-users">GitLab instance version disclosed to unauthorized users</h3> <p>An issue has been discovered in GitLab EE affecting all versions starting from 16.6 prior to 17.2.9, from 17.3 prior to 17.3.5, and from 17.4 prior to 17.4.2. It was possible for an unauthenticated attacker to determine the GitLab version number for a GitLab instance. This is a low severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"><code>CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N</code></a>, 3.7). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9596">CVE-2024-9596</a>.</p> <p>This issue was discovered internally by GitLab team member <a href="https://gitlab.com/pgascouvaillancourt">Paul Gascou-Vaillancourt</a>.</p> <h2 id="bug-fixes">Bug fixes</h2> <h3 id="1742">17.4.2</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/build/CNG/-/merge_requests/2041">Backport: fix: Specify an absolute directory for SCHEMA_VERSIONS_DIR to 17-4-stable</a></li> <li><a href="https://gitlab.com/gitlab-org/gitaly/-/merge_requests/7323">Backport grpc-go v1.67.1 upgrade to 17.4</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/167033">Update expected vulnerability in enable_advanced_sast_spec.rb</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/166877">Skip multi-version upgrade job for stable branch MRs</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/168099">Backport 17.4 Fix label filter by name for 
search</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/168238">Restrict duo pro assignment email to duo pro for sm</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/168156">Drop project_id not null constraint ci_deleted_objects</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/167937">[Backport] Go-get: fix 401 error for unauthenticated requests</a></li> </ul> <h3 id="1735">17.3.5</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/build/CNG/-/merge_requests/2042">Backport: fix: Specify an absolute directory for SCHEMA_VERSIONS_DIR to 17-3-stable</a></li> <li><a href="https://gitlab.com/gitlab-org/build/CNG/-/merge_requests/2045">Backport: fix: Allow non-root user to run the bundle-certificates script 17.3</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/166881">Skip multi-version upgrade job for stable branch MRs</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/168015">Ensure restricted visibility levels is an array - 17.3 backport</a></li> </ul> <h3 id="1729">17.2.9</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/166883">Skip multi-version upgrade job for stable branch MRs</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/168016">Ensure restricted visibility levels is an array - 17.2 backport</a></li> </ul> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">update page</a>. To update GitLab Runner, see the <a href="https://docs.gitlab.com/runner/install/linux-repository.html#updating-the-runner">Updating the Runner page</a>.</p> GitLab Patch Release: 17.4.1, 17.3.4, 17.2.8 https://about.gitlab.com/releases/2024/09/25/patch-release-gitlab-17-4-1-released/ 2024-09-25T00:00:00+00:00 2024-09-25T00:00:00+00:00 Greg Myers <p>Today we are releasing versions 17.4.1, 17.3.4, 17.2.8 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.</p> <h3 id="recommended-action">Recommended Action</h3> <p>We <strong>strongly recommend</strong> that all installations running a version affected by the issues described below be <strong>upgraded to the latest version as soon as possible</strong>.</p> <p>When no specific deployment type (omnibus, source code, helm chart, etc.) 
of a product is mentioned, this means all types are affected.</p> <h2 id="security-fixes">Security fixes</h2> <h3 id="table-of-security-fixes">Table of security fixes</h3> <table> <thead> <tr> <th>Title</th> <th>Severity</th> </tr> </thead> <tbody> <tr> <td><a href="#maintainer-can-leak-dependency-proxy-password-by-changing-dependency-proxy-url-via-crafted-post-request">Maintainer can leak Dependency Proxy password by changing Dependency Proxy URL via crafted POST request</a></td> <td>Medium</td> </tr> <tr> <td><a href="#ai-feature-reads-unsanitized-content-allowing-for-attacker-to-hide-prompt-injection">AI feature reads unsanitized content, allowing for attacker to hide prompt injection</a></td> <td>Low</td> </tr> <tr> <td><a href="#project-reference-can-be-exposed-in-system-notes">Project reference can be exposed in system notes</a></td> <td>Low</td> </tr> </tbody> </table> <h3 id="maintainer-can-leak-dependency-proxy-password-by-changing-dependency-proxy-url-via-crafted-post-request">Maintainer can leak Dependency Proxy password by changing Dependency Proxy URL via crafted POST request</h3> <p>An information disclosure issue has been discovered in GitLab EE affecting all versions starting from 16.5 prior to 17.2.8, from 17.3 prior to 17.3.4, and from 17.4 prior to 17.4.1. A maintainer could obtain a Dependency Proxy password by editing a certain Dependency Proxy setting via a POST request. This is a medium severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N"><code>CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N</code></a>, 5.5). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4278">CVE-2024-4278</a>.</p> <p>Thanks <a href="https://hackerone.com/ac7n0w">ac7n0w</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="ai-feature-reads-unsanitized-content-allowing-for-attacker-to-hide-prompt-injection">AI feature reads unsanitized content, allowing for attacker to hide prompt injection</h3> <p>An issue has been discovered in GitLab EE affecting all versions starting from 16.0 prior to 17.2.8, from 17.3 prior to 17.3.4, and from 17.4 prior to 17.4.1. An AI feature was found to read unsanitized content in a way that could've allowed an attacker to hide prompt injection. This is a low severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N"><code>CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N</code></a>, 3.1). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4099">CVE-2024-4099</a>.</p> <p>Thanks <a href="https://hackerone.com/joaxcar">joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="project-reference-can-be-exposed-in-system-notes">Project reference can be exposed in system notes</h3> <p>An information disclosure issue has been discovered in Gitlab EE/CE affecting all versions from 15.6 prior to 17.2.8, 17.3 prior to 17.3.4, and 17.4 prior to 17.4.1. In specific conditions it was possible to disclose the path of a private project to an unauthorized user. This is a low severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N"><code>CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N</code></a>, 2.6). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-8974">CVE-2024-8974</a>.</p> <p>This vulnerability has been discovered internally by GitLab team member <a href="https://gitlab.com/leipert">Lukas Eipert</a>.</p> <h3 id="mattermost-security-updates-august-27-2024">Mattermost Security Updates August 27, 2024</h3> <p>Mattermost has been updated to version 9.11.1, which contains several patches and security fixes.</p> <h2 id="bug-fixes">Bug fixes</h2> <h3 id="1741">17.4.1</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/166427">Improve OpenSSL callout message</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/166564">Change urgency of API project/:id/share to <code>low</code></a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/166363">Check commit message for issue close pattern setting</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/166540">Backport: Fixes issues with incorrectly displaying VR button</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/166694">Backport 'Fix incorrect gitlab-shell-check filename' into 17.4</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/166933">Update OpenSSL v3 callout to delay update to GitLab 17.7</a></li> </ul> <h3 id="1734">17.3.4</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/166181">Improve OpenSSL callout message</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/166302">Fix Code Review AI features policies to check duo features enabled toggle</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/166934">Update OpenSSL v3 callout to delay update to GitLab 17.7</a></li> </ul> <h3 id="1728">17.2.8</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/166183">Improve OpenSSL callout message</a></li> <li><a 
href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/166935">Update OpenSSL v3 callout to delay update to GitLab 17.7</a></li> </ul> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">update page</a>. To update Gitlab Runner, see the <a href="https://docs.gitlab.com/runner/install/linux-repository.html#updating-the-runner">Updating the Runner page</a>.</p> <h2 id="receive-patch-notifications">Receive Patch Notifications</h2> <p>To receive patch blog notifications delivered to your inbox, visit our <a href="https://about.gitlab.com/company/contact/">contact us</a> page. To receive release notifications via RSS, subscribe to our <a href="https://about.gitlab.com/security-releases.xml">patch release RSS feed</a> or our <a href="https://about.gitlab.com/all-releases.xml">RSS feed for all releases</a>.</p> <h2 id="were-combining-patch-and-security-releases">We’re combining patch and security releases</h2> <p>This improvement in our release process matches the industry standard and will help GitLab users get information about security and bug fixes sooner, <a href="https://about.gitlab.com/blog/were-combining-patch-and-security-releases/">read the blog post here</a>.</p> <img src='https://about.gitlab.com/images/blogimages/security-cover-new.png' class='webfeedsFeaturedVisual' style='display: none;' /> GitLab Critical Patch Release: 16.10.10, 16.9.11, 16.8.10, 16.7.10, 16.6.10, 16.5.10, 16.4.7, 16.3.9, 16.2.11, 16.1.8, 16.0.10 https://about.gitlab.com/releases/2024/09/25/patch-release-gitlab-16-10-10-released/ 2024-09-25T00:00:00+00:00 2024-09-25T00:00:00+00:00 Greg Myers <!-- For detailed instructions on how to complete this, please see https://gitlab.com/gitlab-org/release/docs/-/blob/master/general/patch/blog-post.md --> <p>Today we are releasing versions 16.10.10, 16.9.11, 16.8.10, 16.7.10, 16.6.10, 16.5.10, 16.4.7, 16.3.9, 16.2.11, 16.1.8, and 16.0.10 for GitLab Community Edition (CE) and Enterprise Edition (EE). 
This extends the security fixes previously added to 17.3.3, 17.2.7, 17.1.8, 17.0.8, 16.11.10.</p> <p>These versions contain backports of an important security fix which was previously <a href="https://about.gitlab.com/releases/2024/09/17/patch-release-gitlab-17-3-3-released/">released for GitLab versions 17.3.3, 17.2.7, 17.1.8, 17.0.8, and 16.11.10</a>. We strongly recommend that all affected self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.</p> <p>GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases, and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, you can visit our <a href="https://handbook.gitlab.com/handbook/engineering/releases/">releases handbook</a> and <a href="https://about.gitlab.com/security/faq/">security FAQ</a>. You can see all of GitLab release blog posts <a href="/releases/categories/releases/">here</a>.</p> <p>For security fixes, the issues detailing each vulnerability are made public on our <a href="https://gitlab.com/gitlab-org/gitlab/-/issues/?sort=created_date&amp;state=closed&amp;label_name%5B%5D=bug%3A%3Avulnerability&amp;confidential=no&amp;first_page_size=100">issue tracker</a> 30 days after the release in which they were patched.</p> <p>We are committed to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. 
You can read more <a href="/blog/gitlab-instance-security-best-practices/">best practices in securing your GitLab instance</a> in our blog post.</p> <p>Special thanks goes to Roger Meier (@bufferoverflow) who originally created the merge request in Canonical.</p> <h3 id="recommended-action">Recommended Action</h3> <p>We <strong>strongly recommend</strong> that all installations running a version affected by the issue described below be <strong>upgraded to the latest version as soon as possible</strong>.</p> <p>When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.</p> <h2 id="security-fixes">Security fixes</h2> <h3 id="table-of-security-fixes">Table of security fixes</h3> <table> <thead> <tr> <th>Title</th> <th>Severity</th> </tr> </thead> <tbody> <tr> <td><a href="#saml-authentication-bypass">SAML authentication bypass</a></td> <td>Critical</td> </tr> </tbody> </table> <h3 id="saml-authentication-bypass">SAML authentication bypass</h3> <p>Updates dependencies <code>omniauth-saml</code> to version 2.2.1 and <code>ruby-saml</code> to 1.17.0 to mitigate <a href="https://nvd.nist.gov/vuln/detail/CVE-2024-45409">CVE-2024-45409</a>. 
This security vulnerability applies only to instances which have configured SAML based authentication.</p> <h4 id="self-managed-gitlab-known-mitigations">Self Managed GitLab: Known Mitigations</h4> <p>The following mitigation for self-managed GitLab installations prevents successful exploitation of <a href="https://nvd.nist.gov/vuln/detail/CVE-2024-45409">CVE-2024-45409</a>:</p> <ol> <li>Enable GitLab <a href="https://docs.gitlab.com/ee/user/profile/account/two_factor_authentication.html">two-factor authentication</a> for <a href="https://docs.gitlab.com/ee/security/two_factor_authentication.html#enforce-2fa-for-all-users">all user accounts</a> on the GitLab self-managed instance (NOTE: Enabling identity provider multi-factor authentication does not mitigate this vulnerability) <strong>and</strong></li> <li>Do not allow the <a href="https://docs.gitlab.com/ee/integration/saml.html#bypass-two-factor-authentication">SAML two-factor bypass</a> option in GitLab.</li> </ol> <h4 id="self-managed-gitlab-identifying--detecting-exploitation-attempts">Self Managed GitLab: Identifying &amp; Detecting Exploitation Attempts</h4> <p>Evidence of attempted or successful exploitation of Ruby-SAML (<a href="https://nvd.nist.gov/vuln/detail/CVE-2024-45409">CVE-2024-45409</a>) will be present in the GitLab <a href="https://docs.gitlab.com/ee/administration/logs/#application_jsonlog">application_json</a> and <a href="https://docs.gitlab.com/ee/administration/logs/#auth_jsonlog">auth_json</a> log files.</p> <h5 id="unsuccessful-exploit-attempt---hunting">Unsuccessful Exploit Attempt - Hunting</h5> <p>Unsuccessful exploitation attempts may generate a <code>ValidationError</code> from the <code>RubySaml</code> library. This could be for a variety of reasons related to the complexity of crafting a working exploit.</p> <p>Two examples are shown below, but the error may manifest with other descriptions. 
The common string to search for is <code>RubySaml::ValidationError</code> inside the application_json log.</p> <ol> <li>Invalid ticket due to incorrect callback URL <ol> <li>Example log event:</li> <li><code>{"severity":"ERROR","time":"2024-xx-xx","correlation_id":"xx","message":"(saml) Authentication failure! invalid_ticket: OneLogin::RubySaml::ValidationError, The response was received at https://domain.com/users/auth/saml/incorrect_callback instead of https://domain.com/users/auth/saml/callback"}</code></li> </ol> </li> <li>Invalid ticket due to a certificate signing issue <ol> <li>Example log event:</li> <li><code>"message":"(saml) Authentication failure! invalid_ticket: OneLogin::RubySaml::ValidationError, Fingerprint mismatch"</code></li> </ol> </li> </ol> <h5 id="successful-exploitation---hunting">Successful Exploitation - Hunting</h5> <p>Successful exploitation attempts trigger SAML-related log events. However, there may be differences that distinguish an exploit attempt from legitimate SAML authentication events.</p> <p>A successful exploitation attempt logs whatever extern_uid value the attacker set. 
Therefore, an extern_uid that is not common in your organization could be an indicator of potential exploitation.</p> <ol> <li>Example exploit authentication event in the application_json log file, with an extern_uid set by exploit PoC code: <ol> <li>Log event:</li> <li><code>{"severity":"INFO","time":"2024-xx-xx","correlation_id":"xx","meta.caller_id":"OmniauthCallbacksController#saml","meta.remote_ip":"0.0.0.0","meta.feature_category":"system_access","meta.client_id":"ip/0.0.0.0","message":"(SAML) saving user exploit-test-user@domain.com from login with admin =\\u003e false, extern_uid =\\u003e exploit-test-user"}</code></li> </ol> </li> </ol> <p>When crafting an exploit, there are many <a href="https://docs.gitlab.com/ee/integration/saml.html#configure-assertions">SAML assertions</a> an attacker would need to craft to replicate a legitimate login exactly. These include both the key and value fields that you specify at your IdP, which may be unknown to unauthorized individuals, especially if you have customized these attributes.</p> <p>You can review your auth_json log file to look for SAML responses with incorrect or missing information in the <code>attributes</code> section.</p> <ol> <li>Example of a SAML authentication event in the auth_json log file. 
<ol> <li><code>"severity":"INFO","time":"2024-xx-xx","correlation_id":"xx","meta.caller_id":"OmniauthCallbacksController#saml","meta.remote_ip":"0.0.0.0","meta.feature_category":"system_access","meta.client_id":"ip/0.0.0.0","payload_type":"saml_response": {"issuer": ["xxx"],"name_id": "xxx","name_id_format": "xxx","name_id_spnamequalifier": null,"name_id_namequalifier": null,"destination": "xxx","audiences": ["xxx"],"attributes": {"first_name": ["xxx"],"last_name": ["yyy"], "email": ["zzz"]}}</code></li> </ol> </li> </ol> <h5 id="detecting-exploitation-attempts">Detecting Exploitation Attempts</h5> <p>For self-managed customers forwarding GitLab application_json logs to a SIEM, it is possible to create detections for Ruby-SAML (<a href="https://nvd.nist.gov/vuln/detail/CVE-2024-45409">CVE-2024-45409</a>) exploitation attempts. Our team is sharing two threat detection rules, written in Sigma format, to detect potential exploitation.</p> <p><strong>Note:</strong> These detections may need to be tuned and modified to customer environments in order to deliver effective results, and due to varying configurations of different customer environments, customers should validate the legitimacy and accuracy of any events identified by these detections.</p> <h5 id="users-with-more-than-1-unique-extern_uid-over-time">Users with more than 1 unique extern_uid over time</h5> <p>This detection is designed to identify an authenticated SAML user with more than one extern_uid value linked to authentication events, a potential indication of malicious authentications with an attacker-set extern_uid field.</p> <div class="highlight"><pre class="highlight plaintext"><code>title: Multiple extern_ids
description: Detects when there are multiple extern_ids associated with a user.
author: Gitlab Security Engineering
date: 09/15/2024
schedule: "*/10 * * * *"
pseudocode: |
  select log source application.log
  where 7d &lt; event_time &lt; now()
  where severity="INFO" and meta_caller_id="Groups::OmniauthCallbacksController#group_saml"
  regex(message, "saving user (?&lt;user_email&gt;\S+) .*extern_uid \S+ (?&lt;extern_id&gt;[\S]+)")
  count extern_id by user_email as total_extern_ids
  where total_extern_ids &gt; 1
verify: Review Gitlab application logs for the source IP of the SAML authentications. If there is a singular IP for all extern_ids this could point to a false positive. Cross reference the SAML authentication source IP/s with the known user's IP from sso authentication logs.
tuning: N/A
</code></pre></div> <h5 id="gitlab-saml-authentication-from-a-different-ip-address-than-other-idp-events-for-the-same-user-over-time">GitLab SAML authentication from a different IP address than other IdP events for the same user over time</h5> <p>This detection correlates authentication events, grouped by user, across GitLab SAML authentication events and other IdP authentication events, in order to identify any change in the user's IP address, which could be an indication of attacker authentication sessions.</p> <div class="highlight"><pre class="highlight plaintext"><code>title: Gitlab SAML IP differs from SSO IP
description: Detects when the source IP for the SAML authentication to Gitlab from application.log differs from the user's known IP from SSO MFA logs.
author: Gitlab Security Engineering
date: 09/15/2024
schedule: "*/10 * * * *"
pseudocode: |
  select log source application.log
  where severity="INFO" and meta_caller_id="Groups::OmniauthCallbacksController#group_saml"
  regex(message, "saving user (?&lt;user_email&gt;\S+) ")
  #Create sub-query to bring in table from SSO authentication data
  select meta_remote_ip, user_email
  where user_email in (
    select log source authentication
    where 1d &lt; event_time &lt; now()
    where event_type="user.authentication.auth_via_mfa"
    group by user_email, sso_source_ip
  )
  where sso_source_ip!=meta_remote_ip
verify: False positives can arise when the user is traveling. Review SSO authentication logs to see if the geo-location is similar to the SAML authentication to Gitlab. If any discrepancies are found, reach out to the user for verification. If the user is not traveling, temporarily lock the user's Gitlab account and review their activity through Gitlab's application logs.
tuning: If the query is producing high false positives, consider using geolocation functions on IPs to compare the cities and countries that are generating the authentications.
</code></pre></div> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">update page</a>. To update Gitlab Runner, see the <a href="https://docs.gitlab.com/runner/install/linux-repository.html#updating-the-runner">Updating the Runner page</a>.</p> <h2 id="receive-patch-notifications">Receive Patch Notifications</h2> <p>To receive patch blog notifications delivered to your inbox, visit our <a href="https://about.gitlab.com/company/contact/">contact us</a> page. 
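The two rules above are SIEM pseudocode. As an added example (not GitLab's code, and not part of the published rules), the same logic in Python run over constructed application_json lines: the RubySaml::ValidationError hunt, the multiple-extern_uid rule, and the SAML-IP-versus-SSO-IP rule. The sample events, the SSO_MFA_IPS table and the IP addresses are constructed; accepting the instance-level `OmniauthCallbacksController#saml` caller alongside the group SAML caller is an assumption drawn from the example event in the hunting section.

```python
import json
import re
from collections import defaultdict

# Regex from the "Multiple extern_ids" rule above. After JSON decoding, the
# message reads "(SAML) saving user <email> from login with admin => <bool>,
# extern_uid => <uid>", so the first \S+ after "extern_uid" consumes the "=>".
SAVING_USER_RE = re.compile(
    r"saving user (?P<user_email>\S+) .*extern_uid \S+ (?P<extern_id>\S+)")
VALIDATION_ERROR = "RubySaml::ValidationError"

# The published rule filters on the group SAML controller; the page's example
# event shows instance-level SAML logging under OmniauthCallbacksController#saml.
# Accepting both is an assumption made for this example.
SAML_CALLERS = {
    "OmniauthCallbacksController#saml",
    "Groups::OmniauthCallbacksController#group_saml",
}

# Constructed application_json lines (not real events). The logger writes the
# Ruby hash arrow as "\u003e" inside JSON, as in the page's example event.
SAMPLE_LOG = r"""
{"severity":"ERROR","time":"2024-09-18T10:00:00.000Z","correlation_id":"c1","message":"(saml) Authentication failure! invalid_ticket: OneLogin::RubySaml::ValidationError, Fingerprint mismatch"}
{"severity":"INFO","time":"2024-09-18T10:01:00.000Z","correlation_id":"c2","meta.caller_id":"OmniauthCallbacksController#saml","meta.remote_ip":"203.0.113.10","message":"(SAML) saving user alice@example.com from login with admin =\u003e false, extern_uid =\u003e alice"}
{"severity":"INFO","time":"2024-09-18T10:02:00.000Z","correlation_id":"c3","meta.caller_id":"OmniauthCallbacksController#saml","meta.remote_ip":"198.51.100.7","message":"(SAML) saving user alice@example.com from login with admin =\u003e false, extern_uid =\u003e exploit-test-user"}
{"severity":"INFO","time":"2024-09-18T10:03:00.000Z","correlation_id":"c4","meta.caller_id":"Groups::OmniauthCallbacksController#group_saml","meta.remote_ip":"203.0.113.11","message":"(SAML) saving user bob@example.com from login with admin =\u003e false, extern_uid =\u003e bob"}
this line is not JSON and is skipped by the parser
"""

# Constructed stand-in for the SSO MFA sub-query in the second rule:
# user_email -> set of source IPs seen at the IdP for that user.
SSO_MFA_IPS = {
    "alice@example.com": {"203.0.113.10"},
    "bob@example.com": {"203.0.113.11"},
}


def parse_events(lines):
    """Decode one JSON object per line; blank and non-JSON lines are dropped."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(obj, dict):
            events.append(obj)
    return events


def validation_errors(events):
    """Unsuccessful-attempt hunt: ERROR events carrying RubySaml::ValidationError."""
    return [e for e in events
            if e.get("severity") == "ERROR" and VALIDATION_ERROR in e.get("message", "")]


def saml_logins(events, since=None):
    """(user_email, extern_uid, remote_ip) for each successful SAML user save.

    `since` is an ISO 8601 UTC timestamp string standing in for the rule's
    "7d < event_time" window; same-format ISO strings compare lexicographically.
    """
    found = []
    for e in events:
        if e.get("severity") != "INFO" or e.get("meta.caller_id") not in SAML_CALLERS:
            continue
        if since is not None and e.get("time", "") < since:
            continue
        m = SAVING_USER_RE.search(e.get("message", ""))
        if m:
            found.append((m["user_email"], m["extern_id"], e.get("meta.remote_ip")))
    return found


def users_with_multiple_extern_uids(events, since=None):
    """Rule 1: users whose SAML logins carry more than one distinct extern_uid."""
    uids = defaultdict(set)
    for email, uid, _ip in saml_logins(events, since):
        uids[email].add(uid)
    return {email: sorted(u) for email, u in uids.items() if len(u) > 1}


def saml_ip_differs_from_sso(events, sso_ips, since=None):
    """Rule 2: SAML logins whose source IP is not among the user's SSO MFA IPs.
    Users with no SSO record are skipped, like the rule's `user_email in (...)`."""
    return [(email, uid, ip) for email, uid, ip in saml_logins(events, since)
            if email in sso_ips and ip not in sso_ips[email]]


def run(log_text=SAMPLE_LOG, sso_ips=SSO_MFA_IPS):
    """Run all three checks over the log text and return the findings."""
    events = parse_events(log_text.splitlines())
    return {
        "validation_errors": [e["correlation_id"] for e in validation_errors(events)],
        "users_with_multiple_extern_uids": users_with_multiple_extern_uids(events),
        "saml_ip_differs_from_sso": saml_ip_differs_from_sso(events, sso_ips),
    }


if __name__ == "__main__":
    print(json.dumps(run(), indent=2))
```

In the constructed sample, alice's second login comes from an unknown IP with an extern_uid never seen before, so both rules flag it while bob's group SAML login passes; the verify steps of the rules still apply before acting on a hit.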
To receive release notifications via RSS, subscribe to our <a href="https://about.gitlab.com/security-releases.xml">patch release RSS feed</a> or our <a href="https://about.gitlab.com/all-releases.xml">RSS feed for all releases</a>.</p> <h2 id="were-combining-patch-and-security-releases">We’re combining patch and security releases</h2> <p>This improvement in our release process matches the industry standard and will help GitLab users get information about security and bug fixes sooner, <a href="https://about.gitlab.com/blog/were-combining-patch-and-security-releases/">read the blog post here</a>.</p> <img src='https://about.gitlab.com/images/blogimages/security-cover-new.png' class='webfeedsFeaturedVisual' style='display: none;' /> GitLab Critical Patch Release: 17.3.3, 17.2.7, 17.1.8, 17.0.8, 16.11.10 https://about.gitlab.com/releases/2024/09/17/patch-release-gitlab-17-3-3-released/ 2024-09-17T00:00:00+00:00 2024-09-17T00:00:00+00:00 Rohit Shambhuni <!-- For detailed instructions on how to complete this, please see https://gitlab.com/gitlab-org/release/docs/-/blob/master/general/patch/blog-post.md --> <p>Today we are releasing versions 17.3.3, 17.2.7, 17.1.8, 17.0.8, 16.11.10 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.</p> <p><strong>All GitLab Dedicated instances have been upgraded and customers do not need to take action.</strong></p> <p>GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases, and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. 
For more information, you can visit our <a href="https://handbook.gitlab.com/handbook/engineering/releases/">releases handbook</a> and <a href="https://about.gitlab.com/security/faq/">security FAQ</a>. You can see all of GitLab release blog posts <a href="/releases/categories/releases/">here</a>.</p> <p>For security fixes, the issues detailing each vulnerability are made public on our <a href="https://gitlab.com/gitlab-org/gitlab/-/issues/?sort=created_date&amp;state=closed&amp;label_name%5B%5D=bug%3A%3Avulnerability&amp;confidential=no&amp;first_page_size=100">issue tracker</a> 30 days after the release in which they were patched.</p> <p>We are committed to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more <a href="/blog/gitlab-instance-security-best-practices/">best practices in securing your GitLab instance</a> in our blog post.</p> <p>Version 17.2.6 has been used to remediate GitLab Dedicated and hasn't been made public. Version 17.2.7 contains identical changes.</p> <h3 id="recommended-action">Recommended Action</h3> <p>We <strong>strongly recommend</strong> that all installations running a version affected by the issues described below are <strong>upgraded to the latest version as soon as possible</strong>.</p> <p>When no specific deployment type (omnibus, source code, helm chart, etc.) 
of a product is mentioned, this means all types are affected.</p> <h2 id="security-fixes">Security fixes</h2> <h3 id="table-of-security-fixes">Table of security fixes</h3> <table> <thead> <tr> <th>Title</th> <th>Severity</th> </tr> </thead> <tbody> <tr> <td><a href="#saml-authentication-bypass">SAML authentication bypass</a></td> <td>Critical</td> </tr> </tbody> </table> <h3 id="saml-authentication-bypass">SAML authentication bypass</h3> <p>Updates dependencies <code>omniauth-saml</code> to version 2.2.1 and <code>ruby-saml</code> to 1.17.0 to mitigate <a href="https://nvd.nist.gov/vuln/detail/CVE-2024-45409">CVE-2024-45409</a>. This security vulnerability applies only to instances which have configured SAML based authentication.</p> <h4 id="self-managed-gitlab-known-mitigations">Self Managed GitLab: Known Mitigations</h4> <p>The following mitigation for self-managed GitLab installations prevents successful exploitation of <a href="https://nvd.nist.gov/vuln/detail/CVE-2024-45409">CVE-2024-45409</a>:</p> <ol> <li>Enable GitLab <a href="https://docs.gitlab.com/ee/user/profile/account/two_factor_authentication.html">two-factor authentication</a> for <a href="https://docs.gitlab.com/ee/security/two_factor_authentication.html#enforce-2fa-for-all-users">all user accounts</a> on the GitLab self-managed instance (NOTE: Enabling identity provider multi-factor authentication does not mitigate this vulnerability) <strong>and</strong></li> <li>Do not allow the <a href="https://docs.gitlab.com/ee/integration/saml.html#bypass-two-factor-authentication">SAML two-factor bypass</a> option in GitLab.</li> </ol> <h4 id="self-managed-gitlab-identifying--detecting-exploitation-attempts">Self Managed GitLab: Identifying &amp; Detecting Exploitation Attempts</h4> <p>Evidence of attempted or successful exploitation of Ruby-SAML (<a href="https://nvd.nist.gov/vuln/detail/CVE-2024-45409">CVE-2024-45409</a>) will be present in the GitLab <a 
href="https://docs.gitlab.com/ee/administration/logs/#application_jsonlog">application_json</a> and <a href="https://docs.gitlab.com/ee/administration/logs/#auth_jsonlog">auth_json</a> log files.</p> <h5 id="unsuccessful-exploit-attempt---hunting">Unsuccessful Exploit Attempt - Hunting</h5> <p>Unsuccessful exploitation attempts may generate a <code>ValidationError</code> from the <code>RubySaml</code> library. This could be for a variety of reasons related to the complexity of crafting a working exploit.</p> <p>Two examples are shown below, but the error may manifest with other descriptions. The common string to search for is <code>RubySaml::ValidationError</code> inside the application_json log.</p> <ol> <li>Invalid ticket due to incorrect callback URL <ol> <li>Example log event:</li> <li><code>{"severity":"ERROR","time":"2024-xx-xx","correlation_id":"xx","message":"(saml) Authentication failure! invalid_ticket: OneLogin::RubySaml::ValidationError, The response was received at https://domain.com/users/auth/saml/incorrect_callback instead of https://domain.com/users/auth/saml/callback"}</code></li> </ol> </li> <li>Invalid ticket due to a certificate signing issue <ol> <li>Example log event:</li> <li><code>"message":"(saml) Authentication failure! invalid_ticket: OneLogin::RubySaml::ValidationError, Fingerprint mismatch"</code></li> </ol> </li> </ol> <h5 id="successful-exploitation---hunting">Successful Exploitation - Hunting</h5> <p>Successful exploitation attempts trigger SAML-related log events. However, there may be differences that distinguish an exploit attempt from legitimate SAML authentication events.</p> <p>A successful exploitation attempt logs whatever extern_uid value the attacker set. 
Therefore, an extern_uid that is not common in your organization could be an indicator of potential exploitation.</p> <ol> <li>Example exploit authentication event in the application_json log file, with an extern_uid set by exploit PoC code: <ol> <li>Log event:</li> <li><code>{"severity":"INFO","time":"2024-xx-xx","correlation_id":"xx","meta.caller_id":"OmniauthCallbacksController#saml","meta.remote_ip":"0.0.0.0","meta.feature_category":"system_access","meta.client_id":"ip/0.0.0.0","message":"(SAML) saving user exploit-test-user@domain.com from login with admin =\\u003e false, extern_uid =\\u003e exploit-test-user"}</code></li> </ol> </li> </ol> <p>When crafting an exploit, there are many <a href="https://docs.gitlab.com/ee/integration/saml.html#configure-assertions">SAML assertions</a> an attacker would need to craft to replicate a legitimate login exactly. These include both the key and value fields that you specify at your IdP, which may be unknown to unauthorized individuals, especially if you have customized these attributes.</p> <p>You can review your auth_json log file to look for SAML responses with incorrect or missing information in the <code>attributes</code> section.</p> <ol> <li>Example of a SAML authentication event in the auth_json log file. 
<ol> <li><code>"severity":"INFO","time":"2024-xx-xx","correlation_id":"xx","meta.caller_id":"OmniauthCallbacksController#saml","meta.remote_ip":"0.0.0.0","meta.feature_category":"system_access","meta.client_id":"ip/0.0.0.0","payload_type":"saml_response": {"issuer": ["xxx"],"name_id": "xxx","name_id_format": "xxx","name_id_spnamequalifier": null,"name_id_namequalifier": null,"destination": "xxx","audiences": ["xxx"],"attributes": {"first_name": ["xxx"],"last_name": ["yyy"], "email": ["zzz"]}}</code></li> </ol> </li> </ol>
<h5 id="detecting-exploitation-attempts">Detecting Exploitation Attempts</h5>
<p>For self-managed customers forwarding GitLab application_json logs to a SIEM, it is possible to create detections for Ruby-SAML (<a href="https://nvd.nist.gov/vuln/detail/CVE-2024-45409">CVE-2024-45409</a>) exploitation attempts. Our team is sharing two threat detection rules, written in Sigma format, to detect potential exploitation.</p>
<p><strong>Note:</strong> These detections may need to be tuned and modified for each customer environment in order to deliver effective results. Because customer environments differ in configuration, customers should validate the legitimacy and accuracy of any events identified by these detections.</p>
<h5 id="users-with-more-than-1-unique-extern_uid-over-time">Users with more than 1 unique extern_uid over time</h5>
<p>This detection is designed to identify an authenticated SAML user with more than one extern_uid value linked to authentication events, a potential indication of malicious authentications with an attacker-set extern_uid field.</p>
<div class="highlight"><pre class="highlight plaintext"><code>title: Multiple extern_ids
description: Detects when there are multiple extern_ids associated with a user.
author: Gitlab Security Engineering
date: 09/15/2024
schedule: "*/10 * * * *"
pseudocode: |
  select log source application.log
  where 7d &lt; event_time &lt; now()
  where severity="INFO" and meta_caller_id="Groups::OmniauthCallbacksController#group_saml"
  regex(message, "saving user (?&lt;user_email&gt;\S+) .*extern_uid \S+ (?&lt;extern_id&gt;[\S]+)")
  count extern_id by user_email as total_extern_ids
  where total_extern_ids &gt; 1
verify: Review Gitlab application logs for the source IP of the SAML authentications. If there is a singular IP for all extern_ids this could point to a false positive. Cross reference the SAML authentication source IP/s with the known user's IP from sso authentication logs.
tuning: N/A
</code></pre></div>
<h5 id="gitlab-saml-authentication-from-a-different-ip-address-than-other-idp-events-for-the-same-user-over-time">GitLab SAML authentication from a different IP address than other IdP events for the same user over time</h5>
<p>This detection is designed to correlate authentication events, grouped by user, across both GitLab SAML authentication events and other IdP authentication events, in order to identify any change in user IP address, which could be an indication of attacker authentication sessions.</p>
<div class="highlight"><pre class="highlight plaintext"><code>title: Gitlab SAML IP differs from SSO IP
description: Detects when the source IP for the SAML authentication to Gitlab from application.log differs from the user's known IP from SSO MFA logs.
author: Gitlab Security Engineering
date: 09/15/2024
schedule: "*/10 * * * *"
pseudocode: |
  select log source application.log
  where severity="INFO" and meta_caller_id="Groups::OmniauthCallbacksController#group_saml"
  regex(message, "saving user (?&lt;user_email&gt;\S+) ")
  #Create sub-query to bring in table from SSO authentication data
  select meta_remote_ip, user_email
  where user_email in (
    select log source authentication
    where 1d &lt; event_time &lt; now()
    where event_type="user.authentication.auth_via_mfa"
    group by user_email, sso_source_ip
  )
  where sso_source_ip!=meta_remote_ip
verify: False positives can arise when the user is traveling. Review SSO authentication logs to see if the geo-location is similar to the SAML authentication to Gitlab. If any discrepancies are found, reach out to the user for verification. If the user is not traveling, temporarily lock the user's Gitlab account and review their activity through Gitlab's application logs.
tuning: If the query is producing high false positives, consider using geolocation functions on IPs to compare the cities and countries that are generating the authentications.
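</code></pre></div>
<p>As an added worked example (not GitLab's own code and not part of the original post), the following Python script applies both detection rules above to constructed GitLab application_json and SSO MFA log lines. It assumes the <code>saving user &lt;email&gt; ... extern_uid =&gt; &lt;uid&gt;</code> message layout that the page's regex is written against; the e-mail addresses, IPs, timestamps and the SSO log field names (<code>user_email</code>, <code>source_ip</code>, <code>event_type</code>) are constructed for the example. Like the page's pseudocode it windows only the SSO side of the second rule, and it treats every MFA source IP seen for the user in that window as known, so a SAML login only fires when its IP matches none of them.</p>

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Caller id the page's pseudocode filters on for group SAML callbacks.
SAML_CALLER = "Groups::OmniauthCallbacksController#group_saml"

# The page's regex in Python named-group syntax. The message layout
# "... saving user <email> from login with ..., extern_uid => <uid>" is an assumption.
SAVING_USER_RE = re.compile(
    r"saving user (?P<user_email>\S+) .*extern_uid \S+ (?P<extern_id>\S+)"
)

# Fixed "now" so the time windows below are deterministic.
NOW = datetime(2024, 9, 16, 12, 0, tzinfo=timezone.utc)


def _ts(days_ago=0, hours_ago=0):
    """Timestamp relative to NOW, in the layout of the page's log excerpt."""
    return (NOW - timedelta(days=days_ago, hours=hours_ago)).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def _app_line(caller, ip, email, uid, **when):
    """One constructed application_json line; field names follow the page's excerpt."""
    return json.dumps({
        "severity": "INFO", "time": _ts(**when),
        "meta.caller_id": caller, "meta.remote_ip": ip,
        "message": f"(group_saml) saving user {email} from login with admin => false, extern_uid => {uid}",
    })


# Constructed sample logs (not real data); the IPs are from documentation ranges.
APP_LOG = [
    _app_line(SAML_CALLER, "203.0.113.10", "alice@example.com", "alice.idp", hours_ago=3),
    # same user, a different extern_uid and a different source IP: both rules fire
    _app_line(SAML_CALLER, "198.51.100.7", "alice@example.com", "attacker-chosen", hours_ago=1),
    _app_line(SAML_CALLER, "203.0.113.20", "bob@example.com", "bob.idp", hours_ago=2),
    # bob's second extern_uid is older than the 7-day window, so rule 1 ignores it
    _app_line(SAML_CALLER, "203.0.113.20", "bob@example.com", "bob.old", days_ago=10),
    # a different caller id is outside the scope of both rules
    _app_line("OmniauthCallbacksController#saml", "192.0.2.9", "alice@example.com", "other-provider", hours_ago=1),
]

SSO_MFA_LOG = [
    json.dumps({"time": _ts(hours_ago=4), "event_type": "user.authentication.auth_via_mfa",
                "user_email": "alice@example.com", "source_ip": "203.0.113.10"}),
    json.dumps({"time": _ts(hours_ago=2), "event_type": "user.authentication.auth_via_mfa",
                "user_email": "bob@example.com", "source_ip": "203.0.113.20"}),
    # not an MFA event: the sub-query must ignore it, or it would whitelist the suspect IP
    json.dumps({"time": _ts(hours_ago=1), "event_type": "user.session.start",
                "user_email": "alice@example.com", "source_ip": "198.51.100.7"}),
]


def _parse_time(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def saml_saves(app_log, now=NOW, window=None):
    """Yield (user_email, extern_id, remote_ip) for group SAML 'saving user' events,
    optionally restricted to the last `window`."""
    for raw in app_log:
        line = json.loads(raw)
        if line.get("severity") != "INFO" or line.get("meta.caller_id") != SAML_CALLER:
            continue
        if window is not None and not (now - window <= _parse_time(line["time"]) <= now):
            continue
        m = SAVING_USER_RE.search(line.get("message", ""))
        if m:
            yield m["user_email"], m["extern_id"], line.get("meta.remote_ip")


def multiple_extern_ids(app_log, now=NOW, window=timedelta(days=7)):
    """Rule 1: users whose SAML logins carried more than one distinct extern_uid
    inside the window. Returns {user_email: sorted extern_ids}."""
    seen = defaultdict(set)
    for email, extern_id, _ in saml_saves(app_log, now, window):
        seen[email].add(extern_id)
    return {email: sorted(ids) for email, ids in seen.items() if len(ids) > 1}


def saml_ip_differs_from_sso(app_log, sso_log, now=NOW, window=timedelta(days=1)):
    """Rule 2: SAML logins whose source IP matches none of the user's SSO MFA
    source IPs in the window (as in the page's pseudocode, only the SSO side is
    windowed). Returns a list of (user_email, saml_ip, sorted known SSO IPs)."""
    known = defaultdict(set)
    for raw in sso_log:
        ev = json.loads(raw)
        if ev.get("event_type") != "user.authentication.auth_via_mfa":
            continue
        if now - window <= _parse_time(ev["time"]) <= now:
            known[ev["user_email"]].add(ev["source_ip"])
    hits = []
    for email, _, ip in saml_saves(app_log, now):
        if email in known and ip not in known[email]:
            hits.append((email, ip, sorted(known[email])))
    return hits
```

<p>With the constructed data, rule 1 reports only alice (two extern_uids inside seven days) and rule 2 reports alice's login from 198.51.100.7, because her only MFA-backed IP in the last day is 203.0.113.10. The two filters worth keeping exact in a SIEM translation are the caller id plus the regex on the application.log side and the <code>event_type</code> on the SSO side: the constructed <code>user.session.start</code> line shows that dropping the latter would let any SSO event whitelist the suspect IP.</p>
<div class="highlight"><pre class="highlight plaintext"><code>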
</code></pre></div> <h2 id="bug-fixes">Bug fixes</h2> <h3 id="1733">17.3.3</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/165585">Improve OpenSSL 3 upgrading warning notes</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/166063">Upgrade bundler for the GitLab Backup CLI gem</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/166059">Update ruby-saml and omniauth-saml</a></li> </ul> <h3 id="1727">17.2.7</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/165587">Improve OpenSSL 3 upgrading warning notes</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/166043">Update ruby-saml and omniauth-saml</a></li> </ul> <h3 id="1718">17.1.8</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/165589">Improve OpenSSL 3 upgrading warning notes</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/166058">Update ruby-saml and omniauth-saml</a></li> </ul> <h3 id="1708">17.0.8</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/166058">Update ruby-saml and omniauth-saml</a></li> </ul> <h3 id="161110">16.11.10</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/166058">Update ruby-saml and omniauth-saml</a></li> </ul> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">update page</a>. To update Gitlab Runner, see the <a href="https://docs.gitlab.com/runner/install/linux-repository.html#updating-the-runner">Updating the Runner page</a>.</p> <h2 id="receive-patch-notifications">Receive Patch Notifications</h2> <p>To receive patch blog notifications delivered to your inbox, visit our <a href="https://about.gitlab.com/company/contact/">contact us</a> page. 
To receive release notifications via RSS, subscribe to our <a href="https://about.gitlab.com/security-releases.xml">patch release RSS feed</a> or our <a href="https://about.gitlab.com/all-releases.xml">RSS feed for all releases</a>.</p> <h2 id="were-combining-patch-and-security-releases">We’re combining patch and security releases</h2> <p>This improvement in our release process matches the industry standard and will help GitLab users get information about security and bug fixes sooner, <a href="https://about.gitlab.com/blog/were-combining-patch-and-security-releases/">read the blog post here</a>.</p>
GitLab Critical Patch Release: 17.3.2, 17.2.5, 17.1.7 https://about.gitlab.com/releases/2024/09/11/patch-release-gitlab-17-3-2-released/ 2024-09-11T00:00:00+00:00 Ottilia Westerlund
<p>Today we are releasing versions 17.3.2, 17.2.5, 17.1.7 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.</p> <p>GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases, and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, you can visit our <a href="https://handbook.gitlab.com/handbook/engineering/releases/">releases handbook</a> and <a href="https://about.gitlab.com/security/faq/">security FAQ</a>.
You can see all of GitLab release blog posts <a href="/releases/categories/releases/">here</a>.</p> <p>For security fixes, the issues detailing each vulnerability are made public on our <a href="https://gitlab.com/gitlab-org/gitlab/-/issues/?sort=created_date&amp;state=closed&amp;label_name%5B%5D=bug%3A%3Avulnerability&amp;confidential=no&amp;first_page_size=100">issue tracker</a> 30 days after the release in which they were patched.</p> <p>We are committed to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more <a href="/blog/gitlab-instance-security-best-practices/">best practices in securing your GitLab instance</a> in our blog post.</p> <h3 id="recommended-action">Recommended Action</h3> <p>We <strong>strongly recommend</strong> that all installations running a version affected by the issues described below are <strong>upgraded to the latest version as soon as possible</strong>.</p> <p>When no specific deployment type (omnibus, source code, helm chart, etc.) 
of a product is mentioned, this means all types are affected.</p> <h2 id="security-fixes">Security fixes</h2> <h3 id="table-of-security-fixes">Table of security fixes</h3> <table> <thead> <tr> <th>Title</th> <th>Severity</th> </tr> </thead> <tbody>
<tr> <td><a href="#execute-environment-stop-actions-as-the-owner-of-the-stop-action-job">Execute environment stop actions as the owner of the stop action job</a></td> <td>Critical</td> </tr>
<tr> <td><a href="#prevent-code-injection-in-product-analytics-funnels-yaml">Prevent code injection in Product Analytics funnels YAML</a></td> <td>High</td> </tr>
<tr> <td><a href="#ssrf-via-dependency-proxy">SSRF via Dependency Proxy</a></td> <td>High</td> </tr>
<tr> <td><a href="#denial-of-service-via-sending-a-specific-post-request">Denial of Service via sending a specific POST request</a></td> <td>High</td> </tr>
<tr> <td><a href="#ci_job_token-can-be-used-to-obtain-gitlab-session-token">CI_JOB_TOKEN can be used to obtain GitLab session token</a></td> <td>Medium</td> </tr>
<tr> <td><a href="#variables-from-settings-are-not-overwritten-by-pep-if-a-template-is-included">Variables from settings are not overwritten by PEP if a template is included</a></td> <td>Medium</td> </tr>
<tr> <td><a href="#guests-can-disclose-the-full-source-code-of-projects-using-custom-group-level-templates">Guests can disclose the full source code of projects using custom group-level templates</a></td> <td>Medium</td> </tr>
<tr> <td><a href="#identitiescontroller-allows-linking-of-arbitrary-unclaimed-provider-identities">IdentitiesController allows linking of arbitrary unclaimed provider identities</a></td> <td>Medium</td> </tr>
<tr> <td><a href="#open-redirect-in-repotreeid-endpoint-can-lead-to-account-takeover-through-broken-oauth-flow">Open redirect in repo/tree/:id endpoint can lead to account takeover through broken OAuth flow</a></td> <td>Medium</td> </tr>
<tr> <td><a 
href="#open-redirect-in-release-permanent-links-can-lead-to-account-takeover-through-broken-oauth-flow">Open redirect in release permanent links can lead to account takeover through broken OAuth flow</a></td> <td>Medium</td> </tr> <tr> <td><a href="#guest-user-with-admin-group-member-permission-can-edit-custom-role-to-gain-other-permissions">Guest user with Admin group member permission can edit custom role to gain other permissions</a></td> <td>Medium</td> </tr> <tr> <td><a href="#exposure-of-protected-and-masked-cicd-variables-by-abusing-on-demand-dast">Exposure of protected and masked CI/CD variables by abusing on-demand DAST</a></td> <td>Medium</td> </tr> <tr> <td><a href="#credentials-disclosed-when-repository-mirroring-fails">Credentials disclosed when repository mirroring fails</a></td> <td>Medium</td> </tr> <tr> <td><a href="#commit-information-visible-through-release-atom-endpoint-for-guest-users">Commit information visible through release atom endpoint for guest users</a></td> <td>Medium</td> </tr> <tr> <td><a href="#dependency-proxy-credentials-are-logged-in-plaintext-in-graphql-logs">Dependency Proxy Credentials are Logged in Plaintext in graphql Logs</a></td> <td>Medium</td> </tr> <tr> <td><a href="#user-application-can-spoof-the-redirect-url">User Application can spoof the redirect url</a></td> <td>Low</td> </tr> <tr> <td><a href="#group-developers-can-view-group-runners-information">Group Developers can view group runners information</a></td> <td>Low</td> </tr> </tbody> </table> <h3 id="execute-environment-stop-actions-as-the-owner-of-the-stop-action-job">Execute environment stop actions as the owner of the stop action job</h3> <p>An issue was discovered in GitLab CE/EE affecting all versions starting from 8.14 prior to 17.1.7, starting from 17.2 prior to 17.2.5, and starting from 17.3 prior to 17.3.2, which allows an attacker to trigger a pipeline as an arbitrary user under certain circumstances. 
This is a critical severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"><code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H</code></a>, 9.9). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6678">CVE-2024-6678</a>.</p> <p>Thanks <a href="https://hackerone.com/yvvdwf">yvvdwf</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="prevent-code-injection-in-product-analytics-funnels-yaml">Prevent code injection in Product Analytics funnels YAML</h3> <p>An issue has been discovered in GitLab EE affecting all versions starting from 16.11 prior to 17.1.7, from 17.2 prior to 17.2.5, and from 17.3 prior to 17.3.2. Due to incomplete input filtering, it was possible to inject commands into a connected Cube server. This is a high severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"><code>CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H</code></a>, 8.5). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-8640">CVE-2024-8640</a>.</p> <p>Thanks <a href="https://hackerone.com/joaxcar">joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="ssrf-via-dependency-proxy">SSRF via Dependency Proxy</h3> <p>A server-side request forgery issue has been discovered in GitLab EE affecting all versions starting from 16.8 prior to 17.1.7, from 17.2 prior to 17.2.5, and from 17.3 prior to 17.3.2. It was possible for an attacker to make requests to internal resources using a custom Maven Dependency Proxy URL.
This is a high severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"><code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N</code></a>, 7.7). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-8635">CVE-2024-8635</a>.</p> <p>This vulnerability was discovered internally by GitLab team member <a href="https://gitlab.com/joernchen">joernchen</a>.</p> <h3 id="denial-of-service-via-sending-a-specific-post-request">Denial of Service via sending a specific POST request</h3> <p>An issue was discovered in GitLab CE/EE affecting all versions starting from 16.4 prior to 17.1.7, starting from 17.2 prior to 17.2.5, and starting from 17.3 prior to 17.3.2, which could cause a Denial of Service when a specific POST request is sent. This is a high severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"><code>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</code></a>, 7.5). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-8124">CVE-2024-8124</a>.</p> <p>Thanks <a href="https://hackerone.com/sim4n6">sim4n6</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="ci_job_token-can-be-used-to-obtain-gitlab-session-token">CI_JOB_TOKEN can be used to obtain GitLab session token</h3> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.7 prior to 17.1.7, from 17.2 prior to 17.2.5, and from 17.3 prior to 17.3.2. It may have been possible for an attacker with a victim's CI_JOB_TOKEN to obtain a GitLab session token belonging to the victim.
This is a medium severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L"><code>CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L</code></a>, 6.7). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-8641">CVE-2024-8641</a>.</p> <p>Thanks <a href="https://hackerone.com/yvvdwf">yvvdwf</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="variables-from-settings-are-not-overwritten-by-pep-if-a-template-is-included">Variables from settings are not overwritten by PEP if a template is included</h3> <p>An issue was discovered with pipeline execution policies in GitLab EE affecting all versions from 17.2 prior to 17.2.5 and from 17.3 prior to 17.3.2, which allows authenticated users to bypass variable overwrite protection by including a CI/CD template. This is a medium severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"><code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N</code></a>, 6.5). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-8311">CVE-2024-8311</a>.</p> <p>This vulnerability was discovered internally by GitLab team member <a href="https://gitlab.com/Andyschoenen">Andy Schoenen</a>.</p> <h3 id="guests-can-disclose-the-full-source-code-of-projects-using-custom-group-level-templates">Guests can disclose the full source code of projects using custom group-level templates</h3> <p>An issue has been discovered in GitLab EE affecting all versions starting from 11.2 before 17.1.7, all versions starting from 17.2 before 17.2.5, and all versions starting from 17.3 before 17.3.2. It was possible for a guest to read the source code of a private project by using group templates.
This is a medium severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"><code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N</code></a>, 6.5). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4660">CVE-2024-4660</a>.</p> <p>Thanks <a href="https://hackerone.com/js_noob">js_noob</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="identitiescontroller-allows-linking-of-arbitrary-unclaimed-provider-identities">IdentitiesController allows linking of arbitrary unclaimed provider identities</h3> <p>An issue has been discovered in GitLab EE/CE affecting all versions from 16.9.7 prior to 17.1.7, 17.2 prior to 17.2.5, and 17.3 prior to 17.3.2. An improper input validation error allows an attacker to squat on accounts by linking arbitrary unclaimed provider identities when JWT authentication is configured. This is a medium severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N"><code>CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N</code></a>, 6.4). We have requested a CVE ID and will update this blog post when it is assigned.</p> <p>This vulnerability was discovered internally by GitLab team member <a href="https://gitlab.com/joernchen">Joern Schneeweisz</a>.</p> <h3 id="open-redirect-in-repotreeid-endpoint-can-lead-to-account-takeover-through-broken-oauth-flow">Open redirect in repo/tree/:id endpoint can lead to account takeover through broken OAuth flow</h3> <p>An issue has been discovered in GitLab EE affecting all versions starting from 11.1 before 17.1.7, 17.2 before 17.2.5, and 17.3 before 17.3.2. Under certain conditions, an open redirect vulnerability could allow for an account takeover by breaking the OAuth flow.
This is a medium severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N"><code>CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N</code></a>, 6.4). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4283">CVE-2024-4283</a>.</p> <p>Thanks <a href="https://hackerone.com/joaxcar">joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="open-redirect-in-release-permanent-links-can-lead-to-account-takeover-through-broken-oauth-flow">Open redirect in release permanent links can lead to account takeover through broken OAuth flow</h3> <p>An issue has been discovered in GitLab EE affecting all versions starting from 12.9 before 17.1.7, 17.2 before 17.2.5, and 17.3 before 17.3.2. Under certain conditions an open redirect vulnerability could allow for an account takeover by breaking the OAuth flow. This is a medium severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N"><code>CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N</code></a>, 6.4). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4612">CVE-2024-4612</a>.</p> <p>Thanks <a href="https://hackerone.com/joaxcar">joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="guest-user-with-admin-group-member-permission-can-edit-custom-role-to-gain-other-permissions">Guest user with Admin group member permission can edit custom role to gain other permissions</h3> <p>A privilege escalation issue has been discovered in GitLab EE affecting all versions starting from 16.6 prior to 17.1.7, from 17.2 prior to 17.2.5, and from 17.3 prior to 17.3.2. 
A user assigned the Admin Group Member custom role could have escalated their privileges to include other custom roles. This is a medium severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N"><code>CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N</code></a>, 5.5). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-8631">CVE-2024-8631</a>.</p> <p>Thanks <a href="https://hackerone.com/chotebabume">chotebabume</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="exposure-of-protected-and-masked-cicd-variables-by-abusing-on-demand-dast">Exposure of protected and masked CI/CD variables by abusing on-demand DAST</h3> <p>An issue was discovered in GitLab EE starting with version 13.3 before 17.1.7, 17.2 before 17.2.5, and 17.3 before 17.3.2 that would allow an attacker to modify an on-demand DAST scan without permissions and leak variables. This is a medium severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N"><code>CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N</code></a>, 5.3). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2743">CVE-2024-2743</a>.</p> <p>Thanks <a href="https://hackerone.com/0xn3va">0xn3va</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="credentials-disclosed-when-repository-mirroring-fails">Credentials disclosed when repository mirroring fails</h3> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.10 before 17.1.7, all versions starting from 17.2 before 17.2.5, and all versions starting from 17.3 before 17.3.2, which discloses the user password from the repository mirror configuration. This is a medium severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N"><code>CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N</code></a>, 4.5). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-5435">CVE-2024-5435</a>.</p> <p>Thanks <a href="https://hackerone.com/gudanggaramfilter">gudanggaramfilter</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="commit-information-visible-through-release-atom-endpoint-for-guest-users">Commit information visible through release atom endpoint for guest users</h3> <p>An issue was discovered in GitLab CE/EE affecting all versions starting with 17.0 before 17.1.7, 17.2 before 17.2.5, and 17.3 before 17.3.2. An attacker as a guest user was able to access commit information via the release Atom endpoint, contrary to permissions. This is a medium severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"><code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code></a>, 4.3).
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6389">CVE-2024-6389</a>.</p> <p>Thanks <a href="https://hackerone.com/ashish_r_padelkar">ashish_r_padelkar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="dependency-proxy-credentials-are-logged-in-plaintext-in-graphql-logs">Dependency Proxy Credentials are Logged in Plaintext in graphql Logs</h3> <p>An issue was discovered in GitLab CE/EE affecting all versions starting from 16.5 prior to 17.1.7, starting from 17.2 prior to 17.2.5, and starting from 17.3 prior to 17.3.2, where dependency proxy credentials are retained in graphql Logs. This is a medium severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"><code>CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N</code></a>, 4.0). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4472">CVE-2024-4472</a>.</p> <p>Thanks <a href="https://hackerone.com/ac7n0w">ac7n0w</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="user-application-can-spoof-the-redirect-url">User Application can spoof the redirect url</h3> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting from 17.1 to 17.1.7, 17.2 prior to 17.2.5 and 17.3 prior to 17.3.2. A crafted URL could be used to trick a victim into trusting an attacker-controlled application. This is a low severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N"><code>CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N</code></a>, 3.5).
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6446">CVE-2024-6446</a>.</p> <p>Thanks <a href="https://hackerone.com/joaxcar">joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="group-developers-can-view-group-runners-information">Group Developers can view group runners information</h3> <p>An issue was discovered in GitLab CE/EE affecting all versions starting from 16.7 prior to 17.1.7, 17.2 prior to 17.2.5, and 17.3 prior to 17.3.2, where group runners information was disclosed to unauthorised group members. This is a low severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N"><code>CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N</code></a>, 3.1). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6685">CVE-2024-6685</a>.</p> <p>Thanks <a href="https://hackerone.com/ashish_r_padelkar">ashish_r_padelkar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="bug-fixes">Bug fixes</h2> <h3 id="1732">17.3.2</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/build/CNG/-/merge_requests/2012">UBI: Backport openssl gem pin to 17-3-stable</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/163188">Backport "Disable allow_failure for release-environments pipeline"</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/163437">Fix issue when resizing images in RTE</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/163809">Backport fix for listing projects via API</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/164228">Backport lock retries timeout for sliding list strategy to <code>17-3</code></a></li> <li><a 
href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/164748">backport archived filter regression bugfix</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/164791">Ensure to update updated_at when updating access data</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/164894">Backport OpenSSL v3 callout to 17.3</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/165464">Quarantine pypi package registry spec</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/164830">Fix Sidekiq crashing when GITLAB_LOG_LEVEL set to debug</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/165343">[17.3 Backport] Bump OpenSSL to 3.2.0</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/165279">Backport 17.3 - Remove elasticsearch call on init</a></li> <li><a href="https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/7890">Downgrade OpenSSL version to 1.1.1</a></li> <li><a href="https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/7895">[17.3 Backport] Deprecate CentOS 7</a></li> </ul> <h3 id="1725">17.2.5</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/163189">Backport "Disable allow_failure for release-environments pipeline"</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/163421">Always build assets image when tagging</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/162466">Update google-cloud-core and google-cloud-env gems</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/162937">Backport to 17.2: Fixes Geo Replication Details incorrectly empty</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/164893">Backport OpenSSL v3 callout to 17.2</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/164561">Backport to 17.2: Fix JobArtifactState query timeout</a></li> 
<li><a href="https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/7874">CI: Add test basic package functionality before release (17.2 Backport)</a></li> <li><a href="https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/7876">Use latest builder images for check-packages pipeline (17.2 Backport)</a></li> <li><a href="https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/7896">[17.2 Backport] Deprecate CentOS 7</a></li> </ul> <h3 id="1717">17.1.7</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/163191">Backport "Disable allow_failure for release-environments pipeline"</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/162939">Backport to 17.1: Fixes Geo Replication Details view</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/164892">Backport OpenSSL v3 callout to 17.1</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/165270">Backport to 17.1: Fix JobArtifactState query timeout</a></li> <li><a href="https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/7875">CI: Add test basic package functionality before release (17.1 Backport)</a></li> <li><a href="https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/7877">Use latest builder images for check-packages pipeline (17.1 Backport)</a></li> <li><a href="https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/7897">[17.1 Backport] Deprecate CentOS 7</a></li> </ul> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">update page</a>. To update Gitlab Runner, see the <a href="https://docs.gitlab.com/runner/install/linux-repository.html#updating-the-runner">Updating the Runner page</a>.</p>
GitLab Patch Release: 17.3.1, 17.2.4, 17.1.6 https://about.gitlab.com/releases/2024/08/21/patch-release-gitlab-17-3-1-released/ 2024-08-21T00:00:00+00:00 Ameya Darshan
<p>Today we are releasing versions 17.3.1, 17.2.4, 17.1.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain important bug and security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.</p> <p>GitLab releases fixes for vulnerabilities in dedicated patch releases. There are two types of patch releases: scheduled releases, and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, you can visit our <a href="https://handbook.gitlab.com/handbook/engineering/releases/">releases handbook</a> and <a href="https://about.gitlab.com/security/faq/">security FAQ</a>.
You can see all of GitLab release blog posts <a href="/releases/categories/releases/">here</a>.</p> <p>For security fixes, the issues detailing each vulnerability are made public on our <a href="https://gitlab.com/gitlab-org/gitlab/-/issues/?sort=created_date&amp;state=closed&amp;label_name%5B%5D=bug%3A%3Avulnerability&amp;confidential=no&amp;first_page_size=100">issue tracker</a> 30 days after the release in which they were patched.</p> <p>We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more <a href="/blog/gitlab-instance-security-best-practices/">best practices in securing your GitLab instance</a> in our blog post.</p> <h3 id="recommended-action">Recommended Action</h3> <p>We <strong>strongly recommend</strong> that all installations running a version affected by the issues described below are <strong>upgraded to the latest version as soon as possible</strong>.</p> <p>When no specific deployment type (omnibus, source code, helm chart, etc.) 
of a product is mentioned, this means all types are affected.</p> <h2 id="security-fixes">Security fixes</h2> <h3 id="table-of-security-fixes">Table of security fixes</h3> <table> <thead> <tr> <th>Title</th> <th>Severity</th> </tr> </thead> <tbody> <tr> <td><a href="#the-gitlab-web-interface-does-not-guarantee-information-integrity-when-downloading-source-code-from-releases">The GitLab Web Interface Does Not Guarantee Information Integrity When Downloading Source Code from Releases.</a></td> <td>Medium</td> </tr> <tr> <td><a href="#denial-of-service-by-importing-maliciously-crafted-github-repository">Denial of Service by importing maliciously crafted GitHub repository</a></td> <td>Medium</td> </tr> <tr> <td><a href="#prompt-injection-in-resolve-vulnerabilty-results-in-arbitrary-command-execution-in-victims-pipeline">Prompt injection in "Resolve Vulnerability" results in arbitrary command execution in victim's pipeline</a></td> <td>Medium</td> </tr> <tr> <td><a href="#an-unauthorized-user-can-perform-certain-actions-through-graphql-after-a-group-owner-enables-ip-restrictions">An unauthorized user can perform certain actions through GraphQL after a group owner enables IP restrictions</a></td> <td>Medium</td> </tr> </tbody> </table> <h3 id="the-gitlab-web-interface-does-not-guarantee-information-integrity-when-downloading-source-code-from-releases">The GitLab Web Interface Does Not Guarantee Information Integrity When Downloading Source Code from Releases.</h3> <p>An issue was discovered in GitLab CE/EE affecting all versions starting from 8.2 prior to 17.1.6, starting from 17.2 prior to 17.2.4, and starting from 17.3 prior to 17.3.1, which allows an attacker to create a branch with the same name as a deleted tag. This is a medium severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N"><code>CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N</code></a>, 5.7). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6502">CVE-2024-6502</a>.</p> <p>Thanks <a href="https://hackerone.com/st4nly0n">st4nly0n</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="denial-of-service-by-importing-maliciously-crafted-github-repository">Denial of Service by importing maliciously crafted GitHub repository</h3> <p>A Denial of Service (DoS) issue has been discovered in GitLab CE/EE affecting all versions prior to 17.1.6, 17.2 prior to 17.2.4, and 17.3 prior to 17.3.1. A denial of service could occur upon importing a maliciously crafted repository using the GitHub importer. This is a medium severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"><code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H</code></a>, 6.5). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-8041">CVE-2024-8041</a>.</p> <p>Thanks <a href="https://hackerone.com/a92847865">a92847865</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="prompt-injection-in-resolve-vulnerabilty-results-in-arbitrary-command-execution-in-victims-pipeline">Prompt injection in "Resolve Vulnerability" results in arbitrary command execution in victim's pipeline</h3> <p>An issue was discovered in GitLab EE affecting all versions starting from 17.0 prior to 17.1.6, starting from 17.2 prior to 17.2.4, and starting from 17.3 prior to 17.3.1, which allows an attacker to execute arbitrary commands in a victim's pipeline through prompt injection. 
This is a medium severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N"><code>CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N</code></a>, 6.4). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7110">CVE-2024-7110</a>.</p> <p>This vulnerability was discovered internally by GitLab team member <a href="https://gitlab.com/dappelt">Dennis Appelt</a>.</p> <h3 id="an-unauthorized-user-can-perform-certain-actions-through-graphql-after-a-group-owner-enables-ip-restrictions">An unauthorized user can perform certain actions through GraphQL after a group owner enables IP restrictions</h3> <p>An issue has been discovered in GitLab EE affecting all versions starting from 12.5 before 17.1.6, all versions starting from 17.2 before 17.2.4, and all versions starting from 17.3 before 17.3.1. Under certain conditions it may be possible to bypass the IP restriction for groups through GraphQL, allowing unauthorized users to perform some actions at the group level. This is a medium severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"><code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N</code></a>, 4.3). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3127">CVE-2024-3127</a>.</p> <p>Thanks <a href="https://hackerone.com/0x777">0x777</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="mattermost-security-updates-july-2-2024">Mattermost Security Updates July 2, 2024</h3> <p>Mattermost has been updated to version 9.9.0, which contains several patches and security fixes.</p> <h2 id="bug-fixes">Bug fixes</h2> <h3 id="1731">17.3.1</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/162860">Fix timeout when checking group dependencies (17.3 backport)</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/162869">Resolve "Background migrations removed issues" (backport to 17.3)</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/162798">Backport to 17.3: Fixes Geo Replication Details incorrectly empty</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/162829">17.3 Backport vulnerability migration bugfix</a></li> <li><a href="https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/7852">Add debian 10 (Buster) to deprecated OS list</a></li> <li><a href="https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/7868">Raise default PostgreSQL shared buffers minimum to 256 MB</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/162931">Include language server version in code suggestions</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/162968">Turn NotFound from Gitaly into 404 for InfoRefs</a></li> </ul> <h3 id="1724">17.2.4</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/161900">Backport 17.2: Build assets image when running release environments</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/161129">Backport DORA DF score recalculation</a></li> <li><a 
href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/162292">Backport 17.2 - Do not run release-environments on tagging</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/162311">Remove stong_memoization for cloud connector services</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/161773">Check if columns exist before running credit card hashing background migration</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/162491">Merge branch 'jennykim/remove-release-environment-canonical-pipeline' into 'master'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/162523">Fix empty dependency list page</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/162544">Backport 17-2: handle empty repository.ff_merge</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/162868">17.2 backport for: Resolve "Background migrations removed in 17.1 cause upgrade issues"</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/162935">Include language server version in code suggestions</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/162969">Turn NotFound from Gitaly into 404 for InfoRefs)</a></li> </ul> <h3 id="1716">17.1.6</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/161489">Backport 17.1: Release Environments - pipeline level resource group</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/161901">Backport 17.1: Build assets image when running release environments</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/162293">Backport 17.1 - Do not run release-environments on tagging</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/162001">Fix backport gitlab-qa shm fix to 17.1 stable branch version</a></li> <li><a 
href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/162492">Backport canonical RE downstream pipeline removal</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/162771">Update minimum Go version requirement for self-compiled (17.1)</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/162542">Backport 17-1: handle empty repository.ff_merge</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/162865">Resolve "Background migrations removed issues" (backport to 17.1)</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/163169">Fix: backport !157455 to 17-1-stable-ee</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/162936">Include language server version in code suggestions</a></li> </ul> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">update page</a>. To update Gitlab Runner, see the <a href="https://docs.gitlab.com/runner/install/linux-repository.html#updating-the-runner">Updating the Runner page</a>.</p> <p>Note: GitLab releases have skipped 17.2.3 and 17.1.5 . There are no patches with these version numbers.</p> <h2 id="receive-patch-notifications">Receive Patch Notifications</h2> <p>To receive patch blog notifications delivered to your inbox, visit our <a href="https://about.gitlab.com/company/contact/">contact us</a> page. 
To receive release notifications via RSS, subscribe to our <a href="https://about.gitlab.com/security-releases.xml">patch release RSS feed</a> or our <a href="https://about.gitlab.com/all-releases.xml">RSS feed for all releases</a>.</p> <h2 id="were-combining-patch-and-security-releases">We’re combining patch and security releases</h2> <p>This improvement in our release process matches the industry standard and will help GitLab users get information about security and bug fixes sooner; <a href="https://about.gitlab.com/blog/were-combining-patch-and-security-releases/">read the blog post here</a>.</p> GitLab Patch Release: 17.2.2, 17.1.4, 17.0.6 https://about.gitlab.com/releases/2024/08/07/patch-release-gitlab-17-2-2-released/ 2024-08-07T00:00:00+00:00 2024-08-07T00:00:00+00:00 Costel Maxim <p>Today we are releasing versions 17.2.2, 17.1.4, 17.0.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain important bug and security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.</p> <p>GitLab releases fixes for vulnerabilities in dedicated patch releases. There are two types of patch releases: scheduled releases, and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, you can visit our <a href="https://handbook.gitlab.com/handbook/engineering/releases/">releases handbook</a> and <a href="https://about.gitlab.com/security/faq/">security FAQ</a>. 
You can see all of GitLab release blog posts <a href="/releases/categories/releases/">here</a>.</p> <p>For security fixes, the issues detailing each vulnerability are made public on our <a href="https://gitlab.com/gitlab-org/gitlab/-/issues/?sort=created_date&amp;state=closed&amp;label_name%5B%5D=bug%3A%3Avulnerability&amp;confidential=no&amp;first_page_size=100">issue tracker</a> 30 days after the release in which they were patched.</p> <p>We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more <a href="/blog/gitlab-instance-security-best-practices/">best practices in securing your GitLab instance</a> in our blog post.</p> <h3 id="recommended-action">Recommended Action</h3> <p>We <strong>strongly recommend</strong> that all installations running a version affected by the issues described below are <strong>upgraded to the latest version as soon as possible</strong>.</p> <p>When no specific deployment type (omnibus, source code, helm chart, etc.) 
of a product is mentioned, this means all types are affected.</p> <h2 id="security-fixes">Security fixes</h2> <h3 id="table-of-security-fixes">Table of security fixes</h3> <table> <thead> <tr> <th>Title</th> <th>Severity</th> </tr> </thead> <tbody> <tr> <td><a href="#privilege-escalation-via-lfs-tokens-granting-unrestricted-repository-access">Privilege Escalation via LFS Tokens Granting Unrestricted Repository Access</a></td> <td>Medium</td> </tr> <tr> <td><a href="#cross-project-access-of-security-policy-bot">Cross project access of Security policy bot</a></td> <td>Medium</td> </tr> <tr> <td><a href="#advanced-search-redos-in-highlight-for-code-results">Advanced search ReDOS in highlight for code results</a></td> <td>Medium</td> </tr> <tr> <td><a href="#denial-of-service-via-banzai-pipeline">Denial of Service via banzai pipeline</a></td> <td>Medium</td> </tr> <tr> <td><a href="#denial-of-service-using-adoc-files">Denial of service using adoc files</a></td> <td>Medium</td> </tr> <tr> <td><a href="#redos-in-refmatcher-when-matching-branch-names-using-wildcards">ReDoS in RefMatcher when matching branch names using wildcards</a></td> <td>Medium</td> </tr> <tr> <td><a href="#path-encoding-can-cause-the-web-interface-to-not-render-diffs-correctly">Path encoding can cause the Web interface to not render diffs correctly.</a></td> <td>Medium</td> </tr> <tr> <td><a href="#xss-while-viewing-raw-xhtml-files-through-api">XSS while viewing raw XHTML files through API</a></td> <td>Medium</td> </tr> <tr> <td><a href="#ambiguous-tag-name-exploitation">Ambiguous tag name exploitation</a></td> <td>Medium</td> </tr> <tr> <td><a href="#logs-disclosings-potentially-sensitive-data-in-query-params">Logs disclosing potentially sensitive data in query params</a></td> <td>Medium</td> </tr> <tr> <td><a href="#password-bypass-on-approvals-using-policy-projects">Password bypass on approvals using policy projects</a></td> <td>Medium</td> </tr> <tr> <td><a 
href="#redos-when-parsing-git-push">ReDoS when parsing git push</a></td> <td>Medium</td> </tr> <tr> <td><a href="#webhook-deletion-audit-log-can-preserve-auth-credentials">Webhook deletion audit log can preserve auth credentials</a></td> <td>Medium</td> </tr> </tbody> </table> <h3 id="privilege-escalation-via-lfs-tokens-granting-unrestricted-repository-access">Privilege Escalation via LFS Tokens Granting Unrestricted Repository Access</h3> <p>A permission check vulnerability in GitLab CE/EE affecting all versions starting from 8.12 prior to 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2 allowed LFS tokens to read and write to user-owned repositories. This is a medium severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N"><code>CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N</code></a>, 6.8). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3035">CVE-2024-3035</a>.</p> <p>Thanks <a href="https://hackerone.com/pwnie">pwnie</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="cross-project-access-of-security-policy-bot">Cross project access of Security policy bot</h3> <p>An issue was discovered in GitLab EE affecting all versions starting from 16.0 prior to 17.0.6, starting from 17.1 prior to 17.1.4, and starting from 17.2 prior to 17.2.2, which allowed cross project access for the Security policy bot. This is a medium severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N"><code>CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N</code></a>, 4.4). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6356">CVE-2024-6356</a>.</p> <p>Thanks <a href="https://hackerone.com/yvvdwf">yvvdwf</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="advanced-search-redos-in-highlight-for-code-results">Advanced search ReDOS in highlight for code results</h3> <p>A Denial of Service (DoS) condition has been discovered in GitLab CE/EE affecting all versions starting with 15.9 before 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2. It is possible for an attacker to cause catastrophic backtracking while parsing results from Elasticsearch. This is a medium severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"><code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L</code></a>, 4.3). We have requested a CVE ID and will update this blog post when it is assigned.</p> <p>This vulnerability was discovered internally by GitLab team member <a href="https://gitlab.com/terrichu">Terri Chu</a>.</p> <h3 id="denial-of-service-via-banzai-pipeline">Denial of Service via banzai pipeline</h3> <p>Multiple Denial of Service (DoS) conditions have been discovered in GitLab CE/EE affecting all versions starting from 1.0 prior to 17.0.6, starting from 17.1 prior to 17.1.4, and starting from 17.2 prior to 17.2.2, which allowed an attacker to cause resource exhaustion via the banzai pipeline. This is a medium severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"><code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H</code></a>, 6.5). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-5423">CVE-2024-5423</a>.</p> <p>Thanks <a href="https://hackerone.com/joaxcar">joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="denial-of-service-using-adoc-files">Denial of service using adoc files</h3> <p>A Denial of Service (DoS) condition has been discovered in GitLab CE/EE affecting all versions starting with 12.6 before 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2. It is possible for an attacker to cause a denial of service using crafted adoc files. This is a medium severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"><code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H</code></a>, 6.5). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4210">CVE-2024-4210</a>.</p> <p>Thanks <a href="https://hackerone.com/gudanggaramfilter">gudanggaramfilter</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="redos-in-refmatcher-when-matching-branch-names-using-wildcards">ReDoS in RefMatcher when matching branch names using wildcards</h3> <p>A ReDoS flaw in RefMatcher when matching branch names using wildcards in GitLab EE/CE affecting all versions from 11.3 prior to 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2 allows denial of service via regex backtracking. This is a medium severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"><code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H</code></a>, 6.5). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2800">CVE-2024-2800</a>.</p> <p>Thanks <a href="https://hackerone.com/joaxcar">joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="path-encoding-can-cause-the-web-interface-to-not-render-diffs-correctly">Path encoding can cause the Web interface to not render diffs correctly.</h3> <p>An issue was discovered in GitLab CE/EE affecting all versions starting from 8.16 prior to 17.0.6, starting from 17.1 prior to 17.1.4, and starting from 17.2 prior to 17.2.2, which causes the web interface to fail to render the diff correctly when the path is encoded. This is a medium severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N"><code>CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N</code></a>, 5.7). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6329">CVE-2024-6329</a>.</p> <p>Thanks <a href="https://hackerone.com/st4nly0n">st4nly0n</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="xss-while-viewing-raw-xhtml-files-through-api">XSS while viewing raw XHTML files through API</h3> <p>A cross-site scripting issue has been discovered in GitLab affecting all versions starting from 5.1 prior to 17.0.6, starting from 17.1 prior to 17.1.4, and starting from 17.2 prior to 17.2.2. When viewing an XML file in a repository in raw mode, it can be made to render as HTML if viewed under specific circumstances. This is a medium severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N"><code>CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N</code></a>, 4.4). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4207">CVE-2024-4207</a>.</p> <p>Thanks <a href="https://hackerone.com/joaxcar">joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="ambiguous-tag-name-exploitation">Ambiguous tag name exploitation</h3> <p>An issue has been discovered in GitLab CE/EE affecting all versions before 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2. It allows someone to abuse a discrepancy between the Web application display and the git command line interface to social engineer victims into cloning non-trusted code. This is a medium severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"><code>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N</code></a>, 5.3). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3958">CVE-2024-3958</a>.</p> <p>Thanks <a href="https://hackerone.com/st4nly0n">st4nly0n</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="logs-disclosings-potentially-sensitive-data-in-query-params">Logs disclosing potentially sensitive data in query params</h3> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.9 before 17.0.6, all versions starting from 17.1 before 17.1.4, and all versions starting from 17.2 before 17.2.2. Under certain conditions, access tokens may have been logged when an API request was made in a specific manner. This is a medium severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"><code>CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N</code></a>, 4.9). 
We have requested a CVE ID and will update this blog post when it is assigned.</p> <p>This vulnerability was discovered internally by GitLab team member <a href="https://gitlab.com/dcouture">Dominic Couture</a>.</p> <h3 id="password-bypass-on-approvals-using-policy-projects">Password bypass on approvals using policy projects</h3> <p>An issue was discovered in GitLab EE starting from version 16.7 before 17.0.6, version 17.1 before 17.1.4, and 17.2 before 17.2.2 that allowed bypassing the password re-entry requirement to approve a policy. This is a medium severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N"><code>CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N</code></a>, 4.2). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4784">CVE-2024-4784</a>.</p> <p>Thanks <a href="https://hackerone.com/vexin">vexin</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="redos-when-parsing-git-push">ReDoS when parsing git push</h3> <p>An issue was discovered in GitLab CE/EE affecting all versions starting from 11.10 prior to 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2, where the processing logic for parsing invalid commits can lead to a regular expression DoS attack on the server. This is a medium severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"><code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L</code></a>, 4.3). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3114">CVE-2024-3114</a>.</p> <p>Thanks <a href="https://hackerone.com/joaxcar">joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="webhook-deletion-audit-log-can-preserve-auth-credentials">Webhook deletion audit log can preserve auth credentials</h3> <p>An issue was discovered in GitLab EE affecting all versions starting from 17.0 prior to 17.0.6, starting from 17.1 prior to 17.1.4, and starting from 17.2 prior to 17.2.2, where the webhook deletion audit log preserved auth credentials. This is a medium severity issue (<a href="https://gitlab-com.gitlab.io/gl-security/product-security/appsec/cvss-calculator/explain#explain=CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N"><code>CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N</code></a>, 4.1). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7586">CVE-2024-7586</a>.</p> <p>This vulnerability was discovered internally by GitLab team member <a href="https://gitlab.com/anton">Anton Smith</a>.</p> <h2 id="bug-fixes">Bug fixes</h2> <h3 id="1722">17.2.2</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/build/CNG/-/merge_requests/1932">Backups: Fix parsing of existing backups in Azure storage (Backport 17.2)</a></li> <li><a href="https://gitlab.com/gitlab-org/gitaly/-/merge_requests/7147">Do not consider pool repos dangling on restore</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/160253">Never return nil when search for CC service</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/160554">Fix issue in RTE related to adding text before a mention</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/160666">Backport 'Check if params data cannot be JSONified' into 17.2</a></li> <li><a 
href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/160434">Document Rake task to show/edit token expirations</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/160678">Backport 17.2 - Introduce lock-free rescheduling for duplicate job</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/160767">Ignore unknown sequences in sequence fix migration</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/160744">Fix squished badges rendering in 17.2</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/161081">Optimize CustomAbility specs to reduce build times</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/161200">Backport Do not index associated issues that are epic work item type</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/160911">bug: Fix template error due to divided by zero</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/161241">Put groups_direct field in CI JWT tokens behind feature flag</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/161430">Backport 'Fix cluster check metrics' into 17.2</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/161539">Backport Beyond Identity bug fixes to 17.2</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/161543">Enable <code>project_daily_statistic_counter_attribute_fetch</code> FF by default</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/161488">Backport 17.2: Release Environments - pipeline level resource group</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/161386">Add require_personal_access_token_expiry application setting</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab-pages/-/merge_requests/1030">Backport 17.2: Mark Cookie SameSite as default over HTTP</a></li> <li><a 
href="https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/7814">Pin QA CI tests to stable gitlab-org/gitlab branches</a></li> </ul> <h3 id="1714">17.1.4</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/build/CNG/-/merge_requests/1933">Backups: Fix parsing of existing backups in Azure storage (Backport 17.1)</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/160679">Backport 17.1 - Introduce lock-free rescheduling for duplicate job</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/160941">Table driven spec needs shorter spec titles backport</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/161079">Optimize CustomAbility specs to reduce build times</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/161242">Put groups_direct field in CI JWT tokens behind feature flag</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/161408">Increase SQL query threashold on work_items test</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/160667">Backport 'Check if params data cannot be JSONified' into 17.1</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/161541">Backport Beyond Identity bug fixes to 17.1</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/161668">Backport gitlab-qa shm fix to 17.1 stable branch</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/161388">Add require_personal_access_token_expiry application setting</a></li> </ul> <h3 id="1706">17.0.6</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/build/CNG/-/merge_requests/1934">Backups: Fix parsing of existing backups in Azure storage (Backport 17.0)</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/160815">Backport 17.0 - Introduce lock-free rescheduling for duplicate job</a></li> <li><a 
href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/160940">Table driven spec needs shorter spec titles backport</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/161240">Put groups_direct field in CI JWT tokens behind feature flag</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/161389">Add require_personal_access_token_expiry application setting</a></li> </ul> <h3 id="16118">16.11.8</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/161391">Add require_personal_access_token_expiry application setting</a></li> </ul> <h3 id="add-require_personal_access_token_expiry-application-setting">Add require_personal_access_token_expiry application setting</h3> <p>This optional setting, enabled by default, was added for admins of GitLab self-managed instances on versions 16.11 and above and allows them to enforce mandatory expiration on all new personal, project and group access tokens. Expirations set for existing tokens are not affected by this setting. For usage information, see <a href="https://docs.gitlab.com/ee/administration/settings/account_and_limit_settings.html#require-expiration-dates-for-new-access-tokens">Require expiration dates for new access tokens</a>.</p> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">update page</a>. To update GitLab Runner, see the <a href="https://docs.gitlab.com/runner/install/linux-repository.html#updating-the-runner">Updating the Runner page</a>.</p> <h2 id="receive-patch-notifications">Receive Patch Notifications</h2> <p>To receive patch blog notifications delivered to your inbox, visit our <a href="https://about.gitlab.com/company/contact/">contact us</a> page. 
To receive release notifications via RSS, subscribe to our <a href="https://about.gitlab.com/security-releases.xml">patch release RSS feed</a> or our <a href="https://about.gitlab.com/all-releases.xml">RSS feed for all releases</a>.</p> <h2 id="were-combining-patch-and-security-releases">We’re combining patch and security releases</h2> <p>This improvement in our release process matches the industry standard and will help GitLab users get information about security and bug fixes sooner, <a href="https://about.gitlab.com/blog/were-combining-patch-and-security-releases/">read the blog post here</a>.</p> GitLab Patch Release: 17.2.1, 17.1.3, 17.0.5 https://about.gitlab.com/releases/2024/07/24/patch-release-gitlab-17-2-1-released/ 2024-07-24T00:00:00+00:00 Greg Alfaro <p>Today we are releasing versions 17.2.1, 17.1.3, 17.0.5 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain important bug and security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.</p> <p>GitLab releases fixes for vulnerabilities in dedicated patch releases. There are two types of patch releases: scheduled releases, and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, you can visit our <a href="https://handbook.gitlab.com/handbook/engineering/releases/">releases handbook</a> and <a href="https://about.gitlab.com/security/faq/">security FAQ</a>. 
You can see all of GitLab release blog posts <a href="/releases/categories/releases/">here</a>.</p> <p>For security fixes, the issues detailing each vulnerability are made public on our <a href="https://gitlab.com/gitlab-org/gitlab/-/issues/?sort=created_date&amp;state=closed&amp;label_name%5B%5D=bug%3A%3Avulnerability&amp;confidential=no&amp;first_page_size=100">issue tracker</a> 30 days after the release in which they were patched.</p> <p>We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more <a href="/blog/gitlab-instance-security-best-practices/">best practices in securing your GitLab instance</a> in our blog post.</p> <h3 id="recommended-action">Recommended Action</h3> <p>We <strong>strongly recommend</strong> that all installations running a version affected by the issues described below are <strong>upgraded to the latest version as soon as possible</strong>.</p> <p>When no specific deployment type (omnibus, source code, helm chart, etc.) 
of a product is mentioned, this means all types are affected.</p> <h2 id="security-fixes">Security fixes</h2> <h3 id="table-of-security-fixes">Table of security fixes</h3> <table> <thead> <tr> <th>Title</th> <th>Severity</th> </tr> </thead> <tbody> <tr> <td><a href="#xss-via-the-maven-dependency-proxy">XSS via the Maven Dependency Proxy</a></td> <td>High</td> </tr> <tr> <td><a href="#project-level-analytics-settings-leaked-in-dom">Project level analytics settings leaked in DOM</a></td> <td>Medium</td> </tr> <tr> <td><a href="#reports-can-access-and-download-job-artifacts-despite-use-of-settings-to-prevent-it">Reports can access and download job artifacts despite use of settings to prevent it</a></td> <td>Medium</td> </tr> <tr> <td><a href="#direct-transfer---authorised-projectgroup-exports-are-accessible-to-other-users">Direct Transfer - Authorised project/group exports are accessible to other users</a></td> <td>Medium</td> </tr> <tr> <td><a href="#bypassing-tag-check-and-branch-check-through-imports">Bypassing tag check and branch check through imports</a></td> <td>Low</td> </tr> <tr> <td><a href="#project-importexport---make-projectgroup-export-files-hidden-to-everyone-except-user-who-initiated-it">Project Import/Export - Make project/group export files hidden to everyone except user who initiated it</a></td> <td>Low</td> </tr> </tbody> </table> <h3 id="xss-via-the-maven-dependency-proxy">XSS via the Maven Dependency Proxy</h3> <p>A cross-site scripting vulnerability exists in GitLab CE/EE affecting all versions from 16.6 prior to 17.0.5, 17.1 prior to 17.1.3, and 17.2 prior to 17.2.1, allowing an attacker to execute arbitrary scripts in the context of the currently logged-in user. 
This is a high severity issue (<code>CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N</code>, 7.7).</p> <p>This vulnerability has been discovered internally by GitLab team member <a href="https://gitlab.com/joernchen">Joern Schneeweisz</a>.</p> <h3 id="project-level-analytics-settings-leaked-in-dom">Project level analytics settings leaked in DOM</h3> <p>An issue was discovered in GitLab EE affecting all versions starting from 16.11 prior to 17.0.5, 17.1 prior to 17.1.3, and 17.2 prior to 17.2.1 where certain project-level analytics settings could be leaked in the DOM to group members with Developer or higher roles. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N</code>, 4.4). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-5067">CVE-2024-5067</a>.</p> <p>Thanks <a href="https://hackerone.com/yvvdwf">yvvdwf</a> and <a href="https://hackerone.com/zebraman">zebraman</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="reports-can-access-and-download-job-artifacts-despite-use-of-settings-to-prevent-it">Reports can access and download job artifacts despite use of settings to prevent it</h3> <p>An information disclosure vulnerability exists in GitLab CE/EE affecting all versions starting from 16.7 prior to 17.0.5, starting from 17.1 prior to 17.1.3, and starting from 17.2 prior to 17.2.1, where job artifacts can be inappropriately exposed to users lacking the proper authorization level. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 4.3). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7057">CVE-2024-7057</a>.</p> <p>Thanks <a href="https://hackerone.com/ricardobrito">ricardobrito</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="direct-transfer---authorised-projectgroup-exports-are-accessible-to-other-users">Direct Transfer - Authorised project/group exports are accessible to other users</h3> <p>An issue was discovered in GitLab CE/EE affecting all versions starting from 15.6 prior to 17.0.5, starting from 17.1 prior to 17.1.3, and starting from 17.2 prior to 17.2.1 where it was possible to disclose limited information about an exported group or project to another user.</p> <p>This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N</code>, 4.1).</p> <p>This vulnerability was found internally by GitLab team member <a href="https://gitlab.com/jnutt">James Nutt</a>.</p> <h3 id="bypassing-tag-check-and-branch-check-through-imports">Bypassing tag check and branch check through imports</h3> <p>A resource misdirection vulnerability in GitLab CE/EE affecting all versions from 12.0 prior to 17.0.5, 17.1 prior to 17.1.3, and 17.2 prior to 17.2.1 allows an attacker to craft a repository import in such a way as to misdirect commits. This is a low severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N</code>, 2.7). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-0231">CVE-2024-0231</a>.</p> <p>Thanks <a href="https://hackerone.com/aaron_dewes">aaron_dewes</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="project-importexport---make-projectgroup-export-files-hidden-to-everyone-except-user-who-initiated-it">Project Import/Export - Make project/group export files hidden to everyone except user who initiated it</h3> <p>An information disclosure vulnerability in GitLab CE/EE project/group exports affecting all versions from 15.4 prior to 17.0.5, 17.1 prior to 17.1.3, and 17.2 prior to 17.2.1 allows unauthorized users to view the resultant export. This is a low severity issue (<code>CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N</code>, 2.6).</p> <p>This vulnerability has been discovered internally by GitLab team member <a href="https://gitlab.com/wortschi">Martin Wortschack</a>.</p> <h2 id="bug-fixes">Bug fixes</h2> <h3 id="1721">17.2.1</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitaly/-/merge_requests/7103">Revert "Ensure page token is for the same tree"</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/159815">Fix order-dependent Elasticsearch spec failure</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/159794">Backport to run Release Environments on RC tag into '17-2-stable-ee'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/159993">Fix state leak in cluster_util_spec.rb</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/160006">Ensure rspec helpers call curl with <code>--fail</code></a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/160047">Run e2e:package-and-test-ee for MR targeting stable branches</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/160129">Remove build-gdk-image, e2e:test-on-gdk, and 
retag-gdk-image jobs (17.2)</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/160007">17.2 backport for fix PEP when SEC is available</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/160276">bugfix: Only run advanced SAST job when Ultimate license present</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/160377">Backport pipeline fixes for 17.2</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/issues/469443">Private dotenv artifacts not accessible to downstream jobs</a></li> </ul> <h3 id="1713">17.1.3</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/build/CNG/-/merge_requests/1921">Backport mock tag cleanup related fixes</a></li> <li><a href="https://gitlab.com/gitlab-org/build/CNG/-/merge_requests/1904">Multiarch fixes backport (17.1)</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/158737">Backport release-environments pipeline in security repo to 17.1</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/158841">Backport [17.1] Fix empty minimum_should_match in query</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/159016">Fix wildcard search for package.json in npm upload</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/159075">NPM registry: replace the saj parser (17.1 backport)</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/159701">Fix Content-Disposition header for Azure in API download (17.1 Backport)</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/159817">Fix order-dependent Elasticsearch spec failure</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/159795">Backport to run Release Environments on RC tag into '17-1-stable-ee'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/159995">Fix state leak in cluster_util_spec.rb</a></li> <li><a 
href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/160094">Merge branch 'sh-curl-fail-ci' into 'master' - 17.1</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/159003">Ignore object pool already exists creation errors 17.1</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/158509">Backport token logging improvements</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/159049">Backport add Rake task to show token expiration info</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/160128">Remove build-gdk-image, e2e:test-on-gdk, and retag-gdk-image jobs (17.1)</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/160392">Backport pipeline fixes for 17.1</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/issues/469443">Private dotenv artifacts not accessible to downstream jobs</a></li> </ul> <h3 id="1705">17.0.5</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/build/CNG/-/merge_requests/1920">Backport mock tag cleanup related fixes</a></li> <li><a href="https://gitlab.com/gitlab-org/build/CNG/-/merge_requests/1903">Multiarch fixes backport (17.0)</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/159796">Backport to run Release Environments on RC tag into '17-0-stable-ee'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/159286">Backport Resolve "Geo: JWT token expiration too short"</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/159019">Ignore object pool already exists creation errors 17.0</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/158907">Fix 500 error using a instance runner registration token</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/158511">Backport token logging improvements</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/158266">Drop migration that 
finalizes migration to add PAT expiration</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/159417">Update the token expiration banner</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/159054">Backport add Rake task to show token expiration info</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/160326">Fix order-dependent custom role definition spec failure</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/160393">Backport pipeline fixes for 17.0</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/issues/469443">Private dotenv artifacts not accessible to downstream jobs</a></li> </ul> <h3 id="16117">16.11.7</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/159287">Backport Resolve "Geo: JWT token expiration too short"</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/159019">Ignore object pool already exists creation errors 17.0</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/157277">Backport token logging improvements</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/158416">Drop migration that finalizes migration to add PAT expiration</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/159418">Update the token expiration banner</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/159056">Backport add Rake task to show token expiration info</a></li> </ul> <h3 id="16109">16.10.9</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/158516">Backport token logging improvements</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/158414">Drop migration that finalizes migration to add PAT expiration</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/159419">Update the token expiration banner</a></li> <li><a 
href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/159057">Backport add Rake task to show token expiration info</a></li> </ul> <h3 id="16910">16.9.10</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/158517">Backport token logging improvements</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/153470">Drop migration that finalizes migration to add PAT expiration</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/159421">Update the token expiration banner</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/159058">Backport add Rake task to show token expiration info</a></li> </ul> <h3 id="1689">16.8.9</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/158518">Backport token logging improvements</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/153469">Drop migration that finalizes migration to add PAT expiration</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/159424">Update the token expiration banner</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/159066">Backport add Rake task to show token expiration info</a></li> </ul> <h3 id="1679">16.7.9</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/158519">Backport token logging improvements</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/153468">Drop migration that finalizes migration to add PAT expiration</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/159426">Update the token expiration banner</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/159069">Backport add Rake task to show token expiration info</a></li> </ul> <h3 id="1669">16.6.9</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/158525">Backport token logging improvements</a></li> <li><a 
href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/153466">Drop migration that finalizes migration to add PAT expiration</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/159429">Update the token expiration banner</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/159089">Backport add Rake task to show token expiration info</a></li> </ul> <h3 id="1659">16.5.9</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/158526">Backport token logging improvements</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/153459">Drop migration that finalizes migration to add PAT expiration</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/158110">Add the token expiration banner</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/159093">Backport add Rake task to show token expiration info</a></li> </ul> <h3 id="1646">16.4.6</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/153458">Drop migration that finalizes migration to add PAT expiration</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/158474">Add the token expiration banner</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/159125">Backport add Rake task to show token expiration info</a></li> </ul> <h3 id="1638">16.3.8</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/153457">Drop migration that finalizes migration to add PAT expiration</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/158475">Add the token expiration banner</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/159383">Backport add Rake task to show token expiration info</a></li> </ul> <h3 id="16210">16.2.10</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/153453">Drop migration that finalizes migration to add PAT 
expiration</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/158479">Add the token expiration banner</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/159401">Backport add Rake task to show token expiration info</a></li> </ul> <h3 id="1617">16.1.7</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/153448">Drop migration that finalizes migration to add PAT expiration</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/158476">Add the token expiration banner</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/159414">Backport add Rake task to show token expiration info</a></li> </ul> <h3 id="1609">16.0.9</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/153435">Drop migration that finalizes migration to add PAT expiration</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/158477">Add the token expiration banner</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/159446">Backport add Rake task to show token expiration info</a></li> </ul> 
GitLab Critical Patch Release: 17.1.2, 17.0.4, 16.11.6 https://about.gitlab.com/releases/2024/07/10/patch-release-gitlab-17-1-2-released/ 2024-07-10T00:00:00+00:00 Rohit Shambhuni <p>Today we are releasing versions 17.1.2, 17.0.4, 16.11.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain important bug and security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com and GitLab Dedicated are already running the patched version.</p> <p>GitLab releases fixes for vulnerabilities in dedicated patch releases. There are two types of patch releases: scheduled releases, and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, you can visit our <a href="https://handbook.gitlab.com/handbook/engineering/releases/">releases handbook</a> and <a href="https://about.gitlab.com/security/faq/">security FAQ</a>. 
You can see all of GitLab release blog posts <a href="/releases/categories/releases/">here</a>.</p> <p>For security fixes, the issues detailing each vulnerability are made public on our <a href="https://gitlab.com/gitlab-org/gitlab/-/issues/?sort=created_date&amp;state=closed&amp;label_name%5B%5D=bug%3A%3Avulnerability&amp;confidential=no&amp;first_page_size=100">issue tracker</a> 30 days after the release in which they were patched.</p> <p>We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more <a href="/blog/gitlab-instance-security-best-practices/">best practices in securing your GitLab instance</a> in our blog post.</p> <h3 id="recommended-action">Recommended Action</h3> <p>We <strong>strongly recommend</strong> that all installations running a version affected by the issues described below are <strong>upgraded to the latest version as soon as possible</strong>.</p> <p>When no specific deployment type (omnibus, source code, helm chart, etc.) 
of a product is mentioned, this means all types are affected.</p> <h2 id="security-fixes">Security fixes</h2> <h3 id="table-of-security-fixes">Table of security fixes</h3> <table> <thead> <tr> <th>Title</th> <th>Severity</th> </tr> </thead> <tbody> <tr> <td><a href="#an-attacker-can-run-pipeline-jobs-as-an-arbitrary-user">An attacker can run pipeline jobs as an arbitrary user</a></td> <td>Critical</td> </tr> <tr> <td><a href="#developer-user-with-admin_compliance_framework-permission-can-change-group-url">Developer user with <code>admin_compliance_framework</code> permission can change group URL</a></td> <td>Medium</td> </tr> <tr> <td><a href="#admin-push-rules-custom-role-allows-creation-of-project-level-deploy-token">Admin push rules custom role allows creation of project level deploy token</a></td> <td>Low</td> </tr> <tr> <td><a href="#package-registry-vulnerable-to-manifest-confusion">Package registry vulnerable to manifest confusion</a></td> <td>Low</td> </tr> <tr> <td><a href="#user-with-admin_group_member-permission-can-ban-group-members">User with <code>admin_group_member</code> permission can ban group members</a></td> <td>Low</td> </tr> <tr> <td><a href="#subdomain-takeover-in-gitlab-pages">Subdomain takeover in GitLab pages</a></td> <td>Low</td> </tr> </tbody> </table> <h3 id="an-attacker-can-run-pipeline-jobs-as-an-arbitrary-user">An attacker can run pipeline jobs as an arbitrary user</h3> <p>An issue was discovered in GitLab CE/EE affecting versions 15.8 prior to 16.11.6, 17.0 prior to 17.0.4, and 17.1 prior to 17.1.2, which allows an attacker to trigger a pipeline as another user under certain circumstances. This is a critical severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N</code>, 9.6). 
It is now resolved in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6385">CVE-2024-6385</a>.</p> <p>Thanks to <a href="https://hackerone.com/yvvdwf">yvvdwf</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="developer-user-with-admin_compliance_framework-permission-can-change-group-url">Developer user with <code>admin_compliance_framework</code> permission can change group URL</h3> <p>An issue was discovered in GitLab CE/EE affecting all versions starting from 17.0 prior to 17.0.4 and from 17.1 prior to 17.1.2 where a Developer user with <code>admin_compliance_framework</code> custom role may have been able to modify the URL for a group namespace. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N</code>, 4.9). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-5257">CVE-2024-5257</a>.</p> <p>Thanks <a href="https://hackerone.com/js_noob">js_noob</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="admin-push-rules-custom-role-allows-creation-of-project-level-deploy-token">Admin push rules custom role allows creation of project level deploy token</h3> <p>An issue was discovered in GitLab CE/EE affecting all versions starting from 17.0 prior to 17.0.4 and from 17.1 prior to 17.1.2 where a Guest user with <code>admin_push_rules</code> permission may have been able to create project-level deploy tokens. This is a low severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N</code>, 3.8). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-5470">CVE-2024-5470</a>.</p> <p>Thanks <a href="https://hackerone.com/indoappsec">indoappsec</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="package-registry-vulnerable-to-manifest-confusion">Package registry vulnerable to manifest confusion</h3> <p>An issue was discovered in GitLab CE/EE affecting all versions starting from 11.8 prior to 16.11.6, starting from 17.0 prior to 17.0.4, and starting from 17.1 prior to 17.1.2 where it was possible to upload an NPM package with conflicting package data. This is a low severity issue (<code>CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N</code>, 3.0). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6595">CVE-2024-6595</a>.</p> <p>This vulnerability was found internally by a GitLab team member <a href="https://gitlab.com/ameyadarshan">Ameya Darshan</a>. Thanks to <a href="https://x.com/darcy">Darcy Clarke</a> for their work on <a href="https://blog.vlt.sh/blog/the-massive-hole-in-the-npm-ecosystem">manifest confusion</a>.</p> <h3 id="user-with-admin_group_member-permission-can-ban-group-members">User with <code>admin_group_member</code> permission can ban group members</h3> <p>An issue was discovered in GitLab CE/EE affecting all versions starting from 16.5 prior to 16.11.6, starting from 17.0 prior to 17.0.4, and starting from 17.1 prior to 17.1.2 in which a user with <code>admin_group_member</code> custom role permission could ban group members. This is a low severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N</code>, 2.7). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2880">CVE-2024-2880</a>.</p> <p>Thanks <a href="https://hackerone.com/ashish_r_padelkar">ashish_r_padelkar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="subdomain-takeover-in-gitlab-pages">Subdomain takeover in GitLab Pages</h3> <p>An issue was discovered in GitLab CE/EE affecting all versions prior to 16.11.6, starting from 17.0 prior to 17.0.4, and starting from 17.1 prior to 17.1.2, which allowed a subdomain takeover in GitLab Pages. It is addressed by checking whether the domain is enabled every time the custom domain is resolved. This is a low severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N</code>, 3.5). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-5528">CVE-2024-5528</a>.</p> <p>Thanks <a href="https://hackerone.com/fdeleite">fdeleite</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="bug-fixes">Bug fixes</h2> <h3 id="1712">17.1.2</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitaly/-/merge_requests/7058">git: Update <code>symlinkPointsToGitDir</code> version check</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/157347">Fix MailRoom not loading in Omnibus</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/157428">Use static AWS credentials for elasticsearch indexer if set</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/157655">ci: For 17-1 Use default Ruby version for MRs targeting stable branches</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/157430">Remove transaction opening for non-basic search count</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/157757">Merge branch 'echui-gitlab-master-patch-58822' into 'master'</a></li> <li><a 
href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/157312">Update FF version info for graphql_minimal_auth_methods</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/157608">Merge branch 'correct_finalize_epics_backfilling' into '17-1-stable-ee'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/158201">Fix merge unverified changes modal showing incorrectly</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/158332">Backport 17.1: Field needs to be called Url</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/158452">Backport Release Environments notification pipeline change to 17.1</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/157381">Update dependency slack-messenger to v2.3.5</a></li> <li><a href="https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/7734">Force ffi gem to use Ruby platform gem</a></li> <li><a href="https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/7744">Fix Redis password handling with reserved characters</a></li> <li><a href="https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/7765">Pin QA CI tests to stable gitlab-org/gitlab branches</a></li> </ul> <h3 id="1704">17.0.4</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/158455">Backport Release Environments notification pipeline change to 16.11</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/158453">Backport Release Environments notification pipeline change to 17.0</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/157383">Update dependency slack-messenger to v2.3.5</a></li> <li><a href="https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/7764">Pin QA CI tests to stable gitlab-org/gitlab branches</a></li> <li><a href="https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/7745">Fix Redis password handling with reserved 
characters</a></li> </ul> <h3 id="16116">16.11.6</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/157242">Update versioning info for graphql FF</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/157451">Define the Ruby patch version to use in CI jobs in 16.11</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/158326">For 16.11: Explicitly set Omnibus and CNG Ruby version in CI</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/158459">Backport Release Environments notification pipeline change to 16.11</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/157385">Update dependency slack-messenger to v2.3.5</a></li> <li><a href="https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/7763">Pin QA CI tests to stable gitlab-org/gitlab branches</a></li> </ul> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">update page</a>. To update GitLab Runner, see the <a href="https://docs.gitlab.com/runner/install/linux-repository.html#updating-the-runner">Updating the Runner page</a>.</p> <h2 id="receive-patch-notifications">Receive Patch Notifications</h2> <p>To receive patch blog notifications delivered to your inbox, visit our <a href="https://about.gitlab.com/company/contact/">contact us</a> page. 
To receive release notifications via RSS, subscribe to our <a href="https://about.gitlab.com/security-releases.xml">patch release RSS feed</a> or our <a href="https://about.gitlab.com/all-releases.xml">RSS feed for all releases</a>.</p> <h2 id="were-combining-patch-and-security-releases">We’re combining patch and security releases</h2> <p>This improvement in our release process matches the industry standard and will help GitLab users get information about security and bug fixes sooner; <a href="https://about.gitlab.com/blog/were-combining-patch-and-security-releases/">read the blog post here</a>.</p> <h1><a href="https://about.gitlab.com/releases/2024/06/26/patch-release-gitlab-17-1-1-released/">GitLab Critical Patch Release: 17.1.1, 17.0.3, 16.11.5</a></h1> <p>Published 2024-06-26 by Nikhil George.</p> <p>Today we are releasing versions 17.1.1, 17.0.3, 16.11.5 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain important bug and security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.</p> <p>GitLab releases fixes for vulnerabilities in dedicated patch releases. There are two types of patch releases: scheduled releases, and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, you can visit our <a href="https://handbook.gitlab.com/handbook/engineering/releases/">releases handbook</a> and <a href="https://about.gitlab.com/security/faq/">security FAQ</a>. 
You can see all of GitLab release blog posts <a href="/releases/categories/releases/">here</a>.</p> <p>For security fixes, the issues detailing each vulnerability are made public on our <a href="https://gitlab.com/gitlab-org/gitlab/-/issues/?sort=created_date&amp;state=closed&amp;label_name%5B%5D=bug%3A%3Avulnerability&amp;confidential=no&amp;first_page_size=100">issue tracker</a> 30 days after the release in which they were patched.</p> <p>We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more <a href="/blog/gitlab-instance-security-best-practices/">best practices in securing your GitLab instance</a> in our blog post.</p> <h3 id="recommended-action">Recommended Action</h3> <p>We <strong>strongly recommend</strong> that all installations running a version affected by the issues described below are <strong>upgraded to the latest version as soon as possible</strong>.</p> <p>When no specific deployment type (omnibus, source code, helm chart, etc.) 
of a product is mentioned, this means all types are affected.</p> <h2 id="security-fixes">Security fixes</h2> <h3 id="table-of-security-fixes">Table of security fixes</h3> <table> <thead> <tr> <th>Title</th> <th>Severity</th> </tr> </thead> <tbody> <tr> <td><a href="#run-pipelines-as-any-user">Run pipelines as any user</a></td> <td>Critical</td> </tr> <tr> <td><a href="#stored-xss-injected-in-imported-projects-commit-notes">Stored XSS injected in imported project's commit notes</a></td> <td>High</td> </tr> <tr> <td><a href="#csrf-on-graphql-api-introspectionquery">CSRF on GraphQL API <code>IntrospectionQuery</code></a></td> <td>High</td> </tr> <tr> <td><a href="#remove-search-results-from-public-projects-with-unauthorized-repos">Remove search results from public projects with unauthorized repos</a></td> <td>High</td> </tr> <tr> <td><a href="#cross-window-forgery-in-user-application-oauth-flow">Cross window forgery in user application OAuth flow</a></td> <td>Medium</td> </tr> <tr> <td><a href="#project-maintainers-can-bypass-groups-merge-request-approval-policy">Project maintainers can bypass group's merge request approval policy</a></td> <td>Medium</td> </tr> <tr> <td><a href="#redos-via-custom-built-markdown-page">ReDoS via custom built markdown page</a></td> <td>Medium</td> </tr> <tr> <td><a href="#private-job-artifacts-can-be-accessed-by-any-user">Private job artifacts can be accessed by any user</a></td> <td>Medium</td> </tr> <tr> <td><a href="#security-fixes-for-banzai-pipeline">Security fixes for banzai pipeline</a></td> <td>Medium</td> </tr> <tr> <td><a href="#redos-in-dependency-linker">ReDoS in dependency linker</a></td> <td>Medium</td> </tr> <tr> <td><a href="#denial-of-service-using-a-crafted-openapi-file">Denial of service using a crafted OpenAPI file</a></td> <td>Medium</td> </tr> <tr> <td><a href="#merge-request-title-disclosure">Merge request title disclosure</a></td> <td>Medium</td> </tr> <tr> <td><a 
href="#access-issues-and-epics-without-having-an-sso-session">Access issues and epics without having an SSO session</a></td> <td>Medium</td> </tr> <tr> <td><a href="#non-project-member-can-promote-key-results-to-objectives">Non project member can promote key results to objectives</a></td> <td>Low</td> </tr> </tbody> </table> <h3 id="run-pipelines-as-any-user">Run pipelines as any user</h3> <p>An issue was discovered in GitLab CE/EE affecting all versions starting from 15.8 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which could allow an attacker to trigger a pipeline as another user under certain circumstances. This is a critical severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N</code>, 9.6). It is now resolved in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-5655">CVE-2024-5655</a>.</p> <p>Thanks to <a href="https://hackerone.com/ahacker1">ahacker1</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <p>Breaking changes:</p> <ol> <li>This fix changes the MR re-targeting workflow so that a pipeline will not automatically run when a merge request is automatically re-targeted due to its previous target branch being merged. Users will need to manually start a pipeline to have CI execute for their changes.</li> <li>GraphQL authentication using <code>CI_JOB_TOKEN</code> is disabled by default from 17.0.0, and backported to 17.0.3 and 16.11.5 in the current patch release. 
If access to the GraphQL API is required, please configure one of the several supported token types for authentication.</li> </ol> <p>At this time, we have not found evidence of abuse of this vulnerability on the platforms managed by GitLab, including GitLab.com and GitLab Dedicated instances.</p> <h3 id="stored-xss-injected-in-imported-projects-commit-notes">Stored XSS injected in imported project's commit notes</h3> <p>An issue was discovered in GitLab CE/EE affecting all versions starting from 16.9 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, where a stored XSS vulnerability could be imported from a project with malicious commit notes. This is a high severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N</code>, 8.7). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4901">CVE-2024-4901</a>.</p> <p>Thanks <a href="https://hackerone.com/yvvdwf">yvvdwf</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="csrf-on-graphql-api-introspectionquery">CSRF on GraphQL API <code>IntrospectionQuery</code></h3> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.1.0 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1.0 prior to 17.1.1, which allowed a CSRF attack on GitLab's GraphQL API leading to the execution of arbitrary GraphQL mutations. This is a high severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N</code>, 8.1). 
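The breaking change listed under <em>Run pipelines as any user</em> above (GraphQL authentication with <code>CI_JOB_TOKEN</code> disabled by default, backported to 17.0.3 and 16.11.5) will stop any pipeline job that calls <code>/api/graphql</code> with the job token, and the affected jobs only show it the next time they run. The scanner below is an added example, not GitLab tooling: it walks a constructed <code>.gitlab-ci.yml</code> and reports jobs whose body references both GraphQL and <code>CI_JOB_TOKEN</code>, so they can be moved to a supported token type before upgrading. It is a line-based heuristic rather than a YAML parser, so jobs pulled in through <code>include:</code>, or tokens passed through intermediate variables, are not followed; the job names and the <code>GRAPHQL_TOKEN</code> variable in the sample are invented.

```python
"""Flag .gitlab-ci.yml jobs that authenticate to the GraphQL API with CI_JOB_TOKEN."""
import re

# Top-level keys of .gitlab-ci.yml that are configuration, not jobs.
RESERVED_KEYS = {
    "stages", "variables", "include", "default", "workflow", "image",
    "services", "cache", "before_script", "after_script",
}

GRAPHQL_RE = re.compile(r"/api/graphql|\bgraphql\b", re.IGNORECASE)
JOB_TOKEN_RE = re.compile(r"\bCI_JOB_TOKEN\b")
TOP_LEVEL_KEY_RE = re.compile(r"^([A-Za-z_.][\w.-]*):")  # an unindented "key:" line


def split_jobs(ci_yaml: str) -> dict:
    """Group the lines under each unindented top-level key: {key: [lines]}.

    Line-based on purpose so it needs no YAML library; folded and literal block
    scalars (> and |) simply contribute their lines to the enclosing job.
    """
    jobs, current = {}, None
    for line in ci_yaml.splitlines():
        m = TOP_LEVEL_KEY_RE.match(line)
        if m:
            current = m.group(1)
            jobs[current] = []
        elif current is not None:
            jobs[current].append(line)
    return jobs


def find_graphql_job_token_jobs(ci_yaml: str) -> list:
    """Names of jobs (hidden .templates included) whose body references GraphQL and CI_JOB_TOKEN."""
    hits = []
    for name, lines in split_jobs(ci_yaml).items():
        if name in RESERVED_KEYS:
            continue
        body = "\n".join(lines)
        if GRAPHQL_RE.search(body) and JOB_TOKEN_RE.search(body):
            hits.append(name)
    return hits


# Constructed sample pipeline; job names and the GRAPHQL_TOKEN variable are made up.
SAMPLE_CI = """\
stages: [report]

variables:
  PROJECT_PATH: group/app

graphql_with_job_token:      # breaks once job-token GraphQL auth is disabled
  stage: report
  script:
    - >
      curl --silent --header "Authorization: Bearer $CI_JOB_TOKEN"
      --header "Content-Type: application/json"
      --data '{"query":"{ project(fullPath: \\"$PROJECT_PATH\\") { id } }"}'
      "$CI_SERVER_URL/api/graphql"

rest_with_job_token:         # REST endpoint, outside the scope of this change
  stage: report
  script:
    - curl --header "JOB-TOKEN: $CI_JOB_TOKEN" "$CI_API_V4_URL/projects/$CI_PROJECT_ID/jobs"

graphql_with_access_token:   # a supported token type, sent in the PRIVATE-TOKEN header
  stage: report
  script:
    - curl --header "PRIVATE-TOKEN: $GRAPHQL_TOKEN" --data @query.json "$CI_SERVER_URL/api/graphql"
"""

if __name__ == "__main__":
    for job in find_graphql_job_token_jobs(SAMPLE_CI):
        print(f"{job}: uses CI_JOB_TOKEN against the GraphQL API; switch to a supported token type")
```

Migrating a flagged job means minting a project or group access token with only the scopes the query needs, storing it as a masked CI/CD variable, and sending it in the <code>PRIVATE-TOKEN</code> header as the third sample job does.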
The CSRF issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4994">CVE-2024-4994</a>.</p> <p>Thanks <a href="https://hackerone.com/ahacker1">ahacker1</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="remove-search-results-from-public-projects-with-unauthorized-repos">Remove search results from public projects with unauthorized repos</h3> <p>Improper authorization in global search in GitLab EE affecting all versions from 16.11 prior to 16.11.5, 17.0 prior to 17.0.3, and 17.1 prior to 17.1.1 allowed an attacker to leak the content of a private repository in a public project. This is a high severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N</code>, 7.5). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6323">CVE-2024-6323</a>.</p> <p>Thanks to GitLab team member <a href="https://gitlab.com/joernchen">@joernchen</a> for reporting this issue.</p> <h3 id="cross-window-forgery-in-user-application-oauth-flow">Cross window forgery in user application OAuth flow</h3> <p>A Cross Window Forgery vulnerability exists within GitLab CE/EE affecting all versions from 16.3 prior to 16.11.5, 17.0 prior to 17.0.3, and 17.1 prior to 17.1.1. This condition allowed an attacker to abuse the OAuth authentication flow via a crafted payload. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N</code>, 6.8). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2177">CVE-2024-2177</a>.</p> <p>Thanks <a href="https://hackerone.com/joaxcar">joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="project-maintainers-can-bypass-groups-merge-request-approval-policy">Project maintainers can bypass group's merge request approval policy</h3> <p>An issue was discovered in GitLab CE/EE affecting all versions starting from 16.10 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allowed a project maintainer to delete the group's merge request approval policy via GraphQL. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N</code>, 6.8). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-5430">CVE-2024-5430</a>.</p> <p>Thanks <a href="https://hackerone.com/js_noob">js_noob</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="redos-via-custom-built-markdown-page">ReDoS via custom built markdown page</h3> <p>A Denial of Service (DoS) condition has been discovered in GitLab CE/EE affecting all versions starting from 7.10 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1. It was possible for an attacker to cause a denial of service using a crafted markdown page. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H</code>, 6.5). 
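This item, together with the dependency linker, gomod linker, CI interpolation and Asana integration fixes elsewhere in these releases, is a regular expression denial of service: a pattern whose backtracking grows exponentially with input length, so a request carrying a few kilobytes of crafted text can pin a worker for seconds to minutes. The example below is added for this page and is not GitLab's code; the patterns are constructed to show the class and are not taken from any GitLab parser. It pairs a catastrophic pattern with one that accepts the same language in linear time, times both on hostile input, and includes a crude nested-quantifier lint of the kind that flags the vulnerable shape.

```python
"""ReDoS: a catastrophically backtracking pattern next to an equivalent linear one."""
import re
import time

# Constructed patterns for illustration (not taken from any GitLab parser). Both accept the
# same language: a run of word characters, further runs separated by a single whitespace
# character, and at most one trailing whitespace character.
#
# VULNERABLE: the repeated group (\w+\s?)+ can split a run of n word characters between
# iterations in 2^(n-1) different ways, and the engine tries all of them before $ fails.
VULNERABLE = re.compile(r"^(\w+\s?)+$")
# SAFE: each character is consumed by exactly one alternative, so a failure backtracks O(n) steps.
SAFE = re.compile(r"^\w(?:\w|\s\w)*\s?$")

# Crude lint: a quantified group whose body contains another + or * quantifier, e.g. (a+)+.
# It has false positives (some such patterns are unambiguous) and misses other ReDoS shapes.
NESTED_QUANTIFIER = re.compile(r"\([^()]*[+*][^()]*\)[+*]")


def looks_catastrophic(pattern: str) -> bool:
    """Heuristic flag for (x+)+ / (x*)* style nesting in a pattern source string."""
    return NESTED_QUANTIFIER.search(pattern) is not None


def timed_match(regex: re.Pattern, text: str) -> tuple:
    """Return (matched, seconds) for regex.match(text)."""
    start = time.perf_counter()
    matched = regex.match(text) is not None
    return matched, time.perf_counter() - start


def hostile_input(n: int) -> str:
    """n word characters followed by one character neither pattern can consume."""
    return "a" * n + "!"


if __name__ == "__main__":
    # VULNERABLE roughly quadruples per +2 characters; SAFE stays flat.
    for n in (14, 16, 18):
        _, slow = timed_match(VULNERABLE, hostile_input(n))
        _, fast = timed_match(SAFE, hostile_input(n))
        print(f"n={n:2d}  vulnerable={slow:.3f}s  safe={fast:.6f}s")
```

The equivalent-language claim is the part worth checking when rewriting a pattern: run the old and new regexes over a corpus of accepted and rejected inputs before swapping them, since a "safe" rewrite that accepts a different language is a correctness bug rather than a fix.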
This markdown ReDoS is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4025">CVE-2024-4025</a>.</p> <p>Thanks <a href="https://hackerone.com/joaxcar">joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="private-job-artifacts-can-be-accessed-by-any-user">Private job artifacts can be accessed by any user</h3> <p>An issue was discovered in GitLab CE/EE affecting all versions starting from 16.7 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allowed private job artifacts to be accessed by any user. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N</code>, 6.5). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3959">CVE-2024-3959</a>.</p> <p>Thanks <a href="https://hackerone.com/js_noob">js_noob</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="security-fixes-for-banzai-pipeline">Security fixes for banzai pipeline</h3> <p>Multiple Denial of Service (DoS) issues have been discovered in GitLab CE/EE affecting all versions starting from 1.0 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allowed an attacker to cause resource exhaustion via the Banzai pipeline (GitLab's Markdown rendering pipeline). This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H</code>, 6.5). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4557">CVE-2024-4557</a>.</p> <p>Thanks <a href="https://hackerone.com/joaxcar">joaxcar</a> and <a href="https://hackerone.com/setiawan_">setiawan_</a> for reporting these vulnerabilities through our HackerOne bug bounty program.</p> <h3 id="redos-in-dependency-linker">ReDoS in dependency linker</h3> <p>An issue was discovered in GitLab CE/EE affecting all versions starting from 9.2 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, where the processing logic for generating links in dependency files could lead to a regular expression DoS attack on the server. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H</code>,  6.5). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-1493">CVE-2024-1493</a>.</p> <p>Thanks <a href="https://hackerone.com/joaxcar">joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="denial-of-service-using-a-crafted-openapi-file">Denial of service using a crafted OpenAPI file</h3> <p>An issue was discovered in GitLab CE/EE affecting all versions starting from 12.0 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allowed an attacker to cause a denial of service using a crafted OpenAPI file. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H</code>, 5.3). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-1816">CVE-2024-1816</a>.</p> <p>Thanks <a href="https://hackerone.com/joaxcar">joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="merge-request-title-disclosure">Merge request title disclosure</h3> <p>An issue was discovered in GitLab CE/EE affecting all versions starting from 16.9 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allowed merge request titles to be publicly visible despite being restricted to project members only. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N</code>, 5.3). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2191">CVE-2024-2191</a>.</p> <p>Thanks <a href="https://hackerone.com/ashish_r_padelkar">ashish_r_padelkar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="access-issues-and-epics-without-having-an-sso-session">Access issues and epics without having an SSO session</h3> <p>An issue was discovered in GitLab EE affecting all versions starting from 16.0 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allowed an attacker to access issues and epics through Duo Chat without having an SSO session. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 4.3). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3115">CVE-2024-3115</a>.</p> <p>Thanks <a href="https://hackerone.com/joaxcar">joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="non-project-member-can-promote-key-results-to-objectives">Non project member can promote key results to objectives</h3> <p>An issue was discovered in GitLab CE/EE affecting all versions starting from 16.1 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allowed a non-project member to promote key results to objectives. This is a low severity issue (<code>CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N</code>, 3.1). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4011">CVE-2024-4011</a>.</p> <p>Thanks <a href="https://hackerone.com/ashish_r_padelkar">ashish_r_padelkar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="bug-fixes">Bug fixes</h2> <h3 id="1711">17.1.1</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/156799">Prevent cng e2e test from running in security fork</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/157027">Only enumerate commits in pre-receive check if push came from Web</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/156968">Revert "Allow <code>admin_runner</code> ability to change shared runners setting"</a></li> </ul> <h3 id="1703">17.0.3</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/155704">Fix missing filename when downloading generic package in release page</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/156392">Update an expired test certificate</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/156424">Prevent starting 
multiple Capybara proxy servers</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/156482">Backport 3 commits for Merge Train pipelines support in 17-0-stable-ee</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/156635">Fix error when calling GQL ciConfig endpoint with include:component</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/155926">Only allow documented token types for GraphQL authentication</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/155242">Add a banner informing about token expiration</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/157026">Only enumerate commits in pre-receive check if push came from Web</a></li> <li><a href="https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/7705">Backport QA test fixes for stable branches</a></li> <li><a href="https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/7724">Merge branch 'sh-patch-inspec-gem' into 'master'</a></li> </ul> <h3 id="16115">16.11.5</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/156425">Prevent starting multiple Capybara proxy servers</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/156393">Update an expired test certificate</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/156746">Enable invert_emails_disabled_to_emails_enabled by default</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/155925">Only allow documented token types for GraphQL authentication</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/155265">Add a banner informing about token expiration</a></li> <li><a href="https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/7704">Backport QA test fixes for stable branches</a></li> </ul> <h3 id="16108">16.10.8</h3> <ul> <li><a 
href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/155266">Add a banner informing about token expiration</a></li> </ul> <h3 id="1699">16.9.9</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/155267">Add a banner informing about token expiration</a></li> </ul> <h3 id="1688">16.8.8</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/155268">Add a banner informing about token expiration</a></li> </ul> <h3 id="1678">16.7.8</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/155269">Add a banner informing about token expiration</a></li> </ul> <h3 id="1668">16.6.8</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/155270">Add a banner informing about token expiration</a></li> </ul> <h1><a href="https://about.gitlab.com/releases/2024/06/12/patch-release-gitlab-17-0-2-released/">GitLab Patch Release: 17.0.2, 16.11.4, 16.10.7</a></h1> <p>Published 2024-06-12 by Greg Myers.</p> <p>Today we are releasing versions 17.0.2, 16.11.4, 16.10.7 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain important bug and security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.</p> <p>GitLab releases fixes for vulnerabilities in dedicated patch releases. There are two types of patch releases: scheduled releases, and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, you can visit our <a href="https://handbook.gitlab.com/handbook/engineering/releases/">releases handbook</a> and <a href="https://about.gitlab.com/security/faq/">security FAQ</a>. 
You can see all of GitLab release blog posts <a href="/releases/categories/releases/">here</a>.</p> <p>For security fixes, the issues detailing each vulnerability are made public on our <a href="https://gitlab.com/gitlab-org/gitlab/-/issues/?sort=created_date&amp;state=closed&amp;label_name%5B%5D=bug%3A%3Avulnerability&amp;confidential=no&amp;first_page_size=100">issue tracker</a> 30 days after the release in which they were patched.</p> <p>We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more <a href="/blog/gitlab-instance-security-best-practices/">best practices in securing your GitLab instance</a> in our blog post.</p> <h3 id="recommended-action">Recommended Action</h3> <p>We <strong>strongly recommend</strong> that all installations running a version affected by the issues described below are <strong>upgraded to the latest version as soon as possible</strong>.</p> <p>When no specific deployment type (omnibus, source code, helm chart, etc.) 
of a product is mentioned, this means all types are affected.</p> <h2 id="security-fixes">Security fixes</h2> <h3 id="table-of-security-fixes">Table of security fixes</h3> <table> <thead> <tr> <th>Title</th> <th>Severity</th> </tr> </thead> <tbody> <tr> <td><a href="#redos-in-gomod-dependency-linker">ReDoS in gomod dependency linker</a></td> <td>Medium</td> </tr> <tr> <td><a href="#redos-in-ci-interpolation-fix-bypass">ReDoS in CI interpolation (fix bypass)</a></td> <td>Medium</td> </tr> <tr> <td><a href="#redos-in-asana-integration-issue-mapping-when-webhook-is-called">ReDoS in Asana integration issue mapping when webhook is called</a></td> <td>Medium</td> </tr> <tr> <td><a href="#xss-and-content-injection-when-viewing-raw-xhtml-files-on-ios-devices">XSS and content injection when viewing raw XHTML files on iOS devices</a></td> <td>Medium</td> </tr> <tr> <td><a href="#missing-agentk-request-validation-could-cause-kas-to-panic">Missing agentk request validation could cause KAS to panic</a></td> <td>Low</td> </tr> </tbody> </table> <h3 id="redos-in-gomod-dependency-linker">ReDoS in gomod dependency linker</h3> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.1 prior to 16.10.7, starting from 16.11 prior to 16.11.4, and starting from 17.0 prior to 17.0.2. It was possible for an attacker to cause a denial of service using a maliciously crafted file. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H</code>, 6.5). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-1495">CVE-2024-1495</a>.</p> <p>Thanks <a href="https://hackerone.com/joaxcar">joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="redos-in-ci-interpolation-fix-bypass">ReDoS in CI interpolation (fix bypass)</h3> <p>An issue has been discovered in GitLab CE/EE affecting all versions prior to 16.10.7, starting from 16.11 prior to 16.11.4, and starting from 17.0 prior to 17.0.2. A vulnerability in GitLab's CI/CD pipeline editor could allow for denial of service attacks through maliciously crafted configuration files. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H</code>, 6.5). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-1736">CVE-2024-1736</a>.</p> <p>Thanks <a href="https://hackerone.com/joaxcar">joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="redos-in-asana-integration-issue-mapping-when-webhook-is-called">ReDoS in Asana integration issue mapping when webhook is called</h3> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting from 8.4 prior to 16.10.7, starting from 16.11 prior to 16.11.4, and starting from 17.0 prior to 17.0.2. A vulnerability in GitLab's Asana integration allowed an attacker to potentially cause a regular expression denial of service by sending specially crafted requests. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H</code>, 6.5). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-1963">CVE-2024-1963</a>.</p> <p>Thanks <a href="https://hackerone.com/joaxcar">joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="xss-and-content-injection-when-viewing-raw-xhtml-files-on-ios-devices">XSS and content injection when viewing raw XHTML files on iOS devices</h3> <p>A cross-site scripting issue has been discovered in GitLab affecting all versions starting from 5.1 prior to 16.10.7, starting from 16.11 prior to 16.11.4, and starting from 17.0 prior to 17.0.2. When viewing an XML file in a repository in raw mode, it could be made to render as HTML if viewed under specific circumstances. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N</code>, 4.4). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4201">CVE-2024-4201</a>.</p> <p>Thanks <a href="https://hackerone.com/joaxcar">joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="missing-agentk-request-validation-could-cause-kas-to-panic">Missing agentk request validation could cause KAS to panic</h3> <p>A DoS in KAS (the GitLab agent server for Kubernetes) in GitLab CE/EE affecting all versions from 16.10.0 prior to 16.10.6 and from 16.11.0 prior to 16.11.3 allowed an attacker to crash KAS via crafted agentk gRPC requests. This is a low severity issue (<code>CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L</code>, 3.1). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-5469">CVE-2024-5469</a>.</p> <p>This vulnerability has been discovered internally by the Environments team.</p> <h2 id="bug-fixes">Bug fixes</h2> <h3 id="1702">17.0.2</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitaly/-/merge_requests/6996">Makefile: update Git versions (v17.0 backport)</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/154018">Update VERSION files</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/154019">Docs: Backport Dedicated AI updates</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/154505">Fix failing specs in 17-0-stable-ee</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/154624">Include headers in LfsDownloadObject</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/155385">[17.0] Deprecate support for Ubuntu 18.04</a></li> </ul> <h3 id="16114">16.11.4</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitaly/-/merge_requests/6997">Makefile: update Git versions (v16.11 backport)</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/153752">Backport 'run-release-environment-for-tag-commits' into 16.11</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/154041">Dedicated AI updates</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/153833">Speed up as-if-foss Rubocop</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/154370">Inclusion of headers in LfsDownloadObject for GitHub imports</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/154504">Fix failing specs on 16-11-stable</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/154838">Stop orphaning pages deployments on Geo secondaries on 16.11</a></li> </ul> <h3 id="16107">16.10.7</h3> <ul> 
<li><a href="https://gitlab.com/gitlab-org/gitaly/-/merge_requests/6998">Makefile: update Git versions (v16.10 backport)</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/153753">Backport 'run-release-environment-for-tag-commits' into 16.10</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/154503">Fix failing specs on 16-10-stable-ee</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/154837">Stop orphaning pages deployments on Geo secondaries on 16.10</a></li> </ul> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">update page</a>. To update GitLab Runner, see the <a href="https://docs.gitlab.com/runner/install/linux-repository.html#updating-the-runner">Updating the Runner page</a>.</p> <h2 id="receive-patch-notifications">Receive Patch Notifications</h2> <p>To receive patch blog notifications delivered to your inbox, visit our <a href="https://about.gitlab.com/company/contact/">contact us</a> page.
To receive release notifications via RSS, subscribe to our <a href="https://about.gitlab.com/security-releases.xml">patch release RSS feed</a> or our <a href="https://about.gitlab.com/all-releases.xml">RSS feed for all releases</a>.</p> <h2 id="were-combining-patch-and-security-releases">We’re combining patch and security releases</h2> <p>This improvement in our release process matches the industry standard and will help GitLab users get information about security and bug fixes sooner. <a href="https://about.gitlab.com/blog/were-combining-patch-and-security-releases/">Read the blog post here</a>.</p> GitLab Patch Release: 17.0.1, 16.11.3, 16.10.6 https://about.gitlab.com/releases/2024/05/22/patch-release-gitlab-17-0-1-released/ 2024-05-22T00:00:00+00:00 Greg Alfaro <p>Today we are releasing versions 17.0.1, 16.11.3, and 16.10.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain important bug and security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.</p> <p>GitLab releases fixes for vulnerabilities in dedicated patch releases. There are two types of patch releases: scheduled releases, and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, you can visit our <a href="https://handbook.gitlab.com/handbook/engineering/releases/">releases handbook</a> and <a href="https://about.gitlab.com/security/faq/">security FAQ</a>.
You can see all of GitLab's release blog posts <a href="/releases/categories/releases/">here</a>.</p> <p>For security fixes, the issues detailing each vulnerability are made public on our <a href="https://gitlab.com/gitlab-org/gitlab/-/issues/?sort=created_date&amp;state=closed&amp;label_name%5B%5D=bug%3A%3Avulnerability&amp;confidential=no&amp;first_page_size=100">issue tracker</a> 30 days after the release in which they were patched.</p> <p>We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more <a href="/blog/gitlab-instance-security-best-practices/">best practices in securing your GitLab instance</a> in our blog post.</p> <h3 id="recommended-action">Recommended Action</h3> <p>We <strong>strongly recommend</strong> that all installations running a version affected by the issues described below are <strong>upgraded to the latest version as soon as possible</strong>.</p> <p>When no specific deployment type (omnibus, source code, helm chart, etc.)
of a product is mentioned, this means all types are affected.</p> <h2 id="security-fixes">Security fixes</h2> <h3 id="table-of-security-fixes">Table of security fixes</h3> <table> <thead> <tr> <th>Title</th> <th>Severity</th> </tr> </thead> <tbody> <tr> <td><a href="#1-click-account-takeover-via-xss-leveraging-the-vs-code-editor-web-ide">1-click account takeover via XSS leveraging the VS code editor (Web IDE)</a></td> <td>High</td> </tr> <tr> <td><a href="#a-dos-vulnerability-in-the-description-field-of-the-runner">A DOS vulnerability in the 'description' field of the runner</a></td> <td>Medium</td> </tr> <tr> <td><a href="#csrf-via-k8s-cluster-integration">CSRF via K8s cluster-integration</a></td> <td>Medium</td> </tr> <tr> <td><a href="#using-set-pipeline-status-of-a-commit-api-incorrectly-create-a-new-pipeline-when-sha-and-pipeline_id-did-not-match">Using Set Pipeline Status of a Commit API incorrectly create a new pipeline when SHA and pipeline_id did not match</a></td> <td>Medium</td> </tr> <tr> <td><a href="#redos-on-wiki-render-apipage">Redos on wiki render API/Page</a></td> <td>Medium</td> </tr> <tr> <td><a href="#resource-exhaustion-and-denial-of-service-with-test_report-api-calls">Resource exhaustion and denial of service with test_report API calls</a></td> <td>Medium</td> </tr> <tr> <td><a href="#guest-user-can-view-dependency-lists-of-private-projects-through-job-artifacts">Guest user can view dependency lists of private projects through job artifacts</a></td> <td>Medium</td> </tr> </tbody> </table> <h3 id="1-click-account-takeover-via-xss-leveraging-the-vs-code-editor-web-ide">1-click account takeover via XSS leveraging the VS code editor (Web IDE)</h3> <p>An XSS condition exists within GitLab in versions 15.11 before 16.10.6, 16.11 before 16.11.3, and 17.0 before 17.0.1. By leveraging this condition, an attacker can craft a malicious page to exfiltrate sensitive user information.
This is a high severity issue (<code>CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N</code>, 8.0). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4835">CVE-2024-4835</a>.</p> <p>Thanks <a href="https://hackerone.com/matanber">matanber</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="a-dos-vulnerability-in-the-description-field-of-the-runner">A DOS vulnerability in the 'description' field of the runner</h3> <p>An issue has been discovered in GitLab CE/EE affecting all versions up to 16.10.6, versions 16.11 up to 16.11.3, and 17.0 up to 17.0.1. A runner registered with a crafted description has the potential to disrupt the loading of targeted GitLab web resources. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H</code>, 6.5). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2874">CVE-2024-2874</a>.</p> <p>Thanks <a href="https://hackerone.com/ac7n0w">ac7n0w</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="csrf-via-k8s-cluster-integration">CSRF via K8s cluster-integration</h3> <p>A CSRF vulnerability exists within GitLab CE/EE from versions 16.3 up to 16.10.6, from 16.11 up to 16.11.3, from 17.0 up to 17.0.1. By leveraging this vulnerability, an attacker could exfiltrate anti-CSRF tokens via the Kubernetes Agent Server (KAS). This is a medium severity issue (<code>AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N</code>, 5.4).
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-7045">CVE-2023-7045</a>.</p> <p>Thanks <a href="https://hackerone.com/imrerad">imrerad</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="using-set-pipeline-status-of-a-commit-api-incorrectly-create-a-new-pipeline-when-sha-and-pipeline_id-did-not-match">Using Set Pipeline Status of a Commit API incorrectly create a new pipeline when SHA and pipeline_id did not match</h3> <p>An authorization vulnerability exists within GitLab from versions 16.10 up to 16.10.6, 16.11 up to 16.11.3, and 17.0 up to 17.0.1 where an authenticated attacker could utilize a crafted naming convention to bypass pipeline authorization logic. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N</code>, 4.4). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-5258">CVE-2024-5258</a>.</p> <p>Thanks to GitLab Team Member, Andrew Winata for reporting this issue.</p> <h3 id="redos-on-wiki-render-apipage">Redos on wiki render API/Page</h3> <p>A Denial of Service (DoS) condition has been discovered in GitLab CE/EE affecting all versions before 16.10.6, version 16.11 before 16.11.3, and 17.0 before 17.0.1. It is possible for an attacker to cause a denial of service using a crafted wiki page. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L</code>, 4.3).
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6502">CVE-2023-6502</a>.</p> <p>Thanks <code>Anonymizer</code> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="resource-exhaustion-and-denial-of-service-with-test_report-api-calls">Resource exhaustion and denial of service with test_report API calls</h3> <p>A denial of service (DoS) condition was discovered in GitLab CE/EE affecting all versions from 13.2.4 up to 16.10.6, 16.11 up to 16.11.3, and 17.0 up to 17.0.1. By leveraging this vulnerability an attacker could create a DoS condition by sending crafted API calls. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L</code>, 4.3). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-1947">CVE-2024-1947</a>.</p> <p>Thanks <a href="https://hackerone.com/luryus">luryus</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="guest-user-can-view-dependency-lists-of-private-projects-through-job-artifacts">Guest user can view dependency lists of private projects through job artifacts</h3> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.11 prior to 16.10.6, starting from 16.11 prior to 16.11.3, and starting from 17.0 prior to 17.0.1. A Guest user can view dependency lists of private projects through job artifacts. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 4.3). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-5318">CVE-2024-5318</a>.</p> <p>Thanks <a href="https://hackerone.com/ricardobrito">ricardobrito</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="stored-xss-via-pdfjs">Stored XSS via PDFjs</h3> <p>Mitigations were made to address the vulnerability in PDF.js tracked as <a href="https://nvd.nist.gov/vuln/detail/CVE-2024-4367">CVE-2024-4367</a>.</p> <p>Thanks <a href="https://hackerone.com/h4x0r_dz">h4x0r_dz</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="mattermost-security-updates-april-25th-2024">Mattermost Security Updates April 25th, 2024</h3> <p>Mattermost has been updated to version 9.7.2, which contains several patches and security fixes.</p> <h2 id="bug-fixes">Bug fixes</h2> <h3 id="1701">17.0.1</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitaly/-/merge_requests/6922">Makefile: update Git versions (v17.0 backport)</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/153144">Merge branch 'rymai-master-patch-5345' into 'master'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/153330">Don't fail so loudly if default work item type is invalid</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/152962">[17.0 backport] Project transfer fix for ES indexing</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/153304">Ensure BLPOP/BRPOP returns nil instead of raising ReadTimeoutError</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/153574">[17-0] Fix Sidekiq migration timeout</a></li> </ul> <h3 id="16113">16.11.3</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitaly/-/merge_requests/6919">Makefile: update Git versions (v16.11 backport)</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/152328">Revert removal of
bitbucket_server_convert_mentions_to_users FF</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/152915">Cherry pick print-out-release-environment-variables to 16.11</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/152891">[16-11] Fix Sidekiq migration timeout</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/153146">Merge branch 'rymai-master-patch-5345' into 'master'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/153302">Ensure BLPOP/BRPOP returns nil instead of raising ReadTimeoutError</a></li> <li><a href="https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/7602">Draft: Update changelog for 16.11.0</a></li> <li><a href="https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/7586">BACKPORT-16-11-stable: Use bundler to install Omnibus gems</a></li> </ul> <h3 id="16106">16.10.6</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitaly/-/merge_requests/6920">Makefile: update Git versions (v16.10 backport)</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/152248">Revert "Remove bitbucket_server_convert_mentions_to_users feature flag"</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/152916">Cherry pick print-out-release-environment-variables to 16.10</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/153147">Merge branch 'rymai-master-patch-5345' into 'master'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/153301">Ensure BLPOP/BRPOP returns nil instead of raising ReadTimeoutError</a></li> <li><a href="https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/7585">BACKPORT-16-10-stable: Use bundler to install Omnibus gems</a></li> </ul>
GitLab Patch Release: 16.11.2, 16.10.5, 16.9.7 https://about.gitlab.com/releases/2024/05/08/patch-release-gitlab-16-11-2-released/ 2024-05-08T00:00:00+00:00 Rohit Shambhuni <p>Today we are releasing versions 16.11.2, 16.10.5, 16.9.7 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain important bug and security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.</p> <p>GitLab releases fixes for vulnerabilities in dedicated patch releases.
There are two types of patch releases: scheduled releases, and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, you can visit our <a href="https://handbook.gitlab.com/handbook/engineering/releases/">releases handbook</a> and <a href="https://about.gitlab.com/security/faq/">security FAQ</a>. You can see all of GitLab's release blog posts <a href="/releases/categories/releases/">here</a>.</p> <p>For security fixes, the issues detailing each vulnerability are made public on our <a href="https://gitlab.com/gitlab-org/gitlab/-/issues/?sort=created_date&amp;state=closed&amp;label_name%5B%5D=bug%3A%3Avulnerability&amp;confidential=no&amp;first_page_size=100">issue tracker</a> 30 days after the release in which they were patched.</p> <p>We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more <a href="/blog/gitlab-instance-security-best-practices/">best practices in securing your GitLab instance</a> in our blog post.</p> <h3 id="recommended-action">Recommended Action</h3> <p>We <strong>strongly recommend</strong> that all installations running a version affected by the issues described below are <strong>upgraded to the latest version as soon as possible</strong>.</p> <p>When no specific deployment type (omnibus, source code, helm chart, etc.)
of a product is mentioned, this means all types are affected.</p> <h2 id="security-fixes">Security fixes</h2> <h3 id="table-of-security-fixes">Table of security fixes</h3> <table> <thead> <tr> <th>Title</th> <th>Severity</th> </tr> </thead> <tbody> <tr> <td><a href="#redos-in-branch-search-when-using-wildcards">ReDoS in branch search when using wildcards</a></td> <td>High</td> </tr> <tr> <td><a href="#redos-in-markdown-render-pipeline">ReDoS in markdown render pipeline</a></td> <td>Medium</td> </tr> <tr> <td><a href="#redos-on-discord-integrations">Redos on Discord integrations</a></td> <td>Medium</td> </tr> <tr> <td><a href="#redos-on-google-chat-integration">Redos on Google Chat Integration</a></td> <td>Medium</td> </tr> <tr> <td><a href="#denial-of-service-attack-via-pin-menu">Denial of Service Attack via Pin Menu</a></td> <td>Medium</td> </tr> <tr> <td><a href="#dos-by-filtering-tags-and-branches-via-the-api">DoS by filtering tags and branches via the API</a></td> <td>Medium</td> </tr> <tr> <td><a href="#mr-approval-via-csrf-in-saml-sso">MR approval via CSRF in SAML SSO</a></td> <td>Medium</td> </tr> <tr> <td><a href="#banned-user-from-groups-can-read-issues-updates-via-the-api">Banned user from groups can read issues updates via the api</a></td> <td>Medium</td> </tr> <tr> <td><a href="#require-confirmation-before-linking-jwt-identity">Require confirmation before linking JWT identity</a></td> <td>Medium</td> </tr> <tr> <td><a href="#view-confidential-issues-title-and-description-of-any-public-project-via-export">View confidential issues title and description of any public project via export</a></td> <td>Medium</td> </tr> <tr> <td><a href="#ssrf-via-github-importer">SSRF via Github importer</a></td> <td>Low</td> </tr> </tbody> </table> <h3 id="redos-in-branch-search-when-using-wildcards">ReDoS in branch search when using wildcards</h3> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.7 prior to 16.9.7, starting from 16.10
prior to 16.10.5, and starting from 16.11 prior to 16.11.2. It was possible for an attacker to cause a denial of service by crafting unusual search terms for branch names. This is a high severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</code>, 7.5). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2878">CVE-2024-2878</a>.</p> <p>Thanks <a href="https://hackerone.com/joaxcar">joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="redos-in-markdown-render-pipeline">ReDoS in markdown render pipeline</h3> <p>An issue has been discovered in GitLab CE/EE affecting all versions before 16.9.7, all versions starting from 16.10 before 16.10.5, all versions starting from 16.11 before 16.11.2. It was possible for an attacker to cause a denial of service using maliciously crafted markdown content. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H</code>, 6.5). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2651">CVE-2024-2651</a>.</p> <p>Thanks <a href="https://hackerone.com/joaxcar">joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="redos-on-discord-integrations">Redos on Discord integrations</h3> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.9 prior to 16.9.7, starting from 16.10 prior to 16.10.5, and starting from 16.11 prior to 16.11.2. A problem with the processing logic for Discord Integrations Chat Messages can lead to a regular expression DoS attack on the server. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H</code>, 6.5). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6682">CVE-2023-6682</a>.</p> <p>Thanks to <code>Anonymizer</code> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="redos-on-google-chat-integration">Redos on Google Chat Integration</h3> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.11 prior to 16.11.2. A problem with the processing logic for Google Chat Messages integration may lead to a regular expression DoS attack on the server. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H</code>, 6.5). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6688">CVE-2023-6688</a>.</p> <p>Thanks to <code>Anonymizer</code> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="denial-of-service-attack-via-pin-menu">Denial of Service Attack via Pin Menu</h3> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.11 prior to 16.9.7, starting from 16.10 prior to 16.10.5, and starting from 16.11 prior to 16.11.2. The pins endpoint is susceptible to DoS through a crafted request. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H</code>, 6.5). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2454">CVE-2024-2454</a>.</p> <p>Thanks <a href="https://hackerone.com/ac7n0w">ac7n0w</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="dos-by-filtering-tags-and-branches-via-the-api">DoS by filtering tags and branches via the API</h3> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.4 prior to 16.9.7, starting from 16.10 prior to 16.10.5, and starting from 16.11 prior to 16.11.2 where abusing the API to filter branches and tags could lead to Denial of Service. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L</code>, 4.3). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4539">CVE-2024-4539</a>.</p> <p>This vulnerability was reported internally by GitLab team member <a href="https://gitlab.com/vyaklushin">Vasilii Iakliushin</a>.</p> <h3 id="mr-approval-via-csrf-in-saml-sso">MR approval via CSRF in SAML SSO</h3> <p>An issue has been discovered in GitLab EE affecting all versions from 16.7 before 16.9.7, all versions starting from 16.10 before 16.10.5, all versions starting from 16.11 before 16.11.2. An attacker could force a user with an active SAML session to approve an MR via CSRF. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N</code>, 5.7).
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4597">CVE-2024-4597</a>.</p> <p>This vulnerability was reported internally by GitLab team member <a href="https://gitlab.com/joernchen">joernchen</a>.</p> <h3 id="banned-user-from-groups-can-read-issues-updates-via-the-api">Banned user from groups can read issues updates via the api</h3> <p>An issue has been discovered in GitLab EE affecting all versions starting from 15.2 prior to 16.9.7, starting from 16.10 prior to 16.10.5, and starting from 16.11 prior to 16.11.2. It was possible to disclose updates to issues to a banned group member using the API. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-1539">CVE-2024-1539</a>.</p> <p>Thanks <a href="https://hackerone.com/ashish_r_padelkar">ashish_r_padelkar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="require-confirmation-before-linking-jwt-identity">Require confirmation before linking JWT identity</h3> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.6 prior to 16.9.7, starting from 16.10 prior to 16.10.5, and starting from 16.11 prior to 16.11.2 in which cross-site request forgery may have been possible on GitLab instances configured to use JWT as an OmniAuth provider. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N</code>, 6.4).
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-1211">CVE-2024-1211</a>.</p> <p>Thanks <a href="https://hackerone.com/sim4n6">sim4n6</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="view-confidential-issues-title-and-description-of-any-public-project-via-export">View confidential issues title and description of any public project via export</h3> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting from 14.0 prior to 16.9.7, starting from 16.10 prior to 16.10.5, and starting from 16.11 prior to 16.11.2. It was possible to disclose, via the UI, the title and description of confidential issues in a public project to unauthorised instance users. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N</code>, 6.5). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3976">CVE-2024-3976</a>.</p> <p>Thanks <a href="https://hackerone.com/ahacker1">ahacker1</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="ssrf-via-github-importer">SSRF via Github importer</h3> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.5 prior to 16.9.7, starting from 16.10 prior to 16.10.5, and starting from 16.11 prior to 16.11.2. GitLab was vulnerable to Server Side Request Forgery when an attacker uses a malicious URL in the markdown image value when importing a GitHub repository. This is a low severity issue (<code>CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N</code>, 2.6).
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6195">CVE-2023-6195</a>.</p> <p>Thanks <a href="https://hackerone.com/imrerad">imrerad</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="bug-fixes">Bug fixes</h2> <h3 id="16112">16.11.2</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitaly/-/merge_requests/6888">ci: Remove license scanning job (16.11)</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/150488">Backport 'Zoekt: Fix exact search mode' into 16.11</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/150600">Return or display Gitlab version if GITLAB_KAS_VERSION is a SHA</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/151040">Allow self-managed instances to require licensed seats for Duo Chat</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/151533">Merge branch 'release-environment-notification' into '16-11-stable-ee'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/151526">Changed the email validation for only encoded chars</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/151547">Backport 'hide archived filter in search when project selected' 16.11</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/151884">Cherry-pick MR 151750 into '16-11-stable-ee'</a></li> <li><a href="https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/7571">Fix reconfigure failure if Redis node has Rails Sentinel config</a></li> </ul> <h3 id="16105">16.10.5</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitaly/-/merge_requests/6887">ci: Remove license scanning job (16.10)</a></li> <li><a href="https://gitlab.com/gitlab-org/gitaly/-/merge_requests/6890">Upgrade gRPC to v1.62.1</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/150602">Return or 
display Gitlab version if GITLAB_KAS_VERSION is a SHA</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/151535">Merge branch 'release-environment-notification' into '16-10-stable-ee'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/151529">Changed the email validation for only encoded chars</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/151904">Cherry-pick MR 151750 into '16-10-stable-ee'</a></li> </ul> <h3 id="1697">16.9.7</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitaly/-/merge_requests/6886">ci: Remove license scanning job (16.9)</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/150605">Return or display Gitlab version if GITLAB_KAS_VERSION is a SHA</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/151539">Merge branch 'release-environment-notification' into 'master'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/151530">Changed the email validation for only encoded chars</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/151908">Cherry-pick MR 151750 into '16-9-stable-ee'</a></li> </ul> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">update page</a>. To update GitLab Runner, see the <a href="https://docs.gitlab.com/runner/install/linux-repository.html#updating-the-runner">Updating the Runner page</a>.</p> <h2 id="receive-patch-notifications">Receive Patch Notifications</h2> <p>To receive patch blog notifications delivered to your inbox, visit our <a href="https://about.gitlab.com/company/contact/">contact us</a> page. 
To receive release notifications via RSS, subscribe to our <a href="https://about.gitlab.com/security-releases.xml">patch release RSS feed</a> or our <a href="https://about.gitlab.com/all-releases.xml">RSS feed for all releases</a>.</p> <h2 id="were-combining-patch-and-security-releases">We’re combining patch and security releases</h2> <p>This improvement in our release process matches the industry standard and will help GitLab users get information about security and bug fixes sooner; <a href="https://about.gitlab.com/blog/were-combining-patch-and-security-releases/">read the blog post here</a>.</p>
GitLab Patch Release: 16.11.1, 16.10.4, 16.9.6 https://about.gitlab.com/releases/2024/04/24/patch-release-gitlab-16-11-1-released/ 2024-04-24T00:00:00+00:00 2024-04-24T00:00:00+00:00 Costel Maxim
<p>Today we are releasing versions 16.11.1, 16.10.4, 16.9.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain important bug and security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.</p> <p>GitLab releases fixes for vulnerabilities in dedicated patch releases. There are two types of patch releases: scheduled releases, and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, you can visit our <a href="https://handbook.gitlab.com/handbook/engineering/releases/">releases handbook</a> and <a href="https://about.gitlab.com/security/faq/">security FAQ</a>. 
You can see all of GitLab's release blog posts <a href="/releases/categories/releases/">here</a>.</p> <p>For security fixes, the issues detailing each vulnerability are made public on our <a href="https://gitlab.com/gitlab-org/gitlab/-/issues/?sort=created_date&amp;state=closed&amp;label_name%5B%5D=bug%3A%3Avulnerability&amp;confidential=no&amp;first_page_size=100">issue tracker</a> 30 days after the release in which they were patched.</p> <p>We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more <a href="/blog/gitlab-instance-security-best-practices/">best practices in securing your GitLab instance</a> in our blog post.</p> <h3 id="recommended-action">Recommended Action</h3> <p>We <strong>strongly recommend</strong> that all installations running a version affected by the issues described below are <strong>upgraded to the latest version as soon as possible</strong>.</p> <p>When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.</p> <h4 id="accidental-breaking-changes-in-kas-configuration">Accidental breaking changes in KAS configuration</h4> <p>The following KAS patch releases contain breaking changes from the %17.0 revision, because they were tagged from the wrong source (master instead of the stable branches):</p> <ul> <li>v16.11.1</li> <li>v16.10.4</li> <li>v16.9.6</li> </ul> <p>The next GitLab patch release will fix those changes. <a href="https://gitlab.com/gitlab-org/gitlab/-/issues/458462">Issue 458462</a> provides more information.</p> <p>As a workaround, KAS can be downgraded to the last working release. 
Working KAS versions are:</p> <ul> <li>v16.11.0</li> <li>v16.10.1</li> <li>v16.9.3</li> </ul> <h2 id="security-fixes">Security fixes</h2> <h3 id="table-of-security-fixes">Table of security fixes</h3> <table> <thead> <tr> <th>Title</th> <th>Severity</th> </tr> </thead> <tbody> <tr> <td><a href="#gitlab-account-takeover-under-certain-conditions-when-using-bitbucket-as-an-oauth-provider">GitLab account takeover, under certain conditions, when using Bitbucket as an OAuth provider</a></td> <td>High</td> </tr> <tr> <td><a href="#path-traversal-leads-to-dos-and-restricted-file-read">Path Traversal leads to DoS and Restricted File Read</a></td> <td>High</td> </tr> <tr> <td><a href="#unauthenticated-redos-in-filefinder-when-using-wildcard-filters-in-project-file-search">Unauthenticated ReDoS in FileFinder when using wildcard filters in project file search</a></td> <td>High</td> </tr> <tr> <td><a href="#personal-access-token-scopes-not-honoured-by-graphql-subscriptions">Personal Access Token scopes not honoured by GraphQL subscriptions</a></td> <td>Medium</td> </tr> <tr> <td><a href="#domain-based-restrictions-bypass-using-a-crafted-email-address">Domain based restrictions bypass using a crafted email address</a></td> <td>Medium</td> </tr> </tbody> </table> <h3 id="gitlab-account-takeover-under-certain-conditions-when-using-bitbucket-as-an-oauth-provider">GitLab account takeover, under certain conditions, when using Bitbucket as an OAuth provider</h3> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting from 7.8 before 16.9.6, all versions starting from 16.10 before 16.10.4, all versions starting from 16.11 before 16.11.1. Under certain conditions, an attacker with their Bitbucket account credentials may be able to take over a GitLab account linked to another user's Bitbucket account, if Bitbucket is used as an OAuth 2.0 provider on GitLab. This is a high severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N</code>, 7.3). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4024">CVE-2024-4024</a>.</p> <p>This vulnerability has been discovered internally by GitLab team members <a href="https://gitlab.com/SamWord">Sam Word</a> and <a href="https://gitlab.com/rodrigo.tomonari">Rodrigo Tomonari</a>.</p> <p>On 2024-04-24, GitLab changed the way Bitbucket authentication works with GitLab. To continue using Bitbucket authentication, please sign in to GitLab with your Bitbucket account credentials before 2024-05-16.</p> <p>If you do not sign in to GitLab using your Bitbucket account before 2024-05-16, you will need to <a href="https://docs.gitlab.com/ee/user/profile/#sign-in-services">re-link your Bitbucket account</a> to your GitLab account manually. For some users, signing in to GitLab using their Bitbucket account may not work after this fix is applied. If this happens to you, your Bitbucket and GitLab accounts have different email addresses. To resolve this, you must log in to your GitLab account with your GitLab username and password and <a href="https://docs.gitlab.com/ee/user/profile/#sign-in-services">re-link your Bitbucket account</a>.</p> <h3 id="path-traversal-leads-to-dos-and-restricted-file-read">Path Traversal leads to DoS and Restricted File Read</h3> <p>An issue has been discovered in GitLab affecting all versions of GitLab CE/EE 16.9 prior to 16.9.6, 16.10 prior to 16.10.4, and 16.11 prior to 16.11.1 where path traversal could lead to DoS and restricted file read. This is a high severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:H</code>, 8.5). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2434">CVE-2024-2434</a>.</p> <p>Thanks <a href="https://hackerone.com/pwnie">pwnie</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="unauthenticated-redos-in-filefinder-when-using-wildcard-filters-in-project-file-search">Unauthenticated ReDoS in FileFinder when using wildcard filters in project file search</h3> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.5 before 16.9.6, all versions starting from 16.10 before 16.10.4, all versions starting from 16.11 before 16.11.1. A crafted wildcard filter in FileFinder may lead to a denial of service. This is a high severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</code>, 7.5). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2829">CVE-2024-2829</a>.</p> <p>Thanks <a href="https://hackerone.com/joaxcar">joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="personal-access-token-scopes-not-honoured-by-graphql-subscriptions">Personal Access Token scopes not honoured by GraphQL subscriptions</h3> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.7 before 16.9.6, all versions starting from 16.10 before 16.10.4, all versions starting from 16.11 before 16.11.1 where personal access token scopes were not honoured by GraphQL subscriptions. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 4.3). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4006">CVE-2024-4006</a>.</p> <p>This vulnerability was internally discovered and reported by a GitLab team member, <a href="https://gitlab.com/DylanGriffith">Dylan Griffith</a>.</p> <h3 id="domain-based-restrictions-bypass-using-a-crafted-email-address">Domain based restrictions bypass using a crafted email address</h3> <p>An issue has been discovered in GitLab CE/EE affecting all versions before 16.9.6, all versions starting from 16.10 before 16.10.4, all versions starting from 16.11 before 16.11.1. Under certain conditions, an attacker may be able to use a crafted email address to bypass domain-based restrictions on an instance or a group. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-1347">CVE-2024-1347</a>.</p> <p>Thanks <a href="https://hackerone.com/garethheyes">garethheyes</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="bug-fixes">Bug fixes</h2> <h3 id="16111">16.11.1</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/150027">Backport fixing release environment pipeline triggering rule to 16.11</a></li> <li><a href="https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/7556">Fix for missing branch_build_package_download_url</a></li> <li><a href="https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/7559">Fix missing arguments when PostgreSQL upgrade times out</a></li> </ul> <h3 id="16104">16.10.4</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitaly/-/merge_requests/6825">go.mod: Update <code>golang.org/x/net</code> dependency</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/149253">Update vulnerability_reads scanner in the ingestion 
pipeline</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/149810">Fix migration error when updating from GitLab 16.x to 16.10</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/150029">Backport fixing release environment pipeline triggering rule to 16.10</a></li> </ul> <h3 id="1696">16.9.6</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/150030">Backport fixing release environment pipeline triggering rule to 16.9</a></li> </ul> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">update page</a>. To update GitLab Runner, see the <a href="https://docs.gitlab.com/runner/install/linux-repository.html#updating-the-runner">Updating the Runner page</a>.</p> <h2 id="receive-patch-notifications">Receive Patch Notifications</h2> <p>To receive patch blog notifications delivered to your inbox, visit our <a href="https://about.gitlab.com/company/contact/">contact us</a> page. To receive release notifications via RSS, subscribe to our <a href="https://about.gitlab.com/security-releases.xml">patch release RSS feed</a> or our <a href="https://about.gitlab.com/all-releases.xml">RSS feed for all releases</a>.</p> <h2 id="were-combining-patch-and-security-releases">We’re combining patch and security releases</h2> <p>This improvement in our release process matches the industry standard and will help GitLab users get information about security and bug fixes sooner; <a href="https://about.gitlab.com/blog/were-combining-patch-and-security-releases/">read the blog post here</a>.</p>
GitLab Patch Release: 16.10.2, 16.9.4, 16.8.6 https://about.gitlab.com/releases/2024/04/10/patch-release-gitlab-16-10-2-released/ 2024-04-10T00:00:00+00:00 2024-04-10T00:00:00+00:00 Greg Alfaro
<p>Today we are releasing versions 16.10.2, 16.9.4, 16.8.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain important bug and security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.</p> <p>GitLab releases fixes for vulnerabilities in dedicated patch releases. There are two types of patch releases: scheduled releases, and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, you can visit our <a href="https://handbook.gitlab.com/handbook/engineering/releases/">releases handbook</a> and <a href="https://about.gitlab.com/security/faq/">security FAQ</a>. You can see all of GitLab's release blog posts <a href="/releases/categories/releases/">here</a>.</p> <p>For security fixes, the issues detailing each vulnerability are made public on our <a href="https://gitlab.com/gitlab-org/gitlab/-/issues/?sort=created_date&amp;state=closed&amp;label_name%5B%5D=bug%3A%3Avulnerability&amp;confidential=no&amp;first_page_size=100">issue tracker</a> 30 days after the release in which they were patched.</p> <p>We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. 
You can read more <a href="/blog/gitlab-instance-security-best-practices/">best practices in securing your GitLab instance</a> in our blog post.</p> <h3 id="recommended-action">Recommended Action</h3> <p>We <strong>strongly recommend</strong> that all installations running a version affected by the issues described below are <strong>upgraded to the latest version as soon as possible</strong>.</p> <p>When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.</p> <h2 id="security-fixes">Security fixes</h2> <h3 id="table-of-security-fixes">Table of security fixes</h3> <table> <thead> <tr> <th>Title</th> <th>Severity</th> </tr> </thead> <tbody> <tr> <td><a href="#stored-xss-injected-in-diff-viewer">Stored XSS injected in diff viewer</a></td> <td>High</td> </tr> <tr> <td><a href="#stored-xss-via-autocomplete-results">Stored XSS via autocomplete results</a></td> <td>High</td> </tr> <tr> <td><a href="#redos-on-integrations-chat-messages">ReDoS on Integrations Chat Messages</a></td> <td>Medium</td> </tr> <tr> <td><a href="#redos-during-parse-junit-test-report">ReDoS During Parse JUnit Test Report</a></td> <td>Medium</td> </tr> </tbody> </table> <h3 id="stored-xss-injected-in-diff-viewer">Stored XSS injected in diff viewer</h3> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.9 before 16.9.4, all versions starting from 16.10 before 16.10.2. A payload may lead to a stored XSS while using the diff viewer, allowing attackers to perform arbitrary actions on behalf of victims. This is a high severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N</code>, 8.7). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3092">CVE-2024-3092</a>.</p> <p>Thanks <a href="https://hackerone.com/yvvdwf">yvvdwf</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="stored-xss-via-autocomplete-results">Stored XSS via autocomplete results</h3> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.7 to 16.8.6, all versions starting from 16.9 before 16.9.4, all versions starting from 16.10 before 16.10.2. Using the autocomplete feature for issue references, a crafted payload may lead to a stored XSS, allowing attackers to perform arbitrary actions on behalf of victims. This is a high severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N</code>, 8.7). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2279">CVE-2024-2279</a>.</p> <p>Thanks <a href="https://hackerone.com/yvvdwf">yvvdwf</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="redos-on-integrations-chat-messages">ReDoS on Integrations Chat Messages</h3> <p>A denial of service vulnerability was identified in GitLab CE/EE, versions 16.7.7 prior to 16.8.6, 16.9 prior to 16.9.4 and 16.10 prior to 16.10.2, which allows an attacker to spike the GitLab instance's resource usage via the chat integration feature, resulting in service degradation. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L</code>, 4.3). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6489">CVE-2023-6489</a>.</p> <p>Thanks <code>Anonymizer</code> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="redos-during-parse-junit-test-report">ReDoS During Parse JUnit Test Report</h3> <p>An issue has been discovered in GitLab EE affecting all versions before 16.8.6, all versions starting from 16.9 before 16.9.4, all versions starting from 16.10 before 16.10.2. It was possible for an attacker to cause a denial of service using maliciously crafted content in a JUnit test report file. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L</code>, 4.3). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6678">CVE-2023-6678</a>.</p> <p>Thanks <code>Anonymizer</code> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="bug-fixes">Bug fixes</h2> <h3 id="16102">16.10.2</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/147975">Quarantine flaky atomic processing ResetSkippedJobsService specs</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/148103">Fix include_optional_metrics_in_service_ping during migration to 16.10</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/148227">Use alpine:latest instead of alpine:edge in CI images [16.10]</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/147937">[16.10] Backport Delete callback should use namespace_id</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/148417">[16.10] Backport handle null owner when indexing projects</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/147942">Backport Zoekt: Retry indexing if too many requests to 16.10</a></li> <li><a 
href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/148687">Backport https://gitlab.com/gitlab-org/gitlab/-/merge_requests/148596</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/148663">Fix URL validator for mirror services when using localhost</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/148571">Backport !148105 into 16.10</a></li> <li><a href="https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/7503">Cherry-pick 'fix-omnibus-gitconfig-deprecation' into '16-10-stable'</a></li> </ul> <h3 id="1694">16.9.4</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/147985">Quarantine flaky atomic processing ResetSkippedJobsService specs</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/148229">Use alpine:latest instead of alpine:edge in CI images [16.9]</a></li> </ul> <h3 id="1686">16.8.6</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/147986">Quarantine flaky atomic processing ResetSkippedJobsService specs</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/148231">Use alpine:latest instead of alpine:edge in CI images [16.8]</a></li> </ul> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">update page</a>. To update GitLab Runner, see the <a href="https://docs.gitlab.com/runner/install/linux-repository.html#updating-the-runner">Updating the Runner page</a>.</p> <h2 id="receive-patch-notifications">Receive Patch Notifications</h2> <p>To receive patch blog notifications delivered to your inbox, visit our <a href="https://about.gitlab.com/company/contact/">contact us</a> page. 
To receive release notifications via RSS, subscribe to our <a href="https://about.gitlab.com/security-releases.xml">patch release RSS feed</a> or our <a href="https://about.gitlab.com/all-releases.xml">RSS feed for all releases</a>.</p> <h2 id="were-combining-patch-and-security-releases">We’re combining patch and security releases</h2> <p>This improvement in our release process matches the industry standard and will help GitLab users get information about security and bug fixes sooner; <a href="https://about.gitlab.com/blog/were-combining-patch-and-security-releases/">read the blog post here</a>.</p>
GitLab Security Release: 16.10.1, 16.9.3, 16.8.5 https://about.gitlab.com/releases/2024/03/27/security-release-gitlab-16-10-1-released/ 2024-03-27T00:00:00+00:00 2024-03-27T00:00:00+00:00 Kevin Morrison
<p>Today we are releasing versions 16.10.1, 16.9.3, 16.8.5 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.</p> <p>GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 3rd Thursday of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our <a href="https://about.gitlab.com/security/faq/">security FAQ</a>. You can see all of our regular and security release blog posts <a href="/releases/categories/releases/">here</a>. 
In addition, the issues detailing each vulnerability are made public on our <a href="https://gitlab.com/gitlab-org/gitlab/-/issues/?sort=created_date&amp;state=closed&amp;label_name%5B%5D=bug%3A%3Avulnerability&amp;confidential=no&amp;first_page_size=100">issue tracker</a> 30 days after the release in which they were patched.</p> <p>We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more <a href="/blog/gitlab-instance-security-best-practices/">best practices in securing your GitLab instance</a> in our blog post.</p> <h3 id="recommended-action">Recommended Action</h3> <p>We <strong>strongly recommend</strong> that all installations running a version affected by the issues described below are <strong>upgraded to the latest version as soon as possible</strong>.</p> <p>When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.</p> <h2 id="table-of-fixes">Table of fixes</h2> <table> <thead> <tr> <th>Title</th> <th>Severity</th> </tr> </thead> <tbody> <tr> <td><a href="#stored-xss-injected-in-wiki-page-via-banzai-pipeline">Stored-XSS injected in Wiki page via Banzai pipeline</a></td> <td>High</td> </tr> <tr> <td><a href="#dos-using-crafted-emojis">DoS using crafted emojis</a></td> <td>Medium</td> </tr> </tbody> </table> <h3 id="stored-xss-injected-in-wiki-page-via-banzai-pipeline">Stored-XSS injected in Wiki page via Banzai pipeline</h3> <p>An issue has been discovered in GitLab CE/EE affecting all versions before 16.8.5, all versions starting from 16.9 before 16.9.3, all versions starting from 16.10 before 16.10.1. 
A wiki page with a crafted payload may lead to a Stored XSS, allowing attackers to perform arbitrary actions on behalf of victims. This is a high severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N</code>, 8.7). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6371">CVE-2023-6371</a>.</p> <p>Thanks <a href="https://hackerone.com/yvvdwf">yvvdwf</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="dos-using-crafted-emojis">DoS using crafted emojis</h3> <p>An issue has been discovered in GitLab CE/EE affecting all versions before 16.8.5, all versions starting from 16.9 before 16.9.3, all versions starting from 16.10 before 16.10.1. It was possible for an attacker to cause a denial of service using a maliciously crafted description parameter for labels. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L</code>, 4.3). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2818">CVE-2024-2818</a>.</p> <p>Thanks Quintin Crist of Trend Micro for reporting this vulnerability to us.</p> <h3 id="bump-postgresql-to-1314-1411">Bump PostgreSQL to 13.14, 14.11</h3> <p>The PostgreSQL project released an update, so we are updating to versions 13.14 and 14.11.</p> <h2 id="non-security-patches">Non-Security Patches</h2> <h3 id="16101">16.10.1</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/build/CNG/-/merge_requests/1767">CI: bump CI_TOOLS_VERSIONS to 5.8.0 (Backport 16.10)</a></li> <li><a href="https://gitlab.com/gitlab-org/gitaly/-/merge_requests/6778">Backport protobuf and pgx upgrades [16.10]</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/147552">Fix new project group templates pagination (16-10-stable-ee)</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/147704">Update redis-client to v0.21.1</a></li> 
</ul> <h3 id="1693">16.9.3</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/build/CNG/-/merge_requests/1768">CI: bump CI_TOOLS_VERSIONS to 5.8.0 (Backport 16.9)</a></li> <li><a href="https://gitlab.com/gitlab-org/gitaly/-/merge_requests/6780">Backport protobuf and pgx upgrades [16.9]</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/146777">Fix detect-tests CI job</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/146820">Collect the artifacts from the same namespace</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/147554">Fix new project group templates pagination (16-9-stable-ee)</a></li> <li><a href="https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/7471">Backport: RSpec changes for .com handling nightly packages</a></li> </ul> <h3 id="1685">16.8.5</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/build/CNG/-/merge_requests/1769">CI: bump CI_TOOLS_VERSIONS to 5.8.0 (Backport 16.8)</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/146774">Fix detect-tests CI job</a></li> <li><a href="https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/7472">Backport: RSpec changes for .com handling nightly packages</a></li> <li><a href="https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/7479">Backport c2a94ae8 for creating stable tag for 16-8-stable</a></li> </ul> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">update page</a>. To update GitLab Runner, see the <a href="https://docs.gitlab.com/runner/install/linux-repository.html#updating-the-runner">Updating the Runner page</a>.</p> <h2 id="receive-security-release-notifications">Receive Security Release Notifications</h2> <p>To receive security release blog notifications delivered to your inbox, visit our <a href="https://about.gitlab.com/company/contact/">contact us</a> page. 
To receive release notifications via RSS, subscribe to our <a href="https://about.gitlab.com/security-releases.xml">security release RSS feed</a> or our <a href="https://about.gitlab.com/all-releases.xml">RSS feed for all releases</a>.</p> <h2 id="were-combining-patch-and-security-releases">We’re combining patch and security releases</h2> <p>This improvement in our release process matches the industry standard and will help GitLab users get information about security and bug fixes sooner; <a href="https://about.gitlab.com/blog/were-combining-patch-and-security-releases/">read the blog post here</a>.</p>
GitLab Security Release: 16.9.2, 16.8.4, 16.7.7 https://about.gitlab.com/releases/2024/03/06/security-release-gitlab-16-9-2-released/ 2024-03-06T00:00:00+00:00 2024-03-06T00:00:00+00:00 Greg Myers
<p>Today we are releasing versions 16.9.2, 16.8.4, 16.7.7 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.</p> <p>GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 3rd Thursday of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our <a href="https://about.gitlab.com/security/faq/">security FAQ</a>. You can see all of our regular and security release blog posts <a href="/releases/categories/releases/">here</a>. 
In addition, the issues detailing each vulnerability are made public on our <a href="https://gitlab.com/gitlab-org/gitlab/-/issues/?sort=created_date&amp;state=closed&amp;label_name%5B%5D=bug%3A%3Avulnerability&amp;confidential=no&amp;first_page_size=100">issue tracker</a> 30 days after the release in which they were patched.</p> <p>We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more <a href="/blog/gitlab-instance-security-best-practices/">best practices in securing your GitLab instance</a> in our blog post.</p> <h3 id="recommended-action">Recommended Action</h3> <p>We <strong>strongly recommend</strong> that all installations running a version affected by the issues described below are <strong>upgraded to the latest version as soon as possible</strong>.</p> <p>When no specific deployment type (omnibus, source code, helm chart, etc.) 
of a product is mentioned, this means all types are affected.</p> <h2 id="table-of-fixes">Table of fixes</h2> <table> <thead> <tr> <th>Title</th> <th>Severity</th> </tr> </thead> <tbody> <tr> <td><a href="#bypassing-codeowners-approval-allowing-to-steal-protected-variables">Bypassing CODEOWNERS approval allowing to steal protected variables</a></td> <td>High</td> </tr> <tr> <td><a href="#guest-with-manage-group-access-tokens-can-rotate-and-see-group-access-token-with-owner-permissions">Guest with manage group access tokens can rotate and see group access token with owner permissions</a></td> <td>Medium</td> </tr> </tbody> </table> <h3 id="bypassing-codeowners-approval-allowing-to-steal-protected-variables">Bypassing CODEOWNERS approval allowing to steal protected variables</h3> <p>An authorization bypass vulnerability was discovered in GitLab affecting versions 11.3 prior to 16.7.7, 16.7.6 prior to 16.8.4, and 16.8.3 prior to 16.9.2. An attacker could bypass CODEOWNERS by utilizing a crafted payload in an old feature branch to perform malicious actions. This is a high severity issue (<code>CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N</code>, 7.7). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-0199">CVE-2024-0199</a>.</p> <p>Thanks <a href="https://hackerone.com/ali_shehab">ali_shehab</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="guest-with-manage-group-access-tokens-can-rotate-and-see-group-access-token-with-owner-permissions">Guest with manage group access tokens can rotate and see group access token with owner permissions</h3> <p>A privilege escalation vulnerability was discovered in GitLab affecting versions 16.8 prior to 16.8.4 and 16.9 prior to 16.9.2. It was possible for a user with custom role of <code>manage_group_access_tokens</code> to rotate group access tokens with owner privileges. 
This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N</code>, 6.5). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-1299">CVE-2024-1299</a>.</p> <p>Thanks <a href="https://hackerone.com/ashish_r_padelkar">ashish_r_padelkar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="upgrade-kubectl-to-the-latest-stable-version">Upgrade Kubectl to the latest stable version</h3> <p><code>kubectl</code> has been updated to version 1.29.2.</p> <h3 id="mattermost-security-updates-february-14-2024">Mattermost Security Updates February 14, 2024</h3> <p>Mattermost has been updated to version 9.5, which contains several patches and security fixes.</p> <h2 id="non-security-patches">Non Security Patches</h2> <h3 id="1692">16.9.2</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/146113">Merge branch 'hm-rescue-stale-element-error-in-base' into 'master'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/146033">Fix broken master</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/146202">Use fixed date for failing specs [16.9]</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/146031">Backport 'pb-fix-broken-master-elastic' into 16.9</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/145946">Backport Fix Search::Zoekt.index? 
logic to 16.9</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/146036">Backport 'Don't escape search term in modal twice' into 16.9</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/146315">Backport 'add-praefect-to-release-environment-template'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/146035">Backport 'Shows branch name in non-blob…scopes' into 16.9</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/146181">Backport: Geo - Fix container repositories checksum mismatch errors</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/146074">Backport 145801 (Fix CI linter error when repository is empty) to 16.9</a></li> <li><a href="https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/7444">Merge branch 'remove-pi-os-12-release' into 'master'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/145036">Backport to 16.9: Fix Geo: Personal snippets not syncing</a></li> </ul> <h3 id="1684">16.8.4</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/145037">Backport to 16.8: Fix Geo: Personal snippets not syncing</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/145451">Backport to 16.8: Fix pg_dump failing with multiple PG read-replicas</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/146233">Update tests for broken 16.8</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/146316">Backport 'add-praefect-to-release-environment-template'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/146183">Backport: Geo - Fix container repositories checksum mismatch errors</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/146073">Backport 145801 (Fix CI linter error when repository is empty) to 16.8</a></li> </ul> <h3 id="1677">16.7.7</h3> <ul> <li><a 
href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/145569">Backport to 16.7: Fix pg_dump failing with multiple PG read-replicas</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/146318">Merge branch 'add-praefect-to-release-environment-template'</a></li> </ul> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">update page</a>. To update GitLab Runner, see the <a href="https://docs.gitlab.com/runner/install/linux-repository.html#updating-the-runner">Updating the Runner page</a>.</p> <h2 id="receive-security-release-notifications">Receive Security Release Notifications</h2> <p>To receive security release blog notifications delivered to your inbox, visit our <a href="https://about.gitlab.com/company/contact/">contact us</a> page. To receive release notifications via RSS, subscribe to our <a href="https://about.gitlab.com/security-releases.xml">security release RSS feed</a> or our <a href="https://about.gitlab.com/all-releases.xml">RSS feed for all releases</a>.</p> <h1><a href="https://about.gitlab.com/releases/2024/02/21/security-release-gitlab-16-9-1-released/">GitLab Security Release: 16.9.1, 16.8.3, 16.7.6</a></h1> <p>Published 2024-02-21 by Nikhil George.</p> <p>Today we are releasing versions 16.9.1, 16.8.3, 16.7.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.</p> <p>GitLab releases patches for vulnerabilities in dedicated security releases. 
There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 3rd Thursday of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our <a href="https://about.gitlab.com/security/faq/">security FAQ</a>. You can see all of our regular and security release blog posts <a href="/releases/categories/releases/">here</a>. In addition, the issues detailing each vulnerability are made public on our <a href="https://gitlab.com/gitlab-org/gitlab/-/issues/?sort=created_date&amp;state=closed&amp;label_name%5B%5D=bug%3A%3Avulnerability&amp;confidential=no&amp;first_page_size=100">issue tracker</a> 30 days after the release in which they were patched.</p> <p>We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more <a href="/blog/gitlab-instance-security-best-practices/">best practices in securing your GitLab instance</a> in our blog post.</p> <h3 id="recommended-action">Recommended Action</h3> <p>We <strong>strongly recommend</strong> that all installations running a version affected by the issues described below are <strong>upgraded to the latest version as soon as possible</strong>.</p> <p>When no specific deployment type (omnibus, source code, helm chart, etc.) 
of a product is mentioned, this means all types are affected.</p> <h2 id="table-of-fixes">Table of fixes</h2> <table> <thead> <tr> <th>Title</th> <th>Severity</th> </tr> </thead> <tbody> <tr> <td><a href="#stored-xss-in-users-profile-page">Stored-XSS in user's profile page</a></td> <td>High</td> </tr> <tr> <td><a href="#user-with-admin_group_members-permission-can-invite-other-groups-to-gain-owner-access">User with "admin_group_members" permission can invite other groups to gain owner access</a></td> <td>Medium</td> </tr> <tr> <td><a href="#redos-issue-in-the-codeowners-reference-extractor">ReDoS issue in the Codeowners reference extractor</a></td> <td>Medium</td> </tr> <tr> <td><a href="#ldap-user-can-reset-password-using-secondary-email-and-login-using-direct-authentication">LDAP user can reset password using secondary email and login using direct authentication</a></td> <td>Medium</td> </tr> <tr> <td><a href="#bypassing-group-ip-restriction-settings-to-access-environment-details-of-projects-through-environmentsoperations-dashboard">Bypassing group ip restriction settings to access environment details of projects through Environments/Operations Dashboard</a></td> <td>Medium</td> </tr> <tr> <td><a href="#users-with-the-guest-role-can-change-custom-dashboard-projects-settings-for-projects-in-the-victim-group">Users with the <code>Guest</code> role can change <code>Custom dashboard projects</code> settings for projects in the victim group</a></td> <td>Medium</td> </tr> <tr> <td><a href="#group-member-with-sub-maintainer-role-can-change-title-of-shared-private-deploy-keys">Group member with sub-maintainer role can change title of shared private deploy keys</a></td> <td>Low</td> </tr> <tr> <td><a href="#bypassing-approvals-of-codeowners">Bypassing approvals of CODEOWNERS</a></td> <td>Low</td> </tr> </tbody> </table> <h3 id="stored-xss-in-users-profile-page">Stored-XSS in user's profile page</h3> <p>An issue has been discovered in GitLab CE/EE affecting version 16.9 
only. A crafted payload added to the user profile page could lead to a stored XSS on the client side which allows attackers to perform arbitrary actions on behalf of victims. This is a high severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N</code>, 8.7). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-1451">CVE-2024-1451</a>.</p> <p>Thanks <a href="https://hackerone.com/yvvdwf">yvvdwf</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="user-with-admin_group_members-permission-can-invite-other-groups-to-gain-owner-access">User with "admin_group_members" permission can invite other groups to gain owner access</h3> <p>An issue has been discovered in GitLab EE affecting all versions starting from 16.5 before 16.7.6, all versions starting from 16.8 before 16.8.3, all versions starting from 16.9 before 16.9.1. When a user is assigned a custom role with admin_group_member permission, they may be able to make a group, other members or themselves Owners of that group, which may lead to privilege escalation. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L</code>, 6.7). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6477">CVE-2023-6477</a>.</p> <p>Thanks <a href="https://hackerone.com/joaxcar">joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="redos-issue-in-the-codeowners-reference-extractor">ReDoS issue in the Codeowners reference extractor</h3> <p>An issue has been discovered in GitLab EE affecting all versions starting from 11.3 before 16.7.6, all versions starting from 16.8 before 16.8.3, all versions starting from 16.9 before 16.9.1. It was possible for an attacker to cause a client-side denial of service using malicious crafted content in the CODEOWNERS file. 
This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H</code>, 6.5). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6736">CVE-2023-6736</a>.</p> <p>Thanks <a href="https://hackerone.com/joaxcar">joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="ldap-user-can-reset-password-using-secondary-email-and-login-using-direct-authentication">LDAP user can reset password using secondary email and login using direct authentication</h3> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.1 before 16.7.6, all versions starting from 16.8 before 16.8.3, all versions starting from 16.9 before 16.9.1. Under some specialized conditions, an LDAP user may be able to reset their password using their verified secondary email address and sign in using direct authentication with the reset password, bypassing LDAP. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N</code>, 5.3). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-1525">CVE-2024-1525</a>.</p> <p>This vulnerability was discovered internally by a GitLab team member, <a href="https://gitlab.com/dblessing">Drew Blessing</a>.</p> <h3 id="bypassing-group-ip-restriction-settings-to-access-environment-details-of-projects-through-environmentsoperations-dashboard">Bypassing group ip restriction settings to access environment details of projects through Environments/Operations Dashboard</h3> <p>An issue has been discovered in GitLab EE affecting all versions starting from 12.0 before 16.7.6, all versions starting from 16.8 before 16.8.3, all versions starting from 16.9 before 16.9.1. This vulnerability allows for bypassing the 'group ip restriction' settings to access environment details of projects. 
This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4895">CVE-2023-4895</a>.</p> <p>Thanks <a href="https://hackerone.com/albatraoz">albatraoz</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="users-with-the-guest-role-can-change-custom-dashboard-projects-settings-for-projects-in-the-victim-group">Users with the <code>Guest</code> role can change <code>Custom dashboard projects</code> settings for projects in the victim group</h3> <p>An issue has been discovered in GitLab EE affecting all versions starting from 16.4 before 16.7.6, all versions starting from 16.8 before 16.8.3, all versions starting from 16.9 before 16.9.1. Users with the <code>Guest</code> role can change <code>Custom dashboard projects</code> settings contrary to permissions. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-0861">CVE-2024-0861</a>.</p> <p>Thanks <a href="https://hackerone.com/them4les_l1r">them4les_l1r</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="group-member-with-sub-maintainer-role-can-change-title-of-shared-private-deploy-keys">Group member with sub-maintainer role can change title of shared private deploy keys</h3> <p>An issue has been discovered in GitLab affecting all versions before 16.7.6, all versions starting from 16.8 before 16.8.3, all versions starting from 16.9 before 16.9.1. It was possible for group members with sub-maintainer role to change the title of privately accessible deploy keys associated with projects in the group. This is a low severity issue (<code>CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N</code>, 3.7). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3509">CVE-2023-3509</a>.</p> <p>Thanks <a href="https://hackerone.com/theluci">theluci</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="bypassing-approvals-of-codeowners">Bypassing approvals of CODEOWNERS</h3> <p>An authorization bypass vulnerability was discovered in GitLab affecting versions 15.1 prior to 16.7.6, 16.8 prior to 16.8.3, and 16.9 prior to 16.9.1. A developer could bypass CODEOWNERS approvals by creating a merge conflict. This is a low severity issue (<code>CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N</code>, 3.0). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-0410">CVE-2024-0410</a>.</p> <p>Thanks <a href="https://hackerone.com/ali_shehab">ali_shehab</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="non-security-patches">Non Security Patches</h2> <ul> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/issues/441094">Invalidate markdown cache to clear up stored XSS</a></li> </ul> <h3 id="1691">16.9.1</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/144758">Merge branch 'ac-fix-16-9-0-changelog' into 'master'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/144759">[Backport] Revert '437616_fix_changelog_tag_detection'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/144956">Backport Web IDE upgrade into 16.9</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/144995">Fix deny_all_requests_except_allowed of AddressableUrlValidator</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/144952">Introduce back ci_pipeline_variables routing table FF</a></li> </ul> <h3 id="1683">16.8.3</h3> <ul> <li><a 
href="https://gitlab.com/gitlab-org/gitaly/-/merge_requests/6674">Backport 'jc/fix-add-tree-entry' into 16-8-stable</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/144119">Allow creation of group-level custom-roles on self-managed instances</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/144217">Backport 'Fix stable cache for quick actions'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/144355">Fix X.509 commit signing for OpenSSL 3</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/144349">Fix urlblocker validate calls with more options</a></li> </ul> <h3 id="1676">16.7.6</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitaly/-/merge_requests/6675">Backport jc/fix-add-tree-entry into 16-7-stable</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/144357">Fix X.509 commit signing for OpenSSL 3</a></li> </ul> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">update page</a>. To update GitLab Runner, see the <a href="https://docs.gitlab.com/runner/install/linux-repository.html#updating-the-runner">Updating the Runner page</a>.</p> <h2 id="receive-security-release-notifications">Receive Security Release Notifications</h2> <p>To receive security release blog notifications delivered to your inbox, visit our <a href="https://about.gitlab.com/company/contact/">contact us</a> page. 
To receive release notifications via RSS, subscribe to our <a href="https://about.gitlab.com/security-releases.xml">security release RSS feed</a> or our <a href="https://about.gitlab.com/all-releases.xml">RSS feed for all releases</a>.</p> <h1><a href="https://about.gitlab.com/releases/2024/02/07/security-release-gitlab-16-8-2-released/">GitLab Security Release: 16.8.2, 16.7.5, 16.6.7</a></h1> <p>Published 2024-02-07 by Ottilia Westerlund.</p> <p>Today we are releasing versions 16.8.2, 16.7.5, 16.6.7 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.</p> <p>GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 3rd Thursday of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our <a href="https://about.gitlab.com/security/faq/">security FAQ</a>. You can see all of our regular and security release blog posts <a href="/releases/categories/releases/">here</a>. 
In addition, the issues detailing each vulnerability are made public on our <a href="https://gitlab.com/gitlab-org/gitlab/-/issues/?sort=created_date&amp;state=closed&amp;label_name%5B%5D=bug%3A%3Avulnerability&amp;confidential=no&amp;first_page_size=100">issue tracker</a> 30 days after the release in which they were patched.</p> <p>We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more <a href="/blog/gitlab-instance-security-best-practices/">best practices in securing your GitLab instance</a> in our blog post.</p> <h3 id="recommended-action">Recommended Action</h3> <p>We <strong>strongly recommend</strong> that all installations running a version affected by the issues described below are <strong>upgraded to the latest version as soon as possible</strong>.</p> <p>When no specific deployment type (omnibus, source code, helm chart, etc.) 
of a product is mentioned, this means all types are affected.</p> <h2 id="table-of-fixes">Table of fixes</h2> <table> <thead> <tr> <th>Title</th> <th>Severity</th> </tr> </thead> <tbody> <tr> <td><a href="#restrict-group-access-token-creation-for-custom-roles">Restrict group access token creation for custom roles</a></td> <td>Medium</td> </tr> <tr> <td><a href="#project-maintainers-can-bypass-groups-scan-result-policy-block_branch_modification-setting">Project maintainers can bypass group's scan result policy <code>block_branch_modification</code> setting</a></td> <td>Medium</td> </tr> <tr> <td><a href="#redos-in-cicd-pipeline-editor-while-verifying-pipeline-syntax">ReDoS in CI/CD Pipeline Editor while verifying Pipeline syntax</a></td> <td>Medium</td> </tr> <tr> <td><a href="#resource-exhaustion-using-graphql-vulnerabilitiescountbyday">Resource exhaustion using GraphQL <code>vulnerabilitiesCountByDay</code></a></td> <td>Medium</td> </tr> </tbody> </table> <h3 id="restrict-group-access-token-creation-for-custom-roles">Restrict group access token creation for custom roles</h3> <p>An issue has been discovered in GitLab EE affecting all versions starting from 16.8 before 16.8.2. When a user is assigned a custom role with manage_group_access_tokens permission, they may be able to create group access tokens with Owner privileges, which may lead to privilege escalation. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N</code>, 6.5). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-1250">CVE-2024-1250</a>.</p> <p>This vulnerability has been discovered internally by GitLab team member <a href="https://gitlab.com/rshambhuni">Rohit Shambhuni</a>.</p> <h3 id="project-maintainers-can-bypass-groups-scan-result-policy-block_branch_modification-setting">Project maintainers can bypass group's scan result policy <code>block_branch_modification</code> setting</h3> <p>An issue has been discovered in GitLab EE affecting all versions from 16.4 prior to 16.6.7, 16.7 prior to 16.7.5, and 16.8 prior to 16.8.2 which allows a maintainer to change the name of a protected branch and thereby bypass the security policy that blocks merge requests. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H</code>, 6.7). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6840">CVE-2023-6840</a>.</p> <p>Thanks <a href="https://hackerone.com/js_noob">js_noob</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="redos-in-cicd-pipeline-editor-while-verifying-pipeline-syntax">ReDoS in CI/CD Pipeline Editor while verifying Pipeline syntax</h3> <p>A denial of service vulnerability was identified in GitLab CE/EE, affecting all versions from 15.11 prior to 16.6.7, 16.7 prior to 16.7.5 and 16.8 prior to 16.8.2, which allows an attacker to spike the GitLab instance resource usage, resulting in service degradation. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H</code>, 6.5). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6386">CVE-2023-6386</a>.</p> <p>Thanks <code>Anonymizer</code> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="resource-exhaustion-using-graphql-vulnerabilitiescountbyday">Resource exhaustion using GraphQL <code>vulnerabilitiesCountByDay</code></h3> <p>An issue has been discovered in GitLab EE affecting all versions from 13.3.0 prior to 16.6.7, 16.7 prior to 16.7.5, and 16.8 prior to 16.8.2 which allows an attacker to do a resource exhaustion using GraphQL <code>vulnerabilitiesCountByDay</code>. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H</code>, 6.5). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-1066">CVE-2024-1066</a>.</p> <p>This vulnerability has been discovered internally by GitLab team member <a href="https://gitlab.com/bwill">Brian Williams</a>.</p> <h3 id="update-to-postgresql-1410-and-1313">Update to PostgreSQL 14.10 and 13.13</h3> <p>PostgreSQL has been updated.</p> <h2 id="non-security-patches">Non Security Patches</h2> <h3 id="1682">16.8.2</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/build/CNG/-/merge_requests/1714">Gitaly: properly set PYTHON_TAG in CI, for Dockerfile (16.8)</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/142960">Update GDK base build image and update QA GEM</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/142919">Revert "Validate scopes for importing collaborators"</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/142926">Backport !142896 into 16.8 stable branch</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/143172">Update dependency prometheus-client-mmap to '~&gt; 1.1', '&gt;= 1.1.1'</a></li> <li><a 
href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/143173">Defer ConnectionPool instrumentation setup</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/143302">Add item_to_preload method in helper and migrations to prevent N+1 query</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/143316">Fix bug for devfile with multiple container components</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/143526">Backport "Fix Redis 6.0 compatibility breakage with Sidekiq 7 gem"</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/142906">Finalize UUID backfilling before performing cleanup</a></li> <li><a href="https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/7402">Backport - Ensure post upgrade steps are run after geo_pg_upgrade</a></li> </ul> <h3 id="1675">16.7.5</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/143174">Update dependency prometheus-client-mmap to '~&gt; 1.1', '&gt;= 1.1.1'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/143500">Backport UUID migration finalization to 16.7</a></li> </ul> <h3 id="1667">16.6.7</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/build/CNG/-/merge_requests/1708">Add missing IMAGE_TAG_EXT to referenced PostgreSQL image</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/143579">Backport: Update GDK base build image</a></li> <li><a href="https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/7388">[Backport] Control runner tags for package promotion via env vars</a></li> </ul> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">update page</a>. 
To update GitLab Runner, see the <a href="https://docs.gitlab.com/runner/install/linux-repository.html#updating-the-runner">Updating the Runner page</a>.</p> <h2 id="receive-security-release-notifications">Receive Security Release Notifications</h2> <p>To receive security release blog notifications delivered to your inbox, visit our <a href="https://about.gitlab.com/company/contact/">contact us</a> page. To receive release notifications via RSS, subscribe to our <a href="https://about.gitlab.com/security-releases.xml">security release RSS feed</a> or our <a href="https://about.gitlab.com/all-releases.xml">RSS feed for all releases</a>.</p> <h1><a href="https://about.gitlab.com/releases/2024/01/25/critical-security-release-gitlab-16-8-1-released/">GitLab Critical Security Release: 16.8.1, 16.7.4, 16.6.6, 16.5.8</a></h1> <p>Published 2024-01-25 by Greg Myers.</p> <p>Today we are releasing versions 16.8.1, 16.7.4, 16.6.6, 16.5.8 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com and GitLab Dedicated environments are already running the patched version.</p> <p>GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 3rd Thursday of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our <a href="https://about.gitlab.com/security/faq/">security FAQ</a>. 
You can see all of our regular and security release blog posts <a href="/releases/categories/releases/">here</a>. In addition, the issues detailing each vulnerability are made public on our <a href="https://gitlab.com/gitlab-org/gitlab/-/issues/?sort=created_date&amp;state=closed&amp;label_name%5B%5D=bug%3A%3Avulnerability&amp;confidential=no&amp;first_page_size=100">issue tracker</a> 30 days after the release in which they were patched.</p> <p>We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more <a href="/blog/gitlab-instance-security-best-practices/">best practices in securing your GitLab instance</a> in our blog post.</p> <h3 id="recommended-action">Recommended Action</h3> <p>We <strong>strongly recommend</strong> that all installations running a version affected by the issues described below are <strong>upgraded to the latest version as soon as possible</strong>.</p> <p>When no specific deployment type (omnibus, source code, helm chart, etc.) 
of a product is mentioned, this means all types are affected.</p> <h2 id="table-of-fixes">Table of fixes</h2> <table> <thead> <tr> <th>Title</th> <th>Severity</th> </tr> </thead> <tbody> <tr> <td><a href="#arbitrary-file-write-while-creating-workspace">Arbitrary file write while creating workspace</a></td> <td>Critical</td> </tr> <tr> <td><a href="#redos-in-cargotoml-blob-viewer">ReDoS in <code>Cargo.toml</code> blob viewer</a></td> <td>Medium</td> </tr> <tr> <td><a href="#arbitrary-api-put-requests-via-html-injection-in-users-name">Arbitrary API PUT requests via HTML injection in user's name</a></td> <td>Medium</td> </tr> <tr> <td><a href="#disclosure-of-the-public-email-in-tags-rss-feed">Disclosure of the public email in Tags RSS Feed</a></td> <td>Medium</td> </tr> <tr> <td><a href="#non-member-can-update-mr-assignees-of-owned-mrs">Non-Member can update MR Assignees of owned MRs</a></td> <td>Medium</td> </tr> </tbody> </table> <h3 id="arbitrary-file-write-while-creating-workspace">Arbitrary file write while creating workspace</h3> <p>An issue has been discovered in GitLab CE/EE affecting all versions from 16.0 prior to 16.5.8, 16.6 prior to 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1 which allows an authenticated user to write files to arbitrary locations on the GitLab server while creating a workspace. This is a critical severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H</code>, 9.9). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-0402">CVE-2024-0402</a>.</p> <p>The fix for this security vulnerability has been backported to 16.5.8 in addition to 16.6.6, 16.7.4, and 16.8.1. 
GitLab 16.5.8 <em>only</em> includes a fix for this vulnerability and does <em>not</em> contain any of the other fixes or changes mentioned in this blog post.</p> <p>This vulnerability has been discovered internally by GitLab team member <a href="https://gitlab.com/joernchen">joernchen</a>.</p> <h3 id="redos-in-cargotoml-blob-viewer">ReDoS in <code>Cargo.toml</code> blob viewer</h3> <p>An issue has been discovered in GitLab CE/EE affecting all versions from 12.7 prior to 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1. It was possible for an attacker to trigger a Regular Expression Denial of Service via a <code>Cargo.toml</code> containing maliciously crafted input. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H</code>, 6.5). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6159">CVE-2023-6159</a>.</p> <p>Thanks <a href="https://hackerone.com/yvvdwf">yvvdwf</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="arbitrary-api-put-requests-via-html-injection-in-users-name">Arbitrary API PUT requests via HTML injection in user's name</h3> <p>An issue has been discovered in GitLab CE/EE affecting all versions after 13.7 before 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1. Improper input sanitization of the user name allows arbitrary API PUT requests. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N</code>, 6.4). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5933">CVE-2023-5933</a>.</p> <p>Thanks <a href="https://hackerone.com/yvvdwf">yvvdwf</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="disclosure-of-the-public-email-in-tags-rss-feed">Disclosure of the public email in Tags RSS Feed</h3> <p>An issue has been discovered in GitLab affecting all versions before 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1. It was possible to read the user email address via the tags feed even though its visibility in the user profile had been disabled. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N</code>, 5.3). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5612">CVE-2023-5612</a>.</p> <p>Thanks <a href="https://hackerone.com/erruqill">erruqill</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="non-member-can-update-mr-assignees-of-owned-mrs">Non-Member can update MR Assignees of owned MRs</h3> <p>An authorization vulnerability exists in GitLab versions 14.0 prior to 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1. An unauthorized attacker is able to assign arbitrary users to MRs that they created within the project. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N</code>, 4.3). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-0456">CVE-2024-0456</a>.</p> <p>Thanks to <a href="https://gitlab.com/Taucher2003">Niklas</a> for reporting this vulnerability.</p> <h3 id="update-xmlsoftlibxml2-to--v2116">Update xmlsoft/libxml2 to &gt;= v2.11.6</h3> <p>The <code>xmlsoft/libxml2</code> version has been upgraded to 2.12.3 to mitigate <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45322">CVE-2023-45322</a>.</p> <h3 id="upgrade-redis-to-address-cve-2023-41056-redis-rce">Upgrade redis to address CVE-2023-41056 (Redis RCE)</h3> <p>Redis has been upgraded to version 7.0.15 to mitigate <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-41056">CVE-2023-41056</a>.</p> <h2 id="non-security-patches">Non Security Patches</h2> <h3 id="1681">16.8.1</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/142344">Update dependency gitlab-glfm-markdown to '~&gt; 0.0.11'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/142307">Backport Redis migration to 16.8</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/142398">[Backport] Optimize garbage collection process</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/142628">[Backport] Bump GitLab Shell version to 14.33.0</a></li> </ul> <h3 id="1674">16.7.4</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/141413">Backport - Bring legacy verification behavior back for repositories</a></li> <li><a href="https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/7352">Sync chef-gem and chef-bin (16.7)</a></li> </ul> <h3 id="1666">16.6.6</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/141821">Backport: Move release-environments pipeline to be sourced from master</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/141412">Backport - Bring 
legacy verification behavior back for repositories</a></li> </ul> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">update page</a>. To update GitLab Runner, see the <a href="https://docs.gitlab.com/runner/install/linux-repository.html#updating-the-runner">Updating the Runner page</a>.</p> <h2 id="receive-security-release-notifications">Receive Security Release Notifications</h2> <p>To receive security release blog notifications delivered to your inbox, visit our <a href="https://about.gitlab.com/company/contact/">contact us</a> page. To receive release notifications via RSS, subscribe to our <a href="https://about.gitlab.com/security-releases.xml">security release RSS feed</a> or our <a href="https://about.gitlab.com/all-releases.xml">RSS feed for all releases</a>.</p> <img src='https://about.gitlab.com/images/blogimages/security-cover-new.png' class='webfeedsFeaturedVisual' style='display: none;' /> GitLab Critical Security Release: 16.7.2, 16.6.4, 16.5.6 https://about.gitlab.com/releases/2024/01/11/critical-security-release-gitlab-16-7-2-released/ 2024-01-11T00:00:00+00:00 2024-01-11T00:00:00+00:00 Greg Myers <!-- For detailed instructions on how to complete this, please see https://gitlab.com/gitlab-org/release/docs/-/blob/master/general/patch/blog-post.md --> <p>Today we are releasing versions 16.7.2, 16.6.4, 16.5.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.</p> <p>GitLab releases fixes for security vulnerabilities in security releases. For more information, you can visit our <a href="https://about.gitlab.com/security/faq/">security FAQ</a>. You can see all of our regular and security release blog posts <a href="/releases/categories/releases/">here</a>. 
In addition, the issues detailing each vulnerability are made public on our <a href="https://gitlab.com/gitlab-org/gitlab/-/issues/?sort=created_date&amp;state=closed&amp;label_name%5B%5D=bug%3A%3Avulnerability&amp;confidential=no&amp;first_page_size=100">issue tracker</a> 30 days after the release in which they were patched.</p> <p>We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more <a href="/blog/gitlab-instance-security-best-practices/">best practices in securing your GitLab instance</a> in our blog post.</p> <h3 id="recommended-action">Recommended Action</h3> <p>We <strong>strongly recommend</strong> that all installations running a version affected by the issues described below are <strong>upgraded to the latest version as soon as possible</strong>. If you have not upgraded yet, be aware that there is <a href="https://about.gitlab.com/releases/2024/01/12/gitlab-16-7-3-released/">a newer patch</a> that includes additional fixes for a recently discovered DB migration issue. Please upgrade to 16.7.3, 16.6.5, 16.5.7, or newer to prevent the migration issue.</p> <p>When no specific deployment type (omnibus, source code, helm chart, etc.) 
of a product is mentioned, this means all types are affected.</p> <h2 id="table-of-fixes">Table of fixes</h2> <table> <thead> <tr> <th>Title</th> <th>Severity</th> </tr> </thead> <tbody> <tr> <td><a href="#account-takeover-via-password-reset-without-user-interactions">Account Takeover via password reset without user interactions</a></td> <td>Critical</td> </tr> <tr> <td><a href="#bypass-codeowners-approval-removal">Bypass CODEOWNERS approval removal</a></td> <td>High</td> </tr> <tr> <td><a href="#attacker-can-abuse-slackmattermost-integrations-to-execute-slash-commands-as-another-user">Attacker can abuse Slack/Mattermost integrations to execute slash commands as another user</a></td> <td>High</td> </tr> <tr> <td><a href="#workspaces-able-to-be-created-under-different-root-namespace">Workspaces able to be created under different root namespace</a></td> <td>Medium</td> </tr> <tr> <td><a href="#commit-signature-validation-ignores-headers-after-signature">Commit signature validation ignores headers after signature</a></td> <td>Low</td> </tr> </tbody> </table> <h3 id="account-takeover-via-password-reset-without-user-interactions">Account Takeover via Password Reset without user interactions</h3> <p>An issue has been discovered in GitLab CE/EE affecting all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.3 prior to 16.3.7, 16.4 prior to 16.4.5, 16.5 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2 in which user account password reset emails could be delivered to an unverified email address. This is a Critical severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H</code>, 10.0). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-7028">CVE-2023-7028</a>.</p> <p>This security fix has been backported to GitLab versions 16.1.6, 16.2.9, 16.3.7, and 16.4.5 in addition to 16.5.6, 16.6.4, and 16.7.2.</p> <p>Thanks <a href="https://hackerone.com/asterion04">asterion04</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="faq">FAQ</h3> <p><strong>What should I do if I believe my GitLab instance is compromised?</strong></p> <p><em>In addition to following your incident response plan:</em></p> <ol> <li>Apply the Critical Security Release to your GitLab instance</li> <li>Enable <a href="https://docs.gitlab.com/ee/security/two_factor_authentication.html">Two-Factor Authentication</a> (2FA) for all GitLab accounts</li> <li>Rotate all secrets stored in GitLab: <ol> <li>All credentials, including GitLab account passwords</li> <li>API tokens</li> <li>Any certificates</li> <li>Any other secrets</li> </ol> </li> <li>Follow the steps in our incident response guide, <a href="https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#suspected-compromised-user-account">here</a></li> </ol> <p><strong>Who is impacted by this?</strong></p> <p>GitLab self-managed instances using the following affected versions:</p> <ul> <li>16.1 to 16.1.5</li> <li>16.2 to 16.2.8</li> <li>16.3 to 16.3.6</li> <li>16.4 to 16.4.4</li> <li>16.5 to 16.5.5</li> <li>16.6 to 16.6.3</li> <li>16.7 to 16.7.1</li> </ul> <p>Within these versions, all authentication mechanisms are impacted. 
Additionally, users who have two-factor authentication enabled are vulnerable to password reset but not to account takeover, as their second authentication factor is required to log in.</p> <p><strong>What actions should I take?</strong></p> <ul> <li>Upgrade self-managed instances to a <a href="https://about.gitlab.com/releases/categories/releases/">patched version</a> following our upgrade path. Do not skip upgrade stops as this could create instability. <ul> <li>Note: 16.3.x is a <a href="https://docs.gitlab.com/ee/update/#required-upgrade-stops">required upgrade stop</a> in the <a href="https://docs.gitlab.com/ee/update/#upgrade-paths">GitLab upgrade path</a>.</li> </ul> </li> <li>Enable <a href="https://docs.gitlab.com/ee/security/two_factor_authentication.html">Two-Factor Authentication</a> (2FA) for all GitLab accounts, especially for users with elevated privileges (e.g. administrator accounts).</li> </ul> <p><strong>Has the vulnerability been resolved?</strong></p> <p>This vulnerability was resolved with this security release.</p> <p><strong>Were any accounts actually compromised due to this vulnerability?</strong></p> <p>We have not detected any abuse of this vulnerability on platforms managed by GitLab, including GitLab.com and GitLab Dedicated instances. 
Self-managed customers can review their logs to check for possible attempts to exploit this vulnerability:</p> <ul> <li>Check <a href="https://docs.gitlab.com/ee/administration/logs/#production_jsonlog">gitlab-rails/production_json.log</a> for HTTP requests to the <code>/users/password</code> path with params.value.email consisting of a JSON array with <em>multiple</em> email addresses.</li> <li>Check <a href="https://docs.gitlab.com/ee/administration/logs/#audit_jsonlog">gitlab-rails/audit_json.log</a> for entries with <code>meta.caller_id</code> of <code>PasswordsController#create</code> and <code>target_details</code> consisting of a JSON array with <em>multiple</em> email addresses.</li> </ul> <p><strong>When was the vulnerability introduced?</strong></p> <p>The vulnerability was introduced in 16.1.0 on May 1, 2023.</p> <p><strong>How was the vulnerability discovered?</strong></p> <p>The vulnerability was responsibly reported through our Bug Bounty program.</p> <p><strong>What security measures do you have in place to prevent such vulnerabilities?</strong></p> <ul> <li>We have added multiple tests that validate the password reset logic as a whole, in particular handling of email provided, the email generation, and content to prevent similar vulnerabilities.</li> <li>Security reviews are a required part of the MR checklist that developers must complete.</li> <li>We have a code review process that requires multiple approvals for changes.</li> <li>We have started the <a href="https://handbook.gitlab.com/handbook/security/root-cause-analysis/">Root Cause Analysis process</a> in order to determine a comprehensive list of follow-up actions, including ways to prevent vulnerabilities like this one.</li> <li>We have a <a href="https://docs.gitlab.com/ee/user/profile/account/two_factor_authentication.html">two-factor authentication feature</a> that prevents such a vulnerability if enabled. 
It is currently enabled for all GitLab Team Members.</li> <li>We have added additional developer documentation in the code base to ensure implementation and security considerations are available to engineers working in this area in the future.</li> <li>We have revised the implementation logic to not support the submission of multiple email addresses for reset links.</li> </ul> <p><strong>How did this happen?</strong></p> <p>A change was made in 16.1.0 to allow users to reset their password through a secondary email address. The vulnerability is a result of a bug in the email verification process. The bug has been fixed with this patch, and as mentioned above, we have implemented a number of preventive security measures to protect customers.</p> <p><strong>Does this affect me if I use an Identity Provider, like Okta or Azure AD?</strong></p> <p>Users without SSO enforcement are vulnerable. If your configuration allows a username and password to be used in addition to SSO options, then you are impacted. Disabling all password authentication options via <a href="https://docs.gitlab.com/ee/administration/settings/sign_in_restrictions.html#password-authentication-enabled">Sign-in restrictions settings</a> will mitigate the vulnerability for Self-Managed customers that have an external identity provider configured, as this will disable the ability to perform password reset.</p> <p><strong>Am I affected by this vulnerability if I have 2FA enforced?</strong></p> <p>An attacker will not be able to take over your account if you have 2FA enabled. They may still be able to reset your password but will not be able to access your second-factor authentication method. If you are suddenly redirected to log in, or see a reset email triggered, please reset your password.</p> <p><strong>Does this vulnerability affect GitLab Runner?</strong></p> <p>No, this vulnerability does not affect GitLab Runner. This vulnerability affected the GitLab Rails codebase for impacted versions of GitLab itself. 
GitLab Runner has a separate code base that is unaffected.</p> <h3 id="bypass-codeowners-approval-removal">Bypass CODEOWNERS approval removal</h3> <p>An issue has been discovered in GitLab affecting all versions starting from 15.3 before 16.5.5, all versions starting from 16.6 before 16.6.4, all versions starting from 16.7 before 16.7.2. The required CODEOWNERS approval could be bypassed by adding changes to a previously approved merge request. This is a high severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:N</code>, 7.6). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4812">CVE-2023-4812</a>.</p> <p>Thanks <a href="https://hackerone.com/ali_shehab">ali_shehab</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="attacker-can-abuse-slackmattermost-integrations-to-execute-slash-commands-as-another-user">Attacker can abuse Slack/Mattermost integrations to execute slash commands as another user</h3> <p>Incorrect authorization checks in GitLab CE/EE from all versions starting from 8.13 before 16.5.6, all versions starting from 16.6 before 16.6.4, all versions starting from 16.7 before 16.7.2, allows a user to abuse Slack/Mattermost integrations to execute slash commands as another user. This is a high severity issue (<code>CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N</code>, 7.3). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5356">CVE-2023-5356</a>.</p> <p>Thanks <a href="https://hackerone.com/yvvdwf">yvvdwf</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="workspaces-able-to-be-created-under-different-root-namespace">Workspaces able to be created under different root namespace</h3> <p>An improper access control vulnerability exists in GitLab Workspaces affecting all versions prior to 16.5.6, 16.6 prior to 16.6.4 and 16.7 prior to 16.7.2. This condition allows an attacker to create a workspace in one group that is associated with an agent from another group. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:N</code>, 6.6). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6955">CVE-2023-6955</a>.</p> <p>This vulnerability was discovered internally by GitLab team member <a href="https://gitlab.com/j.seto">@j.seto</a>.</p> <h3 id="commit-signature-validation-ignores-headers-after-signature">Commit signature validation ignores headers after signature</h3> <p>An issue has been discovered in GitLab CE/EE affecting all versions from 12.2 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2 in which an attacker could potentially modify the metadata of signed commits. This is a low severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N</code>, 3.5). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2030">CVE-2023-2030</a>.</p> <p>Thanks <a href="https://hackerone.com/lotsofloops">lotsofloops</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="non-security-patches">Non Security Patches</h2> <h3 id="1672">16.7.2</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/build/CNG/-/merge_requests/1688">Backport 16.7: Clean mocked tags from assets</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/140347">Backport: Solving database cross joins on HookData::ProjectBuilder</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/140621">Fix order-dependent Sidekiq config spec failures</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/140772">Harden Internal Events CLI specs against flakiness</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/140892">Enable Apollo Boards by default</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/140934">Backport "Add missing ci_sources_pipelines indexes for self-host" 16.7</a></li> <li><a href="https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/7338">Temporarily pin Faraday related gems</a></li> </ul> <h3 id="1664">16.6.4</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/build/CNG/-/merge_requests/1675">Merge branch 'ci-clean-mocked-tags' into '16-6-stable'</a></li> <li><a href="https://gitlab.com/gitlab-org/build/CNG/-/merge_requests/1689">Backport 16.6 : Clean mocked tags from assets</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/139540">Backport-Search::IndexRepairService using Repository index for projects</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/141018">Backport !140718 into 16.6 stable branch</a></li> <li><a 
href="https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/7337">Temporarily pin Faraday related gems</a></li> </ul> <h3 id="1656">16.5.6</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/build/CNG/-/merge_requests/1678">CI: clean mocked tags from assets, don't pollute artifacts (backport to 16.5)</a></li> <li><a href="https://gitlab.com/gitlab-org/build/CNG/-/merge_requests/1690">Backport 16.5 : Clean mocked tags from assets</a></li> <li><a href="https://gitlab.com/gitlab-org/gitaly/-/merge_requests/6583">Backport 16.5: Fix chatty loopWriter logs when log level config is empty</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/141027">Bump allure-report and backport clickhouse version fix to 16.5</a></li> <li><a href="https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/7336">Temporarily pin Faraday related gems</a></li> </ul> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">update page</a>. To update GitLab Runner, see the <a href="https://docs.gitlab.com/runner/install/linux-repository.html#updating-the-runner">Updating the Runner page</a>.</p> <h2 id="receive-security-release-notifications">Receive Security Release Notifications</h2> <p>To receive security release blog notifications delivered to your inbox, visit our <a href="https://about.gitlab.com/company/contact/">contact us</a> page. 
To receive release notifications via RSS, subscribe to our <a href="https://about.gitlab.com/security-releases.xml">security release RSS feed</a> or our <a href="https://about.gitlab.com/all-releases.xml">RSS feed for all releases</a>.</p> <img src='https://about.gitlab.com/images/blogimages/security-cover-new.png' class='webfeedsFeaturedVisual' style='display: none;' /> GitLab Security Release: 16.6.2, 16.5.4, 16.4.4 https://about.gitlab.com/releases/2023/12/13/security-release-gitlab-16-6-2-released/ 2023-12-13T00:00:00+00:00 2023-12-13T00:00:00+00:00 Dominic Couture <!-- For detailed instructions on how to complete this, please see https://gitlab.com/gitlab-org/release/docs/-/blob/master/general/patch/blog-post.md --> <p>Today we are releasing versions 16.6.2, 16.5.4, and 16.4.4 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.</p> <p>GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 3rd Thursday of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our <a href="https://about.gitlab.com/security/faq/">security FAQ</a>. You can see all of our regular and security release blog posts <a href="/releases/categories/releases/">here</a>. 
In addition, the issues detailing each vulnerability are made public on our <a href="https://gitlab.com/gitlab-org/gitlab/-/issues/?sort=created_date&amp;state=closed&amp;label_name%5B%5D=bug%3A%3Avulnerability&amp;confidential=no&amp;first_page_size=100">issue tracker</a> 30 days after the release in which they were patched.</p> <p>We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more <a href="/blog/gitlab-instance-security-best-practices/">best practices in securing your GitLab instance</a> in our blog post.</p> <h3 id="recommended-action">Recommended Action</h3> <p>We <strong>strongly recommend</strong> that all installations running a version affected by the issues described below are <strong>upgraded to the latest version as soon as possible</strong>.</p> <p>When no specific deployment type (omnibus, source code, helm chart, etc.) 
of a product is mentioned, this means all types are affected.</p> <h2 id="table-of-fixes">Table of fixes</h2> <table> <thead> <tr> <th>Title</th> <th>Severity</th> </tr> </thead> <tbody> <tr> <td><a href="#smartcard-authentication-allows-impersonation-of-arbitrary-user-using-user's-public-certificate">Smartcard authentication allows impersonation of arbitrary user using user's public certificate</a></td> <td>High</td> </tr> <tr> <td><a href="#when-subgroup-is-allowed-to-merge-or-push-to-protected-branches,-subgroup-members-with-the-developer-role-may-gain-the-ability-to-push-or-merge">When subgroup is allowed to merge or push to protected branches, subgroup members with the Developer role may gain the ability to push or merge</a></td> <td>Medium</td> </tr> <tr> <td><a href="#the-gitlab-web-interface-does-not-ensure-the-integrity-of-information-when-downloading-the-source-code-from-installation-packages-or-tags">The GitLab web interface does not ensure the integrity of information when downloading the source code from installation packages or tags.</a></td> <td>Medium</td> </tr> <tr> <td><a href="#project-maintainer-can-escalate-to-project-owner-using-project-access-token-rotate-api">Project maintainer can escalate to Project owner using project access token rotate API</a></td> <td>Medium</td> </tr> <tr> <td><a href="#omission-of-double-encoding-in-file-names-facilitates-the-creation-of-repositories-with-malicious-content">Omission of Double Encoding in File Names Facilitates the Creation of Repositories with Malicious Content.</a></td> <td>Medium</td> </tr> <tr> <td><a href="#unvalidated-timespent-value-leads-to-unable-to-load-issues-on-issue-board">Unvalidated timeSpent value leads to unable to load issues on Issue board</a></td> <td>Medium</td> </tr> <tr> <td><a href="#developer-can-bypass-predefined-variables-via-rest-api">Developer can bypass predefined variables via REST API</a></td> <td>Medium</td> </tr> <tr> <td><a 
href="#auditor-users-can-create-merge-requests-on-projects-they-dont-have-access-to">Auditor users can create merge requests on projects they don't have access to</a></td> <td>Low</td> </tr> </tbody> </table> <h3 id="smartcard-authentication-allows-impersonation-of-arbitrary-user-using-users-public-certificate">Smartcard authentication allows impersonation of arbitrary user using user's public certificate</h3> <p>An improper certificate validation issue in Smartcard authentication in GitLab EE affecting all versions from 11.6 prior to 16.4.4, 16.5 prior to 16.5.4, and 16.6 prior to 16.6.2 allows an attacker to authenticate as another user given their public key if they use Smartcard authentication. Smartcard authentication is an experimental feature and has to be manually enabled by an administrator. This is a high severity issue (<code>CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N</code>, 7.4). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6680">CVE-2023-6680</a>.</p> <p>Thanks Lucas Serrano from PEReN (<a href="https://gitlab.com/LSerranoPEReN">@LSerranoPEReN</a>) for reporting this vulnerability.</p> <h2 id="when-subgroup-is-allowed-to-merge-or-push-to-protected-branches-subgroup-members-with-the-developer-role-may-gain-the-ability-to-push-or-merge">When subgroup is allowed to merge or push to protected branches, subgroup members with the Developer role may gain the ability to push or merge</h2> <p>An issue has been discovered in GitLab EE Premium and Ultimate affecting versions 16.4.3, 16.5.3, and 16.6.1. In projects using subgroups to define who can push and/or merge to protected branches, there may have been instances in which subgroup members with the Developer role were able to push or merge to protected branches. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N</code>, 6.5). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6564">CVE-2023-6564</a>.</p> <p>This vulnerability has been discovered internally by a GitLab team member.</p> <p>The following script can help you identify projects that may be subject to a vulnerable configuration. This script can be used to create a CSV file listing projects that have a group set as "Allowed to merge" or "Allowed to push and merge" along with the web_url and project_id for the project and the group_name/group_id for the group. Note that this is not an indication that unauthorized changes were made to protected branches, but rather an indication that these projects were subject to this vulnerable configuration. For impacted projects, customers will need to check merge requests that were merged on their self-managed GitLab instances running 16.4.3, 16.5.3, or 16.6.1 prior to updating to 16.4.4, 16.5.4, or 16.6.2 or on GitLab.com prior to 2023-12-04 18:10 UTC.</p> <details><summary>Click to expand the script</summary>
<pre><code class="language-sh">## install `glab` (if not already installed)
# https://gitlab.com/gitlab-org/cli#installation

## install `jq` (if not already installed)
# https://jqlang.github.io/jq/download/

# authenticate with `glab` as Admin (self-managed) or group owner (SaaS)
glab auth login

## get `project_id` and `web_url` for all projects at the instance level (self-managed) or group level (SaaS), save it as `project-list.csv`
# self-managed - instance level (use Admin PAT for authentication)
glab api --hostname "self-managed-gitlab.example.com" --paginate projects 2&gt;&gt; error.log | jq -c '.[]' | jq -rc '[.id, .web_url] | @csv' | tee -a project-list.csv

# SaaS - group level (use group owner PAT for authentication)
glab api --paginate "groups/$GROUP_ID/projects" 2&gt;&gt; error.log | jq -c '.[]' | jq -rc '[.id, .web_url] | @csv' | tee -a project-list.csv

## add headers to protected_branch_report.csv file
echo "project_id, web_url, group_name_push_access, group_id_push_access, group_name_merge_access, group_id_merge_access" &gt; protected_branch_report.csv

## loop through each project to check for protected branches that have a group with push or merge access
# (`.push_access_levels[]` rather than `.push_access_levels.[]` so the filter also parses on jq releases before 1.7)
while IFS=',' read -r PROJECT_ID WEB_URL; do
  glab api "projects/$PROJECT_ID/protected_branches" 2&gt;&gt; error.log \
  | jq -c '.[]' \
  | jq 'select((any(.push_access_levels[]; .group_id != null and .access_level == 40)) or (any(.merge_access_levels[]; .group_id != null and .access_level == 40)))' 2&gt;&gt; error.log \
  | jq -c "{project_id: $PROJECT_ID, web_url: $WEB_URL, group_id_push_access: .push_access_levels[].group_id, group_name_push_access: .push_access_levels[].access_level_description, group_id_merge_access: .merge_access_levels[].group_id, group_name_merge_access: .merge_access_levels[].access_level_description}" 2&gt;&gt; error.log \
  | jq 'select((.group_id_push_access != null or .group_id_merge_access != null) and (.group_name_push_access != "Maintainers" or .group_name_merge_access != "Maintainers"))' 2&gt;&gt; error.log \
  | jq -rc '[.project_id, .web_url, .group_name_push_access, .group_id_push_access, .group_name_merge_access, .group_id_merge_access] | @csv' \
  | tee -a protected_branch_report.csv
done &lt; project-list.csv
</code></pre>
<p>GitLab has conducted limited testing to validate this script. As such this script is provided AS-IS and GitLab makes no warranties of any kind. GITLAB HEREBY DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING, WITHOUT LIMITATION, ALL IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT.</p>
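<p>The same selection logic, re-implemented in Python over constructed sample data so it can be read and tested offline. This is an added example, not GitLab's script: the project ids, URLs, group ids and group names are constructed, and the response bodies follow the field names of the <code>protected_branches</code> API (<code>access_level</code>, <code>access_level_description</code>, <code>user_id</code>, <code>group_id</code>) that the jq pipeline reads; the filter is the pipeline's (an entry with <code>group_id</code> set and <code>access_level</code> 40 under push or merge access), emitted one row per group rather than one flattened line per branch.</p>

```python
"""Offline re-implementation of the advisory's CVE-2023-6564 configuration check.

Added example, not GitLab's script. It applies the selection the advisory's jq
pipeline applies to GET /projects/:id/protected_branches responses, over
constructed sample data, so the logic can be read and tested without an instance.
"""
import csv
import io

MAINTAINER_ACCESS_LEVEL = 40  # the access_level the advisory's jq filter keys on

# Constructed sample projects, in the shape the script writes to project-list.csv.
SAMPLE_PROJECTS = [
    (11, "https://gitlab.example.com/acme/payments"),
    (12, "https://gitlab.example.com/acme/web"),
    (13, "https://gitlab.example.com/acme/infra"),
]

# Constructed sample protected_branches responses, reduced to the fields the check
# reads. Project 11 grants a group both push and merge on main; project 12 only uses
# the built-in Maintainers level; project 13 grants a group merge access only.
SAMPLE_PROTECTED_BRANCHES = {
    11: [{
        "name": "main",
        "push_access_levels": [
            {"access_level": 40, "access_level_description": "Maintainers", "user_id": None, "group_id": None},
            {"access_level": 40, "access_level_description": "release-managers", "user_id": None, "group_id": 501},
        ],
        "merge_access_levels": [
            {"access_level": 40, "access_level_description": "release-managers", "user_id": None, "group_id": 501},
        ],
    }],
    12: [{
        "name": "main",
        "push_access_levels": [{"access_level": 40, "access_level_description": "Maintainers", "user_id": None, "group_id": None}],
        "merge_access_levels": [{"access_level": 40, "access_level_description": "Maintainers", "user_id": None, "group_id": None}],
    }],
    13: [{
        "name": "production",
        "push_access_levels": [{"access_level": 0, "access_level_description": "No one", "user_id": None, "group_id": None}],
        "merge_access_levels": [{"access_level": 40, "access_level_description": "ops-team", "user_id": None, "group_id": 777}],
    }],
}


def group_grants(access_levels):
    """Map group_id -> access_level_description for every entry that names a group.

    Mirrors the jq condition `.group_id != null and .access_level == 40`; role- and
    user-based entries (group_id null) are ignored.
    """
    return {
        level["group_id"]: level["access_level_description"]
        for level in access_levels
        if level.get("group_id") is not None
        and level.get("access_level") == MAINTAINER_ACCESS_LEVEL
    }


def find_group_protected_branches(projects, branches_by_project):
    """One row per (project, branch, group) where a group is allowed to push or merge.

    A row per group keeps a branch with several group grants unambiguous, which a
    single flattened line per branch would not.
    """
    rows = []
    for project_id, web_url in projects:
        for branch in branches_by_project.get(project_id, []):
            push = group_grants(branch.get("push_access_levels", []))
            merge = group_grants(branch.get("merge_access_levels", []))
            for group_id in sorted(set(push) | set(merge)):
                rows.append({
                    "project_id": project_id,
                    "web_url": web_url,
                    "branch": branch["name"],
                    "group_id": group_id,
                    "group_name": push.get(group_id) or merge.get(group_id),
                    "push_access": group_id in push,
                    "merge_access": group_id in merge,
                })
    return rows


FIELDS = ["project_id", "web_url", "branch", "group_id", "group_name", "push_access", "merge_access"]


def to_csv(rows):
    """Render the rows as the CSV report a reviewer would work through."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(find_group_protected_branches(SAMPLE_PROJECTS, SAMPLE_PROTECTED_BRANCHES)))
```

As with the advisory's script, a row only means the project carried the configuration; the merge requests merged on an affected version still have to be reviewed by hand.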
</details> <h3 id="the-gitlab-web-interface-does-not-ensure-the-integrity-of-information-when-downloading-the-source-code-from-installation-packages-or-tags">The GitLab web interface does not ensure the integrity of information when downloading the source code from installation packages or tags.</h3> <p>An issue has been discovered in GitLab CE/EE affecting all versions before 16.4.4, all versions starting from 16.5 before 16.5.4, all versions starting from 16.6 before 16.6.2. File integrity may be compromised when source code or installation packages are pulled from a specific tag. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N</code>, 5.7). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6051">CVE-2023-6051</a>.</p> <p>Thanks <a href="https://hackerone.com/st4nly0n">st4nly0n</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="project-maintainer-can-escalate-to-project-owner-using-project-access-token-rotate-api">Project maintainer can escalate to Project owner using project access token rotate API</h3> <p>A privilege escalation vulnerability in GitLab EE affecting all versions from 16.0 prior to 16.4.4, 16.5 prior to 16.5.4, and 16.6 prior to 16.6.2 allows a project Maintainer to use a Project Access Token to escalate their role to Owner. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N</code>, 4.9). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3907">CVE-2023-3907</a>.</p> <p>Thanks <a href="https://hackerone.com/ashish_r_padelkar">ashish_r_padelkar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="omission-of-double-encoding-in-file-names-facilitates-the-creation-of-repositories-with-malicious-content">Omission of Double Encoding in File Names Facilitates the Creation of Repositories with Malicious Content.</h3> <p>An issue has been discovered in GitLab CE/EE affecting all versions from 16.3 before 16.4.4, all versions starting from 16.5 before 16.5.4, all versions starting from 16.6 before 16.6.2. File integrity may be compromised when specific HTML encoding is used for file names, leading to an incorrect representation in the UI. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N</code>, 4.8). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5512">CVE-2023-5512</a>.</p> <p>Thanks <a href="https://hackerone.com/st4nly0n">st4nly0n</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="unvalidated-timespent-value-leads-to-unable-to-load-issues-on-issue-board">Unvalidated timeSpent value leads to unable to load issues on Issue board</h3> <p>An issue has been discovered in GitLab EE affecting all versions before 16.4.4, all versions starting from 16.5 before 16.5.4, all versions starting from 16.6 before 16.6.2. It was possible to overflow the time spent on an issue, which altered the details shown in the issue boards. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L</code>, 4.3). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3904">CVE-2023-3904</a>.</p> <p>Thanks <a href="https://hackerone.com/toukakirishima">toukakirishima</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="developer-can-bypass-predefined-variables-via-rest-api">Developer can bypass predefined variables via REST API</h3> <p>An issue has been discovered in GitLab affecting all versions starting from 9.3 before 16.4.4, all versions starting from 16.5 before 16.5.4, all versions starting from 16.6 before 16.6.2. In certain situations, it may have been possible for developers to override predefined CI variables via the REST API. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5061">CVE-2023-5061</a>.</p> <p>Thanks <a href="https://hackerone.com/ali_shehab">ali_shehab</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="auditor-users-can-create-merge-requests-on-projects-they-dont-have-access-to">Auditor users can create merge requests on projects they don't have access to</h3> <p>An issue has been discovered in GitLab EE affecting all versions starting from 8.17 before 16.4.4, all versions starting from 16.5 before 16.5.4, all versions starting from 16.6 before 16.6.2. It was possible for auditor users to fork and submit merge requests to private projects they're not a member of. This is a low severity issue (<code>CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N</code>, 2.0). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3511">CVE-2023-3511</a>.</p> <p>Thanks <a href="https://hackerone.com/js_noob">js_noob</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="non-security-patches">Non Security Patches</h2> <h3 id="1662">16.6.2</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/build/CNG/-/merge_requests/1649">[Backport 16.6] Fix redis-namspace dependency version for UBI mailroom</a></li> <li><a href="https://gitlab.com/gitlab-org/build/CNG/-/merge_requests/1658">Fix backup id parsing from backup URLs (16.6 Backport)</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/138449">Package Registry: Truncate Pypi metadata description field</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/138535">Fix adding confidential child tasks</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/138797">Backport Hide obsolete migration warning into 16.6</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/138911">[16.6 Backport] Fix Admin Mode bug in DeactivateDormantUsersWorker</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/138929">Backport Fix cluster reindexing service preflight check to 16.6</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/138804">Backport Sanitize string provided to to_tsvector</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/138602">Backport "Update migration to work for any fk name" to 16.6</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/139051">Fix Environment destroy job is retried endlessly (16.6 backport)</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/138431">Allow users to authenticate via OAuth with password-based providers</a></li> <li><a 
href="https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/7275">Do not scan entire /var/opt/gitlab for stale pids (16.6 backport)</a></li> </ul> <h3 id="1654">16.5.4</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/build/CNG/-/merge_requests/1641">gitlab-rails: support skipping post-migrations in db checks</a></li> <li><a href="https://gitlab.com/gitlab-org/build/CNG/-/merge_requests/1650">[Backport 16.5] Fix redis-namspace dependency version for UBI mailroom</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/137712">Backport - Truncate verification failure message to 255</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/138912">[16.5 Backport] Fix Admin Mode bug in DeactivateDormantUsersWorker</a></li> </ul> <h3 id="1644">16.4.4</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/build/CNG/-/merge_requests/1651">[Backport 16.4] Fix redis-namspace dependency version for UBI mailroom</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/138913">[16.4 Backport] Fix Admin Mode bug in DeactivateDormantUsersWorker</a></li> </ul> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">update page</a>. To update GitLab Runner, see the <a href="https://docs.gitlab.com/runner/install/linux-repository.html#updating-the-runner">Updating the Runner page</a>.</p> <h2 id="receive-security-release-notifications">Receive Security Release Notifications</h2> <p>To receive security release blog notifications delivered to your inbox, visit our <a href="https://about.gitlab.com/company/contact/">contact us</a> page. 
To receive release notifications via RSS, subscribe to our <a href="https://about.gitlab.com/security-releases.xml">security release RSS feed</a> or our <a href="https://about.gitlab.com/all-releases.xml">RSS feed for all releases</a>.</p> <p><strong>GitLab Security Release: 16.6.1, 16.5.3, 16.4.3</strong> (<a href="https://about.gitlab.com/releases/2023/11/30/security-release-gitlab-16-6-1-released/">https://about.gitlab.com/releases/2023/11/30/security-release-gitlab-16-6-1-released/</a>), 2023-11-30, Greg Myers</p> <p>Today we are releasing versions 16.6.1, 16.5.3, 16.4.3 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.</p> <p>GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 3rd Thursday of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our <a href="https://about.gitlab.com/security/faq/">security FAQ</a>. You can see all of our regular and security release blog posts <a href="/releases/categories/releases/">here</a>. In addition, the issues detailing each vulnerability are made public on our <a href="https://gitlab.com/gitlab-org/gitlab/-/issues/?sort=created_date&amp;state=closed&amp;label_name%5B%5D=bug%3A%3Avulnerability&amp;confidential=no&amp;first_page_size=100">issue tracker</a> 30 days after the release in which they were patched.</p> <p>We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. 
As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more <a href="/blog/gitlab-instance-security-best-practices/">best practices in securing your GitLab instance</a> in our blog post.</p> <h3 id="recommended-action">Recommended Action</h3> <p>We <strong>strongly recommend</strong> that all installations running a version affected by the issues described below are <strong>upgraded to the latest version as soon as possible</strong>.</p> <p>When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.</p> <h2 id="table-of-fixes">Table of fixes</h2> <table> <thead> <tr> <th>Title</th> <th>Severity</th> </tr> </thead> <tbody> <tr> <td><a href="#xss-and-redos-in-markdown-via-banzai-pipeline-of-jira">XSS and ReDoS in Markdown via Banzai pipeline of Jira</a></td> <td>High</td> </tr> <tr> <td><a href="#members-with-admin_group_member-custom-permission-can-add-members-with-higher-role">Members with admin_group_member custom permission can add members with higher role</a></td> <td>High</td> </tr> <tr> <td><a href="#release-description-visible-in-public-projects-despite-release-set-as-project-members-only-through-atom-response">Release Description visible in public projects despite release set as project members only through atom response</a></td> <td>Medium</td> </tr> <tr> <td><a href="#manipulate-the-repository-content-in-the-ui-cve-2023-3401-bypass">Manipulate the repository content in the UI (CVE-2023-3401 bypass)</a></td> <td>Medium</td> </tr> <tr> <td><a href="#external-user-can-abuse-policy-bot-to-gain-access-to-internal-projects">External user can abuse policy bot to gain access to internal projects</a></td> <td>Medium</td> </tr> <tr> <td><a href="#developers-can-update-pipeline-schedules-to-use-protected-branches-even-if-they-dont-have-permission-to-merge">Developers can update 
pipeline schedules to use protected branches even if they don't have permission to merge</a></td> <td>Medium</td> </tr> <tr> <td><a href="#users-can-install-composer-packages-from-public-projects-even-when-package-registry-is-turned-off">Users can install Composer packages from public projects even when <code>Package registry</code> is turned off</a></td> <td>Medium</td> </tr> <tr> <td><a href="#client-side-dos-via-mermaid-flowchart">Client-side DOS via Mermaid Flowchart</a></td> <td>Low</td> </tr> <tr> <td><a href="#unauthorized-member-can-gain-allowed-to-push-and-merge-access-and-affect-integrity-of-protected-branches">Unauthorized member can gain <code>Allowed to push and merge</code> access and affect integrity of protected branches</a></td> <td>Low</td> </tr> <tr> <td><a href="#guest-users-can-react-emojis-on-confidential-work-items-which-they-cant-see-in-a-project">Guest users can react (emojis) on confidential work items which they can't see in a project</a></td> <td>Low</td> </tr> </tbody> </table> <h3 id="xss-and-redos-in-markdown-via-banzai-pipeline-of-jira">XSS and ReDoS in Markdown via Banzai pipeline of Jira</h3> <p>Improper neutralization of input in the Jira integration configuration in GitLab CE/EE, affecting all versions from 15.10 prior to 16.6.1, 16.5 prior to 16.5.3, and 16.4 prior to 16.4.3, allowed an attacker to execute JavaScript in a victim's browser.</p> <p>This is a high severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N</code>, 8.7). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6033">CVE-2023-6033</a>.</p> <p>Thanks <a href="https://hackerone.com/yvvdwf">yvvdwf</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="members-with-admin_group_member-custom-permission-can-add-members-with-higher-role">Members with admin_group_member custom permission can add members with higher role</h3> <p>An issue has been discovered in GitLab EE affecting all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. When a user is assigned a custom role with <code>admin_group_member</code> enabled, they may be able to add a member with a higher static role than themselves to the group, which may lead to privilege escalation.</p> <p>This is a high severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N</code>, 8.1). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6396">CVE-2023-6396</a>.</p> <p>This vulnerability was discovered internally by GitLab team member <a href="https://gitlab.com/jarka">jarka</a>.</p> <h3 id="release-description-visible-in-public-projects-despite-release-set-as-project-members-only-through-atom-response">Release Description visible in public projects despite release set as project members only through atom response</h3> <p>An issue has been discovered in GitLab affecting all versions starting from 11.3 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. It was possible for unauthorized users to view a public project's release descriptions via an atom endpoint when release access was restricted to project members only.</p> <p>This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N</code>, 5.3). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3949">CVE-2023-3949</a>.</p> <p>Thanks <a href="https://hackerone.com/ashish_r_padelkar">ashish_r_padelkar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="manipulate-the-repository-content-in-the-ui-cve-2023-3401-bypass">Manipulate the repository content in the UI (CVE-2023-3401 bypass)</h3> <p>An issue has been discovered in GitLab affecting all versions before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. Under certain circumstances, a malicious actor could bypass prohibited branch checks using a specially crafted branch name to manipulate repository content in the UI.</p> <p>This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N</code>, 4.8). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5226">CVE-2023-5226</a>.</p> <p>Thanks <a href="https://hackerone.com/shells3c">shells3c</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="external-user-can-abuse-policy-bot-to-gain-access-to-internal-projects">External user can abuse policy bot to gain access to internal projects</h3> <p>An issue has been discovered in GitLab EE affecting all versions starting from 16.2 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. It was possible for an attacker to abuse the policy bot to gain access to internal projects.</p> <p>This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N</code>, 4.4). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5995">CVE-2023-5995</a>.</p> <p>Thanks <a href="https://hackerone.com/joaxcar">joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="client-side-dos-via-mermaid-flowchart">Client-side DOS via Mermaid Flowchart</h3> <p>An issue has been discovered in GitLab EE affecting all versions starting from 10.5 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. It was possible for an attacker to cause a client-side denial of service using maliciously crafted Mermaid diagram input.</p> <p>This is a low severity issue (<code>CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:L</code>, 2.6). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4912">CVE-2023-4912</a>.</p> <p>Thanks <a href="https://hackerone.com/toukakirishima">toukakirishima</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="developers-can-update-pipeline-schedules-to-use-protected-branches-even-if-they-dont-have-permission-to-merge">Developers can update pipeline schedules to use protected branches even if they don't have permission to merge</h3> <p>An issue has been discovered in GitLab affecting all versions starting from 9.2 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. It was possible for a user with the Developer role to update a pipeline schedule from an unprotected branch to a protected branch.</p> <p>This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N</code>, 4.3). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4317">CVE-2023-4317</a>.</p> <p>Thanks <a href="https://hackerone.com/js_noob">js_noob</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="users-can-install-composer-packages-from-public-projects-even-when-package-registry-is-turned-off">Users can install Composer packages from public projects even when <code>Package registry</code> is turned off</h3> <p>An issue has been discovered in GitLab affecting all versions starting from 13.2 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. It was possible for users to access composer packages on public projects that have package registry disabled in the project settings.</p> <p>This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3964">CVE-2023-3964</a>.</p> <p>Thanks <a href="https://hackerone.com/js_noob">js_noob</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="unauthorized-member-can-gain-allowed-to-push-and-merge-access-and-affect-integrity-of-protected-branches">Unauthorized member can gain <code>Allowed to push and merge</code> access and affect integrity of protected branches</h3> <p>An issue has been discovered in GitLab EE affecting all versions starting from 8.13 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. It was possible for an attacker to abuse the <code>Allowed to merge</code> permission as a guest user, when granted the permission through a group.</p> <p>This is a low severity issue (<code>CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N</code>, 3.1). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4658">CVE-2023-4658</a>.</p> <p>Thanks <a href="https://hackerone.com/theluci">theluci</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="guest-users-can-react-emojis-on-confidential-work-items-which-they-cant-see-in-a-project">Guest users can react (emojis) on confidential work items which they can't see in a project</h3> <p>An issue has been discovered in GitLab affecting all versions starting from 12.1 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. It was possible for a Guest user to add an emoji on confidential work items.</p> <p>This is a low severity issue (<code>CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N</code>, 3.1). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3443">CVE-2023-3443</a>.</p> <p>Thanks <a href="https://hackerone.com/ashish_r_padelkar">ashish_r_padelkar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="mattermost-security-update">Mattermost Security Update</h3> <p>Mattermost has been updated to the latest patch release to mitigate several security issues.</p> <h3 id="update-to-pg-149-and-1312">Update to PG 14.9 and 13.12</h3> <p>PostgreSQL has been updated to 14.9 and 13.12 to mitigate CVE-2023-39417.</p> <h3 id="update-pcre2-to-1042">Update pcre2 to 10.42</h3> <p><code>pcre2</code> has been updated to version 10.42 to mitigate CVE-2022-41409.</p> <h2 id="non-security-patches">Non Security Patches</h2> <h3 id="1661">16.6.1</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/build/CNG/-/merge_requests/1639">Install Gitaly dependencies for project archiving (16.6 backport)</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/137167">Fix intermittent 404 errors loading GitLab 
Pages</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/136888">Prefer custom sort order with search in users API</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/136902">Backport "Fix group page erroring because of nil user" to 16-6-stable-ee</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/137296">Skip encrypted settings logic for Redis when used by Mailroom</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/137687">Allow <code>+</code> char in abuse detection for global search</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/137800">Backport "Move unlock pipeline cron scheduler out of ee" to 16.6</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/137899">Fix bug with pages_deployments files not being deleted on disk</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/137711">Backport - Truncate verification failure message to 255</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/138131">Backport "Revert "Merge branch 'sc1-release-goredis' into 'master'""</a></li> </ul> <h3 id="1653">16.5.3</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/build/CNG/-/merge_requests/1636">Backport 10871d71b171db38701bfefe15883b05c234ca6d to <code>16-5-stable</code></a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/136934">Geo: Reduce batch size of verification state backfill</a></li> </ul> <h3 id="1643">16.4.3</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/build/CNG/-/merge_requests/1622">Backport 10871d71b171db38701bfefe15883b05c234ca6d to <code>16-4-stable</code></a></li> <li><a href="https://gitlab.com/gitlab-org/gitaly/-/merge_requests/6554">Backport to 16.4 the fix for test failure due to "not-existing.com" being registered</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/135647">Bump 
<code>asdf-bootstrapped-verify</code> version on 16.4</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/133886">Fix bulk batch export of badges and uploads</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/136764">[16.4] ci: Fix broken master by not reading GITLAB_ENV</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/136433">Fix assign security check permission checks</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/136774">For 16.4: Fix Geo verification state backfill job can exceed batch size</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/136937">Geo: Reduce batch size of verification state backfill</a></li> </ul> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">update page</a>. To update GitLab Runner, see the <a href="https://docs.gitlab.com/runner/install/linux-repository.html#updating-the-runner">Updating the Runner page</a>.</p> <h2 id="receive-security-release-notifications">Receive Security Release Notifications</h2> <p>To receive security release blog notifications delivered to your inbox, visit our <a href="https://about.gitlab.com/company/contact/">contact us</a> page. 
To receive release notifications via RSS, subscribe to our <a href="https://about.gitlab.com/security-releases.xml">security release RSS feed</a> or our <a href="https://about.gitlab.com/all-releases.xml">RSS feed for all releases</a>.</p> <p><strong>GitLab Security Release: 16.5.1, 16.4.2, 16.3.6</strong> (<a href="https://about.gitlab.com/releases/2023/10/31/security-release-gitlab-16-5-1-16-4-2-16-3-6-released/">https://about.gitlab.com/releases/2023/10/31/security-release-gitlab-16-5-1-16-4-2-16-3-6-released/</a>), 2023-10-31, Greg Alfaro</p> <p>Today we are releasing versions 16.5.1, 16.4.2, 16.3.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.</p> <p>GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 3rd Thursday of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our <a href="https://about.gitlab.com/security/faq/">security FAQ</a>. You can see all of our regular and security release blog posts <a href="/releases/categories/releases/">here</a>. 
In addition, the issues detailing each vulnerability are made public on our <a href="https://gitlab.com/gitlab-org/gitlab/-/issues/?sort=created_date&amp;state=closed&amp;label_name%5B%5D=bug%3A%3Avulnerability&amp;confidential=no&amp;first_page_size=100">issue tracker</a> 30 days after the release in which they were patched.</p> <p>We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more <a href="/blog/gitlab-instance-security-best-practices/">best practices in securing your GitLab instance</a> in our blog post.</p> <p>On 2023-10-20 11:03 UTC, GitLab internally discovered (CVE-2023-5831) that a change in the GitLab sidebar feature resulted in self-managed GitLab instances sending version-checks to version.gitlab.com each time they opened a page on their GitLab instance. This means that the hostnames and current versions of self-managed GitLab instances were being sent to version.gitlab.com any time a user of that GitLab instance opened any page, regardless of whether or not the sending of version-check was enabled. This information was only accessible to some GitLab team members and was not exposed externally, and GitLab is working to purge the erroneously collected data from our database.</p> <h3 id="recommended-action">Recommended Action</h3> <p>We <strong>strongly recommend</strong> that all installations running a version affected by the issues described below are <strong>upgraded to the latest version as soon as possible</strong>.</p> <p>When no specific deployment type (omnibus, source code, helm chart, etc.) 
of a product is mentioned, this means all types are affected.</p> <h2 id="table-of-fixes">Table of fixes</h2> <table> <thead> <tr> <th>Title</th> <th>Severity</th> </tr> </thead> <tbody> <tr> <td><a href="#disclosure-of-cicd-variables-using-custom-project-templates">Disclosure of CI/CD variables using Custom project templates</a></td> <td>High</td> </tr> <tr> <td><a href="#gitlab-omnibus-dos-crash-via-oom-with-ci-catalogs">GitLab omnibus DoS crash via OOM with CI Catalogs</a></td> <td>Medium</td> </tr> <tr> <td><a href="#parsing--gitlab-ciyml-with-large-string-via-timeout-input-leads-to-denial-of-service">Parsing gitlab-ci.yml with large string via <code>timeout</code> input leads to Denial of Service</a></td> <td>Medium</td> </tr> <tr> <td><a href="#dos---blocking-fifo-files-in-tar-archives">DoS - Blocking FIFO files in Tar archives</a></td> <td>Medium</td> </tr> <tr> <td><a href="#titles-exposed-by-service-desk-template">Titles exposed by service-desk template</a></td> <td>Medium</td> </tr> <tr> <td><a href="#approval-on-protected-environments-can-be-bypassed">Approval on protected environments can be bypassed</a></td> <td>Low</td> </tr> <tr> <td><a href="#version-information-disclosure-when-super_sidebar_logged_out-feature-flag-is-enabled">Version information disclosure when <code>super_sidebar_logged_out</code> feature flag is enabled</a></td> <td>Low</td> </tr> <tr> <td><a href="#add-abuse-detection-for-search-syntax-filter-pipes">Add abuse detection for search syntax filter pipes</a></td> <td>Low</td> </tr> </tbody> </table> <h3 id="disclosure-of-cicd-variables-using-custom-project-templates">Disclosure of CI/CD variables using Custom project templates</h3> <p>An issue has been discovered in GitLab affecting all versions starting from 11.6 before 12.9.8, all versions starting from 12.10 before 12.10.7, all versions starting from 13.0 before 13.0.1. 
It was possible for an unauthorised project or group member to read the CI/CD variables using the custom project templates. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N</code>, 8.5). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3399">CVE-2023-3399</a>.</p> <p>Thanks <a href="https://hackerone.com/theluci">theluci</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="gitlab-omnibus-dos-crash-via-oom-with-ci-catalogs">GitLab omnibus DoS crash via OOM with CI Catalogs</h3> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.2 before 16.3.6, all versions starting from 16.4 before 16.4.2, all versions starting from 16.5 before 16.5.1. A low-privileged attacker can point a CI/CD Component to an incorrect path and cause the server to exhaust all available memory through an infinite loop, causing a Denial of Service. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H</code>, 6.5). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5825">CVE-2023-5825</a>.</p> <p>Thanks <a href="https://hackerone.com/blakbat">blakbat</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="parsing--gitlab-ciyml-with-large-string-via-timeout-input-leads-to-denial-of-service">Parsing gitlab-ci.yml with large string via <code>timeout</code> input leads to Denial of Service</h3> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.3 before 16.3.6, all versions starting from 16.4 before 16.4.2, all versions starting from 16.5 before 16.5.1. A Regular Expression Denial of Service was possible by adding a large string in the timeout input of the gitlab-ci.yml file. 
This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L</code>, 4.3). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3909">CVE-2023-3909</a>.</p> <p>Thanks <a href="https://hackerone.com/akadrian">akadrian</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="dos---blocking-fifo-files-in-tar-archives">DoS - Blocking FIFO files in Tar archives</h3> <p>An issue has been discovered in GitLab EE/CE affecting all versions before 16.3.6, all versions starting from 16.4 before 16.4.2, and all versions starting from 16.5 before 16.5.1 which allows an attacker to block the Sidekiq job processor. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L</code>, 4.3). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3246">CVE-2023-3246</a>.</p> <p>Thanks <a href="https://hackerone.com/zhutyra">zhutyra</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="titles-exposed-by-service-desk-template">Titles exposed by service-desk template</h3> <p>An issue has been discovered in GitLab EE affecting all versions starting from 16.0 before 16.3.6, all versions starting from 16.4 before 16.4.2, all versions starting from 16.5 before 16.5.1. The titles of specific private references could be leaked through the service-desk custom email template. This is a low severity issue (<code>CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 3.1). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5600">CVE-2023-5600</a>.</p> <p>Thanks <a href="https://hackerone.com/yvvdwf">yvvdwf</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="approval-on-protected-environments-can-be-bypassed">Approval on protected environments can be bypassed</h3> <p>An authorization issue in GitLab EE affecting all versions from 14.7 prior to 16.3.6, 16.4 prior to 16.4.2, and 16.5 prior to 16.5.1 allowed a user to run jobs in protected environments, bypassing any required approvals. This is a low severity issue (<code>CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N</code>, 3.5). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4700">CVE-2023-4700</a>.</p> <p>Thanks <a href="https://hackerone.com/gregodfather">Gregor Pirolt</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="version-information-disclosure-when-super_sidebar_logged_out-feature-flag-is-enabled">Version information disclosure when <code>super_sidebar_logged_out</code> feature flag is enabled</h3> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.0 before 16.3.6, all versions starting from 16.4 before 16.4.2, and all versions starting from 16.5.0 before 16.5.1 which have the <code>super_sidebar_logged_out</code> feature flag enabled. Affected versions with this default-disabled feature flag enabled may unintentionally disclose GitLab version metadata to unauthorized actors. This is a low severity issue (<code>CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N</code>, 3.7). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5831">CVE-2023-5831</a>.</p> <p>This vulnerability was discovered internally by the GitLab team.</p> <h3 id="add-abuse-detection-for-search-syntax-filter-pipes">Add abuse detection for search syntax filter pipes</h3> <p>An issue has been discovered in GitLab EE with Advanced Search affecting all versions from 13.9 to 16.3.6, 16.4 prior to 16.4.2 and 16.5 prior to 16.5.1 that could allow a denial of service in the Advanced Search function by chaining too many syntax operators. This is a low severity issue (<code>CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L</code>, 3.1). It is now mitigated in the latest release. We have requested a CVE ID and will update this blog post when it is assigned.</p> <p>This vulnerability was found internally by GitLab.</p> <h3 id="update-curl-to-v840">Update curl to v8.4.0</h3> <p>curl has been updated to v8.4.0 to mitigate <a href="https://curl.se/docs/CVE-2023-38545.html">CVE-2023-38545</a>.</p> <h3 id="update-mermaid-to-1050">Update mermaid to 10.5.0</h3> <p>mermaid has been updated to 10.5.0 to mitigate a security issue.</p> <h3 id="patch-nginx-for-cve-2023-44487">Patch NGINX for CVE-2023-44487</h3> <p>NGINX has been patched to mitigate CVE-2023-44487.</p> <h2 id="non-security-patches">Non Security Patches</h2> <h3 id="1651">16.5.1</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/134835">Revert better-error-messages-for-pull-mirroring</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/134867">Update post migration to drop column only if it exists</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/135226">Downgrade vue-apollo to prevent auto-restarting subscriptions on error</a></li> </ul> <h3 id="1642">16.4.2</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/build/CNG/-/merge_requests/1554">UBI: Explicitly add webrick gem to mailroom 
build</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/133882">Update VERSION files</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/133877">Update dependency prometheus-client-mmap to '&gt;= 0.28.1'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/133833">Backport: fix migration when commit_message_negative_regex is missing</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/134197">Backport to 16.4: Geo: Avoid getting resources stuck in Queued</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/134481">Fix pipeline schedules view when owner is nil</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/134565">Quarantine flaky delete_job_spec:46</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/134264">Create Geo event when project is created</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/134328">Fix bug with batched gitaly ref deletion duplicates</a></li> </ul> <h3 id="1636">16.3.6</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/build/CNG/-/merge_requests/1555">UBI: Explicitly add webrick gem to mailroom build</a></li> <li><a href="https://gitlab.com/gitlab-org/build/CNG/-/merge_requests/1499">Backport 16.3: Upgrade exiftool to 12.65</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/135401">Fixes the 16-3-stable branch</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/134196">Backport to 16.3: Geo: Avoid getting resources stuck in Queued</a></li> </ul> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">update page</a>. 
To update GitLab Runner, see the <a href="https://docs.gitlab.com/runner/install/linux-repository.html#updating-the-runner">Updating the Runner page</a>.</p> <h2 id="receive-security-release-notifications">Receive Security Release Notifications</h2> <p>To receive security release blog notifications delivered to your inbox, visit our <a href="https://about.gitlab.com/company/contact/">contact us</a> page. To receive release notifications via RSS, subscribe to our <a href="https://about.gitlab.com/security-releases.xml">security release RSS feed</a> or our <a href="https://about.gitlab.com/all-releases.xml">RSS feed for all releases</a>.</p> GitLab Security Release: 16.4.1, 16.3.5, and 16.2.8 https://about.gitlab.com/releases/2023/09/28/security-release-gitlab-16-4-1-released/ 2023-09-28T00:00:00+00:00 2023-09-28T00:00:00+00:00 Félix Veillette-Potvin <p>Today we are releasing versions 16.4.1, 16.3.5, and 16.2.8 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.</p> <p>GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our <a href="https://about.gitlab.com/security/faq/">security FAQ</a>. You can see all of our regular and security release blog posts <a href="/releases/categories/releases/">here</a>. 
In addition, the issues detailing each vulnerability are made public on our <a href="https://gitlab.com/gitlab-org/gitlab/-/issues/?sort=created_date&amp;state=closed&amp;label_name%5B%5D=bug%3A%3Avulnerability&amp;confidential=no&amp;first_page_size=100">issue tracker</a> 30 days after the release in which they were patched.</p> <p>We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more <a href="/blog/gitlab-instance-security-best-practices/">best practices in securing your GitLab instance</a> in our blog post.</p> <h3 id="recommended-action">Recommended Action</h3> <p>We <strong>strongly recommend</strong> that all installations running a version affected by the issues described below are <strong>upgraded to the latest version as soon as possible</strong>.</p> <p>When no specific deployment type (omnibus, source code, helm chart, etc.) 
of a product is mentioned, this means all types are affected.</p> <h2 id="table-of-fixes">Table of Fixes</h2> <table> <thead> <tr> <th>Title</th> <th>Severity</th> </tr> </thead> <tbody> <tr> <td><a href="#attacker-can-add-other-projects-policy-bot-as-member-to-their-own-project-and-use-that-bot-to-trigger-pipelines-in-victims-project">Attacker can add another project's policy bot as a member to their own project and use that bot to trigger pipelines in the victim's project</a></td> <td>high</td> </tr> <tr> <td><a href="#group-import-allows-impersonation-of-users-in-ci-pipelines">Group import allows impersonation of users in CI pipelines</a></td> <td>high</td> </tr> <tr> <td><a href="#developers-can-bypass-code-owners-approval-by-changing-a-mrs-base-branch">Developers can bypass code owners approval by changing an MR's base branch</a></td> <td>high</td> </tr> <tr> <td><a href="#leaking-source-code-of-restricted-project-through-a-fork">Leaking source code of restricted project through a fork</a></td> <td>medium</td> </tr> <tr> <td><a href="#third-party-library-consul-requires-enable-script-checks-to-be-false-to-enable-patch">Third party library Consul requires enable-script-checks to be False to enable patch</a></td> <td>medium</td> </tr> <tr> <td><a href="#service-account-not-deleted-when-namespace-is-deleted-allowing-access-to-internal-projects">Service account not deleted when namespace is deleted allowing access to internal projects</a></td> <td>medium</td> </tr> <tr> <td><a href="#enforce-sso-settings-bypassed-for-public-projects-for-members-without-identity">Enforce SSO settings bypassed for public projects for Members without identity</a></td> <td>medium</td> </tr> <tr> <td><a href="#removed-project-member-can-write-to-protected-branches">Removed project member can write to protected branches</a></td> <td>medium</td> </tr> <tr> <td><a href="#unauthorised-association-of-ci-jobs-for-machine-learning-experiments">Unauthorised association of CI jobs for Machine Learning 
experiments</a></td> <td>medium</td> </tr> <tr> <td><a href="#force-pipelines-to-not-have-access-to-protected-variables-and-will-likely-fail-using-tags">Force pipelines to not have access to protected variables and will likely fail using tags</a></td> <td>medium</td> </tr> <tr> <td><a href="#maintainer-can-create-a-fork-relationship-between-existing-projects">Maintainer can create a fork relationship between existing projects</a></td> <td>medium</td> </tr> <tr> <td><a href="#disclosure-of-masked-ci-variables-via-processing-cicd-configuration-of-forks">Disclosure of masked CI variables via processing CI/CD configuration of forks</a></td> <td>medium</td> </tr> <tr> <td><a href="#asset-proxy-bypass-using-non-ascii-character-in-asset-uri">Asset Proxy Bypass using non-ASCII character in asset URI</a></td> <td>low</td> </tr> <tr> <td><a href="#unauthorized-member-can-gain-allowed-to-push-and-merge-access-and-affect-integrity-of-protected-branches">Unauthorized member can gain <code>Allowed to push and merge</code> access and affect integrity of protected branches</a></td> <td>low</td> </tr> <tr> <td><a href="#removed-developer-can-continue-editing-the-source-code-of-a-public-project">Removed Developer can continue editing the source code of a public project</a></td> <td>low</td> </tr> <tr> <td><a href="#a-project-reporter-can-leak-owners-sentry-instance-projects">A project reporter can leak owner's Sentry instance projects</a></td> <td>low</td> </tr> <tr> <td><a href="#math-rendering-in-markdown-can-escape-container-and-hijack-clicks">Math rendering in markdown can escape container and hijack clicks</a></td> <td>low</td> </tr> </tbody> </table> <h2 id="attacker-can-add-other-projects-policy-bot-as-member-to-their-own-project-and-use-that-bot-to-trigger-pipelines-in-victims-project">Attacker can add another project's policy bot as a member to their own project and use that bot to trigger pipelines in the victim's project</h2> <!-- 
https://gitlab.com/gitlab-org/security/gitlab/-/issues/982 --> <p>A vulnerability was discovered in GitLab CE and EE affecting all versions starting 16.0 prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1. An authenticated attacker could perform arbitrary pipeline execution under the context of another user. This is a high severity issue (<code>CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N</code>, 8.2). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5207">CVE-2023-5207</a>.</p> <p>Thanks <a href="https://hackerone.com/joaxcar">joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="group-import-allows-impersonation-of-users-in-ci-pipelines">Group import allows impersonation of users in CI pipelines</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/980 --> <p>Two issues have been discovered in Ultimate-licensed GitLab EE affecting all versions starting 13.12 prior to 16.2.8, 16.3.0 prior to 16.3.5, and 16.4.0 prior to 16.4.1 that could allow an attacker to impersonate users in CI pipelines through direct transfer group imports. These are high severity issues (<code>CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N</code>, 8.2). They are now mitigated in the latest release and are assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5106">CVE-2023-5106</a>.</p> <p>These issues have been discovered internally by GitLab team member <a href="https://gitlab.com/joernchen">Joern Schneeweisz</a>.</p> <h2 id="developers-can-bypass-code-owners-approval-by-changing-a-mrs-base-branch">Developers can bypass code owners approval by changing an MR's base branch</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/976 --> <p>An issue has been discovered in GitLab EE affecting all versions starting 15.3 prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1. 
Code owner approval was not removed from merge requests when the target branch was updated. This is a high severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N</code>, 8.1). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4379">CVE-2023-4379</a>.</p> <p>This issue was reported by a customer.</p> <h2 id="leaking-source-code-of-restricted-project-through-a-fork">Leaking source code of restricted project through a fork</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/939 --> <p>An issue has been discovered in GitLab affecting all versions starting from 16.2 before 16.2.8, all versions starting from 16.3 before 16.3.5, all versions starting from 16.4 before 16.4.1. It was possible for an unauthorised user to fork a public project. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N</code>, 6.5). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3413">CVE-2023-3413</a>.</p> <p>Thanks <a href="https://hackerone.com/shells3c">shells3c</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="third-party-library-consul-requires-enable-script-checks-to-be-false-to-enable-patch">Third party library Consul requires enable-script-checks to be False to enable patch</h2> <!-- https://gitlab.com/gitlab-org/security/omnibus-gitlab/-/issues/99 --> <p>The patch in the third party library Consul requires 'enable-script-checks' to be set to False. This only affects GitLab-EE. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N</code>, 5.9). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5332">CVE-2023-5332</a>.</p> <p>This issue was reported by a customer.</p> <h2 id="service-account-not-deleted-when-namespace-is-deleted-allowing-access-to-internal-projects">Service account not deleted when namespace is deleted allowing access to internal projects</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/962 --> <p>A business logic error in GitLab EE affecting all versions prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1 allows access to internal projects: a service account is not deleted when its namespace is deleted, so the account retains access to internal projects. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N</code>, 5.4). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3914">CVE-2023-3914</a>.</p> <p>Thanks <a href="https://hackerone.com/joaxcar">joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="enforce-sso-settings-bypassed-for-public-projects-for-members-without-identity">Enforce SSO settings bypassed for public projects for Members without identity</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/930 --> <p>An issue has been discovered in GitLab EE affecting all versions from 11.11 prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1. Single Sign On restrictions were not correctly enforced for indirect project members accessing public members-only project repositories. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N</code>, 5.4). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3115">CVE-2023-3115</a>.</p> <p>Thanks <a href="https://hackerone.com/theluci">theluci</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="removed-project-member-can-write-to-protected-branches">Removed project member can write to protected branches</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/972 --> <p>An issue has been discovered in GitLab affecting all versions prior to 16.2.7, all versions starting from 16.3 before 16.3.5, and all versions starting from 16.4 before 16.4.1. It was possible for a removed project member to write to protected branches using deploy keys. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5198">CVE-2023-5198</a>.</p> <p>Thanks <a href="https://hackerone.com/theluci">theluci</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="unauthorised-association-of-ci-jobs-for-machine-learning-experiments">Unauthorised association of CI jobs for Machine Learning experiments</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/960 --> <p>An issue has been discovered in GitLab affecting all versions starting from 16.2 before 16.2.8, all versions starting from 16.3 before 16.3.5, all versions starting from 16.4 before 16.4.1. Users could link CI/CD jobs of private projects of which they were not a member. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 4.3). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4532">CVE-2023-4532</a>.</p> <p>Thanks <a href="https://hackerone.com/ricardobrito">ricardobrito</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="force-pipelines-to-not-have-access-to-protected-variables-and-will-likely-fail-using-tags">Force pipelines to not have access to protected variables and will likely fail using tags</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/955 --> <p>A Denial of Service in pipelines affecting all versions of GitLab EE and CE prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1 allows an attacker to cause pipelines to fail. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L</code>, 4.3). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3917">CVE-2023-3917</a>.</p> <p>Thanks <a href="https://hackerone.com/js_noob">js_noob</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="maintainer-can-create-a-fork-relationship-between-existing-projects">Maintainer can create a fork relationship between existing projects</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/963 --> <p>An issue has been discovered in GitLab affecting all versions starting from 11.2 before 16.2.8, all versions starting from 16.3 before 16.3.5, all versions starting from 16.4 before 16.4.1. It was possible for a maintainer to create a fork relationship between existing projects, contrary to the documentation. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N</code>, 4.3). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3920">CVE-2023-3920</a>.</p> <p>Thanks <a href="https://hackerone.com/theluci">theluci</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="disclosure-of-masked-ci-variables-via-processing-cicd-configuration-of-forks">Disclosure of masked CI variables via processing CI/CD configuration of forks</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/964 --> <p>An information disclosure issue in GitLab CE/EE affecting all versions from 13.11 prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1 allows an attacker to extract non-protected CI/CD variables by tricking a user into visiting a fork with a malicious CI/CD configuration. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0989">CVE-2023-0989</a>.</p> <p>Thanks <a href="https://hackerone.com/shells3c">shells3c</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="asset-proxy-bypass-using-non-ascii-character-in-asset-uri">Asset Proxy Bypass using non-ASCII character in asset URI</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/973 --> <p>An input validation issue in the asset proxy in GitLab EE, affecting all versions from 12.3 prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1, allowed an authenticated attacker to craft image URLs which bypass the asset proxy. This is a low severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N</code>, 3.5). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3906">CVE-2023-3906</a>.</p> <p>Thanks <a href="https://hackerone.com/afewgoats">afewgoats</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="unauthorized-member-can-gain-allowed-to-push-and-merge-access-and-affect-integrity-of-protected-branches">Unauthorized member can gain <code>Allowed to push and merge</code> access and affect integrity of protected branches</h2> <p>An issue has been discovered in GitLab EE affecting all versions starting from X.Y before 16.X, all versions starting from 16.X before 16.X. It was possible for an attacker to abuse the <code>Allowed to merge</code> permission as a guest user, when granted the permission through a group. This is a low severity issue (<code>CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N</code>, 3.1). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4658">CVE-2023-4658</a>.</p> <p>Thanks <a href="https://hackerone.com/theluci">theluci</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="removed-developer-can-continue-editing-the-source-code-of-a-public-project">Removed Developer can continue editing the source code of a public project</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/953 --> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.6 before 16.2.8, all versions starting from 16.3 before 16.3.5, all versions starting from 16.4 before 16.4.1. It was possible for upstream members allowed to collaborate on your branch to retain permission to write to the merge request’s source branch. This is a low severity issue (<code>CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N</code>, 3.1). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3979">CVE-2023-3979</a>.</p> <p>Thanks <a href="https://hackerone.com/theluci">theluci</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="a-project-reporter-can-leak-owners-sentry-instance-projects">A project reporter can leak owner's Sentry instance projects</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/968 --> <p>An improper authorization issue has been discovered in GitLab CE/EE affecting all versions starting from 11.8 before 16.2.8, all versions starting from 16.3 before 16.3.5 and all versions starting from 16.4.0 before 16.4.1. It allows a project reporter to leak the owner's Sentry instance projects. This is a low severity issue (<code>CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 3.1). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2233">CVE-2023-2233</a>.</p> <p>Thanks <a href="https://hackerone.com/js_noob">js_noob</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="math-rendering-in-markdown-can-escape-container-and-hijack-clicks">Math rendering in markdown can escape container and hijack clicks</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/974 --> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting from 8.15 before 16.2.8, all versions starting from 16.3 before 16.3.5, all versions starting from 16.4 before 16.4.1. It was possible to hijack some links and buttons on the GitLab UI to a malicious page. This is a low severity issue (<code>CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:N/A:L</code>, 3.0). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3922">CVE-2023-3922</a>.</p> <p>Thanks <a href="https://hackerone.com/ammar2">ammar2</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h1 id="update-exiftool">Update Exiftool</h1> <p>Exiftool has been updated to version 1.12 in order to mitigate security issues.</p> <h1 id="update-mattermost">Update Mattermost</h1> <p>Mattermost has been updated to version 8.1.2 in order to mitigate security issues.</p> <h1 id="update-auto-deploy-image">Update Auto deploy image</h1> <p>Auto deploy image has been updated to version 2.55.0 in order to mitigate security issues.</p> <h2 id="non-security-patches">Non Security Patches</h2> <h3 id="1635">16.3.5</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/132398">Backport disable v1 package metadata sync</a></li> </ul> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">update page</a>. To update Gitlab Runner, see the <a href="https://docs.gitlab.com/runner/install/linux-repository.html#updating-the-runner">Updating the Runner page</a>.</p> <h2 id="receive-security-release-notifications">Receive Security Release Notifications</h2> <p>To receive security release blog notifications delivered to your inbox, visit our <a href="https://about.gitlab.com/company/contact/">contact us</a> page. 
To receive release notifications via RSS, subscribe to our <a href="https://about.gitlab.com/security-releases.xml">security release RSS feed</a> or our <a href="https://about.gitlab.com/all-releases.xml">RSS feed for all releases</a>.</p> <h1><a href="https://about.gitlab.com/releases/2023/09/18/security-release-gitlab-16-3-4-released/">GitLab Critical Security Release: 16.3.4 and 16.2.7</a></h1> <p>Published 2023-09-18 by Nick Malcolm.</p> <p>Today we are releasing versions 16.3.4 and 16.2.7 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.</p> <p>GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our <a href="https://about.gitlab.com/security/faq/">security FAQ</a>. You can see all of our regular and security release blog posts <a href="/releases/categories/releases/">here</a>. In addition, the issues detailing each vulnerability are made public on our <a href="https://gitlab.com/gitlab-org/gitlab/-/issues/?sort=created_date&amp;state=closed&amp;label_name%5B%5D=bug%3A%3Avulnerability&amp;confidential=no&amp;first_page_size=100">issue tracker</a> 30 days after the release in which they were patched.</p> <p>We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. 
As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more <a href="/blog/gitlab-instance-security-best-practices/">best practices in securing your GitLab instance</a> in our blog post.</p> <h3 id="recommended-action">Recommended Action</h3> <p>We <strong>strongly recommend</strong> that all installations running a version affected by the issues described below are <strong>upgraded to the latest version as soon as possible</strong>. For versions starting from 13.12 before 16.2.7, all versions starting from 16.3 before 16.3.4, see the <a href="#mitigations-for-impacted-versions">mitigations</a> offered below.</p> <p>When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.</p> <h2 id="table-of-fixes">Table of Fixes</h2> <table> <thead> <tr> <th>Title</th> <th>Severity</th> </tr> </thead> <tbody> <tr> <td><a href="#attacker-can-abuse-scan-execution-policies-to-run-pipelines-as-another-user">Attacker can abuse scan execution policies to run pipeline as another user</a></td> <td>high</td> </tr> </tbody> </table> <h2 id="attacker-can-abuse-scan-execution-policies-to-run-pipelines-as-another-user">Attacker can abuse scan execution policies to run pipelines as another user</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/975 --> <p>An issue has been discovered in GitLab EE affecting all versions starting from 13.12 before 16.2.7 and all versions starting from 16.3 before 16.3.4. It was possible for an attacker to run pipelines as an arbitrary user via scheduled security scan policies. This was a bypass of <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3932">CVE-2023-3932</a> showing additional impact. This is a high severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N</code>, 8.2). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5009">CVE-2023-5009</a>.</p> <p>Thanks <a href="https://hackerone.com/joaxcar">joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="mitigations-for-impacted-versions">Mitigations for impacted versions</h3> <p>Instances running versions starting from 13.12 before 16.2.7, all versions starting from 16.3 before 16.3.4 are vulnerable if both of the features below are enabled at the same time. In order to mitigate this vulnerability in situations where it's not possible to upgrade, it is required to disable one or both features.</p> <ul> <li><a href="https://docs.gitlab.com/ee/administration/settings/import_and_export_settings.html#enable-migration-of-groups-and-projects-by-direct-transfer">Direct transfers</a></li> <li><a href="https://docs.gitlab.com/ee/user/application_security/policies/scan-execution-policies.html">Security policies</a></li> </ul> <p><strong>If both features are turned on, the instance is in a vulnerable state.</strong></p> <h2 id="non-security-patches">Non Security Patches</h2> <p>This security release also includes the following non-security patches.</p> <h3 id="1634">16.3.4</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/131073">Use new indexer, fix removing blobs from index</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/131920">Backport "Fix Geo secondary proxying Git pulls unnecessarily" to 16.3</a></li> </ul> <h3 id="1627">16.2.7</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/131193">Revert "Merge branch 'md-play-all-skipped-button' into 'master'"</a></li> </ul> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">update page</a>. 
To update Gitlab Runner, see the <a href="https://docs.gitlab.com/runner/install/linux-repository.html#updating-the-runner">Updating the Runner page</a>.</p> <h2 id="receive-security-release-notifications">Receive Security Release Notifications</h2> <p>To receive security release blog notifications delivered to your inbox, visit our <a href="https://about.gitlab.com/company/contact/">contact us</a> page. To receive release notifications via RSS, subscribe to our <a href="https://about.gitlab.com/security-releases.xml">security release RSS feed</a> or our <a href="https://about.gitlab.com/all-releases.xml">RSS feed for all releases</a>.</p> <h1><a href="https://about.gitlab.com/releases/2023/08/31/security-release-gitlab-16-3-1-released/">GitLab Security Release: 16.3.1, 16.2.5, and 16.1.5</a></h1> <p>Published 2023-08-31 by Félix Veillette-Potvin.</p> <p>Today we are releasing versions 16.3.1, 16.2.5 and 16.1.5 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.</p> <p>GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our <a href="https://about.gitlab.com/security/faq/">security FAQ</a>. You can see all of our regular and security release blog posts <a href="/releases/categories/releases/">here</a>. 
In addition, the issues detailing each vulnerability are made public on our <a href="https://gitlab.com/gitlab-org/gitlab/-/issues/?sort=created_date&amp;state=closed&amp;label_name%5B%5D=bug%3A%3Avulnerability&amp;confidential=no&amp;first_page_size=100">issue tracker</a> 30 days after the release in which they were patched.</p> <p>We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more <a href="/blog/gitlab-instance-security-best-practices/">best practices in securing your GitLab instance</a> in our blog post.</p> <h3 id="recommended-action">Recommended Action</h3> <p>We <strong>strongly recommend</strong> that all installations running a version affected by the issues described below are <strong>upgraded to the latest version as soon as possible</strong>.</p> <p>When no specific deployment type (omnibus, source code, helm chart, etc.) 
of a product is mentioned, this means all types are affected.</p> <h2 id="table-of-fixes">Table of Fixes</h2> <table> <thead> <tr> <th>Title</th> <th>Severity</th> </tr> </thead> <tbody> <tr> <td><a href="#privilege-escalation-of-external-user-to-internal-access-through-group-service-account">Privilege escalation of "external user" to internal access through group service account</a></td> <td>medium</td> </tr> <tr> <td><a href="#maintainer-can-leak-sentry-token-by-changing-the-configured-url-fix-bypass">Maintainer can leak sentry token by changing the configured URL (fix bypass)</a></td> <td>medium</td> </tr> <tr> <td><a href="#google-cloud-logging-private-key-showed-in-plain-text-in-gitlab-ui-leaking-to-other-group-owners">Google Cloud Logging private key showed in plain text in GitLab UI leaking to other group owners</a></td> <td>medium</td> </tr> <tr> <td><a href="#information-disclosure-via-project-import-endpoint">Information disclosure via project import endpoint</a></td> <td>medium</td> </tr> <tr> <td><a href="#developer-can-leak-dast-scanners-site-profile-request-headers-and-auth-password">Developer can leak DAST scanners "Site Profile" request headers and auth password</a></td> <td>medium</td> </tr> <tr> <td><a href="#project-forking-outside-current-group">Project forking outside current group</a></td> <td>medium</td> </tr> <tr> <td><a href="#user-is-capable-of-creating-model-experiment-and-updating-existing-runs-status-in-public-project">User is capable of creating Model experiment and updating existing run's status in public project</a></td> <td>medium</td> </tr> <tr> <td><a href="#redos-in-bulk-import-api">ReDoS in bulk import API</a></td> <td>medium</td> </tr> <tr> <td><a href="#pagination-for-branches-and-tags-can-be-skipped-leading-to-dos">Pagination for Branches and Tags can be skipped leading to DoS</a></td> <td>medium</td> </tr> <tr> <td><a href="#internal-open-redirection-due-to-improper-handling-of---characters">Internal Open Redirection Due to 
Improper handling of "../" characters</a></td> <td>low</td> </tr> <tr> <td><a href="#subgroup-member-with-reporter-role-can-edit-group-labels">Subgroup Member With Reporter Role Can Edit Group Labels</a></td> <td>low</td> </tr> <tr> <td><a href="#banned-user-can-delete-package-registries">Banned user can delete package registries</a></td> <td>low</td> </tr> </tbody> </table> <h2 id="privilege-escalation-of-external-user-to-internal-access-through-group-service-account">Privilege escalation of "external user" to internal access through group service account</h2> <p>An issue has been discovered in GitLab EE affecting all versions starting from 16.1 before 16.1.5, all versions starting from 16.2 before 16.2.5, all versions starting from 16.3 before 16.3.1. If an external user is given an owner role on any group, that external user may escalate their privileges on the instance by creating a service account in that group. This service account is not classified as external and may be used to access internal projects. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N</code>, 6.5). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3915">CVE-2023-3915</a>.</p> <p>Thanks <a href="https://hackerone.com/joaxcar">joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="maintainer-can-leak-sentry-token-by-changing-the-configured-url-fix-bypass">Maintainer can leak sentry token by changing the configured URL (fix bypass)</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/950 --> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.8 before 16.1.5, all versions starting from 16.2 before 16.2.5, all versions starting from 16.3 before 16.3.1. 
A malicious Maintainer can, under specific circumstances, leak the sentry token by changing the configured URL in the Sentry error tracking settings page. This was a result of an incomplete fix for CVE-2022-4365. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N</code>, 5.5). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4378">CVE-2023-4378</a>.</p> <p>Thanks <a href="https://hackerone.com/70rpedo">70rpedo</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="google-cloud-logging-private-key-showed-in-plain-text-in-gitlab-ui-leaking-to-other-group-owners">Google Cloud Logging private key showed in plain text in GitLab UI leaking to other group owners</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/940 --> <p>An information disclosure issue in GitLab EE affecting all versions from 16.2 prior to 16.2.5, and 16.3 prior to 16.3.1 allowed other Group Owners to see the Public Key for a Google Cloud Logging audit event streaming destination, if configured. Owners can now only write the key, not read it. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N</code>, 5.5), and affects only GitLab EE. It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3950">CVE-2023-3950</a>.</p> <p>Thanks <a href="https://hackerone.com/joaxcar">joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="information-disclosure-via-project-import-endpoint">Information disclosure via project import endpoint</h2> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.6 before 16.1.5, all versions starting from 16.2 before 16.2.5, all versions starting from 16.3 before 16.3.1 in which any user can read limited information about any project's imports. 
This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N</code>, 5.0). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4630">CVE-2023-4630</a>.</p> <p>This vulnerability was found internally by GitLab team member <a href="https://gitlab.com/rodrigo.tomonari">Rodrigo Tomonari</a>.</p> <h2 id="developer-can-leak-dast-scanners-site-profile-request-headers-and-auth-password">Developer can leak DAST scanners "Site Profile" request headers and auth password</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/954 --> <p>An issue has been discovered in GitLab EE affecting all versions starting from 13.12 before 16.1.5, all versions starting from 16.2 before 16.2.5, all versions starting from 16.3 before 16.3.1 in which a project member can leak credentials stored in a site profile. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N</code>, 5.0), and only affects GitLab EE. It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4343">CVE-2022-4343</a>.</p> <p>Thanks <a href="https://hackerone.com/joaxcar">joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="project-forking-outside-current-group">Project forking outside current group</h2> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.3 before 16.1.5, all versions starting from 16.2 before 16.2.5, all versions starting from 16.3 before 16.3.1. Due to improper permission validation, an unauthorised user could fork a project outside of the current group. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N</code>, 4.3). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4638">CVE-2023-4638</a>.</p> <p>Thanks <a href="https://hackerone.com/theluci">theluci</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="user-is-capable-of-creating-model-experiment-and-updating-existing-runs-status-in-public-project">User is capable of creating Model experiment and updating existing run's status in public project</h2> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.2 before 16.2.5, all versions starting from 16.3 before 16.3.1. Due to improper permission validation, it was possible to create model experiments in public projects. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4018">CVE-2023-4018</a>.</p> <p>Thanks <a href="https://hackerone.com/ricardobrito">ricardobrito</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="redos-in-bulk-import-api">ReDoS in bulk import API</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/935 --> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.11 before 16.1.5, all versions starting from 16.2 before 16.2.5, all versions starting from 16.3 before 16.3.1. An authenticated user could trigger a denial of service when importing or cloning malicious content. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H</code>, 6.5). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3205">CVE-2023-3205</a>.</p> <p>Thanks <a href="https://hackerone.com/joaxcar">joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="pagination-for-branches-and-tags-can-be-skipped-leading-to-dos">Pagination for Branches and Tags can be skipped leading to DoS</h2> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.3 before 16.1.5, all versions starting from 16.2 before 16.2.5, all versions starting from 16.3 before 16.3.1 in which the projects API pagination can be skipped, potentially leading to DoS on certain instances. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H</code>, 5.3). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4647">CVE-2023-4647</a>.</p> <p>This vulnerability has been discovered internally by GitLab team member <a href="https://gitlab.com/vyaklushin">Vasilii Iakliushin</a>.</p> <h2 id="internal-open-redirection-due-to-improper-handling-of---characters">Internal Open Redirection Due to Improper handling of "../" characters</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/934 --> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting from 4.1 before 16.1.5, all versions starting from 16.2 before 16.2.5, all versions starting from 16.3 before 16.3.1 where it was possible to create a URL that would redirect to a different project. This is a low severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N</code>, 3.5). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1279">CVE-2023-1279</a>.</p> <p>Thanks <a href="https://hackerone.com/akadrian">akadrian</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="subgroup-member-with-reporter-role-can-edit-group-labels">Subgroup Member With Reporter Role Can Edit Group Labels</h2> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.0 before 16.1.5, all versions starting from 16.2 before 16.2.5, all versions starting from 16.3 before 16.3.1. Due to improper permission validation, an unauthorised user could edit label descriptions. This is a low severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N</code>, 3.5). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0120">CVE-2023-0120</a>.</p> <p>Thanks <a href="https://hackerone.com/drjgouveia">drjgouveia</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="banned-user-can-delete-package-registries">Banned user can delete package registries</h2> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.2 before 16.1.5, all versions starting from 16.2 before 16.2.5, all versions starting from 16.3 before 16.3.1. A namespace-level banned user can access the API. This is a low severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N</code>, 2.7). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1555">CVE-2023-1555</a>.</p> <p>Thanks <a href="https://hackerone.com/ali_shehab">ali_shehab</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="update-commonmarker">Update commonmarker</h2> <p>Commonmarker has been updated to version 0.23.10 in order to mitigate security issues.</p> <h2 id="update-openssl">Update openssl</h2> <p>Openssl has been updated to version 1.1.1u in order to mitigate security issues.</p> <h2 id="non-security-patches">Non Security Patches</h2> <p>This security release also includes the following non-security patches.</p> <h3 id="1631">16.3.1</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/129854">Remove unified URL limitation for GitLab chart (16.3 backport)</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/129910">Revert migration to backfill archived in wikis</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/129922">Add .net to context selector to skip live envs</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/129882">Backport "Geo: Resync direct upload object stored artifacts" to 16.3</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/130200">CSP: disable LFS url when not using object storage</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/129971">Backport LicenseScanning fix for AutoDevOps</a></li> </ul> <h3 id="1625">16.2.5</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitaly/-/merge_requests/6172">Backport "cgroup: using a noop manager on linux without cgroup" fix to 16.2</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/128763">Adjust Danger logic for stable branches</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/129883">Backport "Geo: Resync direct 
upload object stored artifacts" to 16.2</a></li> </ul> <h3 id="1615">16.1.5</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/128779">Revert "Log rails response length" - 16.1 Backport</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/128764">Adjust Danger logic for stable branches</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/129884">Backport "Geo: Resync direct upload object stored artifacts" to 16.1</a></li> </ul> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">update page</a>. To update Gitlab Runner, see the <a href="https://docs.gitlab.com/runner/install/linux-repository.html#updating-the-runner">Updating the Runner page</a>.</p> <h2 id="receive-security-release-notifications">Receive Security Release Notifications</h2> <p>To receive security release blog notifications delivered to your inbox, visit our <a href="https://about.gitlab.com/company/contact/">contact us</a> page. To receive release notifications via RSS, subscribe to our <a href="https://about.gitlab.com/security-releases.xml">security release RSS feed</a> or our <a href="https://about.gitlab.com/all-releases.xml">RSS feed for all releases</a>.</p> <h1><a href="https://about.gitlab.com/releases/2023/08/01/security-release-gitlab-16-2-2-released/">GitLab Security Release: 16.2.2, 16.1.3, and 16.0.8</a></h1> <p>Published 2023-08-01 by Greg Myers.</p> <p>Today we are releasing versions 16.2.2, 16.1.3, and 16.0.8 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. 
GitLab.com is already running the patched version.</p> <p>GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our <a href="https://about.gitlab.com/security/faq/">security FAQ</a>. You can see all of our regular and security release blog posts <a href="/releases/categories/releases/">here</a>. In addition, the issues detailing each vulnerability are made public on our <a href="https://gitlab.com/gitlab-org/gitlab/-/issues/?sort=created_date&amp;state=closed&amp;label_name%5B%5D=bug%3A%3Avulnerability&amp;confidential=no&amp;first_page_size=100">issue tracker</a> 30 days after the release in which they were patched.</p> <p>We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more <a href="/blog/gitlab-instance-security-best-practices/">best practices in securing your GitLab instance</a> in our blog post.</p> <h3 id="recommended-action">Recommended Action</h3> <p>We <strong>strongly recommend</strong> that all installations running a version affected by the issues described below are <strong>upgraded to the latest version as soon as possible</strong>.</p> <p>When no specific deployment type (omnibus, source code, helm chart, etc.) 
of a product is mentioned, this means all types are affected.</p> <h2 id="table-of-fixes">Table of Fixes</h2> <table> <thead> <tr> <th>Title</th> <th>Severity</th> </tr> </thead> <tbody> <tr> <td><a href="#redos-via-projectreferencefilter-in-any-markdown-fields">ReDoS via ProjectReferenceFilter in any Markdown fields</a></td> <td>high</td> </tr> <tr> <td><a href="#redos-via-autolinkfilter-in-any-markdown-fields">ReDoS via AutolinkFilter in any Markdown fields</a></td> <td>high</td> </tr> <tr> <td><a href="#an-attacker-can-run-pipeline-jobs-as-arbitrary-user">An attacker can run pipeline jobs as arbitrary user</a></td> <td>high</td> </tr> <tr> <td><a href="#regex-dos-in-harbor-registry-search">Regex DoS in Harbor Registry search</a></td> <td>medium</td> </tr> <tr> <td><a href="#arbitrary-read-of-files-owned-by-the-git-user-via-malicious-targz-file-upload-using-gitlab-export-functionality">Arbitrary read of files owned by the "git" user via malicious tar.gz file upload using GitLab export functionality</a></td> <td>medium</td> </tr> <tr> <td><a href="#stored-xss-in-web-ide-beta-via-crafted-url">Stored XSS in Web IDE Beta via crafted URL</a></td> <td>medium</td> </tr> <tr> <td><a href="#securitypolicyprojectassign-mutation-does-not-authorize-security-policy-project-id"><code>securityPolicyProjectAssign</code> mutation does not authorize security policy project ID</a></td> <td>medium</td> </tr> <tr> <td><a href="#possible-pages-unique-domain-overwrite">Possible Pages Unique Domain Overwrite</a></td> <td>medium</td> </tr> <tr> <td><a href="#access-tokens-may-have-been-logged-when-a-query-was-made-to-an-endpoint">Access tokens may have been logged when a query was made to an endpoint</a></td> <td>medium</td> </tr> <tr> <td><a href="#reflected-xss-via-plantuml-diagram">Reflected XSS via PlantUML diagram</a></td> <td>medium</td> </tr> <tr> <td><a 
href="#the-main-branch-of-a-repository-with-a-specially-designed-name-may-allow-an-attacker-to-create-repositories-with-malicious-code">The main branch of a repository with a specially designed name may allow an attacker to create repositories with malicious code</a></td> <td>medium</td> </tr> <tr> <td><a href="#invalid-start_sha-value-on-merge-requests-page-may-lead-to-denial-of-service">Invalid 'start_sha' value on merge requests page may lead to Denial of Service</a></td> <td>medium</td> </tr> <tr> <td><a href="#developers-can-create-pipeline-schedules-on-protected-branches-even-if-they-dont-have-access-to-merge">Developers can create pipeline schedules on protected branches even if they don't have access to merge</a></td> <td>medium</td> </tr> <tr> <td><a href="#potential-dos-due-to-lack-of-pagination-while-loading-license-data">Potential DOS due to lack of pagination while loading license data</a></td> <td>medium</td> </tr> <tr> <td><a href="#leaking-emails-of-newly-created-users">Leaking emails of newly created users</a></td> <td>low</td> </tr> </tbody> </table> <h2 id="redos-via-projectreferencefilter-in-any-markdown-fields">ReDoS via ProjectReferenceFilter in any Markdown fields</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/910 --> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting from 9.3 before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. A Regular Expression Denial of Service was possible via sending crafted payloads which use ProjectReferenceFilter to the preview_markdown endpoint. This is a high severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</code>, 7.5). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3994">CVE-2023-3994</a>.</p> <p>Thanks <a href="https://hackerone.com/ryhmnlfj">ryhmnlfj</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="redos-via-autolinkfilter-in-any-markdown-fields">ReDoS via AutolinkFilter in any Markdown fields</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/925 --> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting from 8.14 before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. A Regular Expression Denial of Service was possible via sending crafted payloads which use AutolinkFilter to the preview_markdown endpoint. This is a high severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</code>, 7.5). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3364">CVE-2023-3364</a>.</p> <p>Thanks <a href="https://hackerone.com/ryhmnlfj">ryhmnlfj</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="an-attacker-can-run-pipeline-jobs-as-arbitrary-user">An attacker can run pipeline jobs as arbitrary user</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/917 --> <p>An issue has been discovered in GitLab EE affecting all versions starting from 13.12 before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. It was possible for an attacker to run pipeline jobs as an arbitrary user via scheduled security scan policies. This is a high severity issue (<code>CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N</code>, 8.2). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3932">CVE-2023-3932</a>.</p> <p>Thanks <a href="https://hackerone.com/vaib25vicky">vaib25vicky</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="regex-dos-in-harbor-registry-search">Regex DoS in Harbor Registry search</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/913 --> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.2 before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. A Regular Expression Denial of Service was possible by using crafted payloads to search Harbor Registry. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H</code>, 6.5). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0632">CVE-2023-0632</a>.</p> <p>Thanks <a href="https://hackerone.com/joaxcar">joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="arbitrary-read-of-files-owned-by-the-git-user-via-malicious-targz-file-upload-using-gitlab-export-functionality">Arbitrary read of files owned by the "git" user via malicious tar.gz file upload using GitLab export functionality</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/926 --> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting from 8.10 before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. Under specific circumstances, a user importing a project 'from export' could access and read unrelated files via uploading a specially crafted file. This was due to a bug in <code>tar</code>, fixed in <a href="https://lists.gnu.org/archive/html/info-gnu/2023-07/msg00005.html"><code>tar-1.35</code></a>. 
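</p> <p>Independently of the <code>tar</code> fix, an import service should not rely on the archiver to keep an attacker-supplied archive inside its destination. The Ruby script below is an added defence-in-depth example, not GitLab's import code: it streams a tar.gz with the standard library's <code>Gem::Package::TarReader</code> and rejects absolute names, <code>..</code> traversal, symlinks or hard links whose target resolves outside the extraction root, and device or FIFO entries, before anything is written to disk. The hostile archive it audits is constructed inline, and the extraction root <code>/var/opt/gitlab/import</code> is an assumed path.</p>

```ruby
require 'rubygems/package'
require 'stringio'
require 'zlib'

# Added defence-in-depth example (not GitLab's import code): audit every entry
# of an uploaded tar.gz before extraction instead of trusting tar(1) to confine
# the archive to the destination directory.

# Classify one entry. +dest+ is the absolute extraction root.
# Returns :ok, :absolute, :traversal, :link_escapes or :unsupported_type.
def classify_entry(name, typeflag, linkname, dest)
  dest = File.expand_path(dest)
  return :absolute  if name.start_with?('/')
  return :traversal if name.split('/').include?('..')

  case typeflag
  when '0', "\0", '5' # regular file, directory
    :ok
  when '2' # symlink: the target is relative to the entry's own directory
    target = File.expand_path(linkname, File.dirname(File.join(dest, name)))
    target.start_with?(dest + '/') ? :ok : :link_escapes
  when '1' # hard link: the target is relative to the archive root
    target = File.expand_path(linkname, dest)
    target.start_with?(dest + '/') ? :ok : :link_escapes
  else     # char/block devices, FIFOs and anything exotic never belong in an export
    :unsupported_type
  end
end

# Stream a gzipped tar from memory; returns [[name, verdict], ...].
# An import should proceed only if every verdict is :ok.
def audit_tar_gz(gz_bytes, dest)
  report = []
  Zlib::GzipReader.wrap(StringIO.new(gz_bytes)) do |gz|
    Gem::Package::TarReader.new(gz) do |tar|
      tar.each do |entry|
        h = entry.header
        report << [entry.full_name, classify_entry(entry.full_name, h.typeflag, h.linkname, dest)]
      end
    end
  end
  report
end

# Build a hostile archive in memory (constructed sample, not a real export).
def build_sample_archive
  tar_io = StringIO.new(''.b)
  Gem::Package::TarWriter.new(tar_io) do |tar|
    tar.mkdir('project', 0o755)
    tar.add_file('project/README.md', 0o644) { |f| f.write("# export\n") }
    tar.add_symlink('project/LICENSE', 'README.md', 0o644)               # stays inside
    tar.add_symlink('project/keys', '../../../../home/git/.ssh', 0o644) # escapes the root
    tar.add_file('../../etc/passwd', 0o644) { |f| f.write('x') }        # path traversal
    tar.add_file('/etc/shadow', 0o644) { |f| f.write('x') }             # absolute path
  end
  Zlib.gzip(tar_io.string)
end

if __FILE__ == $0
  audit_tar_gz(build_sample_archive, '/var/opt/gitlab/import').each do |name, verdict|
    printf("%-20s %s\n", name, verdict)
  end
end
```

<p>An importer would run <code>audit_tar_gz</code> over the whole upload and refuse the archive unless every verdict is <code>:ok</code>. Checking entries one at a time while already extracting is not enough: a symlink entry that is extracted first can redirect where a later regular entry is written, so the decision has to be made before the first write.</p> <p>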
This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N</code>, 6.3). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3385">CVE-2023-3385</a>.</p> <p>Thanks <a href="https://hackerone.com/ubercomp">ubercomp</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="stored-xss-in-web-ide-beta-via-crafted-url">Stored XSS in Web IDE Beta via crafted URL</h2> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.9 before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. It was possible for an attacker to trigger a stored XSS vulnerability via user interaction with a crafted URL in the Web IDE Beta. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N</code>, 5.4). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2164">CVE-2023-2164</a>.</p> <p>Thanks <a href="https://hackerone.com/viridian_40826d">viridian_40826d</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="securitypolicyprojectassign-mutation-does-not-authorize-security-policy-project-id"><code>securityPolicyProjectAssign</code> mutation does not authorize security policy project ID</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/929 --> <p>An issue has been discovered in GitLab EE affecting all versions starting from 14.1 before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. It was possible for EE-licensed users to link any security policy project by its ID to projects or groups the user has access to, potentially revealing the security project's configured security policies. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N</code>, 5.3). 
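</p> <p>The defect is the familiar one of resolving a client-supplied ID without asking whether the caller may see the object it names. The Ruby sketch below is an added example, not GitLab's mutation or policy code, of the shape such a fix takes: every ID the mutation receives goes through one <code>authorized_find!</code> helper that applies the permission appropriate to that object, and a missing object and a forbidden one produce the same error so that IDs cannot be enumerated. Projects, members and roles are a constructed in-memory model.</p>

```ruby
# Added example (not GitLab's code): authorize every object resolved from a
# client-supplied ID, and never distinguish "does not exist" from "not yours".

Project = Struct.new(:id, :visibility, :members) # members: { username => role }

ROLE_RANK = { guest: 10, reporter: 20, developer: 30, maintainer: 40, owner: 50 }.freeze

# Constructed sample data.
PROJECTS = [
  Project.new(1, :private, { 'alice' => :maintainer, 'bob' => :developer }),
  Project.new(2, :private, { 'carol' => :owner }),  # someone else's policy project
  Project.new(3, :public,  { 'carol' => :owner }),  # a public policy project
  Project.new(4, :private, { 'alice' => :owner }),  # alice's own policy project
].freeze

# One message for both "missing" and "forbidden" (wording modelled on GitLab's
# GraphQL error; the point is that it is identical in both cases).
NOT_FOUND = "The resource that you are attempting to access does not exist " \
            "or you don't have permission to perform this action".freeze

def role_of(user, project)
  project.members[user]
end

def can_read?(user, project)
  project.visibility == :public || !role_of(user, project).nil?
end

def can_admin?(user, project)
  role = role_of(user, project)
  !role.nil? && ROLE_RANK[role] >= ROLE_RANK[:maintainer]
end

# Resolve an ID and authorize the result with the supplied check, collapsing
# "no such project" and "not permitted" into the same error.
def authorized_find!(user, id, &check)
  project = PROJECTS.find { |p| p.id == id }
  raise NOT_FOUND unless project && check.call(user, project)
  project
end

# The mutation: link +policy_project_id+ to +target_project_id+ as +user+.
# Returns { ok: true, ... } or { ok: false, errors: [...] }.
def security_policy_project_assign(user, target_project_id:, policy_project_id:)
  target = authorized_find!(user, target_project_id) { |u, p| can_admin?(u, p) }
  # This second authorization is the check the advisory describes as missing:
  # the policy project must be readable by the caller, not merely exist.
  policy = authorized_find!(user, policy_project_id) { |u, p| can_read?(u, p) }
  { ok: true, target: target.id, policy: policy.id }
rescue RuntimeError => e
  { ok: false, errors: [e.message] }
end
```

<p>With both lookups funnelled through <code>authorized_find!</code>, a caller who administers project 1 can link their own policy project 4 or the public project 3, but gets the same not-found error whether they name a private project they cannot read or an ID that does not exist.</p> <p>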
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4002">CVE-2023-4002</a>.</p> <p>This vulnerability has been discovered internally by GitLab team member <a href="https://gitlab.com/bauerdominic">bauerdominic</a>.</p> <h2 id="possible-pages-unique-domain-overwrite">Possible Pages Unique Domain Overwrite</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/920 --> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.9 before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. It was possible to takeover GitLab Pages with unique domain URLs if the random string added was known. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N</code>, 5.0). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4008">CVE-2023-4008</a>.</p> <p>This vulnerability was discovered internally by GitLab team member <a href="https://gitlab.com/kassio">kassio</a>.</p> <h2 id="access-tokens-may-have-been-logged-when-a-query-was-made-to-an-endpoint">Access tokens may have been logged when a query was made to an endpoint</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/906 --> <p>An issue has been discovered in GitLab EE affecting all versions starting from 14.3 before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. Access tokens may have been logged when a query was made to a specific endpoint. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N</code>, 4.9). 
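</p> <p>Whatever the specific endpoint was, the durable fix for this class of bug is to scrub credentials before a payload reaches a logger at all. The Ruby example below is added here and is not GitLab's logging code; it also serves the "Webhook token leaked in Sidekiq logs if log format is 'default'" entry in the 16.1.1 release further down. It filters sensitive keys in nested job arguments, removes token query parameters from URLs, and masks token-shaped values wherever they occur in a string. The key names, query parameters and token prefixes are assumptions chosen for the example, except that <code>glpat-</code> is the prefix of GitLab personal access tokens.</p>

```ruby
require 'json'
require 'uri'

# Added example (not GitLab's logging code): scrub credentials out of
# structured log payloads such as Sidekiq job arguments before they are written.

# Keys whose values are always masked (assumed list for the example).
SENSITIVE_KEYS = /(?:^|[_-])(?:token|secret|password|key|authorization)$/i
# Query parameters that carry credentials in GitLab-style API URLs (assumed).
SENSITIVE_QUERY_PARAMS = %w[private_token access_token token].freeze
# Token-shaped values that may appear anywhere in free text. "glpat-" is the
# GitLab personal access token prefix; the others are assumed for the example.
TOKEN_VALUE = /\b(?:glpat|glrt|gldt)-[A-Za-z0-9_-]{20}\b/
REDACTED = '[FILTERED]'.freeze

# Replace sensitive query parameters in a URL, leaving everything else intact.
# Non-URL strings are returned unchanged.
def redact_url(url)
  uri = URI.parse(url)
  return url unless uri.query
  kept = URI.decode_www_form(uri.query).map do |k, v|
    [k, SENSITIVE_QUERY_PARAMS.include?(k) ? REDACTED : v]
  end
  uri.query = URI.encode_www_form(kept)
  uri.to_s
rescue URI::Error
  url
end

# Recursively scrub a JSON-like structure (hashes, arrays, strings, scalars).
# +key+ is the name of the field the value sits under, if any.
def scrub(value, key = nil)
  case value
  when Hash
    value.each_with_object({}) { |(k, v), h| h[k] = scrub(v, k.to_s) }
  when Array
    value.map { |v| scrub(v, key) }
  when String
    return REDACTED if key && key.match?(SENSITIVE_KEYS)
    redact_url(value).gsub(TOKEN_VALUE, REDACTED)
  else
    value
  end
end

# The single JSON line a structured logger would emit for a job.
def scrubbed_log_line(job)
  JSON.generate(scrub(job))
end

# Constructed sample job payload, not a real Sidekiq record.
SAMPLE_JOB = {
  'class' => 'WebHookWorker',
  'args'  => [42, { 'url' => 'https://hooks.example.test/ci?token=s3cr3t', 'X-Gitlab-Token' => 'abc' }, 'push_hooks'],
  'query' => 'https://gitlab.example.test/api/v4/user?private_token=glpat-AbCdEfGhIjKlMnOpQrSt',
  'note'  => 'retry later'
}.freeze

puts scrubbed_log_line(SAMPLE_JOB) if __FILE__ == $0
```

<p>The scrubber is applied to the payload, not to the formatted line, so it works the same whether the log format is <code>json</code> or <code>default</code>; the advisory above shows why a fix that only covers one formatter is incomplete. Bracketed markers inside URLs come out percent-encoded (<code>%5BFILTERED%5D</code>), which keeps the redacted URL parseable.</p> <p>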
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3993">CVE-2023-3993</a>.</p> <p>This vulnerability was discovered internally by GitLab team member <a href="https://gitlab.com/mjozenazemian">mjozenazemian</a>.</p> <h2 id="reflected-xss-via-plantuml-diagram">Reflected XSS via PlantUML diagram</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/932 --> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.0 before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. A reflected XSS was possible when creating specific PlantUML diagrams that allowed the attacker to perform arbitrary actions on behalf of victims. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N</code>, 4.8). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3500">CVE-2023-3500</a>.</p> <p>Thanks <a href="https://hackerone.com/ankitsingh">ankitsingh</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="the-main-branch-of-a-repository-with-a-specially-designed-name-may-allow-an-attacker-to-create-repositories-with-malicious-code">The main branch of a repository with a specially designed name may allow an attacker to create repositories with malicious code</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/915 --> <p>An issue has been discovered in GitLab affecting all versions before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. The main branch of a repository with a specially designed name allows an attacker to create repositories with malicious code. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N</code>, 4.8). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3401">CVE-2023-3401</a>.</p> <p>Thanks <a href="https://hackerone.com/st4nly0n">st4nly0n</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="invalid-start_sha-value-on-merge-requests-page-may-lead-to-denial-of-service">Invalid 'start_sha' value on merge requests page may lead to Denial of Service</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/928 --> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. An invalid 'start_sha' value on the merge request page could lead to a Denial of Service, as the Changes tab would not load. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L</code>, 4.3). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3900">CVE-2023-3900</a>.</p> <p>Thanks <a href="https://hackerone.com/toukakirishima">toukakirishima</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="developers-can-create-pipeline-schedules-on-protected-branches-even-if-they-dont-have-access-to-merge">Developers can create pipeline schedules on protected branches even if they don't have access to merge</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/901 --> <p>An issue has been discovered in GitLab CE/EE affecting all versions before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2, which allowed developers to create pipeline schedules on protected branches even if they don't have access to merge. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N</code>, 4.3). 
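</p> <p>The missing check is that a schedule targets a ref, so creating one must require the same access the ref's protection rules demand for a push or merge. The Ruby model below is an added example, not GitLab's policy code: it evaluates wildcard protected-branch rules against a branch name and contrasts the pre-fix check, which only asked whether the user was at least a Developer, with one that also consults the rules. Roles, access levels, the default that Developers may push to unprotected branches, and the conservative rule that every matching protection rule must allow the user are simplifications assumed for the example.</p>

```ruby
# Added example (not GitLab's policy code): a pipeline schedule on a protected
# branch must require the access the branch demands for push or merge.

ROLE_RANK = { guest: 10, reporter: 20, developer: 30, maintainer: 40, owner: 50 }.freeze
# Minimum role rank a protection level requires (assumed simplification).
ACCESS_LEVEL = { no_one: Float::INFINITY, maintainers: 40, developers_and_maintainers: 30 }.freeze

ProtectedBranch = Struct.new(:pattern, :merge_access, :push_access)

# GitLab-style wildcard rule: "*" matches any run of characters, "/" included.
def wildcard_match?(pattern, branch)
  Regexp.new('\A' + Regexp.escape(pattern).gsub('\*', '.*') + '\z').match?(branch)
end

def matching_rules(rules, branch)
  rules.select { |r| wildcard_match?(r.pattern, branch) }
end

def allowed?(role, level)
  ROLE_RANK.fetch(role) >= ACCESS_LEVEL.fetch(level)
end

# Can +role+ push to or merge into +branch+ under +rules+? An unprotected
# branch is open to Developers and above; a protected one must be permitted by
# every matching rule (conservative assumption when several rules match).
def can_merge_or_push?(role, rules, branch)
  matched = matching_rules(rules, branch)
  return ROLE_RANK.fetch(role) >= ROLE_RANK[:developer] if matched.empty?
  matched.all? { |r| allowed?(role, r.merge_access) || allowed?(role, r.push_access) }
end

# Pre-fix behaviour: only the actor's project role was consulted, never the ref.
def can_create_schedule_before_fix?(role, _rules, _branch)
  ROLE_RANK.fetch(role) >= ROLE_RANK[:developer]
end

# Fixed behaviour: the role check plus access to the target ref.
def can_create_schedule?(role, rules, branch)
  ROLE_RANK.fetch(role) >= ROLE_RANK[:developer] && can_merge_or_push?(role, rules, branch)
end

# Constructed sample rules.
RULES = [
  ProtectedBranch.new('main',      :maintainers,                :maintainers),
  ProtectedBranch.new('release/*', :maintainers,                :no_one),
  ProtectedBranch.new('feature/*', :developers_and_maintainers, :developers_and_maintainers),
].freeze

if __FILE__ == $0
  %w[main release/16.2 feature/x scratch].each do |branch|
    printf("%-14s developer before=%-5s after=%-5s maintainer after=%s\n", branch,
           can_create_schedule_before_fix?(:developer, RULES, branch),
           can_create_schedule?(:developer, RULES, branch),
           can_create_schedule?(:maintainer, RULES, branch))
  end
end
```

<p>The same predicate should guard every path that can run a pipeline on a ref, since a schedule, a manual run and a trigger token all end in the same place: a job executing with that branch's CI variables and deploy credentials.</p> <p>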
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2022">CVE-2023-2022</a>.</p> <p>Thanks <a href="https://hackerone.com/js_noob">js_noob</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="potential-dos-due-to-lack-of-pagination-while-loading-license-data">Potential DOS due to lack of pagination while loading license data</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/931 --> <p>An issue has been discovered in GitLab EE affecting all versions from 15.11 prior to 16.2.2 which allows an attacker to spike the resource consumption by loading Dependency List page, resulting in a possible DoS. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L</code>, 4.3). It is mitigated in the latest 16.2.2 release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4011">CVE-2023-4011</a>.</p> <p>This vulnerability was discovered internally by GitLab team member <a href="https://gitlab.com/gonzoyumo">gonzoyumo</a>.</p> <h2 id="leaking-emails-of-newly-created-users">Leaking emails of newly created users</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/927 --> <p>An issue has been discovered in GitLab affecting all versions starting from 12.9 before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. It was possible to leak a user's email via an error message for groups that restrict membership by email domain. This is a low severity issue (<code>CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 3.1). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1210">CVE-2023-1210</a>.</p> <p>Thanks <a href="https://hackerone.com/shells3c">shells3c</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="update-mattermost">Update Mattermost</h2> <p>Mattermost has been updated to version 7.10.4 in order to mitigate security issues.</p> <h2 id="update-redis">Update Redis</h2> <p>Redis has been updated to version 6.2.13 in order to mitigate security issues.</p> <h2 id="non-security-patches">Non Security Patches</h2> <p>This security release also includes the following non-security patches.</p> <h3 id="1622">16.2.2</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/127238" title="Merge branch '418983-fix-issue-type-update' into 'master'">Issue type change to incident results in 404</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/127045" title="Enable descendant_security_scans by default">Enable <code>descendant_security_scans</code> by default</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/127516" title="Disable IAT verification by default">Disable IAT verification by default</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/127777" title="BitBucket Server Importer - Preserve PR (MR) reviewers">BitBucket Server Importer - Preserve PR (MR) reviewers</a></li> <li><a href="https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/7060" title="Toggle recommend_pg_upgrade to false for now">Toggle <code>recommend_pg_upgrade</code> to false for now</a></li> </ul> <h3 id="1613">16.1.3</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/125261" title="Geo: Backport design repos verification bug fix">Geo: Backport design repos verification bug fix</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/125316" title="Geo - 
Backport wiki repository verification fix">Geo - Backport wiki repository verification fix</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/126783" title="Fix FOUC when new sidebar enabled">Fix FOUC when new sidebar enabled</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/127515" title="[16.1] Repair the trigger for Release Environments">Repair the trigger for Release Environments</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/127517" title="Disable IAT verification by default">Disable IAT verification by default</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/127402" title="Backport fix for pending direct uploads completion to 16.1">Backport fix for pending direct uploads completion to 16.1</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/127778" title="BitBucket Server Importer - Preserve PR (MR) reviewers">BitBucket Server Importer - Preserve PR (MR) reviewers</a></li> <li><a href="https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/7050" title="Fix pg-upgrade failure on Geo secondary nodes [16.1]">Fix pg-upgrade failure on Geo secondary nodes [16.1]</a></li> <li><a href="https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/7034" title="Don't 500 when pages tries to serve a chunked file">Don't 500 when pages tries to serve a chunked file</a></li> </ul> <h3 id="1608">16.0.8</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/127518" title="Disable IAT verification by default">Disable IAT verification by default</a></li> <li><a href="https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/7051" title="Fix pg-upgrade failure on Geo secondary nodes [16.0]">Fix pg-upgrade failure on Geo secondary nodes [16.0]</a></li> </ul> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">update page</a>. 
To update GitLab Runner, see the <a href="https://docs.gitlab.com/runner/install/linux-repository.html#updating-the-runner">Updating the Runner page</a>.</p> <h2 id="receive-security-release-notifications">Receive Security Release Notifications</h2> <p>To receive security release blog notifications delivered to your inbox, visit our <a href="https://about.gitlab.com/company/contact/">contact us</a> page. To receive release notifications via RSS, subscribe to our <a href="https://about.gitlab.com/security-releases.xml">security release RSS feed</a> or our <a href="https://about.gitlab.com/all-releases.xml">RSS feed for all releases</a>.</p> <h1>GitLab Security Release: 16.1.2, 16.0.7, and 15.11.11</h1> <p><a href="https://about.gitlab.com/releases/2023/07/05/security-release-gitlab-16-1-2-released/">https://about.gitlab.com/releases/2023/07/05/security-release-gitlab-16-1-2-released/</a>, published 2023-07-05 by Greg Myers</p> <p>Today we are releasing versions 16.1.2, 16.0.7, and 15.11.11 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain important security fixes, and we strongly recommend that all GitLab Enterprise Edition installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.</p> <p>GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our <a href="https://about.gitlab.com/security/faq/">security FAQ</a>. You can see all of our regular and security release blog posts <a href="/releases/categories/releases/">here</a>. 
In addition, the issues detailing each vulnerability are made public on our <a href="https://gitlab.com/gitlab-org/gitlab/-/issues/?sort=created_date&amp;state=closed&amp;label_name%5B%5D=bug%3A%3Avulnerability&amp;confidential=no&amp;first_page_size=100">issue tracker</a> 30 days after the release in which they were patched.</p> <p>We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more <a href="/blog/gitlab-instance-security-best-practices/">best practices in securing your GitLab instance</a> in our blog post.</p> <h3 id="recommended-action">Recommended Action</h3> <p>We <strong>strongly recommend</strong> that all GitLab EE installations running a version affected by the issues described below are <strong>upgraded to the latest version as soon as possible</strong>.</p> <p>When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.</p> <h2 id="table-of-fixes">Table of Fixes</h2> <table> <thead> <tr> <th>Title</th> <th>Severity</th> </tr> </thead> <tbody> <tr> <td><a href="#a-user-can-change-the-name-and-path-of-some-public-gitlab-groups">A user can change the name and path of some public GitLab groups</a></td> <td>high</td> </tr> </tbody> </table> <h2 id="a-user-can-change-the-name-and-path-of-some-public-gitlab-groups">A user can change the name and path of some public GitLab groups</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/912 --> <p>An issue has been discovered in GitLab EE affecting all versions starting from 12.8 before 15.11.11, all versions starting from 16.0 before 16.0.7, all versions starting from 16.1 before 16.1.2. 
An attacker could change the name or path of a public top-level group in certain situations. This is a high severity issue (<code>CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H</code>, 8.0). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3484">CVE-2023-3484</a>.</p> <p>Thanks <a href="https://hackerone.com/zeb0x01">zeb0x01</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="non-security-patches">Non Security Patches</h2> <p>This security release also includes the following non-security patches.</p> <h3 id="1612">16.1.2</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/124818" title="Fix environments tab is empty after upgrading to 16.1">Fix environments tab is empty after upgrading to 16.1</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/125074" title="Fix Bitbucket Cloud Importer: 16.1 backport">Fix Bitbucket Cloud Importer: 16.1 backport</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/125111" title="Fix GitHub Importer: 16.1 Backport">Fix GitHub Importer: 16.1 Backport</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/125116" title="Fix overlapping titles in wiki sidebar navigation">Fix overlapping titles in wiki sidebar navigation</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/124613" title="Reset webpack path for Mermaid iFrames">Reset webpack path for Mermaid iFrames</a></li> </ul> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">update page</a>. 
To update GitLab Runner, see the <a href="https://docs.gitlab.com/runner/install/linux-repository.html#updating-the-runner">Updating the Runner page</a>.</p> <h2 id="receive-security-release-notifications">Receive Security Release Notifications</h2> <p>To receive security release blog notifications delivered to your inbox, visit our <a href="https://about.gitlab.com/company/contact/">contact us</a> page. To receive release notifications via RSS, subscribe to our <a href="https://about.gitlab.com/security-releases.xml">security release RSS feed</a> or our <a href="https://about.gitlab.com/all-releases.xml">RSS feed for all releases</a>.</p> <h1>GitLab Security Release: 16.1.1, 16.0.6, and 15.11.10</h1> <p><a href="https://about.gitlab.com/releases/2023/06/29/security-release-gitlab-16-1-1-released/">https://about.gitlab.com/releases/2023/06/29/security-release-gitlab-16-1-1-released/</a>, published 2023-06-29 by Nikhil George</p> <p>Today we are releasing versions 16.1.1, 16.0.6, and 15.11.10 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.</p> <p>GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our <a href="https://about.gitlab.com/security/faq/">security FAQ</a>. You can see all of our regular and security release blog posts <a href="/releases/categories/releases/">here</a>. 
In addition, the issues detailing each vulnerability are made public on our <a href="https://gitlab.com/gitlab-org/gitlab/-/issues/?sort=created_date&amp;state=closed&amp;label_name%5B%5D=bug%3A%3Avulnerability&amp;confidential=no&amp;first_page_size=100">issue tracker</a> 30 days after the release in which they were patched.</p> <p>We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more <a href="/blog/gitlab-instance-security-best-practices/">best practices in securing your GitLab instance</a> in our blog post.</p> <h3 id="recommended-action">Recommended Action</h3> <p>We <strong>strongly recommend</strong> that all installations running a version affected by the issues described below are <strong>upgraded to the latest version as soon as possible</strong>.</p> <p>When no specific deployment type (omnibus, source code, helm chart, etc.) 
of a product is mentioned, this means all types are affected.</p> <h2 id="table-of-fixes">Table of Fixes</h2> <table> <thead> <tr> <th>Title</th> <th>Severity</th> </tr> </thead> <tbody> <tr> <td><a href="#redos-via-epicreferencefilter-in-any-markdown-fields">ReDoS via EpicReferenceFilter in any Markdown fields</a></td> <td>high</td> </tr> <tr> <td><a href="#new-commits-to-private-projects-visible-in-forks-created-while-project-was-public">New commits to private projects visible in forks created while project was public</a></td> <td>medium</td> </tr> <tr> <td><a href="#code-owners-approvals-are-not-removed-allowing-merge-into-protected-branches">Code Owners approvals are not removed allowing merge into protected branches</a></td> <td>medium</td> </tr> <tr> <td><a href="#maintainer-can-leak-masked-webhook-secrets-by-manipulating-url-masking">Maintainer can leak masked webhook secrets by manipulating URL masking</a></td> <td>medium</td> </tr> <tr> <td><a href="#information-disclosure-of-project-import-errors">Information disclosure of project import errors</a></td> <td>medium</td> </tr> <tr> <td><a href="#sensitive-information-disclosure-via-value-stream-analytics-controller">Sensitive information disclosure via value stream analytics controller</a></td> <td>medium</td> </tr> <tr> <td><a href="#bypassing-code-owners-branch-protection-rule-in-gitlab">Bypassing Code Owners branch protection rule in GitLab</a></td> <td>medium</td> </tr> <tr> <td><a href="#html-injection-in-email-address">HTML injection in email address</a></td> <td>medium</td> </tr> <tr> <td><a href="#webhook-token-leaked-in-sidekiq-logs-if-log-format-is-default">Webhook token leaked in Sidekiq logs if log format is 'default'</a></td> <td>low</td> </tr> <tr> <td><a href="#private-email-address-of-service-desk-issue-creator-disclosed-via-issues-api">Private email address of service desk issue creator disclosed via issues API</a></td> <td>low</td> </tr> </tbody> </table> <h2 
id="redos-via-epicreferencefilter-in-any-markdown-fields">ReDoS via EpicReferenceFilter in any Markdown fields</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/902 --> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.3 before 15.11.10, all versions starting from 16.0 before 16.0.6, all versions starting from 16.1 before 16.1.1. A Regular Expression Denial of Service was possible via sending crafted payloads to the preview_markdown endpoint. This is a high severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</code>, 7.5). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3424">CVE-2023-3424</a>.</p> <p>Thanks <a href="https://hackerone.com/ryhmnlfj">ryhmnlfj</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="new-commits-to-private-projects-visible-in-forks-created-while-project-was-public">New commits to private projects visible in forks created while project was public</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/905 --> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.10 before 15.11.10, all versions starting from 16.0 before 16.0.6, all versions starting from 16.1 before 16.1.1. It may be possible for users to view new commits to private projects in a fork created while the project was public. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N</code>, 6.5). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2190">CVE-2023-2190</a>.</p> <p>Thanks <a href="https://hackerone.com/pwnie">pwnie</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="code-owners-approvals-are-not-removed-allowing-merge-into-protected-branches">Code Owners approvals are not removed allowing merge into protected branches</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/907 --> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.3 before 15.11.10, all versions starting from 16.0 before 16.0.6, all versions starting from 16.1 before 16.1.1, which allows an attacker to merge arbitrary code into protected branches due to a CODEOWNERS approval bug. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N</code>, 5.7). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3444">CVE-2023-3444</a>.</p> <p>Thanks <a href="https://hackerone.com/glan1k">glan1k</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="maintainer-can-leak-masked-webhook-secrets-by-manipulating-url-masking">Maintainer can leak masked webhook secrets by manipulating URL masking</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/908 --> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.1 prior to 15.11.10, all versions from 16.0 prior to 16.0.6, all versions from 16.1 prior to 16.1.1. A maintainer could modify a webhook URL to leak masked webhook secrets by manipulating other masked portions. This addresses an incomplete fix for CVE-2023-0838. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N</code>, 5.5). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2620">CVE-2023-2620</a>.</p> <p>Thanks <a href="https://hackerone.com/theluci">theluci</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="information-disclosure-of-project-import-errors">Information disclosure of project import errors</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/903 --> <p>An information disclosure issue in GitLab CE/EE affecting all versions from 16.0 prior to 16.0.6, and version 16.1.0 allows unauthenticated actors to access the import error information if a project was imported from GitHub. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N</code>, 5.3). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3362">CVE-2023-3362</a>.</p> <p>This vulnerability has been discovered internally by GitLab team member <a href="https://gitlab.com/rodrigo.tomonari">Rodrigo Tomonari</a>.</p> <h2 id="sensitive-information-disclosure-via-value-stream-analytics-controller">Sensitive information disclosure via value stream analytics controller</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/898 --> <p>A sensitive information leak issue has been discovered in GitLab EE affecting all versions starting from 16.0 before 16.0.6, all versions starting from 16.1 before 16.1.1, which allows access to titles of private issues and merge requests. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N</code>, 5.3). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3102">CVE-2023-3102</a>.</p> <p>Thanks <a href="https://hackerone.com/pwnie">pwnie</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="bypassing-code-owners-branch-protection-rule-in-gitlab">Bypassing Code Owners branch protection rule in GitLab</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/894 --> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.7 before 15.11.10, all versions starting from 16.0 before 16.0.6, all versions starting from 16.1 before 16.1.1. This allowed a developer to remove the CODEOWNERS rules and merge to a protected branch. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2576">CVE-2023-2576</a>.</p> <p>Thanks <a href="https://hackerone.com/inspector-ambitious">inspector-ambitious</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="html-injection-in-email-address">HTML injection in email address</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/900 --> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting from 7.14 before 15.11.10, all versions starting from 16.0 before 16.0.6, all versions starting from 16.1 before 16.1.1, which allows an attacker to inject HTML in an email address field. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N</code>, 4.1). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2200">CVE-2023-2200</a>.</p> <p>Thanks <a href="https://hackerone.com/cryptopone">cryptopone</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="webhook-token-leaked-in-sidekiq-logs-if-log-format-is-default">Webhook token leaked in Sidekiq logs if log format is 'default'</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/904 --> <p>An information disclosure issue in GitLab CE/EE affecting all versions from 13.6 prior to 15.11.10, all versions from 16.0 prior to 16.0.6, all versions from 16.1 prior to 16.1.1, resulted in the Sidekiq log including webhook tokens when the log format was set to <code>default</code>. This is a low severity issue (<code>CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N</code>, 3.9). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3363">CVE-2023-3363</a>.</p> <p>This vulnerability was reported by Martin Vaisset from MyMoneyBank.</p> <h2 id="private-email-address-of-service-desk-issue-creator-disclosed-via-issues-api">Private email address of service desk issue creator disclosed via issues API</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/897 --> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.7 before 15.11.10, all versions starting from 16.0 before 16.0.6, all versions starting from 16.1 before 16.1.1, which allows an attacker to leak the email address of a user who created a service desk issue. This is a low severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N</code>, 3.5). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1936">CVE-2023-1936</a>.</p> <p>Thanks <a href="https://hackerone.com/ricardobrito">ricardobrito</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="update-mattermost">Update Mattermost</h2> <p>Mattermost has been updated to version 7.10.2 in GitLab 16.0.6 and version 7.9.4 in GitLab 15.11.10 in order to mitigate security issues.</p> <h2 id="update-xmlsoftlibxml2-to-version-2104">Update xmlsoft/libxml2 to version 2.10.4</h2> <p>xmlsoft/libxml2 has been updated to version 2.10.4 in order to mitigate security issues.</p> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">update page</a>. To update GitLab Runner, see the <a href="https://docs.gitlab.com/runner/install/linux-repository.html#updating-the-runner">Updating the Runner page</a>.</p> <h2 id="receive-security-release-notifications">Receive Security Release Notifications</h2> <p>To receive security release blog notifications delivered to your inbox, visit our <a href="https://about.gitlab.com/company/contact/">contact us</a> page. 
To receive release notifications via RSS, subscribe to our <a href="https://about.gitlab.com/security-releases.xml">security release RSS feed</a> or our <a href="https://about.gitlab.com/all-releases.xml">RSS feed for all releases</a>.</p> GitLab Security Release: 16.0.2, 15.11.7, and 15.10.8 https://about.gitlab.com/releases/2023/06/05/security-release-gitlab-16-0-2-released/ 2023-06-05T00:00:00+00:00 2023-06-05T00:00:00+00:00 Rohit Shambhuni <p>Today we are releasing versions 16.0.2, 15.11.7, and 15.10.8 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.</p> <p>GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our <a href="https://about.gitlab.com/security/faq/">security FAQ</a>. You can see all of our regular and security release blog posts <a href="/releases/categories/releases/">here</a>. In addition, the issues detailing each vulnerability are made public on our <a href="https://gitlab.com/gitlab-org/gitlab/-/issues/?sort=created_date&amp;state=closed&amp;label_name%5B%5D=bug%3A%3Avulnerability&amp;confidential=no&amp;first_page_size=100">issue tracker</a> 30 days after the release in which they were patched.</p> <p>We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. 
As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more about <a href="/blog/gitlab-instance-security-best-practices/">best practices in securing your GitLab instance</a> in our blog post.</p> <h3 id="recommended-action">Recommended Action</h3> <p>We <strong>strongly recommend</strong> that all installations running a version affected by the issues described below are <strong>upgraded to the latest version as soon as possible</strong>.</p> <p>When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.</p> <h2 id="table-of-fixes">Table of Fixes</h2> <table> <thead> <tr> <th>Title</th> <th>Severity</th> </tr> </thead> <tbody> <tr> <td><a href="#stored-xss-with-csp-bypass-in-merge-requests">Stored-XSS with CSP-bypass in Merge requests</a></td> <td>high</td> </tr> <tr> <td><a href="#redos-via-frontmatterfilter-in-any-markdown-fields">ReDoS via FrontMatterFilter in any Markdown fields</a></td> <td>high</td> </tr> <tr> <td><a href="#redos-via-inlinedifffilter-in-any-markdown-fields">ReDoS via InlineDiffFilter in any Markdown fields</a></td> <td>high</td> </tr> <tr> <td><a href="#redos-via-dollarmathpostfilter-in-markdown-fields">ReDoS via DollarMathPostFilter in Markdown fields</a></td> <td>high</td> </tr> <tr> <td><a href="#dos-via-malicious-test-report-artifacts">DoS via malicious test report artifacts</a></td> <td>medium</td> </tr> <tr> <td><a href="#restricted-ip-addresses-can-clone-repositories-of-public-projects">Restricted IP addresses can clone repositories of public projects</a></td> <td>medium</td> </tr> <tr> <td><a href="#reflected-xss-in-report-abuse-functionality">Reflected XSS in Report Abuse Functionality</a></td> <td>medium</td> </tr> <tr> <td><a href="#privilege-escalation-from-maintainer-to-owner-by-importing-members-from-a-project">Privilege escalation from 
maintainer to owner by importing members from a project</a></td> <td>medium</td> </tr> <tr> <td><a href="#bypassing-tags-protection-in-gitlab">Bypassing tags protection in GitLab</a></td> <td>medium</td> </tr> <tr> <td><a href="#denial-of-service-using-multiple-labels-with-arbitrarily-large-descriptions">Denial of Service using multiple labels with arbitrarily large descriptions</a></td> <td>medium</td> </tr> <tr> <td><a href="#ability-to-use-an-unverified-email-for-public-and-commit-emails">Ability to use an unverified email for public and commit emails</a></td> <td>medium</td> </tr> <tr> <td><a href="#open-redirection-through-http-response-splitting">Open Redirection Through HTTP Response Splitting</a></td> <td>low</td> </tr> <tr> <td><a href="#disclosure-of-issue-notes-to-an-unauthorized-user-when-exporting-a-project">Disclosure of issue notes to an unauthorized user when exporting a project</a></td> <td>low</td> </tr> <tr> <td><a href="#ambiguous-branch-name-exploitation">Ambiguous branch name exploitation</a></td> <td>low</td> </tr> </tbody> </table> <h2 id="stored-xss-with-csp-bypass-in-merge-requests">Stored-XSS with CSP-bypass in Merge requests</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/893 --> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. A specially crafted merge request could lead to a stored XSS on the client side which allows attackers to perform arbitrary actions on behalf of victims. This is a high severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N</code>, 8.7). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2442">CVE-2023-2442</a>.</p> <p>Thanks <a href="https://hackerone.com/yvvdwf">yvvdwf</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="redos-via-frontmatterfilter-in-any-markdown-fields">ReDoS via FrontMatterFilter in any Markdown fields</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/888 --> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.0 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. A Regular Expression Denial of Service was possible via sending crafted payloads to the preview_markdown endpoint. This is a high severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</code>, 7.5). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2199">CVE-2023-2199</a>.</p> <p>Thanks <a href="https://hackerone.com/ryhmnlfj">ryhmnlfj</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="redos-via-inlinedifffilter-in-any-markdown-fields">ReDoS via InlineDiffFilter in any Markdown fields</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/887 --> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting from 8.7 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. A Regular Expression Denial of Service was possible via sending crafted payloads to the preview_markdown endpoint. This is a high severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</code>, 7.5). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2198">CVE-2023-2198</a>.</p> <p>Thanks <a href="https://hackerone.com/ryhmnlfj">ryhmnlfj</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="redos-via-dollarmathpostfilter-in-markdown-fields">ReDoS via DollarMathPostFilter in Markdown fields</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/881 --> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.4 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. A Regular Expression Denial of Service in DollarMathPostFilter was possible by sending crafted payloads to the preview_markdown endpoint. This is a high severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</code>, 7.5). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2132">CVE-2023-2132</a>.</p> <p>Thanks <a href="https://hackerone.com/ryhmnlfj">ryhmnlfj</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="dos-via-malicious-test-report-artifacts">DoS via malicious test report artifacts</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/850 --> <p>A denial of service issue was discovered in GitLab CE/EE affecting all versions starting from 13.2.4 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2 which allows an attacker to cause high resource consumption using malicious test report artifacts. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H</code>, 6.5). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0121">CVE-2023-0121</a>.</p> <p>Thanks <a href="https://hackerone.com/luryus">luryus</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="restricted-ip-addresses-can-clone-repositories-of-public-projects">Restricted IP addresses can clone repositories of public projects</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/889 --> <p>An issue has been discovered in GitLab EE affecting all versions starting from 12.0 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. An attacker can clone a repository from a public project, from a disallowed IP, even after the top-level group has enabled IP restrictions on the group. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N</code>, 5.9). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2589">CVE-2023-2589</a>.</p> <p>Thanks <a href="https://hackerone.com/ali_shehab">ali_shehab</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="reflected-xss-in-report-abuse-functionality">Reflected XSS in Report Abuse Functionality</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/875 --> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.8 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. A reflected XSS was possible when creating new abuse reports which allows attackers to perform arbitrary actions on behalf of victims. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N</code>, 4.4). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2015">CVE-2023-2015</a>.</p> <p>Thanks <a href="https://hackerone.com/akadrian">akadrian</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="privilege-escalation-from-maintainer-to-owner-by-importing-members-from-a-project">Privilege escalation from maintainer to owner by importing members from a project</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/892 --> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting from 14.1 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. A malicious maintainer in a project can escalate other users to Owners in that project if they import members from another project that those other users are Owners of. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N</code>, 4.4). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2485">CVE-2023-2485</a>.</p> <p>Thanks <a href="https://hackerone.com/theluci">theluci</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="bypassing-tags-protection-in-gitlab">Bypassing tags protection in GitLab</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/890 --> <p>An issue has been discovered in GitLab CE/EE affecting all versions before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. An attacker was able to spoof protected tags, which could potentially lead a victim to download malicious code. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N</code>, 4.3). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2001">CVE-2023-2001</a>.</p> <p>Thanks <a href="https://hackerone.com/inspector-ambitious">inspector-ambitious</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="denial-of-service-using-multiple-labels-with-arbitrarily-large-descriptions">Denial of Service using multiple labels with arbitrarily large descriptions</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/880 --> <p>A lack of length validation in GitLab CE/EE affecting all versions from 8.3 before 15.10.8, 15.11 before 15.11.7, and 16.0 before 16.0.2 allows an authenticated attacker to create a large Issue description via GraphQL which, when repeatedly requested, saturates CPU usage. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L</code>, 4.3). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0921">CVE-2023-0921</a>.</p> <p>Thanks <a href="https://hackerone.com/cryptopone">cryptopone</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="ability-to-use-an-unverified-email-for-public-and-commit-emails">Ability to use an unverified email for public and commit emails</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/867 --> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.1 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. A user could use an unverified email as a public email and commit email by sending a specifically crafted request on user update settings. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N</code>, 4.3). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1204">CVE-2023-1204</a>.</p> <p>Thanks <a href="https://hackerone.com/theluci">theluci</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="open-redirection-through-http-response-splitting">Open Redirection Through HTTP Response Splitting</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/885 --> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.4 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. Open redirection was possible via HTTP response splitting in the NPM package API. This is a low severity issue (<code>CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N</code>, 3.1). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0508">CVE-2023-0508</a>.</p> <p>Thanks <a href="https://hackerone.com/akadrian">akadrian</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="disclosure-of-issue-notes-to-an-unauthorized-user-when-exporting-a-project">Disclosure of issue notes to an unauthorized user when exporting a project</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/854 --> <p>An issue has been discovered in GitLab EE affecting all versions starting from 15.7 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. It was possible to disclose issue notes to an unauthorized user at project export. This is a low severity issue (<code>CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 3.1). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1825">CVE-2023-1825</a>.</p> <p>This vulnerability has been discovered internally by a GitLab team member.</p> <h2 id="ambiguous-branch-name-exploitation">Ambiguous branch name exploitation</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/886 --> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting from 1.2 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. An issue was found that allows someone to abuse a discrepancy between the Web application display and the git command line interface to social engineer victims into cloning non-trusted code. This is a low severity issue (<code>CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N</code>, 2.6). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2013">CVE-2023-2013</a>.</p> <p>Thanks <a href="https://hackerone.com/inspector-ambitious">inspector-ambitious</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="update-mattermost">Update Mattermost</h2> <p>Mattermost has been updated to version 7.9.3 in order to mitigate security issues.</p> <h2 id="update-ncurses">Update Ncurses</h2> <p>Ncurses has been updated to version 6.4-20230225 in order to mitigate security issues.</p> <h2 id="update-postgresql">Update PostgreSQL</h2> <p>PostgreSQL has been updated to versions 12.14 and 13.11 in order to mitigate security issues.</p> <h2 id="non-security-patches">Non Security Patches</h2> <p>This security release also includes the following non-security patches.</p> <h3 id="1602">16.0.2</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/121518">Update the upgrade path for 15.11 and 16.x</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/121470">Introduce 
parallelised BitBucket Server Importer</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/121872">Fix Sidekiq crash when gitlab.yml contains UTF-8 characters</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/121745">Revert "Remove legacy project routes"</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/121843">Merge branch '344594-fix-migration' into '16-0-stable-ee'</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/121606">Do not run notify-package-and-test-failure on sec</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/121894">Add task to fix migrations for 15.11 upgrades (16.0 Stable)</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/122345">Do not requeue the indexing worker if failures occur</a></li> <li><a href="https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/6918">Stop supporting and using deprecated Gitaly configuration</a></li> </ul> <h3 id="15117">15.11.7</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitaly/-/merge_requests/5868">Backport 'Remove uncessary fields from pack-objects cache key computation' to 15.11</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/121608">Do not run notify-package-and-test-failure on sec</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/121895">Add task to fix migrations for 15.11 upgrades (15.11 Stable)</a></li> </ul> <h3 id="15108">15.10.8</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/build/CNG/-/merge_requests/1397">Update redis-namespace dependency in MailRoom</a></li> <li><a href="https://gitlab.com/gitlab-org/build/CNG/-/merge_requests/1406">Skip weak dependencies during install on UBI</a></li> <li><a href="https://gitlab.com/gitlab-org/build/CNG/-/merge_requests/1404">Fix restore with azcopy</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/120163">Backport 
'fix-container-replication' into 15.10</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/121305">Convert some regex to use Gitlab::UntrustedRegexp</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/121609">Do not run notify-package-and-test-failure on sec</a></li> <li><a href="https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/6887">Add SMTP timeout configuration options</a></li> <li><a href="https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/6877">Validate that SMTP settings do not enable both TLS and STARTTLS</a></li> </ul> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">update page</a>. To update GitLab Runner, see the <a href="https://docs.gitlab.com/runner/install/linux-repository.html#updating-the-runner">Updating the Runner page</a>.</p> <h2 id="receive-security-release-notifications">Receive Security Release Notifications</h2> <p>To receive security release blog notifications delivered to your inbox, visit our <a href="https://about.gitlab.com/company/contact/">contact us</a> page. To receive release notifications via RSS, subscribe to our <a href="https://about.gitlab.com/security-releases.xml">security release RSS feed</a> or our <a href="https://about.gitlab.com/all-releases.xml">RSS feed for all releases</a>.</p> GitLab Critical Security Release: 16.0.1 https://about.gitlab.com/releases/2023/05/23/critical-security-release-gitlab-16-0-1-released/ 2023-05-23T00:00:00+00:00 2023-05-23T00:00:00+00:00 Rohit Shambhuni <p>Today we are releasing version 16.0.1 for GitLab Community Edition (CE) and Enterprise Edition (EE). It is only required for installations running 16.0.0. 
Earlier versions are not affected.</p> <p>This version contains important security fixes, and we strongly recommend that GitLab installations running 16.0.0 be upgraded immediately. GitLab.com is already running the patched version.</p> <p>GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our <a href="https://about.gitlab.com/security/faq/">security FAQ</a>. You can see all of our regular and security release blog posts <a href="/releases/categories/releases/">here</a>. In addition, the issues detailing each vulnerability are made public on our <a href="https://gitlab.com/gitlab-org/gitlab/-/issues/?sort=created_date&amp;state=closed&amp;label_name%5B%5D=bug%3A%3Avulnerability&amp;confidential=no&amp;first_page_size=100">issue tracker</a> 30 days after the release in which they were patched.</p> <p>We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more about <a href="/blog/gitlab-instance-security-best-practices/">best practices in securing your GitLab instance</a> in our blog post.</p> <h3 id="recommended-action">Recommended Action</h3> <p>We <strong>strongly recommend</strong> that all installations running a version affected by the issues described below are <strong>upgraded to the latest version as soon as possible</strong>.</p> <p>When no specific deployment type (omnibus, source code, helm chart, etc.) 
of a product is mentioned, this means all types are affected.</p> <h2 id="table-of-fixes">Table of Fixes</h2> <table> <thead> <tr> <th>Title</th> <th>Severity</th> </tr> </thead> <tbody> <tr> <td><a href="#arbitrary-file-read-via-uploads-path-traversal">Arbitrary file read via uploads path traversal</a></td> <td>critical</td> </tr> </tbody> </table> <h2 id="arbitrary-file-read-via-uploads-path-traversal">Arbitrary file read via uploads path traversal</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/891 --> <p>An issue has been discovered in GitLab CE/EE affecting only version 16.0.0. An unauthenticated malicious user can use a path traversal vulnerability to read arbitrary files on the server when an attachment exists in a public project nested within at least five groups. This is a critical severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N</code>, 10.0). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2825">CVE-2023-2825</a>.</p> <p>Thanks <a href="https://hackerone.com/pwnie">pwnie</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">update page</a>. To update GitLab Runner, see the <a href="https://docs.gitlab.com/runner/install/linux-repository.html#updating-the-runner">Updating the Runner page</a>.</p> <h2 id="receive-security-release-notifications">Receive Security Release Notifications</h2> <p>To receive security release blog notifications delivered to your inbox, visit our <a href="https://about.gitlab.com/company/contact/">contact us</a> page. 
To receive release notifications via RSS, subscribe to our <a href="https://about.gitlab.com/security-releases.xml">security release RSS feed</a> or our <a href="https://about.gitlab.com/all-releases.xml">RSS feed for all releases</a>.</p> GitLab Coordinated Security Release: 15.11.3, 15.10.7, 15.9.8 https://about.gitlab.com/releases/2023/05/10/security-release-gitlab-15-11-3-released/ 2023-05-10T00:00:00+00:00 2023-05-10T00:00:00+00:00 Nick Malcolm <p>Today we are releasing versions 15.11.3, 15.10.7, 15.9.8 for GitLab Community Edition (CE) and Enterprise Edition (EE). This is a coordinated security release, aligning with a disclosure date provided by Git.</p> <p>These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.</p> <p>GitLab releases patches for vulnerabilities in dedicated security releases. There are three types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), ad-hoc security releases for critical vulnerabilities, as well as coordinated security releases. For more information, you can visit our <a href="https://about.gitlab.com/security/faq/">security FAQ</a>. You can see all of our regular and security release blog posts <a href="/releases/categories/releases/">here</a>. 
In addition, the issues detailing each vulnerability are made public on our <a href="https://gitlab.com/gitlab-org/gitlab/-/issues/?sort=created_date&amp;state=closed&amp;label_name%5B%5D=bug%3A%3Avulnerability&amp;confidential=no&amp;first_page_size=100">issue tracker</a> 30 days after the release in which they were patched.</p> <p>We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more about <a href="/blog/gitlab-instance-security-best-practices/">best practices in securing your GitLab instance</a> in our blog post.</p> <h3 id="recommended-action">Recommended Action</h3> <p>We <strong>strongly recommend</strong> that all installations running a version affected by the issues described below are <strong>upgraded to the latest version as soon as possible</strong>.</p> <p>When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.</p> <h2 id="table-of-fixes">Table of Fixes</h2> <table> <thead> <tr> <th>Title</th> <th>Severity</th> </tr> </thead> <tbody> <tr> <td><a href="#smuggling-code-changes-via-merge-requests-with-refsreplace">Smuggling code changes via merge requests with refs/replace</a></td> <td>Medium</td> </tr> </tbody> </table> <h2 id="smuggling-code-changes-via-merge-requests-with-refsreplace">Smuggling code changes via merge requests with refs/replace</h2> <!-- https://gitlab.com/gitlab-org/security/gitaly/-/issues/11 --> <p>An issue has been discovered in GitLab affecting all versions before 15.9.8, 15.10.0 before 15.10.7, and 15.11.0 before 15.11.3. A malicious developer could use a git feature called refs/replace to smuggle content into a merge request which would not be visible during review in the UI. 
This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N</code>, 6.3 Medium). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2181">CVE-2023-2181</a>.</p> <p>Thanks <a href="https://hackerone.com/inspector-ambitious">inspector-ambitious</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="non-security-patches">Non-security patches</h2> <p>This security release also includes the following non-security patches.</p> <p>Into 15.11.3:</p> <ul> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/119164">Restrict bigint cleanup migrations to GitLab.com only</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/119520">Revert migration squash that breaks 15.11</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/119742">[15.11] ci: Fix omnibus trigger target branch for MR targeting stable branches</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/119456">Fix custom template import permission</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/119374">[15.11] Fix for the rebase merge request state being shown incorrectly</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/119299">Back with UNSTRUCTURED_RAILS_LOG environment variable</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/120028">Fix issue description keeping autosave after save</a></li> </ul> <p>Into 15.10.7:</p> <ul> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/119744">[15.10] ci: Fix omnibus trigger target branch for MR targeting stable branches</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/119452">Fix custom template import permission</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/119376">[15.10] Fix for the rebase merge request state 
being shown incorrectly</a></li> </ul> <p>Into 15.9.8:</p> <ul> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/119746">[15.9] ci: Fix omnibus trigger target branch for MR targeting stable branches</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/119377">[15.9] Fix for the rebase merge request state being shown incorrectly</a></li> </ul> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">update page</a>. To update GitLab Runner, see the <a href="https://docs.gitlab.com/runner/install/linux-repository.html#updating-the-runner">Updating the Runner page</a>.</p> <h2 id="receive-security-release-notifications">Receive Security Release Notifications</h2> <p>To receive security release blog notifications delivered to your inbox, visit our <a href="https://about.gitlab.com/company/contact/">contact us</a> page. To receive release notifications via RSS, subscribe to our <a href="https://about.gitlab.com/security-releases.xml">security release RSS feed</a> or our <a href="https://about.gitlab.com/all-releases.xml">RSS feed for all releases</a>.</p> GitLab Critical Security Release: 15.11.2, 15.10.6, and 15.9.7 https://about.gitlab.com/releases/2023/05/05/critical-security-release-gitlab-15-11-2-released/ 2023-05-05T00:00:00+00:00 2023-05-05T00:00:00+00:00 Rohit Shambhuni <p>Today we are releasing versions 15.11.2, 15.10.6, and 15.9.7 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.</p> <p>GitLab releases patches for vulnerabilities in dedicated security releases. 
There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our <a href="https://about.gitlab.com/security/faq/">security FAQ</a>. You can see all of our regular and security release blog posts <a href="/releases/categories/releases/">here</a>. In addition, the issues detailing each vulnerability are made public on our <a href="https://gitlab.com/gitlab-org/gitlab/-/issues/?sort=created_date&amp;state=closed&amp;label_name%5B%5D=bug%3A%3Avulnerability&amp;confidential=no&amp;first_page_size=100">issue tracker</a> 30 days after the release in which they were patched.</p> <p>We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more <a href="/blog/gitlab-instance-security-best-practices/">best practices in securing your GitLab instance</a> in our blog post.</p> <h3 id="recommended-action">Recommended Action</h3> <p>We <strong>strongly recommend</strong> that all installations running a version affected by the issues described below are <strong>upgraded to the latest version as soon as possible</strong>.</p> <p>When no specific deployment type (omnibus, source code, helm chart, etc.) 
of a product is mentioned, this means all types are affected.</p> <h2 id="table-of-fixes">Table of Fixes</h2> <table> <thead> <tr> <th>Title</th> <th>Severity</th> </tr> </thead> <tbody> <tr> <td><a href="#malicious-runner-attachment-via-graphql">Malicious Runner Attachment via GraphQL</a></td> <td>critical</td> </tr> </tbody> </table> <h2 id="malicious-runner-attachment-via-graphql">Malicious Runner Attachment via GraphQL</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/884 --> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.4 before 15.9.7, all versions starting from 15.10 before 15.10.6, all versions starting from 15.11 before 15.11.2. Under certain conditions, any GitLab user account on the instance may use a GraphQL endpoint to attach a malicious runner to any project on the instance. This is a critical severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N</code>, 9.6). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2478">CVE-2023-2478</a>.</p> <p>Thanks <a href="https://hackerone.com/yvvdwf">yvvdwf</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="non-security-patches">Non Security Patches</h2> <p>This security release also includes the following non-security patches.</p> <h3 id="15106">15.10.6</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/118703">Backport IP enforcement FF to 15.10</a></li> <li><a href="https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/6824">Bundle libarchive in the package</a></li> </ul> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">update page</a>. 
To update GitLab Runner, see the <a href="https://docs.gitlab.com/runner/install/linux-repository.html#updating-the-runner">Updating the Runner page</a>.</p> <h2 id="receive-security-release-notifications">Receive Security Release Notifications</h2> <p>To receive security release blog notifications delivered to your inbox, visit our <a href="https://about.gitlab.com/company/contact/">contact us</a> page. To receive release notifications via RSS, subscribe to our <a href="https://about.gitlab.com/security-releases.xml">security release RSS feed</a> or our <a href="https://about.gitlab.com/all-releases.xml">RSS feed for all releases</a>.</p> GitLab Security Release: 15.11.1, 15.10.5, and 15.9.6 https://about.gitlab.com/releases/2023/05/02/security-release-gitlab-15-11-1-released/ 2023-05-02T00:00:00+00:00 2023-05-02T00:00:00+00:00 Dominic Couture <p>Today we are releasing versions 15.11.1, 15.10.5, and 15.9.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.</p> <p>GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our <a href="https://about.gitlab.com/security/faq/">security FAQ</a>. You can see all of our regular and security release blog posts <a href="/releases/categories/releases/">here</a>. 
In addition, the issues detailing each vulnerability are made public on our <a href="https://gitlab.com/gitlab-org/gitlab/-/issues/?sort=created_date&amp;state=closed&amp;label_name%5B%5D=bug%3A%3Avulnerability&amp;confidential=no&amp;first_page_size=100">issue tracker</a> 30 days after the release in which they were patched.</p> <p>We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more <a href="/blog/gitlab-instance-security-best-practices/">best practices in securing your GitLab instance</a> in our blog post.</p> <h3 id="recommended-action">Recommended Action</h3> <p>We <strong>strongly recommend</strong> that all installations running a version affected by the issues described below are <strong>upgraded to the latest version as soon as possible</strong>.</p> <p>When no specific deployment type (omnibus, source code, helm chart, etc.) 
of a product is mentioned, this means all types are affected.</p> <h2 id="table-of-fixes">Table of Fixes</h2> <table> <thead> <tr> <th>Title</th> <th>Severity</th> </tr> </thead> <tbody> <tr> <td><a href="#privilege-escalation-for-external-users-when-oidc-is-enabled-under-certain-conditions">Privilege escalation for external users when OIDC is enabled under certain conditions</a></td> <td>medium</td> </tr> <tr> <td><a href="#account-takeover-through-open-redirect-for-group-saml-accounts">Account takeover through open redirect for Group SAML accounts</a></td> <td>medium</td> </tr> <tr> <td><a href="#users-on-banned-ip-addresses-can-still-commit-to-projects">Users on banned IP addresses can still commit to projects</a></td> <td>medium</td> </tr> <tr> <td><a href="#user-with-developer-role-group-can-modify-protected-branches-setting-on-imported-project-and-leak-group-cicd-variables">User with developer role (group) can modify Protected branches setting on imported project and leak group CI/CD variables</a></td> <td>medium</td> </tr> <tr> <td><a href="#the-gitlab-web-interface-does-not-guarantee-file-integrity-when-downloading-source-code-or-installation-packages-from-a-tag-or-from-a-release">The GitLab web interface does not guarantee file integrity when downloading source code or installation packages from a tag or from a release.</a></td> <td>medium</td> </tr> <tr> <td><a href="#banned-group-member-continues-to-have-access-to-the-public-projects-of-a-public-group-with-the-access-level-as-same-as-before-the-ban">Banned group member continues to have access to the public projects of a public group with the access level as same as before the ban.</a></td> <td>medium</td> </tr> <tr> <td><a href="#the-main-branch-of-a-repository-with-a-specially-designed-name-allows-an-attacker-to-create-repositories-with-malicious-code">The main branch of a repository with a specially designed name allows an attacker to create repositories with malicious code.</a></td> <td>medium</td> 
</tr> <tr> <td><a href="#xss-and-content-injection-and-iframe-injection-when-viewing-raw-files-under-specific-circumstances">XSS and content injection and iframe injection when viewing raw files under specific circumstances</a></td> <td>medium</td> </tr> <tr> <td><a href="#authenticated-users-can-find-other-users-by-their-private-email">Authenticated users can find other users by their private email</a></td> <td>low</td> </tr> </tbody> </table> <h2 id="privilege-escalation-for-external-users-when-oidc-is-enabled-under-certain-conditions">Privilege escalation for external users when OIDC is enabled under certain conditions</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/871 --> <p>An issue has been discovered in GitLab EE affecting all versions starting from 15.10 before 15.10.5, all versions starting from 15.11 before 15.11.1. Under certain conditions when OpenID Connect is enabled on an instance, it may allow users who are marked as 'external' to become 'regular' users, leading to privilege escalation for those users. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N</code>, 6.8). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2182">CVE-2023-2182</a>.</p> <p>This vulnerability was reported to us by a customer.</p> <h2 id="account-takeover-through-open-redirect-for-group-saml-accounts">Account takeover through open redirect for Group SAML accounts</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/876 --> <p>An issue has been discovered in GitLab EE affecting all versions starting from 14.2 before 15.9.6, all versions starting from 15.10 before 15.10.5, all versions starting from 15.11 before 15.11.1. Lack of verification on the RelayState parameter allowed a maliciously crafted URL to obtain access tokens granted for 3rd party Group SAML SSO logins. This feature isn't enabled by default. 
This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N</code>, 6.8). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1965">CVE-2023-1965</a>.</p> <p>If you are seeing an unexpected redirect after sign in through SAML, ensure the <a href="https://docs.gitlab.com/ee/integration/saml.html#additional-configuration-for-saml-apps-on-your-idp"><code>RelayState</code> setting</a> on the identity provider side is set to a valid URL.</p> <p>Thanks <a href="https://hackerone.com/bull">bull</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="users-on-banned-ip-addresses-can-still-commit-to-projects">Users on banned IP addresses can still commit to projects</h2> <p>An issue has been discovered in GitLab EE affecting all versions starting from 12.0 before 15.10.5, all versions starting from 15.11 before 15.11.1. A malicious group member may continue to commit to projects even from a restricted IP address. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N</code>, 6.5). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1621">CVE-2023-1621</a>.</p> <h2 id="user-with-developer-role-group-can-modify-protected-branches-setting-on-imported-project-and-leak-group-cicd-variables">User with developer role (group) can modify Protected branches setting on imported project and leak group CI/CD variables</h2> <p>An issue has been discovered in GitLab affecting all versions starting from 10.0 before 12.9.8, all versions starting from 12.10 before 12.10.7, all versions starting from 13.0 before 13.0.1. A user with the role of developer could use the import project feature to leak CI/CD variables. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N</code>, 6.4). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2069">CVE-2023-2069</a>.</p> <p>Thanks <a href="https://hackerone.com/js_noob">js_noob</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <p>The fix for this issue was to <a href="https://gitlab.com/gitlab-org/gitlab/-/issues/387891">restrict imports to users with the Maintainer role and above</a>. However, that also affected <a href="https://docs.gitlab.com/ee/user/project/index.html#create-a-project-from-a-custom-template">custom project templates at the group and instance levels</a>, so Developers are no longer able to create projects from custom templates. We are working on a fix that will allow users with the Developer role to create projects from templates again, and will release a patch with this fix to GitLab versions 15.11.1 and 15.10.5.</p> <h2 id="the-gitlab-web-interface-does-not-guarantee-file-integrity-when-downloading-source-code-or-installation-packages-from-a-tag-or-from-a-release">The GitLab web interface does not guarantee file integrity when downloading source code or installation packages from a tag or from a release.</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/877 --> <p>An issue has been discovered in GitLab CE/EE affecting all versions from 8.6 before 15.9.6, all versions starting from 15.10 before 15.10.5, all versions starting from 15.11 before 15.11.1. File integrity may be compromised when source code or installation packages are pulled from a tag or from a release containing a ref to another commit. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N</code>, 5.7). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1178">CVE-2023-1178</a>.</p> <p>Thanks <a href="https://hackerone.com/st4nly0n">st4nly0n</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="banned-group-member-continues-to-have-access-to-the-public-projects-of-a-public-group-with-the-access-level-as-same-as-before-the-ban">Banned group member continues to have access to the public projects of a public group with the access level as same as before the ban.</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/868 --> <p>An issue has been discovered in GitLab EE affecting all versions starting from 15.2 before 15.9.6, all versions starting from 15.10 before 15.10.5, all versions starting from 15.11 before 15.11.1. A malicious group member may continue to have access to the public projects of a public group even after being banned from the public group by the owner. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N</code>, 4.9). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0805">CVE-2023-0805</a>.</p> <p>Thanks <a href="https://hackerone.com/albatraoz">albatraoz</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="the-main-branch-of-a-repository-with-a-specially-designed-name-allows-an-attacker-to-create-repositories-with-malicious-code">The main branch of a repository with a specially designed name allows an attacker to create repositories with malicious code.</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/873 --> <p>An issue has been discovered in GitLab affecting all versions before 15.9.6, all versions starting from 15.10 before 15.10.5, all versions starting from 15.11 before 15.11.1. 
The main branch of a repository with a specially crafted name allows an attacker to create repositories with malicious code; victims who clone or download these repositories will execute arbitrary code on their systems. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N</code>, 4.8). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0756">CVE-2023-0756</a>.</p> <p>Thanks <a href="https://hackerone.com/st4nly0n">st4nly0n</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="xss-and-content-injection-and-iframe-injection-when-viewing-raw-files-under-specific-circumstances">XSS and content injection and iframe injection when viewing raw files under specific circumstances</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/869 --> <p>A cross-site scripting issue has been discovered in GitLab affecting all versions starting from 5.1 before 15.9.6, all versions starting from 15.10 before 15.10.5, all versions starting from 15.11 before 15.11.1. When viewing an XML file in a repository in "raw" mode, it can be made to render as HTML if viewed under specific circumstances. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N</code>, 4.4). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1836">CVE-2023-1836</a>.</p> <p>Thanks <a href="https://hackerone.com/joaxcar">joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="authenticated-users-can-find-other-users-by-their-private-email">Authenticated users can find other users by their private email</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/878 --> <p>An issue has been discovered in GitLab affecting all versions before 15.9.6, all versions starting from 15.10 before 15.10.5, all versions starting from 15.11 before 15.11.1. Under certain conditions, an attacker may be able to map a private email of a GitLab user to their GitLab account on an instance. This is a low severity issue (<code>CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 3.1). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4376">CVE-2022-4376</a>.</p> <p>Thanks <a href="https://hackerone.com/shells3c">shells3c</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="update-mattermost">Update Mattermost</h2> <p>Mattermost has been updated to versions 7.9.1 and 7.9.2 in order to mitigate security issues.</p> <h2 id="patch-openssl">Patch OpenSSL</h2> <p>A patch has been applied to mitigate CVE-2023-0464 in GitLab Omnibus.</p> <h2 id="patch-grafana">Patch Grafana</h2> <p>A patch has been applied to mitigate CVE-2023-1410 in GitLab Omnibus.</p> <h2 id="non-security-patches">Non Security Patches</h2> <p>This security release also includes the following non-security patches.</p> <h3 id="15111">15.11.1</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/118637">15.11: Fix Web IDE Beta icons not loading in Safari</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/118956">Move approved filter behind 
<code>mr_approved_filter</code> feature flag</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/118849">Fix search cron worker when indexing is disabled</a></li> </ul> <h3 id="15105">15.10.5</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/118219">Use proxied_site for geo proxied clone urls</a></li> </ul> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">update page</a>. To update GitLab Runner, see the <a href="https://docs.gitlab.com/runner/install/linux-repository.html#updating-the-runner">Updating the Runner page</a>.</p> <h2 id="receive-security-release-notifications">Receive Security Release Notifications</h2> <p>To receive security release blog notifications delivered to your inbox, visit our <a href="https://about.gitlab.com/company/contact/">contact us</a> page. To receive release notifications via RSS, subscribe to our <a href="https://about.gitlab.com/security-releases.xml">security release RSS feed</a> or our <a href="https://about.gitlab.com/all-releases.xml">RSS feed for all releases</a>.</p> GitLab Security Release: 15.10.1, 15.9.4, and 15.8.5 https://about.gitlab.com/releases/2023/03/30/security-release-gitlab-15-10-1-released/ 2023-03-30T00:00:00+00:00 2023-03-30T00:00:00+00:00 Greg Alfaro <p>Today we are releasing versions 15.10.1, 15.9.4, and 15.8.5 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.</p> <p>GitLab releases patches for vulnerabilities in dedicated security releases. 
There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our <a href="https://about.gitlab.com/security/faq/">security FAQ</a>. You can see all of our regular and security release blog posts <a href="/releases/categories/releases/">here</a>. In addition, the issues detailing each vulnerability are made public on our <a href="https://gitlab.com/gitlab-org/gitlab/-/issues/?sort=created_date&amp;state=closed&amp;label_name%5B%5D=bug%3A%3Avulnerability&amp;confidential=no&amp;first_page_size=100">issue tracker</a> 30 days after the release in which they were patched.</p> <p>We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more <a href="/blog/gitlab-instance-security-best-practices/">best practices in securing your GitLab instance</a> in our blog post.</p> <h3 id="recommended-action">Recommended Action</h3> <p>We <strong>strongly recommend</strong> that all installations running a version affected by the issues described below are <strong>upgraded to the latest version as soon as possible</strong>.</p> <p>When no specific deployment type (omnibus, source code, helm chart, etc.) 
of a product is mentioned, this means all types are affected.</p> <h2 id="table-of-fixes">Table of Fixes</h2> <table> <thead> <tr> <th>Title</th> <th>Severity</th> </tr> </thead> <tbody> <tr> <td><a href="#cross-site-scripting-in-maximum-page-reached-page">Cross-site scripting in "Maximum page reached" page</a></td> <td>medium</td> </tr> <tr> <td><a href="#private-project-guests-can-read-new-changes-using-a-fork">Private project guests can read new changes using a fork</a></td> <td>medium</td> </tr> <tr> <td><a href="#mirror-repository-error-reveals-password-in-settings-ui">Mirror repository error reveals password in Settings UI</a></td> <td>medium</td> </tr> <tr> <td><a href="#dos-and-high-resource-consumption-of-prometheus-server-through-abuse-of-prometheus-integration-proxy-endpoint">DOS and high resource consumption of Prometheus server through abuse of Prometheus integration proxy endpoint</a></td> <td>medium</td> </tr> <tr> <td><a href="#unauthenticated-users-can-view-environment-names-from-public-projects-limited-to-project-members-only">Unauthenticated users can view Environment names from public projects limited to project members only</a></td> <td>medium</td> </tr> <tr> <td><a href="#copying-information-to-the-clipboard-could-lead-to-the-execution-of-unexpected-commands">Copying information to the clipboard could lead to the execution of unexpected commands</a></td> <td>medium</td> </tr> <tr> <td><a href="#maintainer-can-leak-masked-webhook-secrets-by-adding-a-new-parameter-to-the-webhook-url">Maintainer can leak masked webhook secrets by adding a new parameter to the webhook URL</a></td> <td>medium</td> </tr> <tr> <td><a href="#arbitrary-html-injection-possible-when-soft_email_confirmation-feature-flag-is-enabled-in-the-latest-release">Arbitrary HTML injection possible when :soft_email_confirmation feature flag is enabled in the latest release</a></td> <td>medium</td> </tr> <tr> <td><a 
href="#framing-of-arbitrary-content-leading-to-open-redirects-on-any-page-allowing-user-controlled-markdown">Framing of arbitrary content (leading to open redirects) on any page allowing user controlled markdown</a></td> <td>medium</td> </tr> <tr> <td><a href="#mr-for-security-reports-are-available-to-everyone">MR for security reports are available to everyone</a></td> <td>medium</td> </tr> <tr> <td><a href="#api-timeout-when-searching-for-group-issues">API timeout when searching for group issues</a></td> <td>medium</td> </tr> <tr> <td><a href="#unauthorised-user-can-add-child-epics-linked-to-victims-epic-in-an-unrelated-group">Unauthorised user can add child epics linked to victim's epic in an unrelated group</a></td> <td>medium</td> </tr> <tr> <td><a href="#gitlab-search-allows-to-leak-internal-notes">GitLab search allows to leak internal notes</a></td> <td>medium</td> </tr> <tr> <td><a href="#ambiguous-branch-name-exploitation-in-gitlab">Ambiguous branch name exploitation in GitLab</a></td> <td>low</td> </tr> <tr> <td><a href="#improper-permissions-checks-for-moving-an-issue">Improper permissions checks for moving an issue</a></td> <td>low</td> </tr> <tr> <td><a href="#private-project-branches-names-can-be-leaked-through-a-fork">Private project branches names can be leaked through a fork</a></td> <td>low</td> </tr> </tbody> </table> <h2 id="cross-site-scripting-in-maximum-page-reached-page">Cross-site scripting in "Maximum page reached" page</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/849 --> <p>An issue has been discovered in GitLab affecting all versions starting from 12.8 before 15.8.5, all versions starting from 15.9 before 15.9.4, all versions starting from 15.10 before 15.10.1. A specially crafted payload could lead to a reflected XSS on the client side which allows attackers to perform arbitrary actions on behalf of victims on self-hosted instances running without strict CSP. 
This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N</code>, 6.1). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3513">CVE-2022-3513</a>.</p> <p>Thanks <a href="https://hackerone.com/ryotak">ryotak</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="private-project-guests-can-read-new-changes-using-a-fork">Private project guests can read new changes using a fork</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/838 --> <p>An issue has been discovered in GitLab affecting all versions starting from 13.11 before 15.8.5, all versions starting from 15.9 before 15.9.4, all versions starting from 15.10 before 15.10.1. It was possible that a project member demoted to a user role could read project updates by doing a diff with a pre-existing fork. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N</code>, 6.5). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0485">CVE-2023-0485</a>.</p> <p>Thanks <a href="https://hackerone.com/shells3c">shells3c</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="mirror-repository-error-reveals-password-in-settings-ui">Mirror repository error reveals password in Settings UI</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/834 --> <p>An information disclosure vulnerability has been discovered in GitLab EE/CE affecting all versions starting from 11.5 before 15.8.5, all versions starting from 15.9 before 15.9.4, all versions starting from 15.10 before 15.10.1, that allows an admin to leak the password from the repository mirror configuration. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N</code>, 5.8). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1098">CVE-2023-1098</a>.</p> <p>Thanks <a href="https://hackerone.com/tennox_">tennox_</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="dos-and-high-resource-consumption-of-prometheus-server-through-abuse-of-prometheus-integration-proxy-endpoint">DOS and high resource consumption of Prometheus server through abuse of Prometheus integration proxy endpoint</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/861 --> <p>A denial of service condition exists in the Prometheus server bundled with GitLab affecting all versions from 11.10 to 15.8.5, 15.9 to 15.9.4 and 15.10 to 15.10.1. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L</code>, 5.8). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1733">CVE-2023-1733</a>.</p> <p>Thanks <a href="https://hackerone.com/joaxcar">joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="unauthenticated-users-can-view-environment-names-from-public-projects-limited-to-project-members-only">Unauthenticated users can view Environment names from public projects limited to project members only</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/837 --> <p>An issue has been discovered in GitLab affecting all versions starting from 13.6 before 15.8.5, all versions starting from 15.9 before 15.9.4, all versions starting from 15.10 before 15.10.1, allowing reading of environment names supposed to be restricted to project members only. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N</code>, 5.8). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0319">CVE-2023-0319</a>.</p> <p>Thanks <a href="https://hackerone.com/ashish_r_padelkar">ashish_r_padelkar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="copying-information-to-the-clipboard-could-lead-to-the-execution-of-unexpected-commands">Copying information to the clipboard could lead to the execution of unexpected commands</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/858 --> <p>An issue was identified in GitLab CE/EE affecting all versions from 1.0 prior to 15.8.5, 15.9 prior to 15.9.4, and 15.10 prior to 15.10.1 where non-printable characters copied to the clipboard could allow unexpected commands to be executed on the victim's machine. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N</code>, 5.7). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1708">CVE-2023-1708</a>.</p> <p>Thanks <a href="https://hackerone.com/st4nly0n">st4nly0n</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="maintainer-can-leak-masked-webhook-secrets-by-adding-a-new-parameter-to-the-webhook-url">Maintainer can leak masked webhook secrets by adding a new parameter to the webhook URL</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/856 --> <p>An issue has been discovered in GitLab affecting versions starting from 15.1 before 15.8.5, 15.9 before 15.9.4, and 15.10 before 15.10.1. A maintainer could modify a webhook URL to leak masked webhook secrets by adding a new parameter to the URL. This addresses an incomplete fix for CVE-2022-4342. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N</code>, 5.5). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0838">CVE-2023-0838</a>.</p> <p>Thanks <a href="https://hackerone.com/0xn3va">0xn3va</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="arbitrary-html-injection-possible-when-soft_email_confirmation-feature-flag-is-enabled-in-the-latest-release">Arbitrary HTML injection possible when :soft_email_confirmation feature flag is enabled in the latest release</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/840 --> <p>An issue has been discovered in GitLab affecting all versions starting from 15.6 before 15.8.5, 15.9 before 15.9.4, and 15.10 before 15.10.1. On certain instances, a stored XSS was possible via a malicious email address, which only affected the admins when they tried to impersonate the account with the malicious payload. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N</code>, 5.4). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0523">CVE-2023-0523</a>.</p> <p>Thanks <a href="https://hackerone.com/cryptopone">cryptopone</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="framing-of-arbitrary-content-leading-to-open-redirects-on-any-page-allowing-user-controlled-markdown">Framing of arbitrary content (leading to open redirects) on any page allowing user controlled markdown</h2> <p>An issue has been discovered in GitLab affecting all versions starting from 15.7 before 15.8.5, all versions starting from 15.9 before 15.9.4, all versions starting from 15.10 before 15.10.1. It was possible to iframe arbitrary origins in the browser via specially crafted markdown on any page. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:L</code>, 5.4). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0155">CVE-2023-0155</a>.</p> <p>Thanks <a href="https://hackerone.com/joaxcar">joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="mr-for-security-reports-are-available-to-everyone">MR for security reports are available to everyone</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/845 --> <p>Improper authorization in GitLab EE affecting all versions from 12.3.0 before 15.8.5, all versions starting from 15.9 before 15.9.4, all versions starting from 15.10 before 15.10.1 allows unauthorized access to security reports in merge requests. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N</code>, 5.3). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1167">CVE-2023-1167</a>.</p> <p>This vulnerability has been discovered internally by GitLab team member <a href="https://gitlab.com/minac">@minac</a>.</p> <h2 id="api-timeout-when-searching-for-group-issues">API timeout when searching for group issues</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/851 --> <p>An issue has been discovered in GitLab affecting all versions starting from 15.9 before 15.9.4, all versions starting from 15.10 before 15.10.1. A search timeout could be triggered if a specific HTML payload was used in the issue description. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L</code>, 4.3). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1787">CVE-2023-1787</a>.</p> <p>This vulnerability has been discovered internally by a GitLab team member.</p> <h2 id="unauthorised-user-can-add-child-epics-linked-to-victims-epic-in-an-unrelated-group">Unauthorised user can add child epics linked to victim's epic in an unrelated group</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/857 --> <p>An issue has been discovered in GitLab affecting all versions starting from 15.9 before 15.9.4, all versions starting from 15.10 before 15.10.1. It was possible for an unauthorised user to add child epics linked to a victim's epic in an unrelated group. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1417">CVE-2023-1417</a>.</p> <p>Thanks <a href="https://hackerone.com/cryptopone">cryptopone</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="gitlab-search-allows-to-leak-internal-notes">GitLab search allows to leak internal notes</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/852 --> <p>A sensitive information disclosure vulnerability in GitLab affecting all versions from 15.0 prior to 15.8.5, 15.9 prior to 15.9.4 and 15.10 prior to 15.10.1 allows an attacker to view the count of internal notes for a given issue. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N</code>, 5.3). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1710">CVE-2023-1710</a>.</p> <p>Thanks <a href="https://hackerone.com/shells3c">shells3c</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="ambiguous-branch-name-exploitation-in-gitlab">Ambiguous branch name exploitation in GitLab</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/846 --> <p>An issue has been discovered in GitLab affecting all versions starting from 8.1 to 15.8.5, and from 15.9 to 15.9.4, and from 15.10 to 15.10.1. It was possible to add a branch with an ambiguous name that could be used to social engineer users. This is a low severity issue (<code>CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N</code>, 3.7). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0450">CVE-2023-0450</a>.</p> <p>Thanks <a href="https://hackerone.com/inspector-ambitious">inspector-ambitious</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="improper-permissions-checks-for-moving-an-issue">Improper permissions checks for moving an issue</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/835 --> <p>An issue has been discovered in GitLab affecting all versions from 15.5 before 15.8.5, all versions starting from 15.9 before 15.9.4, all versions starting from 15.10 before 15.10.1. Due to improper permissions checks it was possible for an unauthorised user to remove an issue from an epic. This is a low severity issue (<code>CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N</code>, 3.1). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1071">CVE-2023-1071</a>.</p> <p>This vulnerability has been discovered internally by the GitLab team.</p> <h2 id="private-project-branches-names-can-be-leaked-through-a-fork">Private project branches names can be leaked through a fork</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/826 --> <p>An issue has been discovered in GitLab affecting all versions starting from 11.10 before 15.8.5, all versions starting from 15.9 before 15.9.4, all versions starting from 15.10 before 15.10.1. It was possible to disclose the branch names when an attacker has a fork of a project that was switched to private. This is a low severity issue (<code>CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 3.1). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3375">CVE-2022-3375</a>.</p> <p>Thanks <a href="https://hackerone.com/shells3c">shells3c</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="update-mattermost">Update Mattermost</h2> <!-- https://gitlab.com/gitlab-org/security/omnibus-gitlab/-/issues/84 --> <p>Mattermost has been updated to versions 7.7.3 and 7.8.2 in order to mitigate security issues.</p> <h2 id="update-curl">Update curl</h2> <!-- https://gitlab.com/gitlab-org/security/omnibus-gitlab/-/issues/82 --> <p>Curl has been updated to version 8.0.1 in order to mitigate security issues.</p> <h2 id="update-redis">Update redis</h2> <!-- https://gitlab.com/gitlab-org/security/omnibus-gitlab/-/issues/83 --> <p>Redis has been updated to version 6.2.11 in order to mitigate security issues.</p> <h2 id="update-openssl">Update OpenSSL</h2> <!-- https://gitlab.com/gitlab-org/security/omnibus-gitlab/-/issues/81 --> <p>OpenSSL has been updated to version 'OpenSSL_1_1_1t' in order to mitigate security issues.</p> <h2 
id="non-security-patches">Non Security Patches</h2> <p>This security release also includes the following non-security patches.</p> <h3 id="into-15101">Into 15.10.1</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/build/CNG/-/merge_requests/1347">Cherry pick "Use the ubi packaged libedit-devel" to 15-10-stable</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/115465">Don't autofocus comment field with content editor</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/115579">Sync security policy rule schedules that may have been deleted by bug</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/115668">Fix issue dashboard returning issues from archived projects</a></li> </ul> <h3 id="into-1594">Into 15.9.4</h3> <ul> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/114287">Resolve "Duplicate todo is created for already mentioned user"</a></li> </ul> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">update page</a>. To update Gitlab Runner, see the <a href="https://docs.gitlab.com/runner/install/linux-repository.html#updating-the-runner">Updating the Runner page</a>.</p> <h2 id="receive-security-release-notifications">Receive Security Release Notifications</h2> <p>To receive security release blog notifications delivered to your inbox, visit our <a href="https://about.gitlab.com/company/contact/">contact us</a> page. 
To receive release notifications via RSS, subscribe to our <a href="https://about.gitlab.com/security-releases.xml">security release RSS feed</a> or our <a href="https://about.gitlab.com/all-releases.xml">RSS feed for all releases</a>.</p> <h1 id="gitlab-security-release-15-9-2">GitLab Security Release: 15.9.2, 15.8.4, and 15.7.8</h1> <p><a href="https://about.gitlab.com/releases/2023/03/02/security-release-gitlab-15-9-2-released/">https://about.gitlab.com/releases/2023/03/02/security-release-gitlab-15-9-2-released/</a>, 2023-03-02T00:00:00+00:00, Greg Myers</p> <p>Today we are releasing versions 15.9.2, 15.8.4, and 15.7.8 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.</p> <p>GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our <a href="https://about.gitlab.com/security/faq/">security FAQ</a>. You can see all of our regular and security release blog posts <a href="/releases/categories/releases/">here</a>. In addition, the issues detailing each vulnerability are made public on our <a href="https://gitlab.com/gitlab-org/gitlab/-/issues/?sort=created_date&amp;state=closed&amp;label_name%5B%5D=bug%3A%3Avulnerability&amp;confidential=no&amp;first_page_size=100">issue tracker</a> 30 days after the release in which they were patched.</p> <p>We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. 
As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more <a href="/blog/gitlab-instance-security-best-practices/">best practices in securing your GitLab instance</a> in our blog post.</p> <h3 id="recommended-action">Recommended Action</h3> <p>We <strong>strongly recommend</strong> that all installations running a version affected by the issues described below are <strong>upgraded to the latest version as soon as possible</strong>.</p> <p>When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.</p> <h2 id="table-of-fixes">Table of Fixes</h2> <table> <thead> <tr> <th>Title</th> <th>Severity</th> </tr> </thead> <tbody> <tr> <td><a href="#stored-xss-via-kroki-diagram">Stored XSS via Kroki diagram</a></td> <td>high</td> </tr> <tr> <td><a href="#prometheus-integration-google-iap-details-are-not-hidden-may-leak-account-details-from-instancegroupproject-settings">Prometheus integration Google IAP details are not hidden, may leak account details from instance/group/project settings</a></td> <td>medium</td> </tr> <tr> <td><a href="#improper-validation-of-sso-and-scim-tokens-while-managing-groups">Improper validation of SSO and SCIM tokens while managing groups</a></td> <td>medium</td> </tr> <tr> <td><a href="#maintainer-can-leak-datadog-api-key-by-changing-datadog-site">Maintainer can leak Datadog API key by changing Datadog site</a></td> <td>medium</td> </tr> <tr> <td><a href="#clipboard-based-xss-in-the-title-field-of-work-items">Clipboard based XSS in the title field of work items</a></td> <td>medium</td> </tr> <tr> <td><a href="#improper-user-right-checks-for-personal-snippets">Improper user right checks for personal snippets</a></td> <td>medium</td> </tr> <tr> <td><a href="#release-description-visible-in-public-projects-despite-release-set-as-project-members-only">Release 
Description visible in public projects despite release set as project members only</a></td> <td>medium</td> </tr> <tr> <td><a href="#group-integration-settings-sensitive-information-exposed-to-project-maintainers">Group integration settings sensitive information exposed to project maintainers</a></td> <td>medium</td> </tr> <tr> <td><a href="#improve-pagination-limits-for-commits">Improve pagination limits for commits</a></td> <td>medium</td> </tr> <tr> <td><a href="#gitlab-open-redirect-vulnerability">Gitlab Open Redirect Vulnerability</a></td> <td>medium</td> </tr> <tr> <td><a href="#maintainer-may-become-an-owner-of-a-project">Maintainer may become an Owner of a project</a></td> <td>low</td> </tr> </tbody> </table> <h2 id="stored-xss-via-kroki-diagram">Stored XSS via Kroki diagram</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/833 --> <p>An issue has been discovered in GitLab affecting all versions starting from 13.7 before 15.7.8, all versions starting from 15.8 before 15.8.4, all versions starting from 15.9 before 15.9.2. A specially crafted Kroki diagram could lead to a stored XSS on the client side which allows attackers to perform arbitrary actions on behalf of victims. This is a high severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N</code>, 8.7). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0050">CVE-2023-0050</a>.</p> <p>Thanks <a href="https://hackerone.com/vakzz">vakzz</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="prometheus-integration-google-iap-details-are-not-hidden-may-leak-account-details-from-instancegroupproject-settings">Prometheus integration Google IAP details are not hidden, may leak account details from instance/group/project settings</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/844 --> <p>An issue has been discovered in GitLab affecting all versions starting from 15.3 before 15.7.8, versions of 15.8 before 15.8.4, and version 15.9 before 15.9.2. Google IAP details in the Prometheus integration were not hidden and could be leaked from instance, group, or project settings to other users. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N</code>, 6.4). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4289">CVE-2022-4289</a>.</p> <p>Thanks <a href="https://hackerone.com/joaxcar">joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="improper-validation-of-sso-and-scim-tokens-while-managing-groups">Improper validation of SSO and SCIM tokens while managing groups</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/819 --> <p>An issue has been discovered in GitLab EE affecting all versions starting from 15.1 before 15.7.8, all versions starting from 15.8 before 15.8.4, all versions starting from 15.9 before 15.9.2. If a group with SAML SSO enabled is transferred to a new namespace as a child group, it's possible that a previously removed malicious maintainer or owner of the child group can still gain access to the group via SSO or a SCIM token to perform actions on the group. 
This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N</code>, 5.7). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4331">CVE-2022-4331</a>.</p> <p>Thanks <a href="https://hackerone.com/vaib25vicky">vaib25vicky</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="maintainer-can-leak-datadog-api-key-by-changing-datadog-site">Maintainer can leak Datadog API key by changing Datadog site</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/843 --> <p>An issue has been discovered in GitLab affecting all versions starting from 12.1 before 15.7.8, all versions starting from 15.8 before 15.8.4, all versions starting from 15.9 before 15.9.2. It was possible for a project maintainer to extract a Datadog integration API key by modifying the site. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N</code>, 5.5). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0483">CVE-2023-0483</a>.</p> <p>Thanks <a href="https://hackerone.com/akadrian">akadrian</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="clipboard-based-xss-in-the-title-field-of-work-items">Clipboard based XSS in the title field of work items</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/836 --> <p>An issue has been discovered in GitLab CE/EE affecting all versions from 15.3 prior to 15.7.8, version 15.8 prior to 15.8.4, and version 15.9 prior to 15.9.2. A cross-site scripting vulnerability was found in the title field of work items that allowed attackers to perform arbitrary actions on behalf of victims on the client side. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N</code>, 5.4). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4007">CVE-2022-4007</a>.</p> <p>Thanks <a href="https://hackerone.com/ryotak">ryotak</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="improper-user-right-checks-for-personal-snippets">Improper user right checks for personal snippets</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/816 --> <p>An issue has been discovered in GitLab affecting all versions starting from 15.5 before 15.7.8, all versions starting from 15.8 before 15.8.4, all versions starting from 15.9 before 15.9.2. Due to improper permissions checks an unauthorised user was able to read, add or edit a user's private snippet. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N</code>, 5.4). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3758">CVE-2022-3758</a>.</p> <p>Thanks <a href="https://hackerone.com/cryptopone">cryptopone</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="release-description-visible-in-public-projects-despite-release-set-as-project-members-only">Release Description visible in public projects despite release set as project members only</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/832 --> <p>An issue has been discovered in GitLab affecting all versions starting from 15.5 before 15.7.8, all versions starting from 15.8 before 15.8.4, all versions starting from 15.9 before 15.9.2. Non-project members could retrieve release descriptions via the API, even if the release visibility is restricted to project members only in the project settings. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N</code>, 5.3). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0223">CVE-2023-0223</a>.</p> <p>Thanks <a href="https://hackerone.com/ashish_r_padelkar">ashish_r_padelkar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="group-integration-settings-sensitive-information-exposed-to-project-maintainers">Group integration settings sensitive information exposed to project maintainers</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/842 --> <p>An issue has been discovered in GitLab affecting all versions starting from 12.8 before 15.7.8, all versions starting from 15.8 before 15.8.4, all versions starting from 15.9 before 15.9.2. This vulnerability could allow a user to unmask the Discord Webhook URL through viewing the raw API response. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N</code>, 5.0). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4462">CVE-2022-4462</a>.</p> <p>Thanks <a href="https://hackerone.com/vaib25vicky">vaib25vicky</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="improve-pagination-limits-for-commits">Improve pagination limits for commits</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/839 --> <p>An issue has been discovered in GitLab affecting all versions starting from 9.0 before 15.7.8, all versions starting from 15.8 before 15.8.4, all versions starting from 15.9 before 15.9.2. It was possible to trigger a resource depletion attack due to improper filtering for number of requests to read commits details. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L</code>, 4.3). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1072">CVE-2023-1072</a>.</p> <p>Thanks <a href="https://gitlab.com/nico28">Nico Jones</a> for reporting this vulnerability.</p> <h2 id="gitlab-open-redirect-vulnerability">Gitlab Open Redirect Vulnerability</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/836 --> <p>An issue has been discovered in GitLab affecting all versions starting from 10.0 to 15.7.8, 15.8 prior to 15.8.4 and 15.9 prior to 15.9.2. A crafted URL could be used to redirect users to arbitrary sites. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3381">CVE-2022-3381</a>.</p> <p>Thanks <a href="https://hackerone.com/burpheart">burpheart</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="maintainer-may-become-an-owner-of-a-project">Maintainer may become an Owner of a project</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/841 --> <p>An issue has been discovered in GitLab CE/EE affecting all versions before 15.7.8, all versions starting from 15.8 before 15.8.4, all versions starting from 15.9 before 15.9.2. A malicious project Maintainer may create a Project Access Token with Owner level privileges using a crafted request. This is a low severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N</code>, 2.7). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1084">CVE-2023-1084</a>.</p> <p>Thanks <a href="https://hackerone.com/shubham_sohi">@shubham_sohi</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="update-libksba">Update <code>libksba</code></h2> <p><code>libksba</code> and <code>libksba_project</code> have been updated to version 1.6.3 to mitigate potential security issues.</p> <h2 id="update-gnupg">Update <code>gnupg</code></h2> <p><code>gnupg</code> has been updated to 2.2.41 to mitigate potential security issues.</p> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">update page</a>. To update Gitlab Runner, see the <a href="https://docs.gitlab.com/runner/install/linux-repository.html#updating-the-runner">Updating the Runner page</a>.</p> <h2 id="receive-security-release-notifications">Receive Security Release Notifications</h2> <p>To receive security release blog notifications delivered to your inbox, visit our <a href="https://about.gitlab.com/company/contact/">contact us</a> page. 
To receive release notifications via RSS, subscribe to our <a href="https://about.gitlab.com/security-releases.xml">security release RSS feed</a> or our <a href="https://about.gitlab.com/all-releases.xml">RSS feed for all releases</a>.</p> <h1 id="gitlab-critical-security-release-15-8-2">GitLab Critical Security Release: 15.8.2, 15.7.7 and 15.6.8</h1> <p><a href="https://about.gitlab.com/releases/2023/02/14/critical-security-release-gitlab-15-8-2-released/">https://about.gitlab.com/releases/2023/02/14/critical-security-release-gitlab-15-8-2-released/</a>, 2023-02-14T00:00:00+00:00, Costel Maxim</p> <p>Today we are releasing versions 15.8.2, 15.7.7, and 15.6.8 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com and GitLab Dedicated are already running the patched version.</p> <p>GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our <a href="https://about.gitlab.com/security/faq/">security FAQ</a>. You can see all of our regular and security release blog posts <a href="/releases/categories/releases/">here</a>. In addition, the issues detailing each vulnerability are made public on our <a href="https://gitlab.com/gitlab-org/gitlab/issues?label_name%5B%5D=security&amp;scope=all&amp;state=opened">issue tracker</a> 30 days after the release in which they were patched.</p> <p>We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. 
As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more <a href="/blog/gitlab-instance-security-best-practices/">best practices in securing your GitLab instance</a> in our blog post.</p> <h3 id="recommended-action">Recommended Action</h3> <p>We <strong>strongly recommend</strong> that all installations running a version affected by the issues described below are <strong>upgraded to the latest version as soon as possible</strong>.</p> <p>When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.</p> <h2 id="table-of-fixes">Table of Fixes</h2> <table> <thead> <tr> <th>Title</th> <th>Severity</th> </tr> </thead> <tbody> <tr> <td><a href="#security-issues-in-git">Security issues in Git</a></td> <td>Critical</td> </tr> </tbody> </table> <h2 id="security-issues-in-git">Security issues in Git</h2> <p>This release addresses the security issues <a href="https://nvd.nist.gov/vuln/detail/CVE-2023-23946">CVE-2023-23946</a> and <a href="https://nvd.nist.gov/vuln/detail/CVE-2023-22490">CVE-2023-22490</a> in <a href="https://git-scm.com/">Git</a>.</p> <p>These vulnerabilities affect all previous versions of GitLab.</p> <p>The details of these vulnerabilities are as follows:</p> <h3 id="cve-2023-23946">CVE-2023-23946</h3> <p>A user can feed a specially crafted input to <code>git apply</code> to overwrite a path outside the working tree.</p> <p>This can be used to execute arbitrary commands in GitLab installations within GitLab's Gitaly environment.</p> <p>Credit for finding CVE-2023-23946 goes to Joern Schneeweisz of GitLab.</p> <h3 id="cve-2023-22490">CVE-2023-22490</h3> <p>Using a specially-crafted repository, Git can be tricked into using its local clone optimization even when using a non-local transport. 
Though Git will abort local clones whose source $GIT_DIR/objects directory contains symbolic links (cf. CVE-2022-39253), the objects directory itself may still be a symbolic link.</p> <p>These two may be combined to include arbitrary files based on known paths on the victim's filesystem within the malicious repository's working copy, allowing for data exfiltration in a similar manner as CVE-2022-39253.</p> <p>Credit for finding CVE-2023-22490 goes to yvvdwf.</p> <h2 id="update-python">Update Python</h2> <p>Python has been updated to version 3.9.16 in order to mitigate security issues.</p> <h3 id="versions-affected">Versions affected</h3> <p>Affects all GitLab Omnibus versions from 14.1 to 15.6.7, all 15.7 versions before 15.7.7, and all 15.8 versions before 15.8.2.</p> <h2 id="non-security-patches">Non-security patches</h2> <p>This security release also includes the following non-security patches.</p> <p>Into 15.8.2:</p> <ul> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/110651">Fix false positives for approved by insufficient users violation</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/111527">gitaly: Remove readiness check</a></li> </ul> <p>Into 15.7.7:</p> <ul> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/111585">GitLab Version Check - Add feature flag</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/111527">gitaly: Remove readiness check</a></li> </ul> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">update page</a>.</p> <h2 id="receive-security-release-notifications">Receive Security Release Notifications</h2> <p>To receive security release blog notifications delivered to your inbox, visit our <a href="https://about.gitlab.com/company/contact/">contact us</a> page. 
To receive release notifications via RSS, subscribe to our <a href="https://about.gitlab.com/security-releases.xml">security release RSS feed</a> or our <a href="https://about.gitlab.com/all-releases.xml">RSS feed for all releases</a>.</p> <img src='https://about.gitlab.com/images/blogimages/security-cover-new.png' class='webfeedsFeaturedVisual' style='display: none;' /> GitLab Security Release: 15.8.1, 15.7.6, and 15.6.7 https://about.gitlab.com/releases/2023/01/31/security-release-gitlab-15-8-1-released/ 2023-01-31T00:00:00+00:00 2023-01-31T00:00:00+00:00 Nick Malcolm <p>Today we are releasing versions 15.8.1, 15.7.6, and 15.6.7 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.</p> <p>GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our <a href="https://about.gitlab.com/security/faq/">security FAQ</a>. You can see all of our regular and security release blog posts <a href="/releases/categories/releases/">here</a>. In addition, the issues detailing each vulnerability are made public on our <a href="https://gitlab.com/gitlab-org/gitlab/issues?label_name%5B%5D=security&amp;scope=all&amp;state=opened">issue tracker</a> 30 days after the release in which they were patched.</p> <p>We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. 
As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more <a href="/blog/gitlab-instance-security-best-practices/">best practices in securing your GitLab instance</a> in our blog post.</p> <h3 id="recommended-action">Recommended Action</h3> <p>We <strong>strongly recommend</strong> that all installations running a version affected by the issues described below are <strong>upgraded to the latest version as soon as possible</strong>.</p> <p>When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.</p> <h2 id="table-of-fixes">Table of Fixes</h2> <table> <thead> <tr> <th>Title</th> <th>Severity</th> </tr> </thead> <tbody> <tr> <td><a href="#denial-of-service-via-arbitrarily-large-issue-descriptions">Denial of Service via arbitrarily large Issue descriptions</a></td> <td>medium</td> </tr> <tr> <td><a href="#csrf-via-file-upload-allows-an-attacker-to-take-over-a-repository">CSRF via file upload allows an attacker to take over a repository.</a></td> <td>medium</td> </tr> <tr> <td><a href="#sidekiq-background-job-dos-by-uploading-malicious-ci-job-artifact-zips">Sidekiq background job DoS by uploading malicious CI job artifact zips</a></td> <td>medium</td> </tr> <tr> <td><a href="#sidekiq-background-job-dos-by-uploading-a-malicious-helm-package">Sidekiq background job DoS by uploading a malicious Helm package</a></td> <td>medium</td> </tr> </tbody> </table> <h2 id="denial-of-service-via-arbitrarily-large-issue-descriptions">Denial of Service via arbitrarily large Issue descriptions</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/817 --> <p>A lack of length validation in GitLab CE/EE affecting all versions from 12.4 before 15.6.7, 15.7 before 15.7.6, and 15.8 before 15.8.1 allows an authenticated attacker to create a large Issue description via GraphQL which, when 
repeatedly requested, saturates CPU usage. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H</code>, 6.5). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3411">CVE-2022-3411</a>.</p> <p>Thanks <a href="https://hackerone.com/cryptopone">cryptopone</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="csrf-via-file-upload-allows-an-attacker-to-take-over-a-repository">CSRF via file upload allows an attacker to take over a repository.</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/820 --> <p>A Cross Site Request Forgery issue has been discovered in GitLab CE/EE affecting all versions before 15.6.7, all versions starting from 15.7 before 15.7.6, and all versions starting from 15.8 before 15.8.1. An attacker could take over a project if an Owner or Maintainer uploads a file to a malicious project. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N</code>, 6.4). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4138">CVE-2022-4138</a>.</p> <p>Thanks <a href="https://hackerone.com/st4nly0n">st4nly0n</a> and <a href="https://hackerone.com/joaxcar">joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="sidekiq-background-job-dos-by-uploading-malicious-ci-job-artifact-zips">Sidekiq background job DoS by uploading malicious CI job artifact zips</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/810 --> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting from 14.3 before 15.6.7, all versions starting from 15.7 before 15.7.6, all versions starting from 15.8 before 15.8.1. An attacker may upload a crafted CI job artifact zip file in a project that uses dynamic child pipelines and make a sidekiq job allocate a lot of memory. 
In GitLab instances where Sidekiq is memory-limited, this may cause Denial of Service. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L</code>, 4.3). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3759">CVE-2022-3759</a>.</p> <p>Thanks <a href="https://hackerone.com/luryus">luryus</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="sidekiq-background-job-dos-by-uploading-a-malicious-helm-package">Sidekiq background job DoS by uploading a malicious Helm package</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/818 --> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting from 14.0 before 15.6.7, all versions starting from 15.7 before 15.7.6, all versions starting from 15.8 before 15.8.1. It was possible to trigger a DoS attack by uploading a malicious Helm chart. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L</code>, 4.3). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0518">CVE-2023-0518</a>.</p> <p>Thanks <a href="https://hackerone.com/luryus">luryus</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="update-mattermost">Update Mattermost</h2> <!-- https://gitlab.com/gitlab-org/security/omnibus-gitlab/-/issues/79 --> <p>Mattermost has been updated to versions 7.5.2, 7.4.1, and 7.1.5 in order to mitigate security issues.</p> <h3 id="versions-affected">Versions affected</h3> <p>Affects versions 15.6 and 15.7 of GitLab Omnibus. 
GitLab 15.8 already included Mattermost 7.5.2.</p> <h2 id="non-security-patches">Non-security patches</h2> <p>This security release also includes the following non-security patches.</p> <p>Into 15.6.7:</p> <ul> <li><a href="https://gitlab.com/gitlab-org/build/CNG/-/merge_requests/1233">Ensure Workhorse is built with FIPS for CNG</a></li> <li><a href="https://gitlab.com/gitlab-org/build/CNG/-/merge_requests/1252">Grab gitlab-logger archives from the new project location</a></li> <li><a href="https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/6575">Ensure Workhorse is built in FIPS mode for Omnibus</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/106592">Doc: FIPS, update omnibus language</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/106986">Only refresh indexes that exist</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/109098">Clear DuplicateJobs cookies from post-deployment migration</a></li> <li><a href="https://gitlab.com/gitlab-org/build/CNG/-/merge_requests/1273">Upgrade GitLab logger to v2.3.0</a></li> </ul> <p>Into 15.7.6:</p> <ul> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/109690">Geo - Remove parameter validation for registry notification request</a></li> </ul> <p>Into 15.8.1:</p> <ul> <li><a href="https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/6644">Fix command in print-release-contents job</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/109991">Fix resource_parent in FOSS instances</a></li> <li><a href="https://gitlab.com/gitlab-org/gitlab/-/merge_requests/109690">Geo - Remove parameter validation for registry notification request</a></li> </ul> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">update page</a>. 
To update GitLab Runner, see the <a href="https://docs.gitlab.com/runner/install/linux-repository.html#updating-the-runner">Updating the Runner page</a>.</p> <h2 id="receive-security-release-notifications">Receive Security Release Notifications</h2> <p>To receive security release blog notifications delivered to your inbox, visit our <a href="https://about.gitlab.com/company/contact/">contact us</a> page. To receive release notifications via RSS, subscribe to our <a href="https://about.gitlab.com/security-releases.xml">security release RSS feed</a> or our <a href="https://about.gitlab.com/all-releases.xml">RSS feed for all releases</a>.</p> <img src='https://about.gitlab.com/images/blogimages/security-cover-new.png' class='webfeedsFeaturedVisual' style='display: none;' /> GitLab Critical Security Release: 15.7.5, 15.6.6, and 15.5.9 https://about.gitlab.com/releases/2023/01/17/critical-security-release-gitlab-15-7-5-released/ 2023-01-17T00:00:00+00:00 2023-01-17T00:00:00+00:00 Nick Malcolm <p>Today we are releasing versions 15.7.5, 15.6.6, and 15.5.9 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com and GitLab Dedicated are already running the patched version.</p> <p>UPDATE (2023-01-20): In addition, we have released GitLab Runner versions 15.8.0, 15.7.3, 15.6.3, and 15.5.2. These images contain updates to the <a href="https://docs.gitlab.com/runner/configuration/advanced-configuration.html#helper-image">Docker helper images</a> to address the Git vulnerabilities.</p> <p>GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. 
For more information, you can visit our <a href="https://about.gitlab.com/security/faq/">security FAQ</a>. You can see all of our regular and security release blog posts <a href="/releases/categories/releases/">here</a>. In addition, the issues detailing each vulnerability are made public on our <a href="https://gitlab.com/gitlab-org/gitlab/issues?label_name%5B%5D=security&amp;scope=all&amp;state=opened">issue tracker</a> 30 days after the release in which they were patched.</p> <p>We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more <a href="/blog/gitlab-instance-security-best-practices/">best practices in securing your GitLab instance</a> in our blog post.</p> <h3 id="recommended-action">Recommended Action</h3> <p>We <strong>strongly recommend</strong> that all installations running a version affected by the issues described below are <strong>upgraded to the latest version as soon as possible</strong>.</p> <p>When no specific deployment type (omnibus, source code, helm chart, etc.) 
of a product is mentioned, this means all types are affected.</p> <h2 id="table-of-fixes">Table of Fixes</h2> <table> <thead> <tr> <th>Title</th> <th>Severity</th> </tr> </thead> <tbody> <tr> <td><a href="#critical-security-issues-in-git">Critical security issues in Git</a></td> <td>Critical</td> </tr> </tbody> </table> <h2 id="critical-security-issues-in-git">Critical security issues in Git</h2> <p>This release addresses the security issues <a href="https://nvd.nist.gov/vuln/detail/CVE-2022-41903">CVE-2022-41903</a> and <a href="https://nvd.nist.gov/vuln/detail/CVE-2022-23521">CVE-2022-23521</a> in <a href="https://git-scm.com/">Git</a>.</p> <p>These vulnerabilities affect all previous versions of GitLab.</p> <p>The details of these vulnerabilities are as follows:</p> <h3 id="cve-2022-41903">CVE-2022-41903</h3> <p>The <code>git-log</code> command has the ability to display commits using an arbitrary format with its <code>--format</code> specifiers. This functionality is also exposed to <code>git-archive</code> via the <code>export-subst</code> gitattribute.</p> <p>When processing the padding operators (e.g., <code>%&lt;(</code>, <code>%&lt;|(</code>, <code>%&gt;(</code>, <code>%&gt;&gt;(</code>, or <code>%&gt;&lt;(</code>), an integer overflow can occur in <code>pretty.c::format_and_pad_commit()</code> where a <code>size_t</code> is improperly stored as an <code>int</code>, and then added as an offset to a subsequent <code>memcpy()</code> call.</p> <p>This overflow can be triggered directly by a user running a command which invokes the commit formatting machinery (e.g., <code>git log --format=...</code>). 
It may also be triggered indirectly through <code>git-archive</code> via the <code>export-subst</code> mechanism, which expands format specifiers inside of files within the repository during a git archive.</p> <p>This integer overflow can result in arbitrary heap writes, which may result in remote code execution.</p> <p>Credit for finding CVE-2022-41903 goes to Joern Schneeweisz of GitLab.</p> <h3 id="cve-2022-23521">CVE-2022-23521</h3> <p>gitattributes are a mechanism to allow defining attributes for paths. These attributes can be defined by adding a <code>.gitattributes</code> file to the repository, which contains a set of file patterns and the attributes that should be set for paths matching this pattern.</p> <p>When parsing gitattributes, multiple integer overflows can occur when there is a huge number of path patterns, a huge number of attributes for a single pattern, or when the declared attribute names are huge.</p> <p>These overflows can be triggered via a crafted <code>.gitattributes</code> file that may be part of the commit history. Git silently splits lines longer than 2KB when parsing gitattributes from a file, but not when parsing them from the index. Consequently, the failure mode depends on whether the file exists in the working tree, the index or both.</p> <p>This integer overflow can result in arbitrary heap reads and writes, which may result in remote code execution.</p> <p>Credit for finding CVE-2022-23521 goes to Markus Vervier and Eric Sesterhenn of X41 D-Sec.</p> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">update page</a>.</p> <p>Note: GitLab releases have skipped 15.7.4, 15.6.5, and 15.5.8. There are no patches with these version numbers.</p> <p>To update GitLab Runner, see the <a href="https://docs.gitlab.com/runner/install/linux-repository.html#updating-the-runner">Updating the Runner page</a>. 
These security releases update Git on the helper images, which are used by the Docker and Kubernetes executors. If you are using a shell executor, you will need to update Git on your operating system.</p> <h2 id="receive-security-release-notifications">Receive Security Release Notifications</h2> <p>To receive security release blog notifications delivered to your inbox, visit our <a href="https://about.gitlab.com/company/contact/">contact us</a> page. To receive release notifications via RSS, subscribe to our <a href="https://about.gitlab.com/security-releases.xml">security release RSS feed</a> or our <a href="https://about.gitlab.com/all-releases.xml">RSS feed for all releases</a>.</p> <img src='https://about.gitlab.com/images/blogimages/security-cover-new.png' class='webfeedsFeaturedVisual' style='display: none;' /> GitLab Security Release: 15.7.2, 15.6.4, and 15.5.7 https://about.gitlab.com/releases/2023/01/09/security-release-gitlab-15-7-2-released/ 2023-01-09T00:00:00+00:00 2023-01-09T00:00:00+00:00 Kevin Morrison <p>Today we are releasing versions 15.7.2, 15.6.4, and 15.5.7 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.</p> <p>GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our <a href="https://about.gitlab.com/security/faq/">security FAQ</a>. You can see all of our regular and security release blog posts <a href="/releases/categories/releases/">here</a>. 
In addition, the issues detailing each vulnerability are made public on our <a href="https://gitlab.com/gitlab-org/gitlab/issues?label_name%5B%5D=security&amp;scope=all&amp;state=opened">issue tracker</a> 30 days after the release in which they were patched.</p> <p>We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more <a href="/blog/gitlab-instance-security-best-practices/">best practices in securing your GitLab instance</a> in our blog post.</p> <h3 id="recommended-action">Recommended Action</h3> <p>We <strong>strongly recommend</strong> that all installations running a version affected by the issues described below are <strong>upgraded to the latest version as soon as possible</strong>.</p> <p>When no specific deployment type (omnibus, source code, helm chart, etc.) 
of a product is mentioned, this means all types are affected.</p> <h2 id="table-of-fixes">Table of Fixes</h2> <table> <thead> <tr> <th>Title</th> <th>Severity</th> </tr> </thead> <tbody> <tr> <td><a href="#race-condition-on-gitlabcom-enables-verified-email-forgery--third-party-account-hijacking">Race condition on gitlab.com enables verified email forgery &amp; third-party account hijacking</a></td> <td>medium</td> </tr> <tr> <td><a href="#dos-and-high-resource-consumption-of-prometheus-server-through-abuse-of-grafana-integration-proxy-endpoint">DoS and high resource consumption of Prometheus server through abuse of Grafana integration proxy endpoint</a></td> <td>medium</td> </tr> <tr> <td><a href="#maintainer-can-leak-sentry-token-by-changing-the-configured-url">Maintainer can leak sentry token by changing the configured URL</a></td> <td>medium</td> </tr> <tr> <td><a href="#maintainer-can-leak-masked-webhook-secrets-by-changing-target-url-of-the-webhook">Maintainer can leak masked webhook secrets by changing target URL of the webhook</a></td> <td>medium</td> </tr> <tr> <td><a href="#cross-site-scripting-in-wiki-changes-page-affecting-self-hosted-instances-running-without-strict-csp">Cross-site scripting in wiki changes page affecting self-hosted instances running without strict CSP</a></td> <td>medium</td> </tr> <tr> <td><a href="#group-access-tokens-continue-to-work-after-owner-loses-ability-to-revoke-them">Group access tokens continue to work after owner loses ability to revoke them</a></td> <td>medium</td> </tr> <tr> <td><a href="#users-avatar-disclosure-by-user-id-in-private-gitlab-instances">Users' avatar disclosure by user ID in private GitLab instances</a></td> <td>medium</td> </tr> <tr> <td><a href="#arbitrary-protocol-redirection-in-gitlab-pages">Arbitrary Protocol Redirection in GitLab Pages</a></td> <td>medium</td> </tr> <tr> <td><a href="#regex-dos-due-to-device-detector-parsing-user-agents">ReDoS due to device-detector parsing user agents</a></td> 
<td>medium</td> </tr> <tr> <td><a href="#regex-dos-in-the-submodule-url-parser">Regex DoS in the Submodule URL Parser</a></td> <td>medium</td> </tr> </tbody> </table> <h2 id="race-condition-on-gitlabcom-enables-verified-email-forgery--third-party-account-hijacking">Race condition on gitlab.com enables verified email forgery &amp; third-party account hijacking</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/804 --> <p>An issue has been discovered in GitLab CE/EE affecting all versions before 15.5.7, all versions starting from 15.6 before 15.6.4, and all versions starting from 15.7 before 15.7.2. A race condition can lead to verified email forgery and takeover of third-party accounts when using GitLab as an OAuth provider. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N</code>, 6.4). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4037">CVE-2022-4037</a>.</p> <p>Thanks to an anonymous researcher for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="dos-and-high-resource-consumption-of-prometheus-server-through-abuse-of-grafana-integration-proxy-endpoint">DoS and high resource consumption of Prometheus server through abuse of Grafana integration proxy endpoint</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/805 --> <p>An issue has been discovered in GitLab CE/EE affecting all versions before 15.5.7, all versions starting from 15.6 before 15.6.4, and all versions starting from 15.7 before 15.7.2. A crafted Prometheus Server query can cause high resource consumption and may lead to Denial of Service. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L</code>, 5.8). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3613">CVE-2022-3613</a>.</p> <p>Thanks <a href="https://hackerone.com/joaxcar">joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="maintainer-can-leak-sentry-token-by-changing-the-configured-url">Maintainer can leak sentry token by changing the configured URL</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/813 --> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.8 before 15.5.7, all versions starting from 15.6 before 15.6.4, all versions starting from 15.7 before 15.7.2. A malicious Maintainer can leak the sentry token by changing the configured URL in the Sentry error tracking settings page. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N</code>, 5.5). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4365">CVE-2022-4365</a>.</p> <p>Thanks <a href="https://hackerone.com/joaxcar">joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="maintainer-can-leak-masked-webhook-secrets-by-changing-target-url-of-the-webhook">Maintainer can leak masked webhook secrets by changing target URL of the webhook</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/814 --> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.1 before 15.5.7, all versions starting from 15.6 before 15.6.4, all versions starting from 15.7 before 15.7.2. A malicious Maintainer can leak masked webhook secrets by changing target URL of the webhook. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N</code>, 5.5). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4342">CVE-2022-4342</a>.</p> <p>Thanks <a href="https://hackerone.com/joaxcar">joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="cross-site-scripting-in-wiki-changes-page-affecting-self-hosted-instances-running-without-strict-csp">Cross-site scripting in wiki changes page affecting self-hosted instances running without strict CSP</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/803 --> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.4 before 15.5.7, all versions starting from 15.6 before 15.6.4, all versions starting from 15.7 before 15.7.2. Due to the improper filtering of query parameters in the wiki changes page, an attacker can execute arbitrary JavaScript on the self-hosted instances running without strict CSP. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N</code>, 5.4). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3573">CVE-2022-3573</a>.</p> <p>Thanks <a href="https://hackerone.com/ryotak">ryotak</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="group-access-tokens-continue-to-work-after-owner-loses-ability-to-revoke-them">Group access tokens continue to work after owner loses ability to revoke them</h2> <p>Incorrect Authorization check affecting all versions of GitLab EE from 13.11 prior to 15.5.7, 15.6 prior to 15.6.4, and 15.7 prior to 15.7.2 allows group access tokens to continue working even after the group owner loses the ability to revoke them. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N</code>, 5.3). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4167">CVE-2022-4167</a>.</p> <p>This vulnerability was reported to us by a customer.</p> <h2 id="users-avatar-disclosure-by-user-id-in-private-gitlab-instances">Users' avatar disclosure by user ID in private GitLab instances</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/801 --> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.0 before 15.5.7, all versions starting from 15.6 before 15.6.4, all versions starting from 15.7 before 15.7.2. GitLab allows unauthenticated users to download user avatars using the victim's user ID, on private instances that restrict public level visibility. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N</code>, 5.3). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3870">CVE-2022-3870</a>.</p> <p>Thanks <a href="https://hackerone.com/nocasis">nocasis</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="arbitrary-protocol-redirection-in-gitlab-pages">Arbitrary Protocol Redirection in GitLab Pages</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/811 --> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.4 prior to 15.5.7, 15.6 prior to 15.6.4, and 15.7 prior to 15.7.2. GitLab Pages allows redirection to arbitrary protocols. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 4.3). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0042">CVE-2023-0042</a>.</p> <p>This vulnerability was discovered internally by a GitLab team member, Joern Schneeweisz.</p> <h2 id="regex-dos-due-to-device-detector-parsing-user-agents">Regex DoS due to device-detector parsing user agents</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/815 --> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.8 before 15.5.7, all versions starting from 15.6 before 15.6.4, and all versions starting from 15.7 before 15.7.2. An attacker may cause Denial of Service on a GitLab instance by exploiting a regex issue in how the application parses user agents. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L</code>, 4.3). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4131">CVE-2022-4131</a>.</p> <p>Thanks <a href="https://hackerone.com/afewgoats">afewgoats</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="regex-dos-in-the-submodule-url-parser">Regex DoS in the Submodule URL Parser</h2> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting from 6.6 before 15.5.7, all versions starting from 15.6 before 15.6.4, and all versions starting from 15.7 before 15.7.2. An attacker may cause Denial of Service on a GitLab instance by exploiting a regex issue in the submodule URL parser. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L</code>, 4.3). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3514">CVE-2022-3514</a>.</p> <p>Thanks <a href="https://hackerone.com/mokusou">mokusou</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="update-mattermost">Update Mattermost</h2> <p>Mattermost has been updated to version 7.3.1 in order to mitigate security issues.</p> <h3 id="versions-affected">Versions affected</h3> <p>Affects all versions of GitLab Omnibus 15.4 and 15.5.</p> <h2 id="update-python">Update Python</h2> <p>Python has been updated to version 3.8.16 in order to mitigate security issues.</p> <h3 id="versions-affected-1">Versions affected</h3> <p>Affects all versions of GitLab Omnibus 15.5, 15.6 and 15.7.</p> <h2 id="update-logrotate">Update Logrotate</h2> <p>Logrotate has been updated to version 3.20.1 in order to mitigate security issues.</p> <h3 id="versions-affected-2">Versions affected</h3> <p>Affects all versions of GitLab Omnibus 15.5, 15.6 and 15.7.</p> <h2 id="update-redis">Update Redis</h2> <p>Redis has been updated to version 6.2.8 in order to mitigate security issues.</p> <h3 id="versions-affected-3">Versions affected</h3> <p>Affects all versions of GitLab Omnibus.</p> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">update page</a>. To update GitLab Runner, see the <a href="https://docs.gitlab.com/runner/install/linux-repository.html#updating-the-runner">Updating the Runner page</a>.</p> <h2 id="receive-security-release-notifications">Receive Security Release Notifications</h2> <p>To receive security release blog notifications delivered to your inbox, visit our <a href="https://about.gitlab.com/company/contact/">contact us</a> page. 
To receive release notifications via RSS, subscribe to our <a href="https://about.gitlab.com/security-releases.xml">security release RSS feed</a> or our <a href="https://about.gitlab.com/all-releases.xml">RSS feed for all releases</a>.</p> <img src='https://about.gitlab.com/images/blogimages/security-cover-new.png' class='webfeedsFeaturedVisual' style='display: none;' /> GitLab Security Release: 15.6.1, 15.5.5 and 15.4.6 https://about.gitlab.com/releases/2022/11/30/security-release-gitlab-15-6-1-released/ 2022-11-30T00:00:00+00:00 2022-11-30T00:00:00+00:00 Nikhil George <p>Today we are releasing versions 15.6.1, 15.5.5 and 15.4.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.</p> <p>GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our <a href="https://about.gitlab.com/security/faq/">security FAQ</a>. You can see all of our regular and security release blog posts <a href="/releases/categories/releases/">here</a>. In addition, the issues detailing each vulnerability are made public on our <a href="https://gitlab.com/gitlab-org/gitlab/issues?label_name%5B%5D=security&amp;scope=all&amp;state=opened">issue tracker</a> 30 days after the release in which they were patched.</p> <p>We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. 
As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more <a href="/blog/gitlab-instance-security-best-practices/">best practices in securing your GitLab instance</a> in our blog post.</p> <h3 id="recommended-action">Recommended Action</h3> <p>We <strong>strongly recommend</strong> that all installations running a version affected by the issues described below are <strong>upgraded to the latest version as soon as possible</strong>.</p> <p>When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.</p> <h2 id="table-of-fixes">Table of Fixes</h2> <table> <thead> <tr> <th>Title</th> <th>Severity</th> </tr> </thead> <tbody> <tr> <td><a href="#dast-api-scanner-exposes-authorization-headers-in-vulnerabilities">DAST API scanner exposes Authorization headers in vulnerabilities</a></td> <td>medium</td> </tr> <tr> <td><a href="#group-ip-allow-list-not-fully-respected-by-the-package-registry">Group IP allow-list not fully respected by the Package Registry</a></td> <td>medium</td> </tr> <tr> <td><a href="#deploy-keys-and-tokens-may-bypass-external-authorization-service-if-it-is-enabled">Deploy keys and tokens may bypass External Authorization service if it is enabled</a></td> <td>medium</td> </tr> <tr> <td><a href="#html-content-injection-in-readme-file">HTML content injection in README file</a></td> <td>medium</td> </tr> <tr> <td><a href="#repository-import-still-allows-to-import-40-hexadecimal-branches">Repository import still allows to import 40 hexadecimal branches</a></td> <td>medium</td> </tr> <tr> <td><a href="#webhook-secret-tokens-leaked-in-webhook-logs">Webhook secret tokens leaked in webhook logs</a></td> <td>medium</td> </tr> <tr> <td><a href="#maintainer-can-leak-webhook-secret-token-by-changing-the-webhook-url">Maintainer can leak webhook secret token by changing the 
webhook URL</a></td> <td>medium</td> </tr> <tr> <td><a href="#cross-site-scripting-in-jira-integration-affecting-self-hosted-instances-without-strict-csp">Cross-site scripting in Jira Integration affecting self-hosted instances without strict CSP</a></td> <td>medium</td> </tr> <tr> <td><a href="#release-names-visible-in-public-projects-despite-release-set-as-project-members-only">Release names visible in public projects despite release set as project members only</a></td> <td>medium</td> </tr> <tr> <td><a href="#sidekiq-background-job-dos-by-uploading-malicious-nuget-packages">Sidekiq background job DoS by uploading malicious NuGet packages</a></td> <td>medium</td> </tr> <tr> <td><a href="#email-id-leaked-through-webhook-payloads">Email ID leaked through Webhook payloads</a></td> <td>medium</td> </tr> <tr> <td><a href="#blind-ssrf-in-repository-mirroring-using-dns-rebinding">Blind SSRF in repository mirroring using DNS rebinding</a></td> <td>medium</td> </tr> <tr> <td><a href="#ssrf-in-web-terminal-advertise_address">SSRF in Web Terminal advertise_address</a></td> <td>low</td> </tr> </tbody> </table> <h2 id="dast-api-scanner-exposes-authorization-headers-in-vulnerabilities">DAST API scanner exposes Authorization headers in vulnerabilities</h2> <!-- https://gitlab.com/gitlab-org/gitlab/-/issues/383083 --> <p>A sensitive information leak issue has been discovered in all versions of DAST API scanner from 1.6.50 prior to 2.0.102, exposing the Authorization header in the vulnerability report. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N</code>, 5.0).
It is now mitigated in the latest release of DAST API scanner and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4206">CVE-2022-4206</a>.</p> <p>This vulnerability has been discovered internally by the GitLab team.</p> <h2 id="group-ip-allow-list-not-fully-respected-by-the-package-registry">Group IP allow-list not fully respected by the Package Registry</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/782 --> <p>An issue has been discovered in GitLab affecting all versions starting from 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2. GitLab was not performing correct authentication with some Package Registries when IP address restrictions were configured, allowing an attacker already in possession of a valid Deploy Token to misuse it from any location. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N</code>, 6.5). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3820">CVE-2022-3820</a>.</p> <p>This vulnerability has been discovered internally by the GitLab team.</p> <h2 id="deploy-keys-and-tokens-may-bypass-external-authorization-service-if-it-is-enabled">Deploy keys and tokens may bypass External Authorization service if it is enabled</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/773 --> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.9 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2. A group owner may be able to bypass External Authorization check, if it is enabled, to access git repositories and package registries by using Deploy tokens or Deploy keys. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N</code>, 6.5). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3740">CVE-2022-3740</a>.</p> <p>Thanks <a href="https://hackerone.com/joaxcar">joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="repository-import-still-allows-to-import-40-hexadecimal-branches">Repository import still allows to import 40 hexadecimal branches</h2> <p>In GitLab EE/CE before 15.6.1, 15.5.5 and 15.4.6, importing a repository that contains a branch whose name is a 40-character hexadecimal string, the same form as a commit SHA, could override an existing hash. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:L</code>, 6.3). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4205">CVE-2022-4205</a>.</p> <p>This vulnerability has been discovered internally by the GitLab team.</p> <h2 id="html-content-injection-in-readme-file">HTML content injection in README file</h2> <p>An issue has been discovered in GitLab EE affecting all versions starting from 15.6 before 15.6.1. It was possible to create a malicious README page due to improper neutralisation of user-supplied input. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N</code>, 5.7). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4092">CVE-2022-4092</a>.</p> <p>Thanks <a href="https://hackerone.com/yvvdwf">yvvdwf</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="webhook-secret-tokens-leaked-in-webhook-logs">Webhook secret tokens leaked in webhook logs</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/797 --> <p>An issue has been discovered in GitLab affecting all versions starting from 9.3 before 15.4.6, all versions starting from 15.5 before 15.5.5, all versions starting from 15.6 before 15.6.1.
It was possible for a project maintainer to unmask webhook secret tokens by reviewing the logs after testing webhooks. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N</code>, 5.5). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3902">CVE-2022-3902</a>.</p> <p>Thanks <a href="https://hackerone.com/joaxcar">joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="maintainer-can-leak-webhook-secret-token-by-changing-the-webhook-url">Maintainer can leak webhook secret token by changing the webhook URL</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/795 --> <p>An issue has been discovered in GitLab affecting all versions starting from 9.3 before 15.4.6, all versions starting from 15.5 before 15.5.5, all versions starting from 15.6 before 15.6.1. It was possible for a project maintainer to leak a webhook secret token by changing the webhook URL to an endpoint that allows them to capture request headers. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N</code>, 5.5). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4054">CVE-2022-4054</a>.</p> <p>Thanks <a href="https://hackerone.com/joaxcar">joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="cross-site-scripting-in-jira-integration-affecting-self-hosted-instances-without-strict-csp">Cross-site scripting in Jira Integration affecting self-hosted instances without strict CSP</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/799 --> <p>A cross-site scripting issue has been discovered in GitLab CE/EE affecting all versions from 13.5 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2. 
It was possible to exploit a vulnerability in setting the Jira Connect integration which could lead to a reflected XSS that allowed attackers to perform arbitrary actions on behalf of victims. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N</code>, 5.4). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3572">CVE-2022-3572</a>.</p> <p>Thanks <a href="https://hackerone.com/ryotak">ryotak</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="release-names-visible-in-public-projects-despite-release-set-as-project-members-only">Release names visible in public projects despite release set as project members only</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/794 --> <p>An improper access control issue in GitLab CE/EE affecting all versions from 11.3 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allowed an unauthorized user to see release names even when releases were set to be restricted to project members only. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N</code>, 5.3). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3482">CVE-2022-3482</a>.</p> <p>Thanks <a href="https://hackerone.com/ashish_r_padelkar">ashish_r_padelkar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="email-id-leaked-through-webhook-payloads">Email ID leaked through Webhook payloads</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/790 --> <p>An info leak issue was identified in all versions of GitLab EE from 13.7 prior to 15.4.6, 15.5 prior to 15.5.5, and 15.6 prior to 15.6.1 which exposes user email id through webhook payload. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 4.3). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4255">CVE-2022-4255</a>.</p> <p>This vulnerability has been discovered internally by the GitLab team.</p> <h2 id="sidekiq-background-job-dos-by-uploading-malicious-nuget-packages">Sidekiq background job DoS by uploading malicious NuGet packages</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/793 --> <p>An issue has been discovered in GitLab affecting all versions starting from 12.8 before 15.4.6, all versions starting from 15.5 before 15.5.5, all versions starting from 15.6 before 15.6.1. It was possible to trigger a DoS attack by uploading a malicious NuGet package. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L</code>, 4.3). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3478">CVE-2022-3478</a>.</p> <p>Thanks <a href="https://hackerone.com/luryus">luryus</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="blind-ssrf-in-repository-mirroring-using-dns-rebinding">Blind SSRF in repository mirroring using DNS rebinding</h2> <p>A blind SSRF vulnerability was identified in all versions of GitLab EE prior to 15.4.6, 15.5 prior to 15.5.5, and 15.6 prior to 15.6.1 which allows an attacker to connect to a local host. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 4.3). 
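</p>
<p>DNS rebinding defeats the common pattern of resolving a mirror URL's hostname, checking that the address is not internal, and then handing the original URL to an HTTP client that resolves the name a second time. The Ruby below is an added example, not GitLab's code; it simulates the attacker's DNS server and the outbound connection with injected lambdas, and every hostname and address in it is constructed.</p>

```ruby
require "ipaddr"
require "uri"

# Added example (not GitLab code): why a "resolve, check, then connect by
# hostname" SSRF filter is defeated by DNS rebinding, and the fix of pinning the
# checked address. Network access is simulated by the injected resolver and
# connector lambdas; all names and addresses below are constructed.

# Address ranges an outbound fetch from a server must never reach.
BLOCKED_RANGES = %w[
  0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16
  172.16.0.0/12 192.168.0.0/16 ::1/128 fc00::/7 fe80::/10
].map { |cidr| IPAddr.new(cidr) }

def blocked_address?(ip_string)
  ip = IPAddr.new(ip_string)
  BLOCKED_RANGES.any? { |range| range.include?(ip) }
end

# Naive filter: resolves the name once to validate it, then passes the URL on,
# and the client resolves the name again. An attacker-controlled DNS server
# answers the first lookup with a public address and the second with 127.0.0.1
# (rebinding), so the check passes and the request reaches localhost.
def naive_fetch(url, resolver:, connector:)
  host = URI.parse(url).host
  ip = resolver.call(host)
  raise ArgumentError, "blocked address #{ip}" if blocked_address?(ip)
  connector.call(resolver.call(host), host) # second resolution: TOCTOU window
end

# Pinned filter: resolve exactly once, validate that address, and connect to
# that same address, passing the hostname only for the Host header and SNI.
def pinned_fetch(url, resolver:, connector:)
  host = URI.parse(url).host
  ip = resolver.call(host)
  raise ArgumentError, "blocked address #{ip}" if blocked_address?(ip)
  connector.call(ip, host)
end

# Simulated attacker DNS: public address on the first answer, loopback after.
def rebinding_resolver(public_ip = "203.0.113.10", internal_ip = "127.0.0.1")
  calls = 0
  lambda do |_host|
    calls += 1
    calls == 1 ? public_ip : internal_ip
  end
end

# Simulated HTTP connection: records the address it was told to connect to.
def recording_connector
  log = []
  [log, ->(ip, host) { log << [ip, host]; "connected" }]
end

# Runs one fetcher against the rebinding resolver and returns the address that
# was actually connected to.
def demo(fetcher)
  log, connector = recording_connector
  send(fetcher, "http://mirror.attacker.example/repo.git",
       resolver: rebinding_resolver, connector: connector)
  log.last.first
end

if $PROGRAM_NAME == __FILE__
  puts "naive:  connected to #{demo(:naive_fetch)}"
  puts "pinned: connected to #{demo(:pinned_fetch)}"
end
```

<p>The pinned version connects to the address it validated and carries the hostname separately, which is what a real client does by resolving once and opening the socket to that address. The block list is a floor, not a ceiling: where a feature has a known set of destinations, an allow-list is the stronger control.</p>
<p>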
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4335">CVE-2022-4335</a>.</p> <p>Thanks <a href="https://hackerone.com/ashish_r_padelkar">ashish_r_padelkar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="ssrf-in-web-terminal-advertise_address">SSRF in Web Terminal advertise_address</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/785 --> <p>A blind SSRF in GitLab CE/EE affecting all versions from 11.3 prior to 15.4.6, 15.5 prior to 15.5.5, and 15.6 prior to 15.6.1 allows an attacker to connect to local addresses when configuring a malicious GitLab Runner. This is a low severity issue (<code>CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N</code>, 3.5). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4201">CVE-2022-4201</a>.</p> <p>This vulnerability has been discovered internally by the GitLab team.</p> <h2 id="update-xmlsoftlibxml2">Update xmlsoft/libxml2</h2> <p>xmlsoft/libxml2 has been updated to version 2.10.3 in order to mitigate security issues.</p> <h3 id="versions-affected">Versions affected</h3> <p>Affects all versions of GitLab Omnibus from 13.6.6.</p> <h2 id="update-haxxcurl">Update haxx/curl</h2> <p>haxx/curl has been updated to version 7.86.0 in order to mitigate security issues.</p> <h3 id="versions-affected-1">Versions affected</h3> <p>Affects all versions of GitLab Omnibus 15.4 and 15.6.</p> <h2 id="update-ruby">Update ruby</h2> <p>ruby has been updated to version 2.7.6 in order to mitigate security issues.</p> <h3 id="versions-affected-2">Versions affected</h3> <p>Affects all versions of GitLab Omnibus and GitLab Chart.</p> <h2 id="update-ncurses">Update ncurses</h2> <p>ncurses has been updated to version 6.3-20220416 to mitigate security issues.</p> <h3 id="versions-affected-3">Versions affected</h3> <p>Affects all versions of GitLab Omnibus.</p> <h2 id="update-zlib">Update zlib</h2> <p>zlib has been updated to version 1.2.13 to mitigate security issues.</p> <h3 id="versions-affected-4">Versions affected</h3> <p>Affects all versions of GitLab Omnibus prior to 15.7.</p> <h2 id="update-rsync">Update rsync</h2> <p>rsync has been updated to version 3.2.6 to mitigate security issues.</p> <h3 id="versions-affected-5">Versions affected</h3> <p>Affects all versions of GitLab Omnibus 15.3, 15.4, and 15.5.</p> <h2 id="update-postgresql">Update PostgreSQL</h2> <p>PostgreSQL has been updated to versions 12.12 and 13.8 to mitigate security issues. By default Omnibus <a href="https://docs.gitlab.com/omnibus/settings/database.html#automatic-restart-when-the-postgresql-version-changes">automatically restarts PostgreSQL</a> after the update. However, if automatic restart is disabled, a manual restart is required.</p> <h3 id="versions-affected-6">Versions affected</h3> <p>Affects all versions of GitLab Omnibus 15.3, 15.4, and 15.5.</p> <h2 id="backport-fix-for-gitaly-ntp-request-issue">Backport fix for Gitaly NTP request issue</h2> <p>A non-security issue in Gitaly is being backported to this release. Customers that rely on public NTP services such as <code>pool.ntp.org</code> are at risk of receiving rate-limited responses due to increased NTP request volume. Every readiness check results in each Praefect node making a request to the configured NTP service, and a failed NTP response results in a failed readiness check. If an NTP service is not specified, <code>pool.ntp.org</code> is used as the default. Deployments that rely on healthy readiness checks can experience outages. Issue Link: <a href="https://gitlab.com/gitlab-org/gitlab/-/issues/383440">Gitaly 15.4.3 spams NTP requests</a>.</p> <h2 id="backport-fix-for-watchdog-rssmemorylimit-monitor">Backport fix for Watchdog RssMemoryLimit monitor</h2> <p>A non-security issue in Puma is being backported to this release. This affects self-managed instances that use PumaWorkerKiller. PumaWorkerKiller is disabled by default on GitLab.com and on self-managed instances using Helm charts, so GitLab.com is not affected. It is enabled by default for Omnibus installations and installations from source. Issue Link: <a href="https://gitlab.com/gitlab-org/gitlab/-/issues/383440">Convert memory_limit to bytes for RssMemoryLimit</a>.</p> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">update page</a>. To update GitLab Runner, see the <a href="https://docs.gitlab.com/runner/install/linux-repository.html#updating-the-runner">Updating the Runner page</a>. To update the DAST API scanner, self-managed customers that are using our built-in DAST CI template after 15.0 can get the latest release from registry.gitlab.com. If you use the always pull policy, the update will occur automatically. GitLab.com is already running the updated DAST scanner.</p> <h2 id="receive-security-release-notifications">Receive Security Release Notifications</h2> <p>To receive security release blog notifications delivered to your inbox, visit our <a href="https://about.gitlab.com/company/contact/">contact us</a> page.
To receive release notifications via RSS, subscribe to our <a href="https://about.gitlab.com/security-releases.xml">security release RSS feed</a> or our <a href="https://about.gitlab.com/all-releases.xml">RSS feed for all releases</a>.</p> <img src='https://about.gitlab.com/images/blogimages/security-cover-new.png' class='webfeedsFeaturedVisual' style='display: none;' /> GitLab Security Release: 15.5.2, 15.4.4, and 15.3.5 https://about.gitlab.com/releases/2022/11/02/security-release-gitlab-15-5-2-released/ 2022-11-02T00:00:00+00:00 2022-11-02T00:00:00+00:00 Dominic Couture <p>Today we are releasing versions 15.5.2, 15.4.4, and 15.3.5 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.</p> <p>GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our <a href="https://about.gitlab.com/security/faq/">security FAQ</a>. You can see all of our regular and security release blog posts <a href="/releases/categories/releases/">here</a>. In addition, the issues detailing each vulnerability are made public on our <a href="https://gitlab.com/gitlab-org/gitlab/issues?label_name%5B%5D=security&amp;scope=all&amp;state=opened">issue tracker</a> 30 days after the release in which they were patched.</p> <p>We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. 
As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more <a href="/blog/gitlab-instance-security-best-practices/">best practices in securing your GitLab instance</a> in our blog post.</p> <h3 id="recommended-action">Recommended Action</h3> <p>We <strong>strongly recommend</strong> that all installations running a version affected by the issues described below are <strong>upgraded to the latest version as soon as possible</strong>.</p> <p>When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.</p> <h2 id="table-of-fixes">Table of Fixes</h2> <table> <thead> <tr> <th>Title</th> <th>Severity</th> </tr> </thead> <tbody> <tr> <td><a href="#dast-analyzer-sends-custom-request-headers-with-every-request">DAST analyzer sends custom request headers with every request</a></td> <td>high</td> </tr> <tr> <td><a href="#stored-xss-with-csp-bypass-via-scoped-labels-color">Stored-XSS with CSP-bypass via scoped labels' color</a></td> <td>high</td> </tr> <tr> <td><a href="#maintainer-can-leak-datadog-api-key-by-changing-integration-url">Maintainer can leak Datadog API key by changing integration URL</a></td> <td>medium</td> </tr> <tr> <td><a href="#uncontrolled-resource-consumption-when-parsing-urls">Uncontrolled resource consumption when parsing URLs</a></td> <td>medium</td> </tr> <tr> <td><a href="#issue-http-requests-when-users-view-an-openapi-document-and-click-buttons">Issue HTTP requests when users view an OpenAPI document and click buttons</a></td> <td>medium</td> </tr> <tr> <td><a href="#command-injection-in-ci-jobs-via-branch-name-in-ci-pipelines">Command injection in CI jobs via branch name in CI pipelines</a></td> <td>medium</td> </tr> <tr> <td><a href="#open-redirection">Open redirection</a></td> <td>medium</td> </tr> <tr> <td><a 
href="#prefill-variables-do-not-check-permission-of-the-project-in-external-ci-config">Prefill variables do not check permission of the project in external CI config</a></td> <td>medium</td> </tr> <tr> <td><a href="#disclosure-of-audit-events-to-insufficiently-permissioned-group-and-project-members">Disclosure of audit events to insufficiently permissioned group and project members</a></td> <td>medium</td> </tr> <tr> <td><a href="#arbitrary-gfm-references-rendered-in-jira-issue-description-leak-privateconfidential-resources">Arbitrary GFM references rendered in Jira issue description leak private/confidential resources</a></td> <td>medium</td> </tr> <tr> <td><a href="#award-emojis-api-for-an-internal-note-is-accessible-to-users-without-access-to-the-note">Award emojis API for an internal note is accessible to users without access to the note</a></td> <td>low</td> </tr> <tr> <td><a href="#open-redirect-in-pipeline-artifacts-when-generating-html-documents">Open redirect in pipeline artifacts when generating HTML documents</a></td> <td>low</td> </tr> <tr> <td><a href="#retrying-a-job-in-a-downstream-pipeline-allows-the-retrying-user-to-take-ownership-of-the-retried-jobs-in-upstream-pipelines">Retrying a job in a downstream pipeline allows the retrying user to take ownership of the retried jobs in upstream pipelines</a></td> <td>low</td> </tr> <tr> <td><a href="#project-level-secure-files-can-be-written-out-of-the-target-directory">Project-level Secure Files can be written out of the target directory</a></td> <td>low</td> </tr> </tbody> </table> <h2 id="dast-analyzer-sends-custom-request-headers-with-every-request">DAST analyzer sends custom request headers with every request</h2> <!-- https://gitlab.com/gitlab-org/gitlab/-/issues/377473 --> <p>Missing validation in DAST analyzer affecting all versions from 1.11.0 prior to 3.0.32, allows custom request headers to be sent with every request, regardless of the host. 
This is a high severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N</code>, 7.7). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3767">CVE-2022-3767</a>.</p> <p>This vulnerability has been discovered internally by the GitLab team.</p> <h2 id="stored-xss-with-csp-bypass-via-scoped-labels-color">Stored-XSS with CSP-bypass via scoped labels' color</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/770 --> <p>A cross-site scripting issue has been discovered in GitLab CE/EE affecting all versions prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2. It was possible to exploit a vulnerability in setting the labels colour feature which could lead to a stored XSS that allowed attackers to perform arbitrary actions on behalf of victims on the client side. This is a high severity issue (<code>CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N</code>, 7.3). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3265">CVE-2022-3265</a>.</p> <p>Thanks <a href="https://hackerone.com/yvvdwf">yvvdwf</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="maintainer-can-leak-datadog-api-key-by-changing-integration-url">Maintainer can leak Datadog API key by changing integration URL</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/780 --> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.1 before 15.3.5, all versions starting from 15.4 before 15.4.4, all versions starting from 15.5 before 15.5.2. A malicious maintainer could exfiltrate a Datadog integration's access token by modifying the integration URL such that authenticated requests are sent to an attacker-controlled server. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N</code>, 5.5).
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3483">CVE-2022-3483</a>.</p> <p>Thanks <a href="https://hackerone.com/ryotak">ryotak</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="uncontrolled-resource-consumption-when-parsing-urls">Uncontrolled resource consumption when parsing URLs</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/768 --> <p>An uncontrolled resource consumption issue when parsing URLs in GitLab CE/EE affecting all versions prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allows an attacker to cause performance issues and potentially a denial of service on the GitLab instance. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L</code>, 5.3). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3818">CVE-2022-3818</a>.</p> <p>This vulnerability has been discovered internally by the GitLab team.</p> <h2 id="issue-http-requests-when-users-view-an-openapi-document-and-click-buttons">Issue HTTP requests when users view an OpenAPI document and click buttons</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/778 --> <p>Lack of sandboxing of OpenAPI documents in GitLab CE/EE affecting all versions from 12.6 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allows an attacker to trick a user into clicking a button in the Swagger OpenAPI viewer and issuing HTTP requests that affect the victim's account. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N</code>, 4.8).
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3726">CVE-2022-3726</a>.</p> <p>Thanks <a href="https://hackerone.com/yvvdwf">yvvdwf</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="command-injection-in-ci-jobs-via-branch-name-in-ci-pipelines">Command injection in CI jobs via branch name in CI pipelines</h2> <p>Improper sanitization of branch names in GitLab Runner affecting all versions prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allows a user who creates a branch with a specially crafted name and gets another user to trigger a pipeline to execute commands in the runner as that other user. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N</code>, 4.8). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2251">CVE-2022-2251</a>.</p> <p>Thanks <a href="https://hackerone.com/stanlyoncm">stanlyoncm</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="open-redirection">Open redirection</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/781 --> <p>An open redirect vulnerability in GitLab EE/CE affecting all versions from 9.3 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2, allows an attacker to redirect users to an arbitrary location if they trust the URL. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N</code>, 4.7). 
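</p>
<p>An open redirect check has to reject everything a browser will treat as a different origin, not only an obvious absolute URL. The Ruby below is an added example, not GitLab's code; the helper name and the sample targets are constructed, and the table of cases doubles as a regression test for the bypass shapes a reviewer would try.</p>

```ruby
require "uri"

# Added example (not GitLab code): a redirect-target check that allows only a
# path on the current origin, with the bypass shapes a reviewer would test.
# The helper name and every sample target below are constructed.

# Returns true only for an absolute path on this origin. Anything a browser
# could interpret as a new scheme or authority is rejected.
def safe_redirect_path?(target)
  return false unless target.is_a?(String) && target.start_with?("/")
  # Control characters break the Location header or smuggle a second header.
  return false if target.match?(/[\x00-\x1f\x7f]/)
  # "//host" is a protocol-relative URL; browsers normalise "/\host" to "//host".
  return false if target.start_with?("//", "/\\")
  uri = URI.parse(target)
  uri.scheme.nil? && uri.host.nil? && uri.userinfo.nil?
rescue URI::InvalidURIError
  false
end

# At the redirect site, fall back to a fixed location when the requested
# target is unsafe instead of trying to repair it.
def redirect_target(requested, fallback = "/")
  safe_redirect_path?(requested) ? requested : fallback
end

# Constructed cases: target => whether it may be used as a redirect.
REDIRECT_CASES = {
  "/dashboard/projects"      => true,
  "/foo?next=//evil.example" => true,   # query string does not change origin
  "/foo#//evil.example"      => true,   # fragment stays client-side
  "//evil.example/"          => false,  # protocol-relative URL
  "/\\evil.example"          => false,  # backslash normalised to slash
  "https://evil.example/"    => false,  # absolute URL
  "javascript:alert(1)"      => false,  # not a path at all
  "/ok\r\nSet-Cookie: a=b"   => false,  # header injection
  ""                         => false,
}.freeze

# Returns the targets whose result disagrees with the table (empty when all pass).
def redirect_case_failures
  REDIRECT_CASES.reject { |target, expected| safe_redirect_path?(target) == expected }.keys
end

if $PROGRAM_NAME == __FILE__
  REDIRECT_CASES.each_key do |target|
    puts "#{target.inspect.ljust(30)} -> #{redirect_target(target)}"
  end
  puts "failures: #{redirect_case_failures.inspect}"
end
```

<p>Rejecting rather than rewriting unsafe targets avoids a second class of bugs where the repair itself is bypassable. The same check applies to the pipeline-artifact open redirect described later in this post.</p>
<p>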
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3486">CVE-2022-3486</a>.</p> <p>Thanks <a href="https://hackerone.com/ryotak">ryotak</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="prefill-variables-do-not-check-permission-of-the-project-in-external-ci-config">Prefill variables do not check permission of the project in external CI config</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/761 --> <p>An improper authorization issue in GitLab CE/EE affecting all versions from 14.4 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allows an attacker to read variables set directly in a GitLab CI/CD configuration file they don't have access to. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3793">CVE-2022-3793</a>.</p> <p>This vulnerability has been discovered internally by the GitLab team.</p> <h2 id="disclosure-of-audit-events-to-insufficiently-permissioned-group-and-project-members">Disclosure of audit events to insufficiently permissioned group and project members</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/771 --> <p>Incorrect authorization during display of Audit Events in GitLab EE affecting all versions from 14.5 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2, allowed Developers to view the project's Audit Events and Developers or Maintainers to view the group's Audit Events. These should have been restricted to Project Maintainers, Group Owners, and above. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 4.3). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3413">CVE-2022-3413</a>.</p> <p>This vulnerability has been discovered internally by the GitLab team.</p> <h2 id="arbitrary-gfm-references-rendered-in-jira-issue-description-leak-privateconfidential-resources">Arbitrary GFM references rendered in Jira issue description leak private/confidential resources</h2> <p>An information disclosure issue in GitLab CE/EE affecting all versions from 14.4 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allows an attacker to use GitLab Flavored Markdown (GFM) references in a Jira issue to disclose the names of resources they don't have access to. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2761">CVE-2022-2761</a>.</p> <p>Thanks <a href="https://hackerone.com/yvvdwf">yvvdwf</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="award-emojis-api-for-an-internal-note-is-accessible-to-users-without-access-to-the-note">Award emojis API for an internal note is accessible to users without access to the note</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/783 --> <p>An improper authorization issue in GitLab CE/EE affecting all versions from 15.0 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allows malicious users to set emojis on internal notes they don't have access to. This is a low severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N</code>, 3.5). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3819">CVE-2022-3819</a>.</p> <p>This vulnerability has been discovered internally by the GitLab team.</p> <h2 id="open-redirect-in-pipeline-artifacts-when-generating-html-documents">Open redirect in pipeline artifacts when generating HTML documents</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/764 --> <p>An open redirect in GitLab CE/EE affecting all versions from 10.1 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allows an attacker to trick users into visiting a trustworthy URL and being redirected to arbitrary content. This is a low severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N</code>, 3.5). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3280">CVE-2022-3280</a>.</p> <p>Thanks <a href="https://hackerone.com/joaxcar">joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="retrying-a-job-in-a-downstream-pipeline-allows-the-retrying-user-to-take-ownership-of-the-retried-jobs-in-upstream-pipelines">Retrying a job in a downstream pipeline allows the retrying user to take ownership of the retried jobs in upstream pipelines</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/779 --> <p>Improper authorization in GitLab CE/EE affecting all versions from 7.14 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allows a user retrying a job in a downstream pipeline to take ownership of the retried jobs in the upstream pipeline even if the user doesn't have access to that project. This is a low severity issue (<code>CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N</code>, 3.1). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3706">CVE-2022-3706</a>.</p> <p>This vulnerability has been discovered internally by the GitLab team.</p> <h2 id="project-level-secure-files-can-be-written-out-of-the-target-directory">Project-level Secure Files can be written out of the target directory</h2> <!-- https://gitlab.com/gitlab-org/gitlab/-/issues/376218 --> <p>Secure Files named in a specific way could traverse outside of the target directory in the CI job. This is a low severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N</code>, 2.7). Only GitLab.com was affected as this feature is not yet enabled on self-managed instances and the patch has been deployed in production.</p> <p>This vulnerability has been discovered internally by the GitLab team.</p> <h2 id="update-openssl">Update openssl</h2> <p>The version of openssl has been updated to <a href="https://launchpad.net/ubuntu/+source/openssl/3.0.2-0ubuntu1.7">3.0.2-0ubuntu1.7</a> in order to mitigate security concerns.</p> <h3 id="versions-affected">Versions affected</h3> <p>Affects all versions of GitLab Dynamic Application Security Testing (DAST) Analyzer prior to 3.0.32.</p> <h2 id="update-curl">Update curl</h2> <p>The version of curl has been updated to 7.85.0 in order to mitigate security concerns.</p> <h3 id="versions-affected-1">Versions affected</h3> <p>Affects all versions of GitLab Omnibus.</p> <h2 id="update-pcre2">Update pcre2</h2> <p>The version of pcre2 has been updated to 10.40 in order to mitigate security concerns.</p> <h3 id="versions-affected-2">Versions affected</h3> <p>Affects all versions of GitLab Omnibus.</p> <h2 id="non-security-fixes">Non-security fixes</h2> <ul> <li><a href="https://gitlab.com/gitlab-org/omnibus-gitlab/-/issues/7275">15.5.0 upgrade on CentOS 8 Stream in FIPS mode fails</a>: Backported to 15.5.</li> <li><a href="https://gitlab.com/gitlab-org/omnibus-gitlab/-/issues/7267">Ohai 
fails to build trying to find unavailable version of the dependency chef-utils</a>: Backported to 15.4 and 15.3.</li> </ul> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">update page</a>. To update GitLab Runner, see the <a href="https://docs.gitlab.com/runner/install/linux-repository.html#updating-the-runner">Updating the Runner page</a>.</p> <p>To update the DAST scanner, self-managed customers that are using our built-in DAST CI template after 15.0 can get the latest release from <code>registry.gitlab.com</code>. If using the <a href="https://docs.gitlab.com/runner/executors/docker.html#using-the-always-pull-policy">always pull policy</a>, the update will occur automatically. GitLab.com is already running the updated DAST scanner.</p> <h2 id="receive-security-release-notifications">Receive Security Release Notifications</h2> <p>To receive security release blog notifications delivered to your inbox, visit our <a href="https://about.gitlab.com/company/contact/">contact us</a> page. To receive release notifications via RSS, subscribe to our <a href="https://about.gitlab.com/security-releases.xml">security release RSS feed</a> or our <a href="https://about.gitlab.com/all-releases.xml">RSS feed for all releases</a>.</p> <h1>GitLab Security Release: 15.4.1, 15.3.4, and 15.2.5</h1> <p>Nick Malcolm, 2022-09-29T00:00:00+00:00. <a href="https://about.gitlab.com/releases/2022/09/29/security-release-gitlab-15-4-1-released/">https://about.gitlab.com/releases/2022/09/29/security-release-gitlab-15-4-1-released/</a></p> <p>Today we are releasing versions 15.4.1, 15.3.4, and 15.2.5 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. 
GitLab.com is already running the patched version.</p> <p>GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our <a href="https://about.gitlab.com/security/faq/">security FAQ</a>. You can see all of our regular and security release blog posts <a href="/releases/categories/releases/">here</a>. In addition, the issues detailing each vulnerability are made public on our <a href="https://gitlab.com/gitlab-org/gitlab/issues?label_name%5B%5D=security&amp;scope=all&amp;state=opened">issue tracker</a> 30 days after the release in which they were patched.</p> <p>We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more <a href="/blog/gitlab-instance-security-best-practices/">best practices in securing your GitLab instance</a> in our blog post.</p> <h3 id="recommended-action">Recommended Action</h3> <p>We <strong>strongly recommend</strong> that all installations running a version affected by the issues described below are <strong>upgraded to the latest version as soon as possible</strong>.</p> <p>When no specific deployment type (omnibus, source code, helm chart, etc.) 
of a product is mentioned, this means all types are affected.</p> <h2 id="table-of-fixes">Table of Fixes</h2> <table> <thead> <tr> <th>Title</th> <th>Severity</th> </tr> </thead> <tbody> <tr> <td><a href="#denial-of-service-via-cloning-an-issue">Denial of Service via cloning an issue</a></td> <td>high</td> </tr> <tr> <td><a href="#arbitrary-put-request-as-victim-user-through-sentry-error-list">Arbitrary PUT request as victim user through Sentry error list</a></td> <td>high</td> </tr> <tr> <td><a href="#content-injection-via-external-status-checks">Content injection via External Status Checks</a></td> <td>high</td> </tr> <tr> <td><a href="#project-maintainers-can-access-datadog-api-key-from-logs">Project maintainers can access Datadog API Key from logs</a></td> <td>medium</td> </tr> <tr> <td><a href="#unsafe-serialization-of-json-data-could-lead-to-sensitive-data-leakage">Unsafe serialization of Json data could lead to sensitive data leakage</a></td> <td>medium</td> </tr> <tr> <td><a href="#import-bug-allows-importing-of-private-local-git-repos">Import bug allows importing of private local git repos</a></td> <td>medium</td> </tr> <tr> <td><a href="#maintainer-can-leak-github-access-tokens-by-changing-integration-url-even-after-1521-patch">Maintainer can leak Github access tokens by changing integration URL (even after 15.2.1 patch)</a></td> <td>medium</td> </tr> <tr> <td><a href="#unauthorized-users-able-to-create-issues-in-any-project">Unauthorized users able to create issues in any project</a></td> <td>medium</td> </tr> <tr> <td><a href="#bypass-group-ip-restriction-on-dependency-proxy">Bypass group IP restriction on Dependency Proxy</a></td> <td>medium</td> </tr> <tr> <td><a href="#healthcheck-endpoint-allow-list-can-be-bypassed-when-accessed-over-http-in-an-https-enabled-system">Healthcheck endpoint allow list can be bypassed when accessed over HTTP in an HTTPS enabled system</a></td> <td>medium</td> </tr> <tr> <td><a 
href="#disclosure-of-todo-details-to-guest-users">Disclosure of Todo details to guest users</a></td> <td>medium</td> </tr> <tr> <td><a href="#a-users-primary-email-may-be-disclosed-through-group-member-events-webhooks">A user's primary email may be disclosed through group member events webhooks</a></td> <td>medium</td> </tr> <tr> <td><a href="#content-manipulation-due-to-branchtag-name-confusion-with-the-default-branch-name">Content manipulation due to branch/tag name confusion with the default branch name</a></td> <td>low</td> </tr> <tr> <td><a href="#leakage-of-email-addresses-in-webhook-logs">Leakage of email addresses in WebHook logs</a></td> <td>low</td> </tr> <tr> <td><a href="#specially-crafted-output-makes-job-logs-inaccessible">Specially crafted output makes job logs inaccessible</a></td> <td>low</td> </tr> </tbody> </table> <h2 id="denial-of-service-via-cloning-an-issue">Denial of Service via cloning an issue</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/766 --> <p>A potential DoS vulnerability was discovered in GitLab CE/EE affecting all versions before 15.2.5, all versions starting from 15.3 before 15.3.4, and all versions starting from 15.4 before 15.4.1. Cloning an issue whose description contained specially crafted content could have been used to trigger high CPU usage. This is a high severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</code>, 7.5). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3283">CVE-2022-3283</a>.</p> <p>Thanks <a href="https://hackerone.com/legit-security">legit-security</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="arbitrary-put-request-as-victim-user-through-sentry-error-list">Arbitrary PUT request as victim user through Sentry error list</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/739 --> <p>Improper control of a resource identifier in Error Tracking in GitLab CE/EE affecting all versions from 12.7 allows an authenticated attacker to generate content which could cause a victim to make unintended arbitrary requests. This is a high severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N</code>, 7.3). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3060">CVE-2022-3060</a>.</p> <p>Thanks <a href="https://hackerone.com/joaxcar">@joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="content-injection-via-external-status-checks">Content injection via External Status Checks</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/736 --> <p>A cross-site scripting issue has been discovered in GitLab CE/EE affecting all versions starting from 15.2 before 15.2.5, all versions starting from 15.3 before 15.3.4, and all versions starting from 15.4 before 15.4.1. It was possible to exploit a vulnerability in the external status checks feature which could lead to a stored XSS that allowed attackers to perform arbitrary actions on behalf of victims on the client side. This is a high severity issue (<code>CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N</code>, 7.3). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2904">CVE-2022-2904</a>.</p> <p>Thanks <a href="https://hackerone.com/yvvdwf">yvvdwf</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="project-maintainers-can-access-datadog-api-key-from-logs">Project maintainers can access Datadog API Key from logs</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/717 --> <p>An information disclosure vulnerability in GitLab CE/EE affecting all versions starting from 9.3 before 15.2.5, all versions starting from 15.3 before 15.3.4, and all versions starting from 15.4 before 15.4.1 allows a project maintainer to access the Datadog integration API key from webhook logs. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N</code>, 6.8). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3018">CVE-2022-3018</a>.</p> <p>This vulnerability has been discovered internally by the GitLab team.</p> <h2 id="unsafe-serialization-of-json-data-could-lead-to-sensitive-data-leakage">Unsafe serialization of Json data could lead to sensitive data leakage</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/735 --> <p>Serialization of sensitive data in GitLab EE affecting all versions from 14.9 prior to 15.2.5, 15.3 prior to 15.3.4, and 15.4 prior to 15.4.1 can leak sensitive information via the cache. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N</code>, 6.5). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3291">CVE-2022-3291</a>.</p> <p>This vulnerability has been discovered internally by the GitLab team.</p> <h2 id="import-bug-allows-importing-of-private-local-git-repos">Import bug allows importing of private local git repos</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/758 --> <p>An issue has been discovered in the Import functionality of GitLab CE/EE affecting all versions starting from 14.4 before 15.2.5, all versions starting from 15.3 before 15.3.4, and all versions starting from 15.4 before 15.4.1. It was possible for an authenticated user to read arbitrary projects' content given the project's ID. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N</code>, 6.5). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3067">CVE-2022-3067</a>.</p> <p>Thanks <a href="https://hackerone.com/vakzz">vakzz</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="maintainer-can-leak-github-access-tokens-by-changing-integration-url-even-after-1521-patch">Maintainer can leak Github access tokens by changing integration URL (even after 15.2.1 patch)</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/762 --> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.6 before 15.2.5, all versions starting from 15.3 before 15.3.4, and all versions starting from 15.4 before 15.4.1. A malicious maintainer could exfiltrate a GitHub integration's access token by modifying the integration URL such that authenticated requests are sent to an attacker-controlled server. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N</code>, 5.5). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2882">CVE-2022-2882</a>.</p> <p>Thanks <a href="https://hackerone.com/joaxcar">joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="unauthorized-users-able-to-create-issues-in-any-project">Unauthorized users able to create issues in any project</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/759 --> <p>An issue has been discovered in GitLab affecting all versions starting from 10.0 before 15.2.5, all versions starting from 15.3 before 15.3.4, and all versions starting from 15.4 before 15.4.1. It was possible for an unauthorised user to create issues in a project. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N</code>, 5.4). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3066">CVE-2022-3066</a>.</p> <p>Thanks <a href="https://hackerone.com/vakzz">vakzz</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="bypass-group-ip-restriction-on-dependency-proxy">Bypass group IP restriction on Dependency Proxy</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/740 --> <p>Lack of IP address checking in GitLab EE affecting all versions from 14.2 prior to 15.2.5, 15.3 prior to 15.3.4, and 15.4 prior to 15.4.1 allows a group member to bypass IP restrictions when using a deploy token. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N</code>, 5.3). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3286">CVE-2022-3286</a>.</p> <p>This vulnerability has been discovered internally by the GitLab team.</p> <h2 id="healthcheck-endpoint-allow-list-can-be-bypassed-when-accessed-over-http-in-an-https-enabled-system">Healthcheck endpoint allow list can be bypassed when accessed over HTTP in an HTTPS enabled system</h2> <!-- https://gitlab.com/gitlab-org/security/omnibus-gitlab/-/issues/64 --> <p>Bypass of the healthcheck endpoint allow list affecting all versions from 12.0 prior to 15.2.5, 15.3 prior to 15.3.4, and 15.4 prior to 15.4.1 allows an unauthorized attacker to prevent access to GitLab. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L</code>, 5.3). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3285">CVE-2022-3285</a>.</p> <p>This vulnerability has been discovered internally by the GitLab team.</p> <h2 id="disclosure-of-todo-details-to-guest-users">Disclosure of Todo details to guest users</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/726 --> <p>It was possible for a guest user to read a todo targeting an inaccessible note in GitLab CE/EE affecting all versions from 15.0 prior to 15.2.5, 15.3 prior to 15.3.4, and 15.4 prior to 15.4.1. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 4.3). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3330">CVE-2022-3330</a>.</p> <p>This vulnerability has been discovered internally by the GitLab team.</p> <h2 id="a-users-primary-email-may-be-disclosed-through-group-member-events-webhooks">A user's primary email may be disclosed through group member events webhooks</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/772 --> <p>An issue has been discovered in GitLab EE affecting all versions starting from 13.7 before 15.2.5, all versions starting from 15.3 before 15.3.4, all versions starting from 15.4 before 15.4.1. A user's primary email may be disclosed to an attacker through group member events webhooks. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3351">CVE-2022-3351</a>.</p> <p>Thanks <a href="https://hackerone.com/joaxcar">@joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="content-manipulation-due-to-branchtag-name-confusion-with-the-default-branch-name">Content manipulation due to branch/tag name confusion with the default branch name</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/713 --> <p>A branch/tag name confusion in GitLab CE/EE affecting all versions prior to 15.2.5, 15.3 prior to 15.3.4, and 15.4 prior to 15.4.1 allows an attacker to manipulate pages where the content of the default branch would be expected. This is a low severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N</code>, 3.5). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3288">CVE-2022-3288</a>.</p> <p>Thanks <a href="https://hackerone.com/st4nly0n">st4nly0n</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="leakage-of-email-addresses-in-webhook-logs">Leakage of email addresses in WebHook logs</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/756 --> <p>Email addresses were leaked in WebHook logs in GitLab EE affecting all versions from 9.3 prior to 15.2.5, 15.3 prior to 15.3.4, and 15.4 prior to 15.4.1. This is a low severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N</code>, 3.5). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3293">CVE-2022-3293</a>.</p> <p>This vulnerability has been discovered internally by the GitLab team.</p> <h2 id="specially-crafted-output-makes-job-logs-inaccessible">Specially crafted output makes job logs inaccessible</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/767 --> <p>An unhandled exception in job log parsing in GitLab CE/EE affecting all versions prior to 15.2.5, 15.3 prior to 15.3.4, and 15.4 prior to 15.4.1 allows an attacker to prevent access to job logs. This is a low severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L</code>, 2.7). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3279">CVE-2022-3279</a>.</p> <p>Thanks <a href="https://hackerone.com/exem_pt">exem_pt</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="enforce-editing-approval-rules-on-project-level">Enforce editing approval rules on project level</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/760 --> <p>Improper access control in the GitLab CE/EE API affecting all versions starting from 12.8 before 15.2.5, all versions starting from 15.3 before 15.3.4, and all versions starting from 15.4 before 15.4.1 allowed an unauthorised user to edit the approval rules via the API. This is a low severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N</code>, 2.7). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3325">CVE-2022-3325</a>.</p> <p>This vulnerability has been discovered internally by the GitLab team.</p> <h2 id="update-grafana">Update Grafana</h2> <!-- https://gitlab.com/gitlab-org/security/omnibus-gitlab/-/issues/63 --> <p>Grafana has been patched in order to mitigate "CVE-2022-31107 - Grafana account takeover via OAuth vulnerability".</p> <h3 id="versions-affected">Versions affected</h3> <p>Affects all versions of GitLab Omnibus.</p> <h2 id="update-mattermost">Update Mattermost</h2> <p>Mattermost has been updated to version 7.1.3 in order to mitigate security issues.</p> <h3 id="versions-affected-1">Versions affected</h3> <p>Affects all versions of GitLab CE/EE.</p> <h2 id="backport-fix-for-geo-lfs-issue">Backport fix for Geo LFS issue</h2> <p>A non-security issue in Geo LFS is being backported to our <code>15.2.5</code> release: <a href="https://gitlab.com/gitlab-org/gitlab/-/issues/371397">"Geo: invalid lfs object deletion on secondary when managed object replication is disabled"</a>.</p> <h2 
id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">update page</a>. To update GitLab Runner, see the <a href="https://docs.gitlab.com/runner/install/linux-repository.html#updating-the-runner">Updating the Runner page</a>.</p> <h2 id="receive-security-release-notifications">Receive Security Release Notifications</h2> <p>To receive security release blog notifications delivered to your inbox, visit our <a href="https://about.gitlab.com/company/contact/">contact us</a> page. To receive release notifications via RSS, subscribe to our <a href="https://about.gitlab.com/security-releases.xml">security release RSS feed</a> or our <a href="https://about.gitlab.com/all-releases.xml">RSS feed for all releases</a>.</p> <h1>GitLab Critical Security Release: 15.3.2, 15.2.4 and 15.1.6</h1> <p>Costel Maxim, 2022-08-30T00:00:00+00:00. <a href="https://about.gitlab.com/releases/2022/08/30/critical-security-release-gitlab-15-3-2-released/">https://about.gitlab.com/releases/2022/08/30/critical-security-release-gitlab-15-3-2-released/</a></p> <p>Today we are releasing versions 15.3.2, 15.2.4 and 15.1.6 for GitLab Community Edition (CE) and Enterprise Edition (EE). Please note, this critical release will also serve as our monthly security release for August.</p> <p>These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.</p> <p>GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our <a href="https://about.gitlab.com/security/faq/">security FAQ</a>. 
You can see all of our regular and security release blog posts <a href="/releases/categories/releases/">here</a>. In addition, the issues detailing each vulnerability are made public on our <a href="https://gitlab.com/gitlab-org/gitlab/issues?label_name%5B%5D=security&amp;scope=all&amp;state=opened">issue tracker</a> 30 days after the release in which they were patched.</p> <p>We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more <a href="/blog/gitlab-instance-security-best-practices/">best practices in securing your GitLab instance</a> in our blog post.</p> <h3 id="recommended-action">Recommended Action</h3> <p>We <strong>strongly recommend</strong> that all installations running a version affected by the issues described below are <strong>upgraded to the latest version as soon as possible</strong>.</p> <p>When no specific deployment type (omnibus, source code, helm chart, etc.) 
of a product is mentioned, this means all types are affected.</p> <h2 id="table-of-fixes">Table of Fixes</h2> <table> <thead> <tr> <th>Title</th> <th>Severity</th> </tr> </thead> <tbody> <tr> <td><a href="#remote-command-execution-via-github-import">Remote Command Execution via GitHub import</a></td> <td>critical</td> </tr> <tr> <td><a href="#stored-xss-via-labels-color">Stored XSS via labels color</a></td> <td>high</td> </tr> <tr> <td><a href="#content-injection-via-incidents-timeline-description">Content injection via Incidents Timeline description</a></td> <td>high</td> </tr> <tr> <td><a href="#denial-of-service-via-issue-preview">Denial of Service via Issue preview</a></td> <td>high</td> </tr> <tr> <td><a href="#lack-of-length-validation-in-snippets-leads-to-denial-of-service">Lack of length validation in Snippets leads to Denial of Service</a></td> <td>medium</td> </tr> <tr> <td><a href="#group-ip-allow-list-not-fully-respected-by-the-package-registry">Group IP allow-list not fully respected by the Package Registry</a></td> <td>medium</td> </tr> <tr> <td><a href="#abusing-gitalygettreeentries-calls-leads-to-denial-of-service">Abusing Gitaly.GetTreeEntries calls leads to denial of service</a></td> <td>medium</td> </tr> <tr> <td><a href="#arbitrary-http-requests-possible-in-ipynb-notebook-with-malicious-form-tags">Arbitrary HTTP Requests Possible in .ipynb Notebook with Malicious Form Tags</a></td> <td>medium</td> </tr> <tr> <td><a href="#read-repository-content-via-livepreview-feature">Read repository content via LivePreview feature</a></td> <td>medium</td> </tr> <tr> <td><a href="#regular-expression-denial-of-service-via-special-crafted-input">Regular Expression Denial of Service via special crafted input</a></td> <td>medium</td> </tr> <tr> <td><a href="#information-disclosure-via-arbitrary-gfm-references-rendered-in-incident-timeline-events">Information Disclosure via Arbitrary GFM references rendered in Incident Timeline Events</a></td> <td>medium</td> </tr> 
<tr> <td><a href="#denial-of-service-via-the-create-branch-api">Denial of Service via the Create branch API</a></td> <td>medium</td> </tr> <tr> <td><a href="#brute-force-attack-may-guess-a-password-even-when-2fa-is-enabled">Brute force attack may guess a password even when 2FA is enabled</a></td> <td>low</td> </tr> <tr> <td><a href="#idor-in-zentao-integration-leaked-issue-details">IDOR in Zentao integration leaked issue details</a></td> <td>low</td> </tr> </tbody> </table> <h2 id="remote-command-execution-via-github-import">Remote Command Execution via GitHub import</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/755 --> <p>A vulnerability in GitLab CE/EE affecting all versions from 11.10 before 15.1.6, all versions starting from 15.2 before 15.2.4, and all versions starting from 15.3 before 15.3.2 allows an authenticated user to achieve remote code execution via the Import from GitHub API endpoint. This is a critical severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H</code>, 9.9). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2992">CVE-2022-2992</a>.</p> <p>Thanks <a href="https://hackerone.com/vakzz">vakzz</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="stored-xss-via-labels-color">Stored XSS via labels color</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/749 --> <p>A cross-site scripting issue has been discovered in GitLab CE/EE affecting all versions before 15.1.6, all versions starting from 15.2 before 15.2.4, and all versions starting from 15.3 before 15.3.2. It was possible to exploit a vulnerability in the label color setting feature which could lead to a stored XSS that allowed attackers to perform arbitrary actions on behalf of victims on the client side. This is a high severity issue (<code>CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N</code>, 7.3). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2865">CVE-2022-2865</a>.</p> <p>Thanks <a href="https://hackerone.com/yvvdwf">yvvdwf</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="content-injection-via-incidents-timeline-description">Content injection via Incidents Timeline description</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/729 --> <p>An issue has been discovered in GitLab affecting all versions starting from 10.0 before 15.1.6, all versions starting from 15.2 before 15.2.4, all versions starting from 15.3 before 15.3.2. This is a high severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N</code>, 7.3). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2527">CVE-2022-2527</a>.</p> <p>Thanks <a href="https://hackerone.com/yvvdwf">yvvdwf</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="lack-of-length-validation-in-snippets-leads-to-denial-of-service">Lack of length validation in Snippets leads to Denial of Service</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/731 --> <p>A lack of length validation in Snippet descriptions in GitLab CE/EE affecting all versions before 15.1.6, all versions starting from 15.2 before 15.2.4, all versions starting from 15.3 before 15.3.2 allows an authenticated attacker to create a maliciously large Snippet which when requested with or without authentication places excessive load on the server, potentially leading to Denial of Service. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H</code>, 6.5). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2592">CVE-2022-2592</a>.</p> <p>Thanks <a href="https://hackerone.com/cryptopone">cryptopone</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="group-ip-allow-list-not-fully-respected-by-the-package-registry">Group IP allow-list not fully respected by the Package Registry</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/706 --> <p>An issue has been discovered in GitLab affecting all versions starting from 12.10 before 15.1.6, all versions starting from 15.2 before 15.2.4, all versions starting from 15.3 before 15.3.2. GitLab was not performing correct authentication with some Package Registries when IP address restrictions were configured, allowing an attacker already in possession of a valid Deploy Token to misuse it from any location. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N</code>, 6.5). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2533">CVE-2022-2533</a>.</p> <p>This vulnerability has been discovered internally by the GitLab team.</p> <h2 id="abusing-gitalygettreeentries-calls-leads-to-denial-of-service">Abusing Gitaly.GetTreeEntries calls leads to denial of service</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/709 --> <p>A business logic issue in the handling of large repositories in all versions of GitLab CE/EE from 10.0 before 15.1.6, all versions starting from 15.2 before 15.2.4, all versions starting from 15.3 before 15.3.2 allowed an authenticated and authorized user to exhaust server resources by importing a malicious project. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H</code>, 6.5). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2455">CVE-2022-2455</a>.</p> <p>Thanks <a href="https://hackerone.com/0xn3va">0xn3va</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="arbitrary-http-requests-possible-in-ipynb-notebook-with-malicious-form-tags">Arbitrary HTTP Requests Possible in .ipynb Notebook with Malicious Form Tags</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/748 --> <p>A crafted tag in the Jupyter Notebook viewer in GitLab EE/CE affecting all versions before 15.1.6, all versions starting from 15.2 before 15.2.4, all versions starting from 15.3 before 15.3.2 allows an attacker to issue arbitrary HTTP requests. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N</code>, 6.4). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2428">CVE-2022-2428</a>.</p> <p>Thanks <a href="https://hackerone.com/yvvdwf">yvvdwf</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="read-repository-content-via-livepreview-feature">Read repository content via LivePreview feature</h2> <!-- https://gitlab.com/gitlab-org/gitlab/-/issues/349388 --> <p>An issue has been discovered in GitLab CE/EE affecting all versions from 10.8 before 15.1.6, all versions starting from 15.2 before 15.2.4, all versions starting from 15.3 before 15.3.2. It was possible to read repository content by an unauthorised user if a project member used a crafted link. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N</code>, 5.7). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2907">CVE-2022-2907</a>.</p> <p>Thanks <a href="https://hackerone.com/niraeth">niraeth</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="regular-expression-denial-of-service-via-special-crafted-input">Regular Expression Denial of Service via special crafted input</h2> <p>A potential DoS vulnerability was discovered in GitLab CE/EE versions starting from 10.7 before 15.1.6, all versions starting from 15.2 before 15.2.4, all versions starting from 15.3 before 15.3.2 that allowed an attacker to trigger high CPU usage via specially crafted input added in the Commit message field. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L</code>, 4.3). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2908">CVE-2022-2908</a>.</p> <p>Thanks <a href="https://hackerone.com/ryhmnlfj">ryhmnlfj</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="information-disclosure-via-arbitrary-gfm-references-rendered-in-incident-timeline-events">Information Disclosure via Arbitrary GFM references rendered in Incident Timeline Events</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/745 --> <p>An improper access control issue in GitLab CE/EE affecting all versions starting from 15.2 before 15.2.4, all versions from 15.3 before 15.3.2 allows disclosure of confidential information via the Incident timeline events. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 4.3). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2630">CVE-2022-2630</a>.</p> <p>Thanks <a href="https://hackerone.com/yvvdwf">yvvdwf</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="denial-of-service-via-the-create-branch-api">Denial of Service via the Create branch API</h2> <!-- https://gitlab.com/gitlab-org/gitlab/-/issues/366876 --> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.9 before 15.1.6, all versions starting from 15.2 before 15.2.4, all versions starting from 15.3 before 15.3.2. Improper data handling on branch creation could have been used to trigger high CPU usage. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N</code>, 6.5). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3639">CVE-2022-3639</a>.</p> <p>Thanks <a href="https://gitlab.com/elise">elise</a> for reporting this vulnerability.</p> <h2 id="denial-of-service-via-issue-preview">Denial of Service via Issue preview</h2> <!-- https://gitlab.com/gitlab-org/gitlab/-/issues/361982 --> <p>A potential DoS vulnerability was discovered in GitLab CE/EE affecting all versions before 15.1.6, all versions starting from 15.2 before 15.2.4, all versions starting from 15.3 before 15.3.2. Malformed content added to the issue description could have been used to trigger high CPU usage. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</code>, 7.5). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2931">CVE-2022-2931</a>.</p> <p>Thanks <a href="https://hackerone.com/legit-security">legit-security</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="idor-in-zentao-integration-leaked-issue-details">IDOR in Zentao integration leaked issue details</h2> <!-- https://gitlab.com/gitlab-org/gitlab/-/issues/360372 --> <p>An issue has been discovered in GitLab EE affecting all versions starting from 14.5 before 15.1.6, all versions starting from 15.2 before 15.2.4, all versions starting from 15.3 before 15.3.2. GitLab's Zentao integration has an insecure direct object reference vulnerability that may be exploited by an attacker to leak project issues. This is a low severity issue (<code>CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N</code>, 3.5). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3331">CVE-2022-3331</a>.</p> <p>Thanks <a href="https://hackerone.com/joaxcar">joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="brute-force-attack-may-guess-a-password-even-when-2fa-is-enabled">Brute force attack may guess a password even when 2FA is enabled</h2> <!-- https://gitlab.com/gitlab-org/gitlab/-/issues/340395 --> <p>An issue has been discovered in GitLab CE/EE affecting all versions before 15.1.6, all versions starting from 15.2 before 15.2.4, all versions starting from 15.3 before 15.3.2. It may be possible for an attacker to guess a user's password by brute force by sending crafted requests to a specific endpoint, even if the victim user has 2FA enabled on their account. This is a low severity issue (<code>CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N</code>, 3.7). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3031">CVE-2022-3031</a>.</p> <p>This vulnerability was reported to us by a customer.</p> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">update page</a>. To update GitLab Runner, see the <a href="https://docs.gitlab.com/runner/install/linux-repository.html#updating-the-runner">Updating the Runner page</a>.</p> <h2 id="receive-security-release-notifications">Receive Security Release Notifications</h2> <p>To receive security release blog notifications delivered to your inbox, visit our <a href="https://about.gitlab.com/company/contact/">contact us</a> page. To receive release notifications via RSS, subscribe to our <a href="https://about.gitlab.com/security-releases.xml">security release RSS feed</a> or our <a href="https://about.gitlab.com/all-releases.xml">RSS feed for all releases</a>.</p> <h1><a href="https://about.gitlab.com/releases/2022/08/22/critical-security-release-gitlab-15-3-1-released/">GitLab Critical Security Release: 15.3.1, 15.2.3, 15.1.5</a></h1> <p>2022-08-22, Nick Malcolm</p> <p>Today we are releasing versions 15.3.1, 15.2.3, 15.1.5 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.</p> <p>GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. 
For more information, you can visit our <a href="https://about.gitlab.com/security/faq/">security FAQ</a>. You can see all of our regular and security release blog posts <a href="/releases/categories/releases/">here</a>. In addition, the issues detailing each vulnerability are made public on our <a href="https://gitlab.com/gitlab-org/gitlab/issues?label_name%5B%5D=security&amp;scope=all&amp;state=opened">issue tracker</a> 30 days after the release in which they were patched.</p> <p>We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more <a href="/blog/gitlab-instance-security-best-practices/">best practices in securing your GitLab instance</a> in our blog post.</p> <h3 id="recommended-action">Recommended Action</h3> <p>We <strong>strongly recommend</strong> that all installations running a version affected by the issues described below are <strong>upgraded to the latest version as soon as possible</strong>.</p> <p>When no specific deployment type (omnibus, source code, helm chart, etc.) 
of a product is mentioned, this means all types are affected.</p> <h2 id="table-of-fixes">Table of Fixes</h2> <table> <thead> <tr> <th>Title</th> <th>Severity</th> </tr> </thead> <tbody> <tr> <td><a href="#remote-command-execution-via-github-import">Remote Command Execution via GitHub import</a></td> <td>Critical</td> </tr> </tbody> </table> <h2 id="remote-command-execution-via-github-import">Remote Command Execution via GitHub import</h2> <!-- https://gitlab.com/gitlab-org/gitlab/-/issues/371098 --> <p>A vulnerability in GitLab CE/EE affecting all versions starting from 11.3.4 before 15.1.5, all versions starting from 15.2 before 15.2.3, all versions starting from 15.3 before 15.3.1 allows an authenticated user to achieve remote code execution via the Import from GitHub API endpoint. This is a Critical severity issue (<code>AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H</code>, 9.9). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2884">CVE-2022-2884</a>.</p> <p>Thanks <a href="https://hackerone.com/yvvdwf">yvvdwf</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="workarounds">Workarounds</h3> <p>If you're unable to upgrade right away, you can secure your GitLab installation against this vulnerability using the workaround outlined below until you have time to upgrade.</p> <h4 id="disable-github-import">Disable GitHub import</h4> <p>Log in to your GitLab installation using an administrator account and perform the following:</p> <ol> <li>Click "Menu" -&gt; "Admin".</li> <li>Click "Settings" -&gt; "General".</li> <li>Expand the "Visibility and access controls" tab.</li> <li>Under "Import sources" disable the "GitHub" option.</li> <li>Click "Save changes".</li> </ol> <h3 id="verifying-the-workaround">Verifying the workaround</h3> <ol> <li>In a browser window, log in as any user.</li> <li>Click "+" on the top bar.</li> <li>Click "New project/repository".</li> <li>Click "Import project".</li> <li>Verify that "GitHub" does not appear as an import option.</li> </ol> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">Update page</a>. To update GitLab Runner, see the <a href="https://docs.gitlab.com/runner/install/linux-repository.html#updating-the-runner">Updating the Runner page</a>.</p> <h2 id="receive-security-release-notifications">Receive Security Release Notifications</h2> <p>To receive security release blog notifications delivered to your inbox, visit our <a href="https://about.gitlab.com/company/contact/">contact us</a> page. To receive release notifications via RSS, subscribe to our <a href="https://about.gitlab.com/security-releases.xml">security release RSS feed</a> or our <a href="https://about.gitlab.com/all-releases.xml">RSS feed for all releases</a>.</p> <h1><a href="https://about.gitlab.com/releases/2022/07/28/security-release-gitlab-15-2-1-released/">GitLab Security Release: 15.2.1, 15.1.4, and 15.0.5</a></h1> <p>2022-07-28, Rohit Shambhuni</p> <p>Today we are releasing versions 15.2.1, 15.1.4, and 15.0.5 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.</p> <p>GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our <a href="https://about.gitlab.com/security/faq/">security FAQ</a>. 
You can see all of our regular and security release blog posts <a href="/releases/categories/releases/">here</a>. In addition, the issues detailing each vulnerability are made public on our <a href="https://gitlab.com/gitlab-org/gitlab/issues?label_name%5B%5D=security&amp;scope=all&amp;state=opened">issue tracker</a> 30 days after the release in which they were patched.</p> <p>We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more <a href="/blog/gitlab-instance-security-best-practices/">best practices in securing your GitLab instance</a> in our blog post.</p> <h3 id="recommended-action">Recommended Action</h3> <p>We <strong>strongly recommend</strong> that all installations running a version affected by the issues described below are <strong>upgraded to the latest version as soon as possible</strong>.</p> <p>When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.</p> <h2 id="breaking-change">Breaking change</h2> <p>In July 2019 we fixed a vulnerability related to very large CI/CD configuration files and the <code>ci_yaml_limit_size</code> feature flag was introduced as a way to disable the patch, if needed. We are now removing that feature flag as well, to remove the possibility of disabling the patch.</p> <p>You are not affected by this change if the feature flag was not manually disabled. 
You can refer to <a href="https://docs.gitlab.com/ee/administration/feature_flags.html#check-if-a-feature-flag-is-enabled">our documentation</a> for instructions on how to check the state of a feature flag.</p> <p>If you've disabled this feature flag and would like to maintain the existing behavior and avoid a breaking change, you can refer to our <a href="https://docs.gitlab.com/ee/administration/instance_limits.html#maximum-size-and-depth-of-cicd-configuration-yaml-files">documentation</a> for instructions on how to configure the size of your CI/CD configuration file from the Rails console.</p> <h2 id="table-of-fixes">Table of Fixes</h2> <table> <thead> <tr> <th>Title</th> <th>Severity</th> </tr> </thead> <tbody> <tr> <td><a href="#maintainer-can-leak-packagist-and-other-integration-access-tokens-by-changing-integration-url">Maintainer can leak Packagist and other integration access tokens by changing integration URL</a></td> <td>high</td> </tr> <tr> <td><a href="#revoke-access-to-confidential-notes-todos">Revoke access to confidential notes todos</a></td> <td>medium</td> </tr> <tr> <td><a href="#pipeline-subscriptions-trigger-new-pipelines-with-the-wrong-author">Pipeline subscriptions trigger new pipelines with the wrong author</a></td> <td>medium</td> </tr> <tr> <td><a href="#ability-to-gain-access-to-private-project-through-an-email-invite-by-using-other-users-email-address-as-an-unverified-secondary-email">Ability to gain access to private project through an email invite by using other user's email address as an unverified secondary email</a></td> <td>medium</td> </tr> <tr> <td><a href="#import-via-git-protocol-allows-to-bypass-checks-on-repository">Import via git protocol allows to bypass checks on repository</a></td> <td>medium</td> </tr> <tr> <td><a href="#unauthenticated-ip-allowlist-bypass-when-accessing-job-artifacts-through-gitlab-pages">Unauthenticated IP allowlist bypass when accessing job artifacts through GitLab Pages</a></td> <td>medium</td> </tr> <tr> 
<td><a href="#unauthenticated-access-to-victims-grafana-datasources-through-path-traversal">Unauthenticated access to victims Grafana datasources through path traversal</a></td> <td>medium</td> </tr> <tr> <td><a href="#unauthorized-users-can-filter-issues-by-contact-and-organization">Unauthorized users can filter issues by contact and organization</a></td> <td>medium</td> </tr> <tr> <td><a href="#malicious-maintainer-may-change-the-visibility-of-project-or-a-group">Malicious Maintainer may change the visibility of project or a group</a></td> <td>medium</td> </tr> <tr> <td><a href="#stored-xss-in-job-error-messages">Stored XSS in job error messages</a></td> <td>medium</td> </tr> <tr> <td><a href="#enforced-group-mfa-can-be-bypassed-when-using-resource-owner-password-credentials-grant">Enforced group MFA can be bypassed when using Resource Owner Password Credentials grant</a></td> <td>medium</td> </tr> <tr> <td><a href="#non-project-members-can-view-public-projects-deploy-keys">Non project members can view public project's Deploy Keys</a></td> <td>medium</td> </tr> <tr> <td><a href="#idor-in-project-with-jira-integration-leaks-project-owners-other-projects-jira-issues">IDOR in project with Jira integration leaks project owner's other projects Jira issues</a></td> <td>low</td> </tr> <tr> <td><a href="#group-bot-users-and-tokens-not-deleted-after-group-deletion">Group Bot Users and Tokens not deleted after group deletion</a></td> <td>low</td> </tr> <tr> <td><a href="#email-invited-members-can-join-projects-even-after-the-member-lock-has-been-enabled">Email invited members can join projects even after the member lock has been enabled</a></td> <td>low</td> </tr> <tr> <td><a href="#datadog-integration-returns-user-emails">Datadog integration returns user emails</a></td> <td>low</td> </tr> </tbody> </table> <h2 id="maintainer-can-leak-packagist-and-other-integration-access-tokens-by-changing-integration-url">Maintainer can leak Packagist and other integration access tokens 
by changing integration URL</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/703 --> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.6 before 15.0.5, all versions starting from 15.1 before 15.1.4, all versions starting from 15.2 before 15.2.1. A malicious maintainer could exfiltrate an integration's access token by modifying the integration URL such that authenticated requests are sent to an attacker controlled server. This is a high severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N</code>, 8.5). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2497">CVE-2022-2497</a>.</p> <p>Thanks <a href="https://hackerone.com/joaxcar">joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="revoke-access-to-confidential-notes-todos">Revoke access to confidential notes todos</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/705 --> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.0 before 15.0.5, all versions starting from 15.1 before 15.1.4, all versions starting from 15.2 before 15.2.1. Membership changes are not reflected in TODOs for confidential notes, allowing former project members to read updates via TODOs. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N</code>, 6.5). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2512">CVE-2022-2512</a>.</p> <p>This vulnerability has been discovered internally by the GitLab team.</p> <h2 id="pipeline-subscriptions-trigger-new-pipelines-with-the-wrong-author">Pipeline subscriptions trigger new pipelines with the wrong author</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/642 --> <p>An issue in pipeline subscriptions in GitLab EE affecting all versions starting from 12.8 before 15.0.5, all versions starting from 15.1 before 15.1.4, all versions starting from 15.2 before 15.2.1 triggered new pipelines with the person who created the tag as the pipeline creator instead of the subscription's author. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N</code>, 6.4). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2498">CVE-2022-2498</a>.</p> <p>Thanks <a href="https://hackerone.com/vaib25vicky">vaib25vicky</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="ability-to-gain-access-to-private-project-through-an-email-invite-by-using-other-users-email-address-as-an-unverified-secondary-email">Ability to gain access to private project through an email invite by using other user's email address as an unverified secondary email</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/685 --> <p>An issue has been discovered in GitLab CE/EE affecting all versions before 15.0.5, all versions starting from 15.1 before 15.1.4, all versions starting from 15.2 before 15.2.1. It may be possible to gain access to a private project through an email invite by using another user's email address as an unverified secondary email. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N</code>, 6.4). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2326">CVE-2022-2326</a>.</p> <p>Thanks <a href="https://hackerone.com/vaib25vicky">vaib25vicky</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="import-via-git-protocol-allows-to-bypass-checks-on-repository">Import via git protocol allows to bypass checks on repository</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/715 --> <p>Insufficient validation in GitLab CE/EE affecting all versions starting from 12.10 before 15.0.5, all versions starting from 15.1 before 15.1.4, all versions starting from 15.2 before 15.2.1 allows an authenticated and authorised user to import a project that includes branch names which are 40 hexadecimal characters, which could be abused in supply chain attacks where a victim is pinned to a specific Git commit of the project. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:N/I:H/A:N</code>, 6.2). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2417">CVE-2022-2417</a>.</p> <p>This vulnerability has been discovered internally by the GitLab team.</p> <h2 id="unauthenticated-ip-allowlist-bypass-when-accessing-job-artifacts-through-gitlab-pages">Unauthenticated IP allowlist bypass when accessing job artifacts through GitLab Pages</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/722 --> <p>An improper access control issue in GitLab EE affecting all versions starting from 12.0 before 15.0.5, all versions starting from 15.1 before 15.1.4, all versions starting from 15.2 before 15.2.1 allows an attacker to bypass IP allow-listing and download artifacts. This attack only bypasses IP allow-listing; proper permissions are still required. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N</code>, 5.9). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2501">CVE-2022-2501</a>.</p> <p>Thanks <a href="https://hackerone.com/joaxcar">joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="unauthenticated-access-to-victims-grafana-datasources-through-path-traversal">Unauthenticated access to victims Grafana datasources through path traversal</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/701 --> <p>An issue has been discovered in GitLab EE affecting all versions starting from 12.5 before 15.0.5, all versions starting from 15.1 before 15.1.4, all versions starting from 15.2 before 15.2.1. GitLab was not performing correct authentication on the Grafana API under specific conditions, allowing unauthenticated users to perform queries through a path traversal vulnerability. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N</code>, 5.3). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2531">CVE-2022-2531</a>.</p> <p>Thanks <a href="https://hackerone.com/joaxcar">joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="unauthorized-users-can-filter-issues-by-contact-and-organization">Unauthorized users can filter issues by contact and organization</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/716 --> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting from 14.6 before 15.0.5, all versions starting from 15.1 before 15.1.4, all versions starting from 15.2 before 15.2.1 that allowed a project member to filter issues by contact and organization. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N</code>, 5.3). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2539">CVE-2022-2539</a>.</p> <p>This vulnerability has been discovered internally by the GitLab team.</p> <h2 id="malicious-maintainer-may-change-the-visibility-of-project-or-a-group">Malicious Maintainer may change the visibility of project or a group</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/708 --> <p>An issue has been discovered in GitLab CE/EE affecting all versions before 15.0.5, all versions starting from 15.1 before 15.1.4, all versions starting from 15.2 before 15.2.1. It may be possible for malicious group or project maintainers to change their corresponding group or project visibility by crafting a malicious POST request. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N</code>, 4.9). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2456">CVE-2022-2456</a>.</p> <p>Thanks <a href="https://hackerone.com/suruli">suruli</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="stored-xss-in-job-error-messages">Stored XSS in job error messages</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/720 --> <p>A cross-site scripting issue has been discovered in GitLab CE/EE affecting all versions before 15.0.5, all versions starting from 15.1 before 15.1.4, all versions starting from 15.2 before 15.2.1. A stored XSS flaw in job error messages allows attackers to perform arbitrary actions on behalf of victims at client side. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N</code>, 4.4). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2500">CVE-2022-2500</a>.</p> <p>Thanks <a href="https://hackerone.com/yvvdwf">yvvdwf</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="enforced-group-mfa-can-be-bypassed-when-using-resource-owner-password-credentials-grant">Enforced group MFA can be bypassed when using Resource Owner Password Credentials grant</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/698 --> <p>An issue has been discovered in GitLab CE/EE affecting all versions before 15.0.5, all versions starting from 15.1 before 15.1.4, all versions starting from 15.2 before 15.2.1. It may be possible for group members to bypass 2FA enforcement enabled at the group level by using the Resource Owner Password Credentials grant to obtain an access token without using 2FA. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2303">CVE-2022-2303</a>.</p> <p>Thanks <a href="https://hackerone.com/albatraoz">albatraoz</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="non-project-members-can-view-public-projects-deploy-keys">Non-project members can view public project's Deploy Keys</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/724 --> <p>An improper access control check in GitLab CE/EE affecting all versions starting from 13.7 before 15.0.5, all versions starting from 15.1 before 15.1.4, all versions starting from 15.2 before 15.2.1 allows a malicious authenticated user to view a public project's Deploy Key's public fingerprint and name when that key has write permission. Note that GitLab never asks for nor stores the private key. 
This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2095">CVE-2022-2095</a>.</p> <p>Thanks <a href="https://hackerone.com/jimeno">jimeno</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="idor-in-project-with-jira-integration-leaks-project-owners-other-projects-jira-issues">IDOR in project with Jira integration leaks project owner's other projects' Jira issues</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/702 --> <p>An issue has been discovered in GitLab EE affecting all versions starting from 13.10 before 15.0.5, all versions starting from 15.1 before 15.1.4, all versions starting from 15.2 before 15.2.1. GitLab's Jira integration has an insecure direct object reference vulnerability that may be exploited by an attacker to leak Jira issues. This is a low severity issue (<code>CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N</code>, 3.5). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2499">CVE-2022-2499</a>.</p> <p>Thanks <a href="https://hackerone.com/joaxcar">joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="group-bot-users-and-tokens-not-deleted-after-group-deletion">Group Bot Users and Tokens not deleted after group deletion</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/694 --> <p>A lack of cascading deletes in GitLab CE/EE affecting all versions starting from 13.0 before 15.0.5, all versions starting from 15.1 before 15.1.4, all versions starting from 15.2 before 15.2.1 allows a malicious Group Owner to retain a usable Group Access Token even after the Group is deleted, though the APIs usable by that token are limited. 
This is a low severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N</code>, 3.5). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2307">CVE-2022-2307</a>.</p> <p>This vulnerability has been discovered by the JiHu team.</p> <h2 id="email-invited-members-can-join-projects-even-after-the-member-lock-has-been-enabled">Email invited members can join projects even after the member lock has been enabled</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/718 --> <p>An issue has been discovered in GitLab EE affecting all versions before 15.0.5, all versions starting from 15.1 before 15.1.4, all versions starting from 15.2 before 15.2.1. It may be possible for email invited members to join a project even after the Group Owner has enabled the setting to prevent members from being added to projects in a group, if the invite was sent before the setting was enabled. This is a low severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N</code>, 2.7). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2459">CVE-2022-2459</a>.</p> <p>Thanks <a href="https://hackerone.com/justas_b">justas_b</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="datadog-integration-returns-user-emails">Datadog integration returns user emails</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/704 --> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting from 9.3 before 15.0.5, all versions starting from 15.1 before 15.1.4, all versions starting from 15.2 before 15.2.1. GitLab was returning contributor emails due to improper data handling in the Datadog integration. This is a low severity issue (<code>CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N</code>, 2.2). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2534">CVE-2022-2534</a>.</p> <p>This vulnerability has been discovered internally by the GitLab team.</p> <h2 id="update-bzip2">Update bzip2</h2> <p>The version of bzip2 has been updated to 1.0.8 in order to mitigate security concerns.</p> <h3 id="versions-affected">Versions affected</h3> <p>Affects all versions of GitLab Omnibus.</p> <h2 id="update-exiftool">Update exiftool</h2> <p>The version of exiftool has been updated to 12.42 in order to mitigate security concerns.</p> <h3 id="versions-affected-1">Versions affected</h3> <p>Affects all versions of GitLab Omnibus.</p> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">update page</a>. To update GitLab Runner, see the <a href="https://docs.gitlab.com/runner/install/linux-repository.html#updating-the-runner">Updating the Runner page</a>.</p> <h2 id="receive-security-release-notifications">Receive Security Release Notifications</h2> <p>To receive security release blog notifications delivered to your inbox, visit our <a href="https://about.gitlab.com/company/contact/">contact us</a> page. To receive release notifications via RSS, subscribe to our <a href="https://about.gitlab.com/security-releases.xml">security release RSS feed</a> or our <a href="https://about.gitlab.com/all-releases.xml">RSS feed for all releases</a>.</p>
GitLab Critical Security Release: 15.1.1, 15.0.4, and 14.10.5 https://about.gitlab.com/releases/2022/06/30/critical-security-release-gitlab-15-1-1-released/ 2022-06-30T00:00:00+00:00 2022-06-30T00:00:00+00:00 Nikhil George <p>Today we are releasing versions 15.1.1, 15.0.4, and 14.10.5 for GitLab Community Edition (CE) and Enterprise Edition (EE). 
<em>Please note, this critical release will also serve as our monthly security release for June</em>.</p> <p>These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.</p> <p>GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our <a href="https://about.gitlab.com/security/faq/">security FAQ</a>. You can see all of our regular and security release blog posts <a href="/releases/categories/releases/">here</a>. In addition, the issues detailing each vulnerability are made public on our <a href="https://gitlab.com/gitlab-org/gitlab/issues?label_name%5B%5D=security&amp;scope=all&amp;state=opened">issue tracker</a> 30 days after the release in which they were patched.</p> <p>We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more <a href="/blog/gitlab-instance-security-best-practices/">best practices in securing your GitLab instance</a> in our blog post.</p> <h3 id="recommended-action">Recommended Action</h3> <p>We <strong>strongly recommend</strong> that all installations running a version affected by the issues described below are <strong>upgraded to the latest version as soon as possible</strong>.</p> <p>When no specific deployment type (omnibus, source code, helm chart, etc.) 
of a product is mentioned, this means all types are affected.</p> <h2 id="table-of-fixes">Table of Fixes</h2> <table> <thead> <tr> <th>Title</th> <th>Severity</th> </tr> </thead> <tbody> <tr> <td><a href="#remote-command-execution-via-project-imports">Remote Command Execution via Project Imports</a></td> <td>critical</td> </tr> <tr> <td><a href="#xss-in-zentao-integration-affecting-self-hosted-instances-without-strict-csp">XSS in ZenTao integration affecting self hosted instances without strict CSP</a></td> <td>high</td> </tr> <tr> <td><a href="#xss-in-project-settings-page">XSS in project settings page</a></td> <td>high</td> </tr> <tr> <td><a href="#unallowed-users-can-read-unprotected-ci-variables">Unallowed users can read unprotected CI variables</a></td> <td>high</td> </tr> <tr> <td><a href="#ip-allow-list-bypass-to-access-container-registries">IP allow-list bypass to access Container Registries</a></td> <td>medium</td> </tr> <tr> <td><a href="#2fa-status-is-disclosed-to-unauthenticated-users">2FA status is disclosed to unauthenticated users</a></td> <td>medium</td> </tr> <tr> <td><a href="#idor-in-sentry-issues">IDOR in sentry issues</a></td> <td>medium</td> </tr> <tr> <td><a href="#reporters-can-manage-issues-in-error-tracking">Reporters can manage issues in error tracking</a></td> <td>medium</td> </tr> <tr> <td><a href="#ci-variables-provided-to-runners-outside-of-a-groups-restricted-ip-range">CI variables provided to runners outside of a group's restricted IP range</a></td> <td>medium</td> </tr> <tr> <td><a href="#regular-expression-denial-of-service-via-malicious-web-server-responses">Regular Expression Denial of Service via malicious web server responses</a></td> <td>medium</td> </tr> <tr> <td><a href="#unauthorized-read-for-conan-repository">Unauthorized read for conan repository</a></td> <td>low</td> </tr> <tr> <td><a href="#open-redirect-vulnerability">Open redirect vulnerability</a></td> <td>low</td> </tr> <tr> <td><a 
href="#group-labels-are-editable-through-subproject">Group labels are editable through subproject</a></td> <td>low</td> </tr> <tr> <td><a href="#release-titles-visible-for-any-users-if-group-milestones-are-associated-with-any-project-releases">Release titles visible for any users if group milestones are associated with any project releases</a></td> <td>low</td> </tr> <tr> <td><a href="#restrict-membership-by-email-domain-bypass">Restrict membership by email domain bypass</a></td> <td>low</td> </tr> <tr> <td><a href="#job-information-is-leaked-to-users-who-previously-were-maintainers-via-the-runner-jobs-api-endpoint">Job information is leaked to users who previously were maintainers via the Runner Jobs API endpoint</a></td> <td>low</td> </tr> </tbody> </table> <h2 id="remote-command-execution-via-project-imports">Remote Command Execution via Project Imports</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/695 --> <p>A critical issue has been discovered in GitLab affecting all versions starting from 14.0 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1 where an authenticated user authorized to import projects could import a maliciously crafted project leading to remote code execution. This is a critical severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H</code>, 9.9). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2185">CVE-2022-2185</a>.</p> <p>Thanks <a href="https://hackerone.com/vakzz">vakzz</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="xss-in-zentao-integration-affecting-self-hosted-instances-without-strict-csp">XSS in ZenTao integration affecting self hosted instances without strict CSP</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/676 --> <p>Insufficient sanitization in GitLab EE's external issue tracker affecting all versions from 14.5 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1 allows an attacker to perform cross-site scripting when a victim clicks on a maliciously crafted ZenTao link. This is a high severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N</code>, 8.7). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2235">CVE-2022-2235</a>.</p> <p>Thanks <a href="https://hackerone.com/joaxcar">joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="xss-in-project-settings-page">XSS in project settings page</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/684 --> <p>A Stored Cross-Site Scripting vulnerability in the project settings page in GitLab CE/EE affecting all versions from 14.4 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1, allows an attacker to execute arbitrary JavaScript code in GitLab on a victim's behalf. This is a high severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N</code>, 8.1). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2230">CVE-2022-2230</a>.</p> <p>Thanks <a href="https://hackerone.com/yvvdwf">yvvdwf</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="unallowed-users-can-read-unprotected-ci-variables">Unallowed users can read unprotected CI variables</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/686 --> <p>An improper authorization issue in GitLab CE/EE affecting all versions from 13.7 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1 allows an attacker to extract the value of an unprotected variable they know the name of in public projects or private projects they're a member of. This is a high severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N</code>, 7.5). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2229">CVE-2022-2229</a>.</p> <p>Thanks <a href="https://hackerone.com/shell3c">shell3c</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="ip-allow-list-bypass-to-access-container-registries">IP allow-list bypass to access Container Registries</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/679 --> <p>Incorrect authorization in GitLab EE affecting all versions from 10.7 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1, allowed an attacker already in possession of a valid Deploy Key or a Deploy Token to misuse it from any location to access Container Registries even when IP address restrictions were configured. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N</code>, 6.5). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1983">CVE-2022-1983</a>.</p> <p>This issue was found internally by a member of the GitLab team.</p> <h2 id="2fa-status-is-disclosed-to-unauthenticated-users">2FA status is disclosed to unauthenticated users</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/675 --> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.4 before 14.10.5, all versions starting from 15.0 before 15.0.4, all versions starting from 15.1 before 15.1.1. GitLab reveals in the HTML source, to unauthenticated users, whether a user has enabled two-factor authentication on their account. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N</code>, 5.3). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1963">CVE-2022-1963</a>.</p> <p>Thanks <a href="https://hackerone.com/albatraoz">albatraoz</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="ci-variables-provided-to-runners-outside-of-a-groups-restricted-ip-range">CI variables provided to runners outside of a group's restricted IP range</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/682 --> <p>Information exposure in GitLab EE affecting all versions from 12.0 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1 allows an attacker with the appropriate access tokens to obtain CI variables in a group using IP-based access restrictions even if the GitLab Runner is calling from outside the allowed IP range. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N</code>, 5.3). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2228">CVE-2022-2228</a>.</p> <p>This vulnerability has been discovered internally by the GitLab team.</p> <h2 id="idor-in-sentry-issues">IDOR in sentry issues</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/680 --> <p>An access control vulnerability in GitLab EE/CE affecting all versions from 14.8 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1, allows authenticated users to enumerate issues in non-linked Sentry projects. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N</code>, 5.0). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2243">CVE-2022-2243</a>.</p> <p>Thanks <a href="https://hackerone.com/joaxcar">joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="reporters-can-manage-issues-in-error-tracking">Reporters can manage issues in error tracking</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/680 --> <p>An improper authorization vulnerability in GitLab EE/CE affecting all versions from 14.8 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1, allows project members with the Reporter role to manage issues in the project's error tracking feature. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N</code>, 4.3). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2244">CVE-2022-2244</a>.</p> <p>Thanks <a href="https://hackerone.com/joaxcar">joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="regular-expression-denial-of-service-via-malicious-web-server-responses">Regular Expression Denial of Service via malicious web server responses</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/671 --> <p>A Regular Expression Denial of Service vulnerability in GitLab CE/EE affecting all versions from 1.0.2 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1 allows an attacker to make a GitLab instance inaccessible via specially crafted web server response headers. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L</code>, 4.3). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1954">CVE-2022-1954</a>.</p> <p>Thanks <a href="https://hackerone.com/afewgoats">afewgoats</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="unauthorized-read-for-conan-repository">Unauthorized read for conan repository</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/670 --> <p>An issue has been discovered in GitLab affecting all versions starting from 12.4 before 14.10.5, all versions starting from 15.0 before 15.0.4, all versions starting from 15.1 before 15.1.1. GitLab was leaking Conan packages names due to incorrect permissions verification. This is a low severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N</code>, 3.5). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2270">CVE-2022-2270</a>.</p> <p>Thanks <a href="https://hackerone.com/fushbey">fushbey</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="open-redirect-vulnerability">Open redirect vulnerability</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/687 --> <p>An open redirect vulnerability in GitLab EE/CE affecting all versions from 11.1 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1, allows redirecting users to a malicious location. This is a low severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N</code>, 4.7). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2250">CVE-2022-2250</a>.</p> <p>Thanks <a href="https://hackerone.com/stealthy">stealthy</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="group-labels-are-editable-through-subproject">Group labels are editable through subproject</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/683 --> <p>An issue has been discovered in GitLab CE/EE affecting all versions from 8.13 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1. Under certain conditions, an unprivileged user was able to change label descriptions using the REST API. This is a low severity issue (<code>CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N</code>, 3.1). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1999">CVE-2022-1999</a>.</p> <p>This vulnerability has been discovered internally by the GitLab team.</p> <h2 id="release-titles-visible-for-any-users-if-group-milestones-are-associated-with-any-project-releases">Release titles visible for any users if group milestones are associated with any project releases</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/690 --> <p>An information disclosure vulnerability in GitLab EE affecting all versions from 12.5 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1, allows disclosure of release titles if group milestones are associated with any project releases. This is a low severity issue (<code>CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N</code>, 2.6). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2281">CVE-2022-2281</a>.</p> <p>Thanks <a href="https://hackerone.com/ashish_r_padelkar">ashish_r_padelkar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="restrict-membership-by-email-domain-bypass">Restrict membership by email domain bypass</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/668 --> <p>An issue has been discovered in GitLab EE affecting all versions starting from 12.2 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1. In GitLab, if a group enables the setting to restrict access to users belonging to specific domains, that allow-list may be bypassed if a Maintainer uses the 'Invite a group' feature to invite a group that has members who don't comply with the domain allow-list. This is a low severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N</code>, 2.7). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1981">CVE-2022-1981</a>.</p> <p>Thanks <a href="https://hackerone.com/muthu_prakash">muthu_prakash</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="job-information-is-leaked-to-users-who-previously-were-maintainers-via-the-runner-jobs-api-endpoint">Job information is leaked to users who previously were maintainers via the Runner Jobs API endpoint</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/667 --> <p>Improper access control in the runner jobs API in GitLab CE/EE affecting all versions prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1 allows a previous maintainer of a project with a specific runner to access job and project metadata under certain conditions. This is a low severity issue (<code>CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 3.1). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2227">CVE-2022-2227</a>.</p> <p>Thanks <a href="https://hackerone.com/vaib25vicky">vaib25vicky</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="update-rack">Update rack</h2> <p>The version of rack has been updated to 2.2.3.1 in order to mitigate security concerns.</p> <h3 id="versions-affected">Versions affected</h3> <p>Affects all versions of GitLab CE/EE.</p> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">update page</a>. To update GitLab Runner, see the <a href="https://docs.gitlab.com/runner/install/linux-repository.html#updating-the-runner">Updating the Runner page</a>.</p> <h2 id="receive-security-release-notifications">Receive Security Release Notifications</h2> <p>To receive security release blog notifications delivered to your inbox, visit our <a href="https://about.gitlab.com/company/contact/">contact us</a> page. 
To receive release notifications via RSS, subscribe to our <a href="https://about.gitlab.com/security-releases.xml">security release RSS feed</a> or our <a href="https://about.gitlab.com/all-releases.xml">RSS feed for all releases</a>.</p>
GitLab Critical Security Release: 15.0.1, 14.10.4, and 14.9.5 https://about.gitlab.com/releases/2022/06/01/critical-security-release-gitlab-15-0-1-released/ 2022-06-01T00:00:00+00:00 2022-06-01T00:00:00+00:00 Nick Malcolm <p>Today we are releasing versions 15.0.1, 14.10.4, and 14.9.5 for GitLab Community Edition (CE) and Enterprise Edition (EE). <em>Please note, this critical release will also serve as our monthly security release for May.</em></p> <p>These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.</p> <p>GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released approximately one week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our <a href="https://about.gitlab.com/security/faq/">security FAQ</a>. You can see all of our regular and security release blog posts <a href="/releases/categories/releases/">here</a>. In addition, the issues detailing each vulnerability are made public on our <a href="https://gitlab.com/gitlab-org/gitlab/issues?label_name%5B%5D=security&amp;scope=all&amp;state=opened">issue tracker</a> 30 days after the release in which they were patched.</p> <p>We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. 
As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more <a href="/blog/gitlab-instance-security-best-practices/">best practices in securing your GitLab instance</a> in our blog post.</p> <h3 id="recommended-action">Recommended Action</h3> <p>We <strong>strongly recommend</strong> that all installations running a version affected by the issues described below are <strong>upgraded to the latest version as soon as possible</strong>.</p> <p>When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.</p> <h2 id="table-of-fixes">Table of Fixes</h2> <table> <thead> <tr> <th>Title</th> <th>Severity</th> </tr> </thead> <tbody> <tr> <td><a href="#account-take-over-via-scim-email-change">Account take over via SCIM email change</a></td> <td>critical</td> </tr> <tr> <td><a href="#stored-xss-in-jira-integration">Stored XSS in Jira integration</a></td> <td>high</td> </tr> <tr> <td><a href="#quick-action-commands-susceptible-to-xss">Quick action commands susceptible to XSS</a></td> <td>high</td> </tr> <tr> <td><a href="#ip-allowlist-bypass-when-using-trigger-tokens">IP allowlist bypass when using Trigger tokens</a></td> <td>medium</td> </tr> <tr> <td><a href="#ip-allowlist-bypass-when-using-project-deploy-tokens">IP allowlist bypass when using Project Deploy Tokens</a></td> <td>medium</td> </tr> <tr> <td><a href="#improper-authorization-in-the-interactive-web-terminal">Improper authorization in the Interactive Web Terminal</a></td> <td>medium</td> </tr> <tr> <td><a href="#subgroup-member-can-list-members-of-parent-group">Subgroup member can list members of parent group</a></td> <td>medium</td> </tr> <tr> <td><a href="#group-member-lock-bypass">Group member lock bypass</a></td> <td>low</td> </tr> </tbody> </table> <h2 id="account-take-over-via-scim-email-change">Account take over via SCIM 
email change</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/669 --> <p>An account takeover issue has been discovered in GitLab EE affecting all versions starting from 11.10 before 14.9.5, all versions starting from 14.10 before 14.10.4, all versions starting from 15.0 before 15.0.1. When group SAML SSO is configured, the SCIM feature (available only on Premium+ subscriptions) may allow any owner of a Premium group to invite arbitrary users through their username and email, then change those users' email addresses via SCIM to an attacker-controlled email address and thus, in the absence of 2FA, take over those accounts. It is also possible for the attacker to change the display name and username of the targeted account. This is a critical severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H</code>, 9.9). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1680">CVE-2022-1680</a>.</p> <p>This vulnerability was discovered internally by a member of the GitLab team.</p> <p>Self-managed administrators can check whether <code>group_saml</code> is enabled by reviewing <a href="https://docs.gitlab.com/ee/integration/saml.html#configuring-group-saml-on-a-self-managed-gitlab-instance">"Configuring Group SAML on a self-managed GitLab instance"</a>.</p> <h2 id="stored-xss-in-jira-integration">Stored XSS in Jira integration</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/674 --> <p>A Stored Cross-Site Scripting vulnerability in the Jira integration in GitLab EE affecting all versions from 13.11 prior to 14.9.5, 14.10 prior to 14.10.4, and 15.0 prior to 15.0.1 allows an attacker to execute arbitrary JavaScript code in GitLab on a victim's behalf via specially crafted Jira Issues. This is a high severity issue (<code>CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N</code>, 7.7). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1940">CVE-2022-1940</a>.</p> <p>Thanks <a href="https://hackerone.com/joaxcar">joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="quick-action-commands-susceptible-to-xss">Quick action commands susceptible to XSS</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/673 --> <p>An issue has been discovered in GitLab affecting all versions starting from 15.0 before 15.0.1. Missing validation of input used in quick actions allowed an attacker to exploit XSS by injecting HTML in contact details. This is a high severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N</code>, 8.7). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1948">CVE-2022-1948</a>.</p> <p>Thanks <a href="https://hackerone.com/cryptopone">cryptopone</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="ip-allowlist-bypass-when-using-trigger-tokens">IP allowlist bypass when using Trigger tokens</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/678 --> <p>Incorrect authorization in GitLab EE affecting all versions from 12.0 before 14.9.5, all versions starting from 14.10 before 14.10.4, all versions starting from 15.0 before 15.0.1 allowed an attacker already in possession of a valid Project Trigger Token to misuse it from any location even when IP address restrictions were configured. This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N</code>, 6.5). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1935">CVE-2022-1935</a>.</p> <p>This vulnerability has been discovered internally by the GitLab team.</p> <h2 id="ip-allowlist-bypass-when-using-project-deploy-tokens">IP allowlist bypass when using Project Deploy Tokens</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/677 --> <p>Incorrect authorization in GitLab EE affecting all versions from 12.0 before 14.9.5, all versions starting from 14.10 before 14.10.4, all versions starting from 15.0 before 15.0.1 allowed an attacker already in possession of a valid Project Deploy Token to misuse it from any location even when IP address restrictions were configured. This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N</code>, 6.5). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1936">CVE-2022-1936</a>.</p> <p>This was reported by a customer through our Responsible Vulnerability Disclosure process.</p> <h2 id="improper-authorization-in-the-interactive-web-terminal">Improper authorization in the Interactive Web Terminal</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/662 --> <p>When the feature is configured, improper authorization in the Interactive Web Terminal in GitLab CE/EE affecting all versions from 11.3 prior to 14.9.5, 14.10 prior to 14.10.4, and 15.0 prior to 15.0.1 allows users with the Developer role to open terminals on other Developers' running jobs. This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N</code>, 5.4). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1944">CVE-2022-1944</a>.</p> <p>This vulnerability has been discovered internally by the GitLab team.</p> <h2 id="subgroup-member-can-list-members-of-parent-group">Subgroup member can list members of parent group</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/672 --> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.8 before 14.9.5, all versions starting from 14.10 before 14.10.4, all versions starting from 15.0 before 15.0.1. It may be possible for a subgroup member to access the members list of their parent group. This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1821">CVE-2022-1821</a>.</p> <p>This vulnerability was discovered internally by a member of the GitLab team.</p> <h2 id="group-member-lock-bypass">Group member lock bypass</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/660 --> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting from 14.3 before 14.9.5, all versions starting from 14.10 before 14.10.4, all versions starting from 15.0 before 15.0.1. It may be possible for malicious group maintainers to add new members to a project within their group, through the REST API, even after their group owner enabled a setting to prevent members from being added to projects within that group. This is a low severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N</code>, 2.7). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1783">CVE-2022-1783</a>.</p> <p>Thanks <a href="https://hackerone.com/salh4ckr">salh4ckr</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="update-mattermost">Update Mattermost</h2> <p>The version of Mattermost has been updated to 6.6.1 in order to mitigate security concerns.</p> <h3 id="versions-affected">Versions affected</h3> <p>Affects GitLab Omnibus prior to 15.0.</p> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">update page</a>. To update GitLab Runner, see the <a href="https://docs.gitlab.com/runner/install/linux-repository.html#updating-the-runner">Updating the Runner page</a>.</p> <h2 id="receive-security-release-notifications">Receive Security Release Notifications</h2> <p>To receive security release blog notifications delivered to your inbox, visit our <a href="https://about.gitlab.com/company/contact/">contact us</a> page. To receive release notifications via RSS, subscribe to our <a href="https://about.gitlab.com/security-releases.xml">security release RSS feed</a> or our <a href="https://about.gitlab.com/all-releases.xml">RSS feed for all releases</a>.</p> GitLab Security Release: 14.10.1, 14.9.4, and 14.8.6 https://about.gitlab.com/releases/2022/05/02/security-release-gitlab-14-10-1-released/ 2022-05-02T00:00:00+00:00 2022-05-02T00:00:00+00:00 Michael Henriksen <p>Today we are releasing versions 14.10.1, 14.9.4, and 14.8.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. 
GitLab.com is already running the patched version.</p> <p>GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our <a href="https://about.gitlab.com/security/faq/">security FAQ</a>. You can see all of our regular and security release blog posts <a href="/releases/categories/releases/">here</a>. In addition, the issues detailing each vulnerability are made public on our <a href="https://gitlab.com/gitlab-org/gitlab/issues?label_name%5B%5D=security&amp;scope=all&amp;state=opened">issue tracker</a> 30 days after the release in which they were patched.</p> <p>We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more about <a href="/blog/gitlab-instance-security-best-practices/">best practices in securing your GitLab instance</a> in our blog post.</p> <p>When no specific deployment type (omnibus, source code, helm chart, etc.) 
of a product is mentioned, this means all types are affected.</p> <h2 id="table-of-fixes">Table of Fixes</h2> <table> <thead> <tr> <th>Title</th> <th>Severity</th> </tr> </thead> <tbody> <tr> <td><a href="#improper-access-control-in-cicd-cache-mechanism">Improper access control in CI/CD cache mechanism</a></td> <td>high</td> </tr> <tr> <td><a href="#redos-on-ci-editor-and-ci-pipeline-detail-pages">ReDoS on CI Editor and CI Pipeline detail pages</a></td> <td>medium</td> </tr> <tr> <td><a href="#user-with-developer-role-group-can-modify-protected-branches---allowed-to-merge-setting-on-imported-project">User with developer role (group) can modify Protected branches -&gt; Allowed to merge setting on imported project</a></td> <td>medium</td> </tr> <tr> <td><a href="#maintainer-can-execute-scheduled-ci-pipeline-as-another-user">Maintainer can execute scheduled CI pipeline as another user</a></td> <td>medium</td> </tr> <tr> <td><a href="#missing-input-masking-on-sensitive-integration-properties">Missing input masking on sensitive integration properties</a></td> <td>medium</td> </tr> <tr> <td><a href="#api-discloses-issue-titles-of-limited-projects">API discloses issue titles of limited projects</a></td> <td>medium</td> </tr> <tr> <td><a href="#confidential-notes-disclosure">Confidential notes disclosure</a></td> <td>medium</td> </tr> <tr> <td><a href="#improper-rack-attack-discriminator-for-authenticated_packages_api-with-a-deploy-token">Improper rack-attack discriminator for <code>authenticated_packages_api</code> with a deploy token</a></td> <td>medium</td> </tr> <tr> <td><a href="#improper-access-control-in-project-members-only-wiki">Improper access control in Project Members-only Wiki</a></td> <td>medium</td> </tr> <tr> <td><a href="#guest-project-member-can-access-trace-log-of-jobs-when-it-is-enabled">Guest project member can access trace log of jobs when it is enabled</a></td> <td>medium</td> </tr> <tr> <td><a 
href="#html-and-css-injection-in-pipeline-error-messages">HTML and CSS injection in pipeline error messages</a></td> <td>medium</td> </tr> <tr> <td><a href="#forging-get-requests-through-and-denying-service-of-simple-pypi-api-endpoint">Forging GET Requests through and Denying Service of Simple PyPi API Endpoint</a></td> <td>medium</td> </tr> <tr> <td><a href="#missing-invalidation-of-markdown-cache-causes-potential-xss-payloads-to-persist">Missing invalidation of Markdown cache causes potential XSS payloads to persist</a></td> <td>low</td> </tr> <tr> <td><a href="#conan-api-incorrectly-processes-jwt-encoded-personal-access-tokens">Conan API incorrectly processes JWT-encoded Personal Access Tokens</a></td> <td>low</td> </tr> </tbody> </table> <h2 id="improper-access-control-in-cicd-cache-mechanism">Improper access control in CI/CD cache mechanism</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/649 --> <p>Improper access control in the CI/CD cache mechanism in GitLab CE/EE affecting all versions from 1.0.2 before 14.8.6 allows a malicious actor with Developer privileges to perform cache poisoning leading to arbitrary code execution in protected branches. This is a high severity issue (<code>CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N</code>, 7.1). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1423">CVE-2022-1423</a>.</p> <p>Thanks <a href="https://hackerone.com/wapiflapi">wapiflapi</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="redos-on-ci-editor-and-ci-pipeline-detail-pages">ReDoS on CI Editor and CI Pipeline detail pages</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/641 --> <p>An issue has been discovered in GitLab affecting all versions starting from 13.9 before 14.8.6, all versions starting from 14.9 before 14.9.4, all versions starting from 14.10 before 14.10.1. 
GitLab was not correctly handling malicious text in the CI Editor and CI Pipeline details page allowing the attacker to cause uncontrolled resource consumption. This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H</code>, 6.5). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1510">CVE-2022-1510</a>.</p> <p>Thanks <a href="https://hackerone.com/stunninglemon">stunninglemon</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="user-with-developer-role-group-can-modify-protected-branches---allowed-to-merge-setting-on-imported-project">User with developer role (group) can modify Protected branches -&gt; Allowed to merge setting on imported project</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/636 --> <p>Improper input validation in GitLab CE/EE affecting all versions from 8.12 prior to 14.8.6, all versions from 14.9.0 prior to 14.9.4, and 14.10.0 allows a Developer to read protected Group or Project CI/CD variables by importing a malicious project. This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N</code>, 6.5). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1406">CVE-2022-1406</a>.</p> <p>Thanks <a href="https://hackerone.com/justas_b">@justas_b</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="maintainer-can-execute-scheduled-ci-pipeline-as-another-user">Maintainer can execute scheduled CI pipeline as another user</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/658 --> <p>An issue has been discovered in GitLab affecting all versions starting from 9.2 before 14.8.6, all versions starting from 14.9 before 14.9.4, all versions starting from 14.10 before 14.10.1. 
GitLab was not performing correct authorization checks on scheduled pipelines, allowing a malicious user to run a pipeline in the context of another user. This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N</code>, 6.1). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1460">CVE-2022-1460</a>.</p> <p>Thanks <a href="https://hackerone.com/peterl">peterl</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="missing-input-masking-on-sensitive-integration-properties">Missing input masking on sensitive integration properties</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/646 --> <p>Missing input masking in GitLab CE/EE affecting all versions starting from 1.0.2 before 14.8.6 causes potentially sensitive integration properties to be disclosed in the web interface. This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:N/A:N</code>, 5.4). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1413">CVE-2022-1413</a>.</p> <p>This vulnerability has been discovered internally by the GitLab team.</p> <h2 id="api-discloses-issue-titles-of-limited-projects">API discloses issue titles of limited projects</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/655 --> <p>Due to an insecure direct object reference vulnerability in GitLab CE/EE affecting all versions from 11.0 prior to 14.8.6, 14.9 prior to 14.9.4, and 14.10 prior to 14.10.1, an endpoint may reveal the issue title to a user who crafts an API call with the ID of an issue from a public project that restricts issue access to project members only. This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N</code>, 5.3). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1352">CVE-2022-1352</a>.</p> <p>Thanks <a href="https://hackerone.com/shells3c">shells3c</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="confidential-notes-disclosure">Confidential notes disclosure</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/644 --> <p>It was possible to disclose details of confidential notes created via the API in GitLab CE/EE affecting all versions from 13.2 prior to 14.8.6, 14.9 prior to 14.9.4, and 14.10 prior to 14.10.1 if an unauthorised project member was tagged in the note. This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 4.3). We have requested a CVE ID and will update this blog post when it is assigned.</p> <p>This vulnerability has been discovered internally by the GitLab team.</p> <h2 id="improper-rack-attack-discriminator-for-authenticated_packages_api-with-a-deploy-token">Improper rack-attack discriminator for <code>authenticated_packages_api</code> with a deploy token</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/652 --> <p>An issue has been discovered in GitLab affecting all versions before 14.8.6, all versions starting from 14.9 before 14.9.4, all versions starting from 14.10 before 14.10.1. GitLab was incorrectly verifying throttling limits for authenticated package requests, which resulted in the limits not being enforced. This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N</code>, 4.3). 
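</p> <p>The throttling gap described above (limits not enforced for authenticated package requests made with a deploy token), as an added illustration that is not GitLab's code: a minimal in-memory throttle with rack-attack's contract, where the discriminator block returns a key naming the requester and a <code>nil</code> key means the request is not counted at all. The first discriminator keys only on a user id, so deploy-token requests fall through with no limit; the fixed one gives every authenticated principal a key. The request structure, the header names <code>x-user-id</code> and <code>deploy-token</code>, the path prefix and the assumption that the bypass amounted to a <code>nil</code> key are illustrative and not taken from the advisory.</p>

```ruby
require "digest"

# Added illustration, not GitLab's code. Request shape and header names are
# assumptions made for this example.
Request = Struct.new(:path, :headers, keyword_init: true)

PACKAGES_PREFIX = "/api/v4/packages".freeze

# Minimal throttle with the same contract as Rack::Attack.throttle: the
# discriminator returns a key for the requester, and a nil key means the
# request is not counted against any limit.
class Throttle
  def initialize(limit:, &discriminator)
    @limit = limit
    @discriminator = discriminator
    @counts = Hash.new(0)
  end

  # true if the request passes, false if it is throttled
  def allow?(req)
    key = @discriminator.call(req)
    return true if key.nil? # no key, no limit: this is where the bypass lives
    @counts[key] += 1
    @counts[key] <= @limit
  end
end

# Hypothetical vulnerable discriminator: only user-authenticated requests
# produce a key, so a request carrying a deploy token is never throttled.
VULNERABLE_DISCRIMINATOR = lambda do |req|
  req.headers["x-user-id"] if req.path.start_with?(PACKAGES_PREFIX)
end

# Fixed discriminator: every authenticated principal maps to a key. The
# deploy token is hashed so the raw secret never sits in the throttle store.
FIXED_DISCRIMINATOR = lambda do |req|
  next nil unless req.path.start_with?(PACKAGES_PREFIX)

  if (uid = req.headers["x-user-id"])
    "user:#{uid}"
  elsif (token = req.headers["deploy-token"])
    "deploy_token:#{Digest::SHA256.hexdigest(token)}"
  end
end

# Send n identical requests through a throttle and return how many passed.
def allowed_count(throttle, req, n)
  n.times.count { throttle.allow?(req) }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample request: a package API call authenticated with a deploy token.
  deploy_req = Request.new(path: "#{PACKAGES_PREFIX}/npm/example", headers: { "deploy-token" => "gldt-example" })
  puts "vulnerable: #{allowed_count(Throttle.new(limit: 5, &VULNERABLE_DISCRIMINATOR), deploy_req, 20)} of 20 allowed"
  puts "fixed:      #{allowed_count(Throttle.new(limit: 5, &FIXED_DISCRIMINATOR), deploy_req, 20)} of 20 allowed"
end
```

<p>With a limit of 5, the vulnerable throttle lets all 20 deploy-token requests through while the fixed one stops after the fifth. In a real rack-attack configuration the discriminator is the block passed to <code>Rack::Attack.throttle</code>, and the practical check after a fix like this one is to exercise each authentication method the endpoint accepts (session, personal access token, deploy token, CI job token) and confirm each hits the limit.</p> <p>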
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1428">CVE-2022-1428</a>.</p> <p>This vulnerability has been discovered internally by the GitLab team.</p> <h2 id="improper-access-control-in-project-members-only-wiki">Improper access control in Project Members-only Wiki</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/647 --> <p>Improper access control in GitLab CE/EE affecting all versions starting from 8.12 before 14.8.6, all versions starting from 8.13 before 14.9.4, and all versions starting from 8.14 before 14.10.1 allows non-project members to access contents of Project Members-only Wikis via malicious CI jobs. This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1417">CVE-2022-1417</a>.</p> <p>Thanks <a href="https://hackerone.com/shells3c">shells3c</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="guest-project-member-can-access-trace-log-of-jobs-when-it-is-enabled">Guest project member can access trace log of jobs when it is enabled</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/634 --> <p>An improper authorization issue has been discovered in GitLab CE/EE affecting all versions prior to 14.8.6, all versions from 14.9.0 prior to 14.9.4, and 14.10.0, allowing Guest project members to access trace log of jobs when it is enabled. This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 4.3). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1124">CVE-2022-1124</a>.</p> <p>Thanks <a href="https://hackerone.com/jimeno">jimeno</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="html-and-css-injection-in-pipeline-error-messages">HTML and CSS injection in pipeline error messages</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/645 --> <p>Missing sanitization of data in Pipeline error messages in GitLab CE/EE affecting all versions starting from 1.0.2 before 14.8.6 allows for rendering of attacker controlled HTML tags and CSS styling. This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1416">CVE-2022-1416</a>.</p> <p>Thanks <a href="https://hackerone.com/joaxcar">joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="forging-get-requests-through-and-denying-service-of-simple-pypi-api-endpoint">Forging GET Requests through and Denying Service of Simple PyPi API Endpoint</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/659 --> <p>An issue has been discovered in GitLab affecting all versions starting from 12.10 before 14.8.6, all versions starting from 14.9 before 14.9.4, all versions starting from 14.10 before 14.10.1. GitLab was not correctly handling malicious requests to the PyPi API endpoint allowing the attacker to cause uncontrolled resource consumption. This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L</code>, 4.3). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1431">CVE-2022-1431</a>.</p> <p>Thanks <a href="https://hackerone.com/iwis">iwis</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="missing-invalidation-of-markdown-cache-causes-potential-xss-payloads-to-persist">Missing invalidation of Markdown cache causes potential XSS payloads to persist</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/654 --> <p>An issue has been discovered in GitLab affecting all versions starting from 14.4 before 14.8.6, all versions starting from 14.9 before 14.9.4, all versions starting from 14.10 before 14.10.1. Missing invalidation of the Markdown cache causes potential payloads from a previously exploitable XSS vulnerability (CVE-2022-1175) to persist and execute. This is a low severity issue (<code>CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N</code>, 2.6). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1433">CVE-2022-1433</a>.</p> <p>Thanks <a href="https://hackerone.com/stacksmashing">stacksmashing</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="conan-api-incorrectly-processes-jwt-encoded-personal-access-tokens">Conan API incorrectly processes JWT-encoded Personal Access Tokens</h2> <!-- https://gitlab.com/gitlab-org/security/gitlab/-/issues/635 --> <p>An issue has been discovered in GitLab affecting all versions starting from 12.6 before 14.8.6, all versions starting from 14.9 before 14.9.4, all versions starting from 14.10 before 14.10.1. GitLab was not correctly authenticating a user who had a certain amount of information, which allowed that user to authenticate without a personal access token. This is a low severity issue (<code>CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N</code>, 2.0). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1426">CVE-2022-1426</a>.</p> <p>Thanks <a href="https://hackerone.com/firelizzard">firelizzard</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="update-zlib">Update Zlib</h2> <p>The version of Zlib has been updated to 1.2.12 in order to mitigate security concerns.</p> <h3 id="versions-affected">Versions affected</h3> <p>Affects GitLab Omnibus prior to 14.8.</p> <h2 id="update-ipynbdiff">Update Ipynbdiff</h2> <p>The version of Ipynbdiff has been updated to 0.4.5 in order to mitigate security concerns.</p> <h3 id="versions-affected-1">Versions affected</h3> <p>Affects all versions of GitLab CE/EE prior to 14.10.</p> GitLab Critical Security Release: 14.9.2, 14.8.5, and 14.7.7 https://about.gitlab.com/releases/2022/03/31/critical-security-release-gitlab-14-9-2-released/ 2022-03-31T00:00:00+00:00 2022-03-31T00:00:00+00:00 Dominic Couture <p><strong>Updated 14:50 UTC 2022-04-01</strong> We have updated this blog post with <a href="#script-to-identify-users-potentially-impacted-by-cve-2022-1162">a script to be used by self-managed instance admins to identify user accounts potentially impacted by CVE-2022-1162</a>.</p> <p>Today we are releasing versions 14.9.2, 14.8.5, and 14.7.7 for GitLab Community Edition (CE) and Enterprise Edition (EE). <em>Please note, this critical release will also serve as our monthly security release for March.</em></p> <h3 id="we-strongly-recommend-that-all-gitlab-installations-be-upgraded-to-one-of-these-versions-immediately">We strongly recommend that all GitLab installations be upgraded to one of these versions immediately.</h3> <p>These versions contain important security fixes. GitLab.com is already running the patched version.</p> <p>When no specific deployment type (omnibus, source code, helm chart, etc.) 
of a product is mentioned, this means all types are affected.</p> <h2 id="table-of-fixes">Table of Fixes</h2> <table> <thead> <tr> <th>Title</th> <th>Severity</th> </tr> </thead> <tbody> <tr> <td><a href="#static-passwords-inadvertently-set-during-omniauth-based-registration">Static passwords inadvertently set during OmniAuth-based registration</a></td> <td>critical</td> </tr> <tr> <td><a href="#stored-xss-in-notes">Stored XSS in notes</a></td> <td>high</td> </tr> <tr> <td><a href="#stored-xss-on-multi-word-milestone-reference">Stored XSS on Multi-word milestone reference</a></td> <td>high</td> </tr> <tr> <td><a href="#denial-of-service-caused-by-a-specially-crafted-rdoc-file">Denial of service caused by a specially crafted RDoc file</a></td> <td>medium</td> </tr> <tr> <td><a href="#gitlab-pages-access-tokens-can-be-reused-on-multiple-domains">GitLab Pages access tokens can be reused on multiple domains</a></td> <td>medium</td> </tr> <tr> <td><a href="#gitlab-pages-uses-default-disabled-server-timeouts-and-a-weak-tcp-keep-alive-timeout">GitLab Pages uses default (disabled) server Timeouts and a weak TCP Keep-Alive timeout</a></td> <td>medium</td> </tr> <tr> <td><a href="#incorrect-include-in-pipeline-definition-exposes-masked-ci-variables-in-ui">Incorrect include in pipeline definition exposes masked CI variables in UI</a></td> <td>medium</td> </tr> <tr> <td><a href="#regular-expression-denial-of-service-in-release-asset-link">Regular expression denial of service in release asset link</a></td> <td>medium</td> </tr> <tr> <td><a href="#latest-commit-details-from-private-projects-leaked-to-guest-users-via-merge-requests">Latest Commit details from private projects leaked to guest users via Merge Requests</a></td> <td>medium</td> </tr> <tr> <td><a href="#cicd-analytics-are-available-even-when-public-pipelines-are-disabled">CI/CD analytics are available even when public pipelines are disabled</a></td> <td>medium</td> </tr> <tr> <td><a 
href="#absence-of-limit-for-the-number-of-tags-that-can-be-added-to-a-runner-can-cause-performance-issues">Absence of limit for the number of tags that can be added to a runner can cause performance issues</a></td> <td>medium</td> </tr> <tr> <td><a href="#client-dos-through-rendering-crafted-comments">Client DoS through rendering crafted comments</a></td> <td>medium</td> </tr> <tr> <td><a href="#blind-ssrf-through-repository-mirroring">Blind SSRF Through Repository Mirroring</a></td> <td>low</td> </tr> <tr> <td><a href="#bypass-of-branch-restriction-in-asana-integration">Bypass of branch restriction in Asana integration</a></td> <td>low</td> </tr> <tr> <td><a href="#readable-approval-rules-by-guest-user">Readable approval rules by Guest user</a></td> <td>low</td> </tr> <tr> <td><a href="#redact-invalidurierror-error-messages">Redact InvalidURIError error messages</a></td> <td>low</td> </tr> <tr> <td><a href="#project-import-maps-members-created_by_id-users-based-on-source-user-id">Project import maps members' created_by_id users based on source user ID</a></td> <td>low</td> </tr> </tbody> </table> <h2 id="static-passwords-inadvertently-set-during-omniauth-based-registration">Static passwords inadvertently set during OmniAuth-based registration</h2> <p>A hardcoded password was set for accounts registered using an OmniAuth provider (e.g. OAuth, LDAP, SAML) in GitLab CE/EE versions 14.7 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allowing attackers to potentially take over accounts. This is a critical severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N</code>, 9.1). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1162">CVE-2022-1162</a>.</p> <p>This vulnerability has been discovered internally by the GitLab team.</p> <p><strong><em>Note:</em></strong> We executed a reset of GitLab.com passwords for a selected set of users as of 15:38 UTC. 
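</p> <p>The bug class behind CVE-2022-1162, as an added illustration that is not GitLab's code and does not reproduce the affected code path: an OmniAuth-style registration that assigns every federated account the same fixed password, the hardened form that assigns a long random password the user never sees, and an audit helper that lists the accounts whose stored digest verifies against a candidate constant. The user store, the PBKDF2 digest scheme (a stand-in for the bcrypt digests a Devise-based application stores) and the <code>STATIC_TEST_PASSWORD</code> constant are hypothetical; an administrator auditing a real instance would substitute the application's own password-verification call and the actual constant named in the fix.</p>

```ruby
require "openssl"
require "securerandom"

# Added illustration, not GitLab's code. Hypothetical user store with
# PBKDF2-HMAC-SHA256 digests so the example runs stand-alone.
User = Struct.new(:username, :provider, :salt, :digest, keyword_init: true)

PBKDF2_ITERATIONS = 10_000
DIGEST_LENGTH = 32

def password_digest(password, salt)
  OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: PBKDF2_ITERATIONS,
                           length: DIGEST_LENGTH, hash: "sha256")
end

# Constant-time comparison so the audit does not leak which byte mismatched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Hypothetical constant standing in for the bug class: a fixed password meant
# for tests or fixtures that ends up assigned to real accounts.
STATIC_TEST_PASSWORD = "example-static-password-do-not-use".freeze

# Vulnerable pattern: every account created through an external provider gets
# the same guessable local password, so anyone who knows the constant can sign
# in with username and password, bypassing the provider entirely.
def register_from_omniauth_vulnerable(username, provider)
  salt = SecureRandom.random_bytes(16)
  User.new(username: username, provider: provider, salt: salt,
           digest: password_digest(STATIC_TEST_PASSWORD, salt))
end

# Hardened pattern: a long random password the user never learns. Sign-in
# stays with the provider, and the local password cannot be guessed or shared.
def register_from_omniauth_fixed(username, provider)
  salt = SecureRandom.random_bytes(16)
  random_password = SecureRandom.urlsafe_base64(48)
  User.new(username: username, provider: provider, salt: salt,
           digest: password_digest(random_password, salt))
end

# Audit helper: usernames of accounts whose stored digest verifies against a
# candidate static password. This is the shape of check an administrator runs
# after a disclosure like this one, with the real constant substituted.
def accounts_with_static_password(users, candidate)
  users.select { |u| secure_equal?(password_digest(candidate, u.salt), u.digest) }
       .map(&:username)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample accounts: two created by the vulnerable path, one by the fixed path.
  users = [
    register_from_omniauth_vulnerable("alice", "saml"),
    register_from_omniauth_fixed("bob", "saml"),
    register_from_omniauth_vulnerable("carol", "ldap"),
  ]
  puts "accounts with the static password: #{accounts_with_static_password(users, STATIC_TEST_PASSWORD).inspect}"
end
```

<p>The audit has to re-derive the digest per account because each account has its own salt, so a shared password does not show up as a shared digest; the same holds for bcrypt. Accounts the audit flags should have their password reset and, where the provider is the intended sign-in route, password sign-in disabled for them.</p> <p>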
Our investigation shows no indication that users or accounts have been compromised, but we’re taking precautionary measures for our users’ security.</p> <h2 id="stored-xss-in-notes">Stored XSS in notes</h2> <p>Improper neutralization of user input in GitLab CE/EE affecting all versions starting from 14.4 before 14.7.7, all versions starting from 14.8 before 14.8.5, and all versions starting from 14.9 before 14.9.2 allowed an attacker to exploit XSS by injecting HTML in notes. This is a high severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N</code>, 8.7). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1175">CVE-2022-1175</a>.</p> <p>Thanks <a href="https://hackerone.com/joaxcar">joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="stored-xss-on-multi-word-milestone-reference">Stored XSS on Multi-word milestone reference</h2> <p>Improper handling of user input in GitLab CE/EE versions 8.3 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allowed an attacker to exploit a stored XSS by abusing multi-word milestone references in issue descriptions, comments, etc. This is a high severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N</code>, 8.7). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1190">CVE-2022-1190</a>.</p> <p>Thanks <a href="https://hackerone.com/ryhmnlfj">ryhmnlfj</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="denial-of-service-caused-by-a-specially-crafted-rdoc-file">Denial of service caused by a specially crafted RDoc file</h2> <p>A denial of service vulnerability when rendering RDoc files in GitLab CE/EE versions 10 prior to 14.7.7, 14.8.0 prior to 14.8.5, and 14.9.0 prior to 14.9.2 allows an attacker to crash the GitLab web application with a maliciously crafted RDoc file. 
This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H</code>, 6.5). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1185">CVE-2022-1185</a>.</p> <p>Thanks <a href="https://hackerone.com/vakzz">vakzz</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="gitlab-pages-access-tokens-can-be-reused-on-multiple-domains">GitLab Pages access tokens can be reused on multiple domains</h2> <p>Improper authorization in GitLab Pages included with GitLab CE/EE affecting all versions from 11.5 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allowed an attacker to steal a user's access token on an attacker-controlled private GitLab Pages website and reuse that token on the victim's other private websites. This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N</code>, 5.3). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1148">CVE-2022-1148</a>.</p> <p>Thanks <a href="https://hackerone.com/ehhthing">ehhthing</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="gitlab-pages-uses-default-disabled-server-timeouts-and-a-weak-tcp-keep-alive-timeout">GitLab Pages uses default (disabled) server Timeouts and a weak TCP Keep-Alive timeout</h2> <p>A lack of appropriate timeouts in GitLab Pages included in GitLab CE/EE all versions prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allows an attacker to cause unlimited resource consumption. This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L</code>, 5.3). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1121">CVE-2022-1121</a>.</p> <p>Thanks <a href="https://gitlab.com/feistel">feistel</a> for reporting this vulnerability.</p> <h2 id="incorrect-include-in-pipeline-definition-exposes-masked-ci-variables-in-ui">Incorrect include in pipeline definition exposes masked CI variables in UI</h2> <p>Missing filtering in an error message in GitLab CE/EE affecting all versions prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 exposed sensitive information, including the values of masked CI variables, when an <code>include</code> directive fails in the CI/CD configuration. This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N</code>, 4.8). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1120">CVE-2022-1120</a>.</p> <p>Thanks <a href="https://hackerone.com/bdrich">bdrich</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="regular-expression-denial-of-service-in-release-asset-link">Regular expression denial of service in release asset link</h2> <p>A potential DoS vulnerability was discovered in GitLab CE/EE affecting all versions from 13.1 prior to 14.7.7, 14.8.0 prior to 14.8.5, and 14.9.0 prior to 14.9.2. The API for updating a release asset link had a regex check that backtracked exponentially on certain user-supplied values, resulting in high CPU usage. This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L</code>, 4.3). 
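</p> <p>The following is an added example of the failure mode just described; it is not GitLab's code and not the regex that was actually affected. It pairs an asset name validator whose regex backtracks exponentially with a hardened version. The two patterns, the 255-byte cap and the <code>probe_vulnerable</code> helper are hypothetical choices for illustration; the probe relies on the per-regex match timeout that exists from Ruby 3.2 and skips the pathological run on older interpreters rather than hang the process.</p>

```ruby
# Added example (not GitLab's code or regex): a release asset name check
# with a regex that backtracks exponentially, beside a hardened version.
# Patterns, the 255-byte cap and the probe helper are hypothetical choices.

# VULNERABLE: nested quantifiers. "words, optionally space-separated" can be
# split into 2^n ways, and on input that can never match (the trailing "!")
# a backtracking engine tries every split before it gives up.
VULNERABLE_NAME_RE = /\A(\w+\s?)*\z/

# HARDENED: a stricter grammar in which each character can be consumed in
# only one way: no nested quantifiers, and separators that are unambiguous.
LINEAR_NAME_RE = /\A\w+(?: \w+)*\z/
MAX_NAME_BYTES = 255 # hypothetical limit; pick what the field really needs

def vulnerable_asset_name?(name)
  VULNERABLE_NAME_RE.match?(name)
end

# Length is checked before any matching: with a cap, even a bad regex has a
# constant worst case instead of one the caller controls.
def safe_asset_name?(name)
  return false if name.nil? || name.bytesize > MAX_NAME_BYTES
  LINEAR_NAME_RE.match?(name)
end

# Worst-case input: n word characters followed by a byte that can never match.
def pathological_name(n)
  ('a' * n) + '!'
end

# Runs the vulnerable check on pathological input under a match timeout
# (Regexp#timeout, Ruby 3.2+) and reports the outcome. On older interpreters
# the run is skipped rather than risk hanging the process.
def probe_vulnerable(n, timeout: 0.5)
  unless Regexp.method_defined?(:timeout)
    return { result: :skipped, reason: 'Regexp#timeout needs Ruby 3.2+' }
  end

  guarded = Regexp.new(VULNERABLE_NAME_RE.source, timeout: timeout)
  started = Process.clock_gettime(Process::CLOCK_MONOTONIC)
  matched = guarded.match?(pathological_name(n))
  { result: matched ? :matched : :rejected,
    seconds: Process.clock_gettime(Process::CLOCK_MONOTONIC) - started }
rescue RegexpError => e
  # Regexp::TimeoutError is a RegexpError; the timeout turned a CPU burn
  # into a fast, loggable failure.
  { result: :timed_out, error: e.class.name }
end
```

<p>The point is not the particular regex but that the hardened check has a bounded worst case: the length cap runs before any matching, the pattern has no nested quantifiers, and a match timeout catches whatever slips through. Ruby 3.2 also introduced memoised matching that keeps many classic patterns, including this one, linear, so <code>probe_vulnerable</code> may report a fast <code>:rejected</code> there; engines without that protection, and patterns the optimisation cannot cover (backreferences, lookaround), still need the structural fix.</p> <p>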
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1100">CVE-2022-1100</a>.</p> <p>This vulnerability has been discovered internally by the GitLab team.</p> <h2 id="latest-commit-details-from-private-projects-leaked-to-guest-users-via-merge-requests">Latest Commit details from private projects leaked to guest users via Merge Requests</h2> <p>Improper access control in GitLab CE/EE since version 10.7 allows a malicious actor to obtain details of the latest commit in a private project via Merge Requests under certain circumstances. This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1193">CVE-2022-1193</a>.</p> <p>Thanks <a href="https://hackerone.com/albatraoz">albatraoz</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="cicd-analytics-are-available-even-when-public-pipelines-are-disabled">CI/CD analytics are available even when public pipelines are disabled</h2> <p>An improper access control vulnerability in GitLab CE/EE affecting all versions from 13.11 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allows an unauthorized user to access pipeline analytics even when public pipelines are disabled. This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 4.3). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1105">CVE-2022-1105</a>.</p> <p>This vulnerability has been discovered internally by the GitLab team.</p> <h2 id="absence-of-limit-for-the-number-of-tags-that-can-be-added-to-a-runner-can-cause-performance-issues">Absence of limit for the number of tags that can be added to a runner can cause performance issues</h2> <p>Adding a very large number of tags to a runner in GitLab CE/EE affecting all versions prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allows an attacker to impact the performance of GitLab. This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L</code>, 4.3). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1099">CVE-2022-1099</a>.</p> <p>This vulnerability has been discovered internally by the GitLab team.</p> <h2 id="client-dos-through-rendering-crafted-comments">Client DoS through rendering crafted comments</h2> <p>A potential DoS vulnerability was discovered in GitLab CE/EE versions 13.7 before 14.7.7, all versions starting from 14.8 before 14.8.5, and all versions starting from 14.9 before 14.9.2 that allowed an attacker to trigger high CPU usage via specially crafted input added in Issues, Merge requests, Milestones, Snippets, Wiki pages, etc. This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L</code>, 4.3). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1174">CVE-2022-1174</a>.</p> <p>Thanks <a href="https://hackerone.com/scaramouche31">scaramouche31</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="blind-ssrf-through-repository-mirroring">Blind SSRF Through Repository Mirroring</h2> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.1 before 14.7.7, all versions starting from 14.8 before 14.8.5, all versions starting from 14.9 before 14.9.2 where a blind SSRF attack through the repository mirroring feature was possible. This is a low severity issue (<code>CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N</code>, 3.7). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1188">CVE-2022-1188</a>.</p> <p>Thanks <a href="https://hackerone.com/jimeno">jimeno</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="bypass-of-branch-restriction-in-asana-integration">Bypass of branch restriction in Asana integration</h2> <p>Incorrect authorization in the Asana integration's branch restriction feature in all versions of GitLab CE/EE starting from version 7.8.0 before 14.7.7, all versions starting from 14.8 before 14.8.5, all versions starting from 14.9 before 14.9.2 makes it possible to close Asana tasks from unrestricted branches. This is a low severity issue (<code>CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N</code>, 3.1). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0740">CVE-2022-0740</a>.</p> <p>Thanks <a href="https://hackerone.com/ooooooo_q">ooooooo_q</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="readable-approval-rules-by-guest-user">Readable approval rules by Guest user</h2> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.2 before 14.7.7, all versions starting from 14.8 before 14.8.5, and all versions starting from 14.9 before 14.9.2 that allowed an unauthorised user to read the approval rules of a private project. This is a low severity issue (<code>CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 3.1). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1189">CVE-2022-1189</a>.</p> <p>This vulnerability has been discovered internally by the GitLab team.</p> <h2 id="redact-invalidurierror-error-messages">Redact InvalidURIError error messages</h2> <p>Missing sanitization of logged exception messages in all versions prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 of GitLab CE/EE causes potentially sensitive values in invalid URLs to be logged. This is a low severity issue (<code>CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:N</code>, 2.6). 
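</p> <p>An added example of the logging problem above, written for this page rather than taken from GitLab's code: Ruby's <code>URI.parse</code> puts the offending string into the <code>URI::InvalidURIError</code> message, so a mirror or integration URL that carries <code>user:password@</code> or a token in its query lands verbatim in the log if the exception message is logged as-is. The sample URL, the credential values and the redaction rules below are constructed for the example.</p>

```ruby
require 'uri'

# Added example (not GitLab's code): why logging URI::InvalidURIError#message
# verbatim leaks secrets, and a redaction pass to run before the message is
# written. Sample URL, credentials and the redaction rules are constructed.

# Ruby's parser embeds the rejected string in the exception message, so a
# mirror URL carrying "user:secret@" or "?token=..." lands in the log
# wholesale if e.message is logged as-is.
def raw_uri_error_message(url)
  URI.parse(url)
  nil
rescue URI::InvalidURIError => e
  e.message
end

# Mask the parts of a URL most likely to hold credentials: userinfo before
# the host, every query value, and any fragment. Host, path and query keys
# stay visible so the log entry is still useful for debugging.
USERINFO_RE    = %r{(?<=://)[^/\s@"']+@}
QUERY_VALUE_RE = /([?&][^=&\s"']+)=[^&#\s"']*/
FRAGMENT_RE    = /#[^\s"']+/

def redact_url_secrets(text)
  text.gsub(USERINFO_RE, '[REDACTED]@')
      .gsub(QUERY_VALUE_RE, '\1=[REDACTED]')
      .gsub(FRAGMENT_RE, '#[REDACTED]')
end

# HARDENED: what to hand to the logger instead of e.message. The class says
# what went wrong; the redacted copy keeps enough shape to find the input.
def safe_uri_error_message(error)
  "#{error.class}: #{redact_url_secrets(error.message)}"
end

# Returns the line that would be written for an invalid URL, with or without
# redaction, so the two can be compared side by side (nil if the URL parses).
def log_line_for_invalid_url(url, redact:)
  URI.parse(url)
  nil
rescue URI::InvalidURIError => e
  redact ? safe_uri_error_message(e) : e.message
end
```

<p>Redacting at the point of logging is deliberately independent of parsing: the URL is in the log precisely because it could not be parsed, so the masking has to work on the raw string. Note also that the same message is what a user sees in the UI when such an error is surfaced, so the redaction belongs on every path the exception text travels, not only the log writer.</p> <p>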
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1157">CVE-2022-1157</a>.</p> <p>This vulnerability has been discovered internally by the GitLab team.</p> <h2 id="project-import-maps-members-created_by_id-users-based-on-source-user-id">Project import maps members' created_by_id users based on source user ID</h2> <p>A business logic error in Project Import in GitLab CE/EE versions 14.9 prior to 14.9.2, 14.8 prior to 14.8.5, and 14.0 prior to 14.7.7 under certain conditions caused imported projects to show an incorrect user in the 'Access Granted' column in the project membership pages. This is a low severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N</code>, 2.4). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1111">CVE-2022-1111</a>.</p> <p>This vulnerability has been discovered internally by the GitLab team.</p> <h2 id="update-commonmarker">Update commonmarker</h2> <!-- https://gitlab.com/gitlab-org/gitlab/-/issues/355752 //--> <p>The version of commonmarker has been updated to <code>0.23.4</code> in order to mitigate security concerns.</p> <h3 id="versions-affected">Versions affected</h3> <p>Affects all versions of GitLab CE/EE</p> <h2 id="update-grafana">Update Grafana</h2> <!-- https://gitlab.com/gitlab-org/omnibus-gitlab/-/issues/6729 //--> <p>The version of Grafana has been updated to <code>7.5.15</code> in order to mitigate security concerns.</p> <h3 id="versions-affected-1">Versions affected</h3> <p>Affects all versions of GitLab Omnibus</p> <h2 id="update-mattermost">Update Mattermost</h2> <!-- https://gitlab.com/gitlab-org/omnibus-gitlab/-/issues/6714 //--> <p>The version of Mattermost has been updated to <code>6.4.2</code>, <code>6.3.5</code>, and <code>6.2.5</code> in order to mitigate security concerns.</p> <h3 id="versions-affected-2">Versions affected</h3> <p>Affects all versions of 
GitLab CE/EE.</p> <h2 id="update-swagger">Update Swagger</h2> <!-- https://gitlab.com/gitlab-org/gitlab/-/issues/339696 //--> <p>The version of Swagger has been updated to <code>4.0.0</code> in order to mitigate security concerns.</p> <h3 id="versions-affected-3">Versions affected</h3> <p>Affects all versions of GitLab CE/EE</p> <h2 id="update-python">Update Python</h2> <!-- https://gitlab.com/gitlab-org/charts/gitlab/-/issues/3111 //--> <p>The version of Python has been updated to <code>3.8.12</code> in order to mitigate security concerns.</p> <h3 id="versions-affected-4">Versions affected</h3> <p>Affects all versions of <a href="https://gitlab.com/gitlab-org/charts/gitlab">GitLab Charts</a>.</p> <h2 id="update-go-proxyproto">Update go-proxyproto</h2> <!-- https://gitlab.com/gitlab-org/gitlab-pages/-/issues/699 //--> <p>The version of go-proxyproto has been updated to <code>0.6.2</code> in order to mitigate security concerns.</p> <h3 id="versions-affected-5">Versions affected</h3> <p>Affects all versions of GitLab Pages</p> <h2 id="update-devise">Update devise-two-factor</h2> <!-- https://gitlab.com/gitlab-org/gitlab/-/issues/357102 //--> <p>The version of devise-two-factor has been updated to <code>4.0.2</code> in order to mitigate security concerns.</p> <h3 id="versions-affected-6">Versions affected</h3> <p>Affects all versions of GitLab CE/EE</p> <h2 id="non-security-updates">Non-security updates</h2> <p>14.7.7 and 14.8.5 include a non-security bug fix addressing Merge Request Approval Rules. The bug is not present in 14.9 releases.</p> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">update page</a>. 
To update GitLab Runner, see the <a href="https://docs.gitlab.com/runner/install/linux-repository.html#updating-the-runner">Updating the Runner page</a>.</p> <h2 id="script-to-identify-users-potentially-impacted-by-cve-2022-1162">Script to identify users potentially impacted by CVE-2022-1162</h2> <!-- Source: https://gitlab.com/gitlab-com/gl-infra/production/-/snippets/2282996 //--> <p>GitLab has prepared a script which can be used by self-managed instance admins to identify user accounts potentially impacted by CVE-2022-1162.</p> <div class="highlight"><pre class="highlight ruby"><code># This script identifies users who may have been impacted by
# CVE-2022-1162.
# The list is not exhaustive and may not include attackers who have
# gained access and modified an account.
#
# The START_DATE can be changed to the date a vulnerable version was
# installed.
#
# The result is a CSV printed to STDOUT containing potentially affected
# users. The columns are:
# - User ID (integer)
# - Username (string)
# - User's email (string)
# - Whether the user still has an automatically set password (boolean)
#
# We strongly recommend that all GitLab installations be upgraded to
# 14.9.2, 14.8.5, or 14.7.7 immediately.
# See: https://about.gitlab.com/releases/2022/03/31/critical-security-release-gitlab-14-9-2-released/
#
# To run the script, place this script into a file, e.g.
# /tmp/find-impacted-users.rb
# on your GitLab instance and then run the following command to execute the script:
#
# gitlab-rails runner /tmp/find-impacted-users.rb
#
require 'csv'

# Allow up to 10 minutes per query so large user tables do not hit the
# default statement timeout.
ActiveRecord::Base.connection.execute('set statement_timeout to 600000')

START_DATE = Time.utc(2022, 1, 20)

# Cursor: on a retry after a database error the query resumes from the last
# user written, instead of re-emitting rows already printed.
user_id = 0
csv = CSV.new(STDOUT)

begin
  # Users with an OmniAuth identity (OAuth, LDAP, SAML, ...) where both the
  # account and the identity were created since START_DATE.
  users = User.
    joins(:identities).
    where('users.created_at &gt;= ?', START_DATE).
    where('identities.created_at &gt;= ?', START_DATE).
    where('users.id &gt; ?', user_id)

  users.in_batches(of: 250).each_record do |user|
    csv &lt;&lt; [user.id, user.username, user.email, user.password_automatically_set?]
    user_id = user.id
  end
rescue
  # Transient errors (e.g. a statement timeout) restart from the cursor.
  # A persistent error will loop here; interrupt the runner if it never finishes.
  retry
end
</code></pre></div> <p>A <code>false</code> value in the <code>user.password_automatically_set?</code> column means that the user, or whoever controlled the account, had overwritten the automatically set password that was assigned when the account was created via an OmniAuth method (e.g. OAuth, LDAP, or SAML). Double-check these accounts to ensure that this change was intentional and not the result of exploitation.</p> <p>Out of an abundance of caution it is recommended to reset the passwords for all users returned by the script. Users where <code>password_automatically_set?</code> is <code>true</code> will not notice that the password reset happened and can continue logging in using OAuth, LDAP, or SAML. 
Those where the value is <code>false</code> can also keep logging in using those authentication methods, however the password they had set themselves will not work anymore.</p> <p>Users created before the installation of GitLab 14.7.0 or after the update to GitLab 14.9.2, 14.8.5, or 14.7.7 are not affected and no actions are required.</p> <p>GitLab has conducted limited testing to validate this script. As such this script is provided AS-IS and GitLab makes no warranties of any kind. GITLAB HEREBY DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING, WITHOUT LIMITATION, ALL IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT.</p> <p>After identifying potentially affected user accounts, it is recommended to <a href="https://docs.gitlab.com/ee/security/reset_user_password.html#reset-a-users-password">reset a user's password</a>.</p> <h2 id="receive-security-release-notifications">Receive Security Release Notifications</h2> <p>To receive security release blog notifications delivered to your inbox, visit our <a href="https://about.gitlab.com/company/contact/">contact us</a> page. 
To receive release notifications via RSS, subscribe to our <a href="https://about.gitlab.com/security-releases.xml">security release RSS feed</a> or our <a href="https://about.gitlab.com/all-releases.xml">RSS feed for all releases</a>.</p> <h1 id="gitlab-critical-security-release-14-8-2-14-7-4-and-14-6-5"><a href="https://about.gitlab.com/releases/2022/02/25/critical-security-release-gitlab-14-8-2-released/">GitLab Critical Security Release: 14.8.2, 14.7.4, and 14.6.5</a></h1> <p>Published 2022-02-25 by Costel Maxim.</p> <p><strong>Updated 00:00 UTC 2022-04-11</strong> We have clarified the <a href="#hotpatch-for-runner-registration-token-disclosure-through-quick-actions">hotpatch instructions for self-managed instances running select versions older than 14.6</a> related to the use of <code>token-prefix-patch</code>.</p> <p><strong>Updated 16:40 UTC 2022-03-04</strong> If you are using Kubernetes runners, you will be required to manually update the Helm chart values with the new registration token. 
More information about updating the values can be found here: <a href="https://docs.gitlab.com/runner/install/kubernetes.html#store-registration-tokens-or-runner-tokens-in-secrets">https://docs.gitlab.com/runner/install/kubernetes.html#store-registration-tokens-or-runner-tokens-in-secrets</a></p> <p><strong>Updated 00:00 UTC 2022-02-26</strong> We have updated this blog post with <a href="#hotpatch-for-runner-registration-token-disclosure-through-quick-actions">hotpatch instructions for self-managed instances running select versions older than 14.6</a>.</p> <h3 id="we-strongly-recommend-that-all-gitlab-installations-be-upgraded-to-one-of-these-versions-immediately">We strongly recommend that all GitLab installations be upgraded to one of these versions immediately.</h3> <p><strong>Note regarding Runner registration token disclosure:</strong> This update will reset runner registration tokens for your groups and projects. If you use an automated process (scripts that embed the value of the registration token) to register runners, this update will break that process. However, it should have no effect on previously registered runners. If applicable to your processes, your administrator may choose to save a backup of your existing tokens, which can later help identify potentially malicious registration attempts or rogue runners. For example, if an unauthorized actor tries to register a runner using one of the revoked tokens, knowing that value will help admins monitor that type of activity.</p> <p>Today we are releasing versions 14.8.2, 14.7.4, and 14.6.5 for GitLab Community Edition (CE) and Enterprise Edition (EE). <em>Please note, this critical release will also serve as our monthly security release for February.</em></p> <p>These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. 
GitLab.com is already running the patched version.</p> <p>GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our <a href="https://about.gitlab.com/security/faq/">security FAQ</a>. You can see all of our regular and security release blog posts <a href="/releases/categories/releases/">here</a>. In addition, the issues detailing each vulnerability are made public on our <a href="https://gitlab.com/gitlab-org/gitlab/issues?label_name%5B%5D=security&amp;scope=all&amp;state=opened">issue tracker</a> 30 days after the release in which they were patched.</p> <p>We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. 
You can read more <a href="/blog/gitlab-instance-security-best-practices/">best practices in securing your GitLab instance</a> in our blog post.</p> <h3 id="recommended-action">Recommended Action</h3> <p>We <strong>strongly recommend</strong> that all installations running a version affected by the issues described below are <strong>upgraded to the latest version as soon as possible</strong>.</p> <h2 id="table-of-fixes">Table of Fixes</h2> <table> <thead> <tr> <th>Title</th> <th>Severity</th> </tr> </thead> <tbody> <tr> <td><a href="#runner-registration-token-disclosure-through-quick-actions">Runner registration token disclosure through Quick Actions</a></td> <td>critical</td> </tr> <tr> <td><a href="#unprivileged-users-can-add-other-users-to-groups-through-an-api-endpoint">Unprivileged users can add other users to groups through an API endpoint</a></td> <td>medium</td> </tr> <tr> <td><a href="#inaccurate-display-of-snippet-contents-can-be-potentially-misleading-to-users">Inaccurate display of Snippet contents can be potentially misleading to users</a></td> <td>medium</td> </tr> <tr> <td><a href="#environment-variables-can-be-leaked-via-the-sendmail-delivery-method">Environment variables can be leaked via the sendmail delivery method</a></td> <td>medium</td> </tr> <tr> <td><a href="#unauthenticated-user-enumeration-on-graphql-api">Unauthenticated user enumeration on GraphQL API</a></td> <td>medium</td> </tr> <tr> <td><a href="#adding-a-mirror-with-ssh-credentials-can-leak-password">Adding a mirror with SSH credentials can leak password</a></td> <td>medium</td> </tr> <tr> <td><a href="#denial-of-service-via-user-comments">Denial of Service via user comments</a></td> <td>low</td> </tr> </tbody> </table> <h2 id="runner-registration-token-disclosure-through-quick-actions">Runner registration token disclosure through Quick Actions</h2> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.10 before 14.6.5, all versions starting from 
14.7 before 14.7.4, all versions starting from 14.8 before 14.8.2. An unauthorized user was able to steal runner registration tokens through an information disclosure vulnerability using quick actions commands. This is a critical severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N</code>, 9.6). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0735">CVE-2022-0735</a>.</p> <p>Thanks <a href="https://hackerone.com/0xn3va">0xn3va</a> for the report on our HackerOne bug bounty program which sparked the internal investigation that uncovered this vulnerability.</p> <h2 id="unprivileged-users-can-add-other-users-to-groups-through-an-api-endpoint">Unprivileged users can add other users to groups through an API endpoint</h2> <p>An issue has been discovered in GitLab CE/EE affecting all versions before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. Under certain conditions, GitLab REST API may allow unprivileged users to add other users to groups even if that is not possible to do through the Web UI. This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N</code>, 6.5). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0549">CVE-2022-0549</a>.</p> <p>This vulnerability was reported to us by a customer.</p> <h2 id="inaccurate-display-of-snippet-contents-can-be-potentially-misleading-to-users">Inaccurate display of Snippet contents can be potentially misleading to users</h2> <p>Inaccurate display of Snippet files containing special characters in all versions of GitLab CE/EE allows an unauthorized actor to create Snippets with misleading content, which could trick unsuspecting users into executing arbitrary commands. This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N</code>, 6.5). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0751">CVE-2022-0751</a>.</p> <p>Thanks <a href="https://hackerone.com/st4nly0n">st4nly0n</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="note">Note</h3> <p>This fix modifies our GraphQL API by adding the <code>hasUnretrievableBlobs</code> field to the <code>SnippetBlobConnection</code> type. It indicates whether the snippet has unretrievable blobs. Be aware of this schema change when rolling out the fix if you run multi-version deployments. We encourage users to include this patch in all deployed server instances.</p> <h2 id="environment-variables-can-be-leaked-via-the-sendmail-delivery-method">Environment variables can be leaked via the sendmail delivery method</h2> <p>Improper input validation in all versions of GitLab CE/EE using sendmail to send emails allowed an unauthorized actor to steal environment variables via specially crafted email addresses. This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N</code>, 5.8). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0741">CVE-2022-0741</a>.</p> <p>Thanks <a href="https://hackerone.com/vakzz">vakzz</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="unauthenticated-user-enumeration-on-graphql-api">Unauthenticated user enumeration on GraphQL API</h2> <p>An issue has been discovered in GitLab CE/EE affecting versions 13.0 to 14.6.5, 14.7 to 14.7.4, and 14.8 to 14.8.2. Private GitLab instances with restricted sign-ups may be vulnerable to user enumeration by unauthenticated users through the GraphQL API. This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N</code>, 5.3). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4191">CVE-2021-4191</a>.</p> <p>Thanks <a href="https://hackerone.com/mungsul">mungsul</a> and <a href="https://hackerone.com/todb-r7">todb-r7</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="adding-a-mirror-with-ssh-credentials-can-leak-password">Adding a mirror with SSH credentials can leak password</h2> <p>An issue has been discovered in GitLab affecting all versions starting from 14.6 before 14.6.5, all versions starting from 14.7 before 14.7.4, and all versions starting from 14.8 before 14.8.2. GitLab was leaking user passwords when adding mirrors with SSH credentials under specific conditions. This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N</code>, 4.2). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0738">CVE-2022-0738</a>.</p> <p>This vulnerability has been discovered internally by the GitLab team.</p> <h2 id="denial-of-service-via-user-comments">Denial of Service via user comments</h2> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting with 8.15. It was possible to trigger a DoS by using the math feature with a specific formula in issue comments. This is a low severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L</code>, 3.5). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0489">CVE-2022-0489</a>.</p> <p>Thanks <a href="https://hackerone.com/cancerz">cancerz</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="update-grafana">Update Grafana</h2> <p>The version of Grafana has been updated to 7.5.12 in order to mitigate security concerns.</p> <h3 id="versions-affected">Versions affected</h3> <p>Affects all versions of GitLab CE/EE.</p> <h2 id="update-mattermost">Update Mattermost</h2> <p>The version of Mattermost has been updated to 6.3.3 in order to mitigate security concerns.</p> <h3 id="versions-affected-1">Versions affected</h3> <p>Affects GitLab Omnibus prior to 14.8.</p> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">update page</a>. To update GitLab Runner, see the <a href="https://docs.gitlab.com/runner/install/linux-repository.html#updating-the-runner">Updating the Runner page</a>.</p> <h2 id="hotpatch-for-runner-registration-token-disclosure-through-quick-actions">Hotpatch for Runner registration token disclosure through Quick Actions</h2> <p>For self-managed instances running versions older than 14.6, GitLab has <a href="https://gitlab.com/gitlab-org/omnibus-gitlab/-/tree/14.8.2-Security-Hotpatches/config/patches/gitlab-rails">published patches</a> which can be applied to mitigate the <a href="#runner-registration-token-disclosure-through-quick-actions">Runner registration token disclosure through Quick Actions</a> vulnerability. These patches should be considered temporary. 
Any instances of GitLab should be upgraded to a patched version of 14.8.2, 14.7.4, or 14.6.5 as soon as possible.</p> <p>Patches named <code>security-patch-$VERSION.patch</code> close the vulnerability which exposed runner registration tokens via quick action commands, and patches named <code>token-prefix-patch-$VERSION.patch</code> can be applied to automate a one-time rotation of all project &amp; group registration tokens.</p> <p>Version-specific patches are available for GitLab releases 14.5.4, 14.4.5, 14.3.6, 14.2.7, 14.1.8, 14.0.12 and 13.12.15.</p> <p>To apply the desired patch(es) on a GitLab omnibus instance, first retrieve the appropriate patchfile(s) based on the version of your instance, and then follow the below commands (example here uses patches for 14.0.12):</p> <div class="highlight"><pre class="highlight shell"><code><span class="c"># become root; the patches are applied to the embedded gitlab-rails tree</span>
<span class="nb">sudo </span>su
<span class="nb">cd</span> ~
<span class="c"># fetch the patchfiles that match your instance's minor version (14.0.x here)</span>
curl <span class="nt">-JLO</span> https://gitlab.com/gitlab-org/omnibus-gitlab/-/raw/14.8.2-Security-Hotpatches/config/patches/gitlab-rails/security-patch-14.0.patch
curl <span class="nt">-JLO</span> https://gitlab.com/gitlab-org/omnibus-gitlab/-/raw/14.8.2-Security-Hotpatches/config/patches/gitlab-rails/token-prefix-patch-14.0.patch
<span class="nb">cd</span> /opt/gitlab/embedded/service/gitlab-rails/
<span class="c"># apply the fix first, then the token-rotation patch</span>
patch <span class="nt">-p1</span> &lt; ~/security-patch-14.0.patch
patch <span class="nt">-p1</span> &lt; ~/token-prefix-patch-14.0.patch
<span class="c"># restart so the patched code is loaded</span>
gitlab-ctl restart
</code></pre></div> <p>After applying the <code>token-prefix-patch</code>, instances with a small number of groups and projects (under 10,000) can optionally use the following rails console commands to immediately reset all project &amp; group runner registration tokens:</p> <div class="highlight"><pre class="highlight ruby"><code><span class="c1"># clearing the stored token resets it; GitLab issues a new token when one is next needed</span>
<span class="no">Project</span><span class="p">.</span><span class="nf">in_batches</span><span class="p">(</span><span class="ss">of: </span><span class="mi">100</span><span class="p">).</span><span class="nf">update_all</span><span class="p">(</span><span class="ss">runners_token_encrypted: </span><span class="kp">nil</span><span class="p">)</span>
<span class="no">Group</span><span class="p">.</span><span class="nf">in_batches</span><span class="p">(</span><span class="ss">of: </span><span class="mi">100</span><span class="p">).</span><span class="nf">update_all</span><span class="p">(</span><span class="ss">runners_token_encrypted: </span><span class="kp">nil</span><span class="p">)</span>
</code></pre></div> <p>GitLab has conducted limited testing to validate these patches. As such these patches are provided AS-IS and GitLab makes no warranties of any kind. GITLAB HEREBY DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING, WITHOUT LIMITATION, ALL IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT.</p> <h2 id="receive-security-release-notifications">Receive Security Release Notifications</h2> <p>To receive security release blog notifications delivered to your inbox, visit our <a href="https://about.gitlab.com/company/contact/">contact us</a> page. 
To receive release notifications via RSS, subscribe to our <a href="https://about.gitlab.com/security-releases.xml">security release RSS feed</a> or our <a href="https://about.gitlab.com/all-releases.xml">RSS feed for all releases</a>.</p> <h1><a href="https://about.gitlab.com/releases/2022/02/03/security-release-gitlab-14-7-1-released/">GitLab Security Release: 14.7.1, 14.6.4, and 14.5.4</a></h1> <p>Published 2022-02-03 by Andrew Kelly</p> <p>Today we are releasing versions 14.7.1, 14.6.4, and 14.5.4 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.</p> <p>GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our <a href="https://about.gitlab.com/security/faq/">security FAQ</a>. You can see all of our regular and security release blog posts <a href="/releases/categories/releases/">here</a>. In addition, the issues detailing each vulnerability are made public on our <a href="https://gitlab.com/gitlab-org/gitlab/issues?label_name%5B%5D=security&amp;scope=all&amp;state=opened">issue tracker</a> 30 days after the release in which they were patched.</p> <p>We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. 
As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more <a href="/blog/gitlab-instance-security-best-practices/">best practices in securing your GitLab instance</a> in our blog post.</p> <h3 id="recommended-action">Recommended Action</h3> <p>We <strong>strongly recommend</strong> that all installations running a version affected by the issues described below are <strong>upgraded to the latest version as soon as possible</strong>.</p> <h2 id="table-of-fixes">Table of Fixes</h2> <table> <thead> <tr> <th>Title</th> <th>Severity</th> </tr> </thead> <tbody> <tr> <td><a href="#arbitrary-post-requests-via-special-html-attributes-in-jupyter-notebooks">Arbitrary POST requests via special HTML attributes in Jupyter Notebooks</a></td> <td>high</td> </tr> <tr> <td><a href="#dns-rebinding-vulnerability-in-irker-irc-gateway-integration">DNS Rebinding vulnerability in Irker IRC Gateway integration</a></td> <td>medium</td> </tr> <tr> <td><a href="#missing-certificate-validation-for-external-ci-services">Missing certificate validation for external CI services</a></td> <td>medium</td> </tr> <tr> <td><a href="#blind-ssrf-through-project-import">Blind SSRF Through Project Import</a></td> <td>medium</td> </tr> <tr> <td><a href="#open-redirect-vulnerability-in-jira-integration">Open redirect vulnerability in Jira Integration</a></td> <td>medium</td> </tr> <tr> <td><a href="#issue-link-was-disclosing-the-linked-issue">Issue link was disclosing the linked issue</a></td> <td>medium</td> </tr> <tr> <td><a href="#service-desk-email-accessible-by-project-non-members">Service Desk email accessible by project non-members</a></td> <td>medium</td> </tr> <tr> <td><a href="#authenticated-users-can-search-other-users-by-their-private-email">Authenticated users can search other users by their private email</a></td> <td>medium</td> </tr> <tr> <td><a 
href="#external-status-checks-can-be-accepted-by-users-below-developer-access-if-the-user-is-either-author-or-assignee-of-the-target-merge-request">"External status checks" can be accepted by users below developer access if the user is either author or assignee of the target merge request</a></td> <td>medium</td> </tr> <tr> <td><a href="#deleting-packages-in-bulk-from-package-registries-may-cause-table-locks">Deleting packages in bulk from package registries may cause table locks</a></td> <td>medium</td> </tr> <tr> <td><a href="#autocomplete-enabled-on-specific-pages">Autocomplete enabled on specific pages</a></td> <td>low</td> </tr> <tr> <td><a href="#possible-ssrf-due-to-not-blocking-shared-address-space">Possible SSRF due to not blocking shared address space</a></td> <td>low</td> </tr> <tr> <td><a href="#system-notes-reveals-private-project-path-when-issue-is-moved-to-a-public-project">System notes reveal private project path when Issue is moved to a public project</a></td> <td>low</td> </tr> <tr> <td><a href="#timeout-for-pages-using-markdown">Timeout for pages using Markdown</a></td> <td>low</td> </tr> <tr> <td><a href="#certain-branch-names-could-not-be-protected">Certain branch names could not be protected</a></td> <td>low</td> </tr> </tbody> </table> <h2 id="arbitrary-post-requests-via-special-html-attributes-in-jupyter-notebooks">Arbitrary POST requests via special HTML attributes in Jupyter Notebooks</h2> <p>Missing sanitization of HTML attributes in Jupyter notebooks in all versions of GitLab CE/EE since version 14.5 allows an attacker to perform arbitrary HTTP POST requests on a user's behalf leading to potential account takeover. This is a high severity issue (<code>CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N</code>, 7.7). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0427">CVE-2022-0427</a>.</p> <p>Thanks <a href="https://hackerone.com/joaxcar">joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="dns-rebinding-vulnerability-in-irker-irc-gateway-integration">DNS Rebinding vulnerability in Irker IRC Gateway integration</h2> <p>A DNS rebinding vulnerability in the Irker IRC Gateway integration in all versions of GitLab CE/EE since version 7.9 allows an attacker to trigger Server Side Request Forgery (SSRF) attacks. This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N</code>, 6.5). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0425">CVE-2022-0425</a>.</p> <p>This vulnerability has been discovered internally by the GitLab team.</p> <h2 id="missing-certificate-validation-for-external-ci-services">Missing certificate validation for external CI services</h2> <p>An issue has been discovered affecting GitLab versions prior to 14.4.5, between 14.5.0 and 14.5.3, and between 14.6.0 and 14.6.1. GitLab does not validate SSL certificates for some external CI services, which makes it possible to perform MitM attacks on connections to these external services. This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N</code>, 5.9). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0123">CVE-2022-0123</a>.</p> <p>This vulnerability has been discovered internally by the GitLab team.</p> <h2 id="blind-ssrf-through-project-import">Blind SSRF Through Project Import</h2> <p>A vulnerability was discovered in GitLab starting with version 10.5. GitLab was vulnerable to a blind SSRF attack through the Project Import feature. 
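Added example, written for this page and not taken from GitLab's code: the destination check a server-side fetch such as Project Import needs before it connects. It also covers the two related items further down the page, "Possible SSRF due to not blocking shared address space" (100.64.0.0/10, RFC 6598) and "Incorrect port validation allows access to services on ports 80 and 443 if GitLab is configured to run on another port": a weak check that refuses loopback only when the URL's port equals the application's own port sits beside a guard that refuses every internal range regardless of port. The function names, the application port and the constructed hostname and addresses (TEST-NET-3 203.0.113.10) are assumptions; the guard takes already-resolved addresses as input so it runs offline.

```ruby
require 'ipaddr'
require 'uri'

# Added illustration, not GitLab's own code. Ranges an outbound-request
# guard must refuse whatever port the URL names. 100.64.0.0/10 is the
# RFC 6598 shared address space; 0.0.0.0/8 also reaches local services.
BLOCKED_RANGES = %w[
  127.0.0.0/8 ::1/128
  0.0.0.0/8
  10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
  169.254.0.0/16 fe80::/10
  100.64.0.0/10
].map { |cidr| IPAddr.new(cidr) }.freeze

LOOPBACK = [IPAddr.new('127.0.0.0/8'), IPAddr.new('::1/128')].freeze

# Fold IPv4-mapped IPv6 (::ffff:127.0.0.1) back to IPv4 so the range
# checks cannot be sidestepped by address notation.
def normalize_ip(str)
  ip = IPAddr.new(str)
  ip.ipv4_mapped? ? ip.native : ip
end

# Weak check modelled on the bug class: loopback is refused only when the
# request also targets the port the application itself listens on, so
# http://127.0.0.1:443/ passes when the app runs on 8080.
def weak_blocks?(resolved_ip, port, app_port:)
  ip = normalize_ip(resolved_ip)
  LOOPBACK.any? { |range| range.include?(ip) } && port == app_port
end

# Hardened check: the destination address alone decides; the port is
# irrelevant because every port on a blocked host is out of bounds.
def blocked_address?(resolved_ip)
  ip = normalize_ip(resolved_ip)
  BLOCKED_RANGES.any? { |range| range.include?(ip) }
end

# Validate a URL before a server-side fetch. The caller passes the
# addresses the host resolved to (assumed input; keeps this offline) and
# must then connect to one of those same addresses rather than resolving
# again, which is what closes the DNS rebinding window.
def safe_to_fetch?(url, resolved_ips)
  uri = URI.parse(url)
  return false unless %w[http https].include?(uri.scheme)
  return false if uri.host.nil? || resolved_ips.empty?
  resolved_ips.none? { |ip| blocked_address?(ip) }
rescue URI::InvalidURIError, IPAddr::InvalidAddressError
  false
end
```

Resolve the host once, run every returned address through the guard, and connect to one of those same addresses; resolving again at connect time reopens the rebinding window the Irker item above describes. Rejecting when any resolved address is internal, not just the first, matters for the same reason.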
This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L</code>, 5.4). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0136">CVE-2022-0136</a>.</p> <p>Thanks <a href="https://hackerone.com/no1zy">no1zy</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="open-redirect-vulnerability-in-jira-integration">Open redirect vulnerability in Jira Integration</h2> <p>An issue has been discovered affecting GitLab versions prior to 13.5. An open redirect vulnerability was fixed in the GitLab integration with Jira that could cause the web application to redirect the request to an attacker-specified URL. This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N</code>, 4.7). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0283">CVE-2022-0283</a>.</p> <p>This vulnerability has been discovered internally by the GitLab team.</p> <h2 id="issue-link-was-disclosing-the-linked-issue">Issue link was disclosing the linked issue</h2> <p>Improper access control allowed project non-members to retrieve issue details when the issue was linked to an item from the vulnerability dashboard in GitLab CE/EE. This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0390">CVE-2022-0390</a>.</p> <p>Thanks <a href="https://hackerone.com/wi11">wi11</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="service-desk-email-accessible-by-project-non-members">Service Desk email accessible by project non-members</h2> <p>Improper access control allows project non-members to retrieve the Service Desk email address in GitLab CE/EE. 
This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0373">CVE-2022-0373</a>.</p> <p>Thanks <a href="https://hackerone.com/albatraoz">albatraoz</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="authenticated-users-can-search-other-users-by-their-private-email">Authenticated users can search other users by their private email</h2> <p>GitLab search may allow authenticated users to search other users by their respective private emails even if a user set their email to private. This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0371">CVE-2022-0371</a>.</p> <p>Customers may continue to search GitLab through the following methods:</p> <ul> <li>Search via public email</li> <li>Search via username</li> <li>Query Users API for user id</li> <li>Use our new <a href="https://docs.gitlab.com/ee/api/groups.html#list-provisioned-users">Provisioned Users endpoint</a> (if you use Group SAML or SCIM)</li> <li>Use an Admin token to search for the users via the API (if you are on a GitLab self-managed instance)</li> </ul> <p>This vulnerability was found internally by a member of the GitLab team.</p> <h2 id="external-status-checks-can-be-accepted-by-users-below-developer-access-if-the-user-is-either-author-or-assignee-of-the-target-merge-request">"External status checks" can be accepted by users below developer access if the user is either author or assignee of the target merge request</h2> <p>An authorization logic error in the External Status Check API in GitLab EE affecting all versions starting from 14.1 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 
14.5.2, allowed a user below Developer access who was the author or assignee of the target merge request to update the status of the check via an API call. This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39943">CVE-2021-39943</a>.</p> <p>Thanks <a href="https://hackerone.com/joaxcar">joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="deleting-packages-in-bulk-from-package-registries-may-cause-table-locks">Deleting packages in bulk from package registries may cause table locks</h2> <p>An issue has been discovered in GitLab affecting all versions starting from 11.9 before 14.5.4, all versions starting from 14.6.0 before 14.6.4, all versions starting from 14.7.0 before 14.7.1. GitLab was not correctly handling bulk requests to delete existing packages from the package registries which could result in a Denial of Service under specific conditions. This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H</code>, 4.9). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0477">CVE-2022-0477</a>.</p> <p>This vulnerability was found internally by a member of the GitLab team.</p> <h2 id="autocomplete-enabled-on-specific-pages">Autocomplete enabled on specific pages</h2> <p>An issue has been discovered in GitLab affecting all versions starting from 14.0 before 14.4.5, all versions starting from 14.5.0 before 14.5.3, all versions starting from 14.6.0 before 14.6.2. GitLab was not disabling the <code>autocomplete</code> attribute on fields holding sensitive information, making it possible for that information to be retrieved under certain conditions. This is a low severity issue (<code>CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N</code>, 3.1). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0167">CVE-2022-0167</a>.</p> <p>This vulnerability has been discovered internally by the GitLab team.</p> <h2 id="possible-ssrf-due-to-not-blocking-shared-address-space">Possible SSRF due to not blocking shared address space</h2> <p>A vulnerability was discovered in GitLab starting with version 12. GitLab was vulnerable to a blind SSRF attack since requests to the shared address space (100.64.0.0/10) were not blocked. This is a low severity issue (<code>CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 3.1). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0249">CVE-2022-0249</a>.</p> <p>Thanks <a href="https://hackerone.com/no1zy">no1zy</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="system-notes-reveals-private-project-path-when-issue-is-moved-to-a-public-project">System notes reveal private project path when Issue is moved to a public project</h2> <p>An issue has been discovered in GitLab affecting all versions starting from 10.0 before 14.5.4, all versions starting from 10.1 before 14.6.4, all versions starting from 10.2 before 14.7.1. Private project paths can be disclosed to unauthorized users via system notes when an Issue is closed via a Merge Request and later moved to a public project. This is a low severity issue (<code>CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N</code>, 3.1). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0344">CVE-2022-0344</a>.</p> <p>Thanks <a href="https://hackerone.com/ashish_r_padelkar">ashish_r_padelkar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="timeout-for-pages-using-markdown">Timeout for pages using Markdown</h2> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting with version 8.10. It was possible to trigger a timeout on a page with markdown by using a specific amount of block-quotes. This is a low severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L</code>, 3.5). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0488">CVE-2022-0488</a>.</p> <p>This vulnerability has been discovered internally by the GitLab team.</p> <h2 id="certain-branch-names-could-not-be-protected">Certain branch names could not be protected</h2> <p>In some cases, branch names containing HTML tags were not properly being protected. 
This is a follow-up to <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39931">CVE-2021-39931</a>.</p> <p>Thanks <a href="https://hackerone.com/joaxcar">joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="update-mattermost">Update Mattermost</h2> <p>The version of Mattermost has been updated to 6.1.1 in order to mitigate security concerns.</p> <h3 id="versions-affected">Versions affected</h3> <p>Affects GitLab Omnibus prior to 14.7.</p> <h2 id="update-go">Update Go</h2> <p>The version of Go used in the GitLab Omnibus <code>.gitlab-ci.yml</code> file has been updated to 2.9.1 in order to mitigate security concerns.</p> <h3 id="versions-affected-1">Versions affected</h3> <p>Affects GitLab Omnibus prior to 14.7.</p> <h2 id="update-rouge">Update Rouge</h2> <p>The version of Rouge has been updated to 3.27.0 in order to mitigate security concerns.</p> <h3 id="versions-affected-2">Versions affected</h3> <p>Affects all versions of GitLab CE/EE.</p> <h2 id="update-mermaid">Update Mermaid</h2> <p>The version of Mermaid has been updated to 8.13.10 in order to mitigate security concerns.</p> <h3 id="versions-affected-3">Versions affected</h3> <p>Affects all versions of GitLab CE/EE.</p> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">update page</a>. To update Gitlab Runner, see the <a href="https://docs.gitlab.com/runner/install/linux-repository.html#updating-the-runner">Updating the Runner page</a>.</p> <h2 id="receive-security-release-notifications">Receive Security Release Notifications</h2> <p>To receive security release blog notifications delivered to your inbox, visit our <a href="https://about.gitlab.com/company/contact/">contact us</a> page. 
To receive release notifications via RSS, subscribe to our <a href="https://about.gitlab.com/security-releases.xml">security release RSS feed</a> or our <a href="https://about.gitlab.com/all-releases.xml">RSS feed for all releases</a>.</p> <h1><a href="https://about.gitlab.com/releases/2022/01/11/security-release-gitlab-14-6-2-released/">GitLab Security Release: 14.6.2, 14.5.3, and 14.4.5</a></h1> <p>Published 2022-01-11 by Vitor Meireles De Sousa</p> <p>Today we are releasing versions 14.6.2, 14.5.3, and 14.4.5 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.</p> <p>GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our <a href="https://about.gitlab.com/security/faq/">security FAQ</a>. You can see all of our regular and security release blog posts <a href="/releases/categories/releases/">here</a>. In addition, the issues detailing each vulnerability are made public on our <a href="https://gitlab.com/gitlab-org/gitlab/issues?label_name%5B%5D=security&amp;scope=all&amp;state=opened">issue tracker</a> 30 days after the release in which they were patched.</p> <p>We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. 
As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more <a href="/blog/gitlab-instance-security-best-practices/">best practices in securing your GitLab instance</a> in our blog post.</p> <h3 id="recommended-action">Recommended Action</h3> <p>We <strong>strongly recommend</strong> that all installations running a version affected by the issues described below are <strong>upgraded to the latest version as soon as possible</strong>.</p> <h2 id="table-of-fixes">Table of Fixes</h2> <table> <thead> <tr> <th>Title</th> <th>Severity</th> </tr> </thead> <tbody> <tr> <td><a href="#arbitrary-file-read-via-group-import-feature">Arbitrary file read via group import feature</a></td> <td>high</td> </tr> <tr> <td><a href="#stored-xss-in-notes">Stored XSS in notes</a></td> <td>high</td> </tr> <tr> <td><a href="#lack-of-state-parameter-on-github-import-project-oauth">Lack of state parameter on GitHub import project OAuth</a></td> <td>high</td> </tr> <tr> <td><a href="#vulnerability-related-fields-are-available-to-unauthorized-users-on-graphql-api">Vulnerability related fields are available to unauthorized users on GraphQL API</a></td> <td>medium</td> </tr> <tr> <td><a href="#deleting-packages-may-cause-table-locks">Deleting packages may cause table locks</a></td> <td>medium</td> </tr> <tr> <td><a href="#ip-restriction-bypass-via-graphql">IP restriction bypass via GraphQL</a></td> <td>medium</td> </tr> <tr> <td><a href="#repository-content-spoofing-using-git-replacement-references">Repository content spoofing using Git replacement references</a></td> <td>medium</td> </tr> <tr> <td><a href="#users-can-import-members-from-projects-that-they-are-not-a-maintainer-on-through-api">Users can import members from projects that they are not a maintainer on through API</a></td> <td>medium</td> </tr> <tr> <td><a 
href="#possibility-to-direct-user-to-malicious-site-through-slack-integration">Possibility to direct user to malicious site through Slack integration</a></td> <td>medium</td> </tr> <tr> <td><a href="#bypassing-file-size-limits-to-the-npm-package-repository">Bypassing file size limits to the NPM package repository</a></td> <td>medium</td> </tr> <tr> <td><a href="#user-with-expired-password-can-still-access-sensitive-information">User with expired password can still access sensitive information</a></td> <td>low</td> </tr> <tr> <td><a href="#incorrect-port-validation-allows-access-to-services-on-ports-80-and-443-if-gitlab-is-configured-to-run-on-another-port">Incorrect port validation allows access to services on ports 80 and 443 if GitLab is configured to run on another port</a></td> <td>low</td> </tr> </tbody> </table> <h2 id="arbitrary-file-read-via-group-import-feature">Arbitrary file read via group import feature</h2> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting with 14.5. Arbitrary file read was possible by importing a group due to incorrect file handling. This is a high severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N</code>, 8.6). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0244">CVE-2022-0244</a>.</p> <p>Thanks <a href="https://hackerone.com/vakzz">vakzz</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="stored-xss-in-notes">Stored XSS in notes</h2> <p>Improper neutralization of user input in GitLab CE/EE versions 14.3 to 14.3.6, 14.4 to 14.4.4, and 14.5 to 14.5.2 allowed an attacker to exploit XSS by abusing the generation of the HTML code related to emojis. This is a high severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N</code>, 8.7). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39946">CVE-2021-39946</a>.</p> <p>Thanks <a href="https://hackerone.com/jarij">jarij</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="lack-of-state-parameter-on-github-import-project-oauth">Lack of state parameter on GitHub import project OAuth</h2> <p>An issue has been discovered in GitLab affecting all versions starting from 7.7 before 14.4.5, all versions starting from 14.5.0 before 14.5.3, and all versions starting from 14.6.0 before 14.6.2. GitLab was vulnerable to a Cross-Site Request Forgery attack that allows a malicious user to have their GitHub project imported on another GitLab user account. This is a high severity issue (<code>CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H</code>, 7.5). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0154">CVE-2022-0154</a>.</p> <p>Thanks <a href="https://hackerone.com/aryan2808">aryan2808</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="vulnerability-related-fields-are-available-to-unauthorized-users-on-graphql-api">Vulnerability related fields are available to unauthorized users on GraphQL API</h2> <p>An issue has been discovered in GitLab affecting all versions starting from 13.10 before 14.4.5, all versions starting from 14.5.0 before 14.5.3, and all versions starting from 14.6.0 before 14.6.2. GitLab was vulnerable to unauthorized access to some particular fields through the GraphQL API. This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N</code>, 6.5). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0152">CVE-2022-0152</a>.</p> <p>This vulnerability has been discovered internally by the GitLab team.</p> <h2 id="deleting-packages-may-cause-table-locks">Deleting packages may cause table locks</h2> <p>An issue has been discovered in GitLab affecting all versions starting from 12.10 before 14.4.5, all versions starting from 14.5.0 before 14.5.3, and all versions starting from 14.6.0 before 14.6.2. GitLab was not correctly handling requests to delete existing packages which could result in a Denial of Service under specific conditions. This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H</code>, 6.5). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0151">CVE-2022-0151</a>.</p> <p>This vulnerability has been discovered internally by the GitLab team.</p> <h2 id="ip-restriction-bypass-via-graphql">IP restriction bypass via GraphQL</h2> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting with 12.3. Under certain conditions it was possible to bypass the IP restriction for public projects through GraphQL allowing unauthorised users to read titles of issues, merge requests and milestones. This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N</code>, 5.3). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0172">CVE-2022-0172</a>.</p> <p>This vulnerability has been discovered internally by the GitLab team.</p> <h2 id="repository-content-spoofing-using-git-replacement-references">Repository content spoofing using Git replacement references</h2> <p>An issue has been discovered affecting GitLab versions prior to 14.4.5, between 14.5.0 and 14.5.3, and between 14.6.0 and 14.6.1. 
GitLab is configured in a way that it doesn't ignore replacement references with <code>git</code> sub-commands, allowing a malicious user to spoof the contents of their commits in the UI. This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N</code>, 6.5). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0090">CVE-2022-0090</a>.</p> <p>Thanks <a href="https://hackerone.com/star-labs">star-labs</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="users-can-import-members-from-projects-that-they-are-not-a-maintainer-on-through-api">Users can import members from projects that they are not a maintainer on through API</h2> <p>An issue has been discovered in GitLab affecting all versions starting from 12.0 before 14.4.5, all versions starting from 14.5.0 before 14.5.3, and all versions starting from 14.6.0 before 14.6.2. GitLab was not verifying that a maintainer of a project had the right access to import members from a target project. This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0125">CVE-2022-0125</a>.</p> <p>Thanks <a href="https://hackerone.com/joaxcar">joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="possibility-to-direct-user-to-malicious-site-through-slack-integration">Possibility to direct user to malicious site through Slack integration</h2> <p>An issue has been discovered affecting GitLab versions prior to 14.4.5, between 14.5.0 and 14.5.3, and between 14.6.0 and 14.6.1. GitLab's Slack integration incorrectly validated user input, allowing crafted malicious URLs to be sent to Slack. This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 4.3). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0124">CVE-2022-0124</a>.</p> <p>Thanks <a href="https://hackerone.com/rafaltrojniak">rafaltrojniak</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="bypassing-file-size-limits-to-the-npm-package-repository">Bypassing file size limits to the NPM package repository</h2> <p>A denial of service vulnerability in GitLab CE/EE affecting all versions starting from 12.0 before 14.3.6, all versions starting from 14.4 before 14.4.4, and all versions starting from 14.5 before 14.5.2, allows low-privileged users to bypass file size limits in the NPM package repository to potentially cause denial of service. This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L</code>, 4.3). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39942">CVE-2021-39942</a>.</p> <p>Thanks <a href="https://hackerone.com/0xn3va">0xn3va</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="user-with-expired-password-can-still-access-sensitive-information">User with expired password can still access sensitive information</h2> <p>An issue has been discovered affecting GitLab versions prior to 14.4.5, between 14.5.0 and 14.5.3, and between 14.6.0 and 14.6.1. GitLab allows a user with an expired password to access sensitive information through RSS feeds. This is a low severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N</code>, 3.5). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0093">CVE-2022-0093</a>.</p> <p>Thanks <a href="https://hackerone.com/joaxcar">joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="incorrect-port-validation-allows-access-to-services-on-ports-80-and-443-if-gitlab-is-configured-to-run-on-another-port">Incorrect port validation allows access to services on ports 80 and 443 if GitLab is configured to run on another port</h2> <p>Server-side request forgery protections in GitLab CE/EE versions between 8.4 and 14.4.x, between 14.5.0 and 14.5.x, and between 14.6.0 and 14.6.x would fail to protect against attacks sending requests to localhost on port 80 or 443 if GitLab was configured to run on a port other than 80 or 443. This is a low severity issue (<code>CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N</code>, 3.5). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39927">CVE-2021-39927</a>.</p> <p>This vulnerability has been discovered internally by the GitLab team.</p> <h2 id="update-prometheus">Update Prometheus</h2> <p>The version of Prometheus included in GitLab Omnibus has been updated to 2.25.2 in order to mitigate security concerns.</p> <h3 id="versions-affected">Versions affected</h3> <p>Affects all versions of GitLab Omnibus.</p> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">update page</a>. To update GitLab Runner, see the <a href="https://docs.gitlab.com/runner/install/linux-repository.html#updating-the-runner">Updating the Runner page</a>.</p> <h2 id="receive-security-release-notifications">Receive Security Release Notifications</h2> <p>To receive security release blog notifications delivered to your inbox, visit our <a href="https://about.gitlab.com/company/contact/">contact us</a> page. 
To receive release notifications via RSS, subscribe to our <a href="https://about.gitlab.com/security-releases.xml">security release RSS feed</a> or our <a href="https://about.gitlab.com/all-releases.xml">RSS feed for all releases</a>.</p> GitLab Runner Critical Security Release: 14.5.2, 14.4.2, and 14.3.4 https://about.gitlab.com/releases/2021/12/10/security-release-gitlab-runner-14-5-2-released/ 2021-12-10T00:00:00+00:00 2021-12-10T00:00:00+00:00 Vitor Meireles De Sousa <p>Today we are releasing versions 14.5.2, 14.4.2, and 14.3.4 for GitLab Runner.</p> <p>These versions contain important security fixes and we strongly recommend that all GitLab Runner installations for both GitLab.com and self-managed instances be upgraded to one of them immediately. This critical security release is for two security vulnerabilities that have been assigned a CVSS with medium severity, but that have a critical impact on GitLab.com users.</p> <p>GitLab.com Shared Runners are already running the patched version.</p> <p>We estimate the number of self-managed GitLab Runner installations vulnerable to these exploits to be small, because a very specific combination of settings is required to take advantage of this vulnerability. Even so, again: we strongly recommend that all GitLab Runner installations be upgraded to one of these versions immediately.</p> <p>We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. 
You can read more <a href="/blog/gitlab-instance-security-best-practices/">best practices in securing your GitLab instance</a> in our blog post.</p> <h3 id="recommended-action">Recommended Action</h3> <p>We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.</p> <h2 id="table-of-fixes">Table of Fixes</h2> <table> <thead> <tr> <th>Title</th> <th>Severity</th> </tr> </thead> <tbody> <tr> <td><a href="#specially-crafted-docker-images-can-exhaust-resources-on-managers">Specially crafted docker images can exhaust resources on managers</a></td> <td>medium</td> </tr> <tr> <td><a href="#golang-vulnerability-cve-2021-44717-dont-close-fd-0-on-forkexec-error">Golang vulnerability CVE-2021-44717: don’t close fd 0 on ForkExec error</a></td> <td>medium</td> </tr> </tbody> </table> <h2 id="specially-crafted-docker-images-can-exhaust-resources-on-managers">Specially crafted docker images can exhaust resources on managers</h2> <p>An uncontrolled resource consumption vulnerability in GitLab Runner affecting all versions starting from 13.7 before 14.3.4, all versions starting from 14.4 before 14.4.2, all versions starting from 14.5 before 14.5.2, allows an attacker triggering a job with a specially crafted docker image to exhaust resources on a runner manager. This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H</code>, 6.5). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39939">CVE-2021-39939</a>.</p> <p>This vulnerability was discovered internally by the GitLab team.</p> <h3 id="temporary-workaround">Temporary workaround</h3> <p>A temporary workaround, in cases when GitLab Runner can't be updated immediately, would be to disable the <code>FF_DISABLE_UMASK_FOR_DOCKER_EXECUTOR</code> feature flag in Runner's <code>config.toml</code> configuration file. 
This will turn off the vulnerable feature and make it impossible for users to turn it on from the job level.</p> <ol> <li> <p>Open the <code>config.toml</code> file of the Runner that you want to update.</p> </li> <li> <p>In each <code>[[runners]]</code> section add:</p> <div class="highlight"><pre class="highlight toml"><code><span class="nn">[runners.feature_flags]</span>
<span class="py">FF_DISABLE_UMASK_FOR_DOCKER_EXECUTOR</span> <span class="p">=</span> <span class="kc">false</span></code></pre></div> </li> <li> <p>Save the file and exit.</p> </li> </ol> <p>After that, the runner's process should detect the change and start applying the configuration within a minute. For this configuration change, restarting the GitLab Runner process is not required.</p> <h2 id="golang-vulnerability-cve-2021-44717-dont-close-fd-0-on-forkexec-error">Golang vulnerability CVE-2021-44717: don’t close fd 0 on ForkExec error</h2> <p>All previous versions of GitLab Runner were susceptible to <a href="https://groups.google.com/g/golang-announce/c/hcmEScgc00k?pli=1">Golang security issue CVE-2021-44717: don’t close fd 0 on ForkExec error</a>, which could result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N</code>, 5.3). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39947">CVE-2021-39947</a>.</p> <p>This vulnerability was discovered internally by the GitLab team.</p> <h3 id="temporary-workaround-1">Temporary workaround</h3> <p>A temporary workaround, in cases when GitLab Runner can't be updated immediately, would be to increase the file descriptor limit set for the runner process. 
However, this is dependent on how it's specifically configured and deployed.</p> <p>Please keep in mind that updating the file descriptors limit requires restarting the runner process. To do that without interrupting any running jobs, send a <code>SIGQUIT</code> signal to the runner process. This will initiate a graceful shutdown, during which the runner will not accept any new jobs but will finish all the jobs that were already started before exiting.</p> <p>The best value for the file descriptors limit will vary depending on the load that the runners are handling and their specific configuration. Setting the limit at 50 for each potential job that can run concurrently on the runner manager is a good starting point. However, to find the best value we highly recommend monitoring the runner process and the number of file descriptors that it uses, and adjusting as needed depending on the specific needs.</p> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">update page</a>. To update GitLab Runner, <a href="https://docs.gitlab.com/runner/install/">find your installation method and steps for updating here</a>.</p> <h2 id="receive-security-release-notifications">Receive Security Release Notifications</h2> <p>To receive security release blog notifications delivered to your inbox, visit our <a href="https://about.gitlab.com/company/contact/">contact us</a> page. 
To receive release notifications via RSS, subscribe to our <a href="https://about.gitlab.com/security-releases.xml">security release RSS feed</a> or our <a href="https://about.gitlab.com/all-releases.xml">RSS feed for all releases</a>.</p> GitLab Security Release: 14.5.2, 14.4.4, and 14.3.6 https://about.gitlab.com/releases/2021/12/06/security-release-gitlab-14-5-2-released/ 2021-12-06T00:00:00+00:00 2021-12-06T00:00:00+00:00 Rohit Shambhuni <p>Today we are releasing versions 14.5.2, 14.4.4, and 14.3.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.</p> <p>GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our <a href="https://about.gitlab.com/security/faq/">security FAQ</a>. You can see all of our regular and security release blog posts <a href="/releases/categories/releases/">here</a>. In addition, the issues detailing each vulnerability are made public on our <a href="https://gitlab.com/gitlab-org/gitlab/issues?label_name%5B%5D=security&amp;scope=all&amp;state=opened">issue tracker</a> 30 days after the release in which they were patched.</p> <p>We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. 
As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more <a href="/blog/gitlab-instance-security-best-practices/">best practices in securing your GitLab instance</a> in our blog post.</p> <h3 id="recommended-action">Recommended Action</h3> <p>We <strong>strongly recommend</strong> that all installations running a version affected by the issues described below are <strong>upgraded to the latest version as soon as possible</strong>.</p> <h2 id="table-of-fixes">Table of Fixes</h2> <table> <thead> <tr> <th>Title</th> <th>Severity</th> </tr> </thead> <tbody> <tr> <td><a href="#group-members-with-developer-role-can-escalate-their-privilege-to-maintainer-on-projects-that-they-import">Group members with developer role can escalate their privilege to maintainer on projects that they import</a></td> <td>high</td> </tr> <tr> <td><a href="#when-user-registration-is-limited-external-users-that-arent-developers-shouldnt-have-access-to-the-ci-lint-api">When user registration is limited, external users that aren't developers shouldn't have access to the CI Lint API</a></td> <td>medium</td> </tr> <tr> <td><a href="#collision-in-access-memoization-leads-to-potential-elevated-privileges-on-groups-and-projects">Collision in access memoization leads to potential elevated privileges on groups and projects</a></td> <td>medium</td> </tr> <tr> <td><a href="#project-access-token-names-are-returned-for-unauthenticated-requesters">Project access token names are returned for unauthenticated requesters</a></td> <td>medium</td> </tr> <tr> <td><a href="#sensitive-info-disclosure-in-logs">Sensitive info disclosure in logs</a></td> <td>medium</td> </tr> <tr> <td><a href="#disclosure-of-a-users-custom-project-and-group-templates">Disclosure of a user's custom project and group templates</a></td> <td>medium</td> </tr> <tr> <td><a href="#redos-in-maven-package-version">ReDoS in Maven 
package version</a></td> <td>medium</td> </tr> <tr> <td><a href="#potential-denial-of-service-via-the-diff-feature">Potential denial of service via the Diff feature</a></td> <td>medium</td> </tr> <tr> <td><a href="#regular-expression-denial-of-service-via-user-comments">Regular Expression Denial of Service via user comments</a></td> <td>medium</td> </tr> <tr> <td><a href="#service-desk-email-accessible-by-any-project-member">Service Desk email accessible by any project member</a></td> <td>medium</td> </tr> <tr> <td><a href="#regular-expression-denial-of-service-via-quick-actions">Regular Expression Denial of Service via quick actions</a></td> <td>medium</td> </tr> <tr> <td><a href="#idor-in-external-status-check-api-leaks-data-about-any-status-check-on-the-instance">IDOR in "external status check" API leaks data about any status check on the instance</a></td> <td>medium</td> </tr> <tr> <td><a href="#default-branch-name-visible-in-public-projects-restricting-access-to-the-source-code-repository">Default branch name visible in public projects restricting access to the source code repository</a></td> <td>low</td> </tr> <tr> <td><a href="#deploy-token-allows-access-to-disabled-project-wiki">Deploy token allows access to disabled project Wiki</a></td> <td>low</td> </tr> <tr> <td><a href="#regular-expression-denial-of-service-via-deploy-slash-commands">Regular Expression Denial of Service via deploy Slash commands</a></td> <td>low</td> </tr> <tr> <td><a href="#users-can-reply-to-vulnerability-report-discussions-despite-only-project-members-settings">Users can reply to Vulnerability Report discussions despite Only Project Members settings</a></td> <td>low</td> </tr> <tr> <td><a href="#unauthorised-deletion-of-protected-branches">Unauthorised deletion of protected branches</a></td> <td>low</td> </tr> <tr> <td><a href="#author-can-approve-merge-request-after-having-access-revoked">Author can approve Merge Request after having access revoked</a></td> <td>low</td> </tr> <tr> 
<td><a href="#html-injection-via-swagger-ui">HTML Injection via Swagger UI</a></td> <td>low</td> </tr> </tbody> </table> <h2 id="group-members-with-developer-role-can-escalate-their-privilege-to-maintainer-on-projects-that-they-import">Group members with developer role can escalate their privilege to maintainer on projects that they import</h2> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.0 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. A permissions validation flaw allowed group members with a developer role to elevate their privilege to a maintainer on projects they import. This is a high severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N</code>, 7.1). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39944">CVE-2021-39944</a>.</p> <p>Thanks @justas_b for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="when-user-registration-is-limited-external-users-that-arent-developers-shouldnt-have-access-to-the-ci-lint-api">When user registration is limited, external users that aren't developers shouldn't have access to the CI Lint API</h2> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.5 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. Unauthorized external users could perform Server Side Requests via the CI Lint API. This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N</code>, 6.8). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39935">CVE-2021-39935</a>.</p> <p>Thanks <a href="https://hackerone.com/minhli?type=user">@minhli</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="collision-in-access-memoization-leads-to-potential-elevated-privileges-on-groups-and-projects">Collision in access memoization leads to potential elevated privileges on groups and projects</h2> <p>A collision in access memoization logic in all versions of GitLab CE/EE before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, leads to potential elevated privileges in groups and projects under rare circumstances. This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N</code>, 5.9). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39937">CVE-2021-39937</a>.</p> <p>This vulnerability has been discovered internally by the GitLab team.</p> <h2 id="project-access-token-names-are-returned-for-unauthenticated-requesters">Project access token names are returned for unauthenticated requesters</h2> <p>Improper access control in the GraphQL API in GitLab CE/EE affecting all versions starting from 13.0 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, allows an attacker to see the names of project access tokens on arbitrary projects. This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N</code>, 5.3). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39915">CVE-2021-39915</a>.</p> <p>Thanks <a href="https://hackerone.com/joaxcar?type=user">@joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="sensitive-info-disclosure-in-logs">Sensitive info disclosure in logs</h2> <p>In all versions of GitLab CE/EE starting from version 14.0 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, the reset password token and new user email token are accidentally logged, which may lead to information disclosure. This is a medium severity issue (<code>CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N</code>, 4.4). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39919">CVE-2021-39919</a>.</p> <p>This vulnerability was discovered internally by a member of the GitLab team.</p> <h2 id="disclosure-of-a-users-custom-project-and-group-templates">Disclosure of a user's custom project and group templates</h2> <p>Missing authorization in GitLab EE versions starting from 12.4 before 14.3.6, starting from 14.4.0 before 14.4.4, and starting from 14.5.0 before 14.5.2 allowed an attacker to access a user's custom project and group templates. This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 4.3). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39930">CVE-2021-39930</a>.</p> <p>Thanks <a href="https://hackerone.com/ngalog?type=user">@ngalog</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="redos-in-maven-package-version">ReDoS in Maven package version</h2> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.2 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. GitLab Maven Package registry is vulnerable to a regular expression denial of service when a specifically crafted string is sent. This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L</code>, 4.3). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39940">CVE-2021-39940</a>.</p> <p>Thanks <a href="https://hackerone.com/anyday?type=user">@anyday</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="potential-denial-of-service-via-the-diff-feature">Potential denial of service via the Diff feature</h2> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.0 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. Using large payloads, the diff feature could be used to trigger high load time for users reviewing code changes. This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L</code>, 4.3). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39932">CVE-2021-39932</a>.</p> <p>This vulnerability has been discovered internally by the GitLab team.</p> <h2 id="regular-expression-denial-of-service-via-user-comments">Regular Expression Denial of Service via user comments</h2> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.10 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. A regular expression used for handling user input (notes, comments, etc.) was susceptible to catastrophic backtracking that could cause a DoS attack. This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L</code>, 4.3). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39933">CVE-2021-39933</a>.</p> <p>Thanks <a href="https://hackerone.com/hashkitten?type=user">@hashkitten</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="service-desk-email-accessible-by-any-project-member">Service Desk email accessible by any project member</h2> <p>Improper access control allows any project member to retrieve the Service Desk email address in GitLab CE/EE versions starting from 12.10 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 4.3). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39934">CVE-2021-39934</a>.</p> <p>Thanks <a href="https://hackerone.com/gratitude101?type=user">@gratitude101</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="regular-expression-denial-of-service-via-quick-actions">Regular Expression Denial of Service via quick actions</h2> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.9 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. A regular expression related to quick actions features was susceptible to catastrophic backtracking that could cause a DoS attack. This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L</code>, 4.3). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39917">CVE-2021-39917</a>.</p> <p>Thanks <a href="https://hackerone.com/hashkitten?type=user">@hashkitten</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="idor-in-external-status-check-api-leaks-data-about-any-status-check-on-the-instance">IDOR in "external status check" API leaks data about any status check on the instance</h2> <p>Lack of an access control check in the External Status Check feature allowed any authenticated user to retrieve the configuration of any External Status Check in GitLab EE starting from 14.1 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 4.3). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39916">CVE-2021-39916</a>.</p> <p>Thanks <a href="https://hackerone.com/joaxcar?type=user">@joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="default-branch-name-visible-in-public-projects-restricting-access-to-the-source-code-repository">Default branch name visible in public projects restricting access to the source code repository</h2> <p>An information disclosure vulnerability in GitLab CE/EE versions 12.0 to 14.3.6, 14.4 to 14.4.4, and 14.5 to 14.5.2 allowed non-project members to see the default branch name for projects that restrict access to the repository to project members. This is a low severity issue (<code>CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N</code>, 3.7). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39941">CVE-2021-39941</a>.</p> <p>Thanks <a href="https://hackerone.com/ashish_r_padelkar?type=user">@ashish_r_padelkar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="deploy-token-allows-access-to-disabled-project-wiki">Deploy token allows access to disabled project Wiki</h2> <p>Improper access control in GitLab CE/EE affecting all versions starting from 10.7 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, allows an attacker in possession of a deploy token to access a project's disabled wiki. This is a low severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N</code>, 3.5). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39936">CVE-2021-39936</a>.</p> <p>Thanks <a href="https://hackerone.com/vaib25vicky?type=user">@vaib25vicky</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="regular-expression-denial-of-service-via-deploy-slash-commands">Regular Expression Denial of Service via deploy Slash commands</h2> <p>A vulnerable regular expression pattern in GitLab CE/EE since version 8.15 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, allows an attacker to cause uncontrolled resource consumption leading to Denial of Service via specially crafted deploy Slash commands. This is a low severity issue (<code>CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L</code>, 3.1). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39938">CVE-2021-39938</a>.</p> <p>This vulnerability has been discovered internally by the GitLab team.</p> <h2 id="users-can-reply-to-vulnerability-report-discussions-despite-only-project-members-settings">Users can reply to Vulnerability Report discussions despite Only Project Members settings</h2> <p>Incorrect Authorization in GitLab EE affecting all versions starting from 11.1 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, allows a user to add comments to a vulnerability which cannot be accessed. This is a low severity issue (<code>CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N</code>, 3.1). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39918">CVE-2021-39918</a>.</p> <p>Thanks <a href="https://hackerone.com/wi11?type=user">@wi11</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="unauthorised-deletion-of-protected-branches">Unauthorised deletion of protected branches</h2> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting from 8.11 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. Under specific conditions, an unauthorised project member was allowed to delete a protected branch due to a business logic error. This is a low severity issue (<code>CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N</code>, 3.1). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39931">CVE-2021-39931</a>.</p> <p>Thanks <a href="https://hackerone.com/joaxcar?type=user">@joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="author-can-approve-merge-request-after-having-access-revoked">Author can approve Merge Request after having access revoked</h2> <p>Improper access control in the GitLab CE/EE API affecting all versions starting from 9.4 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, allows an author of a Merge Request to approve the Merge Request even after having their project access revoked. This is a low severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N</code>, 2.7). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39945">CVE-2021-39945</a>.</p> <p>Thanks <a href="https://hackerone.com/muthu_prakash?type=user">@muthu_prakash</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="html-injection-via-swagger-ui">HTML Injection via Swagger UI</h2> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.6 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. GitLab was vulnerable to HTML Injection through the Swagger UI feature. This is a low severity issue (<code>CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N</code>, 2.6). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39910">CVE-2021-39910</a>.</p> <p>Thanks <a href="https://hackerone.com/muthu_prakash?type=user">@kannthu</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="update-ruby">Update Ruby</h2> <p>The version of Ruby included in GitLab Omnibus has been updated to 2.7.5 in order to mitigate security concerns.</p> <h3 id="versions-affected">Versions affected</h3> <p>Affects all versions of GitLab Omnibus.</p> <h2 id="update-rails">Update Rails</h2> <p>The version of Rails included in GitLab Omnibus has been updated to 6.1.4.1 in order to mitigate security concerns.</p> <h3 id="versions-affected-1">Versions affected</h3> <p>Affects versions 12.8 and later.</p> <h2 id="update-ncurses">Update ncurses</h2> <p>The version of ncurses included in GitLab Omnibus has been updated to 6.3 in order to mitigate security concerns.</p> <h3 id="versions-affected-2">Versions affected</h3> <p>Affects all versions of GitLab Omnibus.</p> <h2 id="update-libgcrypt">Update libgcrypt</h2> <p>The version of libgcrypt included in GitLab Omnibus has been updated to 1.9.4 in order to mitigate 
security concerns.</p>
<h3 id="versions-affected-3">Versions affected</h3>
<p>Affects versions 10.3 and later.</p>
<h2 id="update-mattermost">Update Mattermost</h2>
<p>The version of Mattermost included in GitLab Omnibus versions 14.4.4 and 14.5.2 has been updated to 5.39.2 in order to mitigate security concerns. The version of Mattermost included in GitLab Omnibus version 14.3.6 has been updated to 5.38.4 for the same reason.</p>
<h3 id="versions-affected-4">Versions affected</h3>
<p>Affects versions 14.1 and later.</p>
<h2 id="update-graphql">Update graphql</h2>
<p>The version of graphql included in GitLab Omnibus has been updated to 1.11.10 in order to mitigate security concerns.</p>
<h3 id="versions-affected-5">Versions affected</h3>
<p>Affects versions 8.11 and later.</p>
<h2 id="update-mermaid">Update mermaid</h2>
<p>The version of mermaid included in GitLab Omnibus has been updated to 8.13.4 in order to mitigate security concerns.</p>
<h3 id="versions-affected-6">Versions affected</h3>
<p>Affects all versions of GitLab Omnibus.</p>
<h2 id="updating">Updating</h2>
<p>To update GitLab, see the <a href="/update/">update page</a>. To update GitLab Runner, see the <a href="https://docs.gitlab.com/runner/install/linux-repository.html#updating-the-runner">Updating the Runner page</a>.</p>
<h2 id="receive-security-release-notifications">Receive Security Release Notifications</h2>
<p>To receive security release blog notifications delivered to your inbox, visit our <a href="https://about.gitlab.com/company/contact/">contact us</a> page.
To receive release notifications via RSS, subscribe to our <a href="https://about.gitlab.com/security-releases.xml">security release RSS feed</a> or our <a href="https://about.gitlab.com/all-releases.xml">RSS feed for all releases</a>.</p>

GitLab Security Release: 14.4.1, 14.3.4, and 14.2.6 | https://about.gitlab.com/releases/2021/10/28/security-release-gitlab-14-4-1-released/ | 2021-10-28T00:00:00+00:00 | Nikhil George

<p>Today we are releasing versions 14.4.1, 14.3.4, and 14.2.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p>
<p>These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.</p>
<p>GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our <a href="https://about.gitlab.com/security/faq/">security FAQ</a>. You can see all of our regular and security release blog posts <a href="/releases/categories/releases/">here</a>. In addition, the issues detailing each vulnerability are made public on our <a href="https://gitlab.com/gitlab-org/gitlab/issues?label_name%5B%5D=security&amp;scope=all&amp;state=opened">issue tracker</a> 30 days after the release in which they were patched.</p>
<p>We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version.
You can read more <a href="/blog/gitlab-instance-security-best-practices/">best practices in securing your GitLab instance</a> in our blog post.</p>
<h3 id="recommended-action">Recommended Action</h3>
<p>We <strong>strongly recommend</strong> that all installations running a version affected by the issues described below are <strong>upgraded to the latest version as soon as possible</strong>.</p>
<h2 id="table-of-fixes">Table of Fixes</h2>
<table>
<thead>
<tr> <th>Title</th> <th>Severity</th> </tr>
</thead>
<tbody>
<tr> <td><a href="#stored-xss-via-ipynb-files">Stored XSS via ipynb files</a></td> <td>high</td> </tr>
<tr> <td><a href="#unicode-characters-can-be-abused-to-commit-malicious-code-into-projects-without-notice">Unicode characters can be abused to commit malicious code into projects without notice</a></td> <td>medium</td> </tr>
<tr> <td><a href="#pipeline-schedules-on-imported-projects-can-be-set-to-automatically-active-after-import">Pipeline schedules on imported projects can be set to automatically active after import</a></td> <td>medium</td> </tr>
<tr> <td><a href="#potential-denial-of-service-via-workhorse">Potential Denial of service via Workhorse</a></td> <td>medium</td> </tr>
<tr> <td><a href="#improper-access-control-allows-merge-request-creator-to-bypass-locked-status">Improper Access Control allows Merge Request creator to bypass locked status</a></td> <td>medium</td> </tr>
<tr> <td><a href="#projects-api-discloses-id-and-name-of-private-groups">Projects API discloses ID and name of private groups</a></td> <td>medium</td> </tr>
<tr> <td><a href="#severity-of-an-incident-can-be-changed-by-a-guest-user">Severity of an incident can be changed by a guest user</a></td> <td>medium</td> </tr>
<tr> <td><a href="#system-root-password-accidentally-written-to-log-file">System root password accidentally written to log file</a></td> <td>medium</td> </tr>
<tr> <td><a href="#potential-dos-via-a-malformed-tiff-image">Potential DoS via a malformed TIFF
image</a></td> <td>medium</td> </tr>
<tr> <td><a href="#bypass-of-codeowners-merge-request-approval-requirement">Bypass of CODEOWNERS Merge Request approval requirement</a></td> <td>medium</td> </tr>
<tr> <td><a href="#change-project-visibility-to-a-restricted-option">Change project visibility to a restricted option</a></td> <td>medium</td> </tr>
<tr> <td><a href="#project-exports-leak-external-webhook-token-value">Project exports leak external webhook token value</a></td> <td>low</td> </tr>
<tr> <td><a href="#invited-group-members-with-access-inherited-from-parent-group-continue-to-have-project-access-even-after-invited-subgroup-is-transfered">Invited group members, with access inherited from parent group, continue to have project access even after invited subgroup is transferred</a></td> <td>low</td> </tr>
<tr> <td><a href="#scim-token-is-visible-after-creation">SCIM token is visible after creation</a></td> <td>low</td> </tr>
<tr> <td><a href="#regular-expression-denial-of-service-issue-when-cleaning-namespace-path">Regular expression denial of service issue when cleaning namespace path</a></td> <td>low</td> </tr>
<tr> <td><a href="#prevent-creation-of-scopeless-apps-using-applications-api">Prevent creation of scopeless apps using applications API</a></td> <td>low</td> </tr>
<tr> <td><a href="#webhook-data-exposes-assignees-private-email-address">Webhook data exposes assignee's private email address</a></td> <td>low</td> </tr>
</tbody>
</table>
<h2 id="stored-xss-via-ipynb-files">Stored XSS via ipynb files</h2>
<p>Improper validation of ipynb files in GitLab CE/EE version 13.5 and above allows an attacker to execute arbitrary JavaScript code on the victim's behalf. This is a high severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N</code>, 8.7).
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39906">CVE-2021-39906</a>.</p>
<p>Thanks @saleemrashid for reporting this vulnerability through our HackerOne bug bounty program.</p>
<h2 id="unicode-characters-can-be-abused-to-commit-malicious-code-into-projects-without-notice">Unicode characters can be abused to commit malicious code into projects without notice</h2>
<p>In all versions of GitLab CE/EE, certain Unicode characters can be abused to commit malicious code into projects without it being noticed in the merge request or source code viewer UI. This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N</code>, 6.5). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39908">CVE-2021-39908</a>. The general attack vector was also assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42574">CVE-2021-42574</a> by the original researchers and is known as a "Trojan Source" attack.</p>
<p>Thanks @nickboucher for reporting this vulnerability through our HackerOne bug bounty program.</p>
<h2 id="pipeline-schedules-on-imported-projects-can-be-set-to-automatically-active-after-import">Pipeline schedules on imported projects can be set to automatically active after import</h2>
<p>In all versions of GitLab CE/EE since version 8.0, an attacker can set pipeline schedules to be active in a project export, so that when an unsuspecting owner imports that project, pipelines are active by default on it. Under specialized conditions, this may lead to information disclosure if the project is imported from an untrusted source. This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L</code>, 6.0).
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39895">CVE-2021-39895</a>.</p>
<p>Thanks @justas_b for reporting this vulnerability through our HackerOne bug bounty program.</p>
<h2 id="potential-denial-of-service-via-workhorse">Potential Denial of service via Workhorse</h2>
<p>A potential DoS vulnerability was discovered in GitLab CE/EE starting with version 13.7. The stripping of EXIF data from certain images resulted in high CPU usage. This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L</code>, 5.3). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39907">CVE-2021-39907</a>.</p>
<p>Thanks @ajxchapman for reporting this vulnerability through our HackerOne bug bounty program.</p>
<h2 id="improper-access-control-allows-merge-request-creator-to-bypass-locked-status">Improper Access Control allows Merge Request creator to bypass locked status</h2>
<p>An Improper Access Control vulnerability in the GraphQL API in GitLab CE/EE since version 13.1 allows a Merge Request creator to resolve discussions and apply suggestions after a project owner has locked the Merge Request. This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39904">CVE-2021-39904</a>.</p>
<p>Thanks @jimeno for reporting this vulnerability through our HackerOne bug bounty program.</p>
<h2 id="projects-api-discloses-id-and-name-of-private-groups">Projects API discloses ID and name of private groups</h2>
<p>An information disclosure vulnerability in the GitLab CE/EE API since version 8.9.6 allows a user to see basic information on private groups that a public project has been shared with.
This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39905">CVE-2021-39905</a>.</p>
<p>Thanks @rafiem for reporting this vulnerability through our HackerOne bug bounty program.</p>
<h2 id="severity-of-an-incident-can-be-changed-by-a-guest-user">Severity of an incident can be changed by a guest user</h2>
<p>Incorrect authorization in GitLab CE/EE 13.4 or above allows a user with guest membership in a project to modify the severity of an incident. This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39902">CVE-2021-39902</a>.</p>
<p>Thanks @cradlr for reporting this vulnerability through our HackerOne bug bounty program.</p>
<h2 id="system-root-password-accidentally-written-to-log-file">System root password accidentally written to log file</h2>
<p>Accidental logging of the system root password in the migration log in all versions of GitLab CE/EE allows an attacker with local file system access to obtain system root-level privileges. This is a medium severity issue (<code>CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N</code>, 4.4). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39913">CVE-2021-39913</a>.</p>
<p>This vulnerability has been discovered internally by the GitLab team.</p>
<h2 id="potential-dos-via-a-malformed-tiff-image">Potential DoS via a malformed TIFF image</h2>
<p>A potential DoS vulnerability was discovered in GitLab CE/EE starting with version 13.7. Using a malformed TIFF image, it was possible to trigger memory exhaustion. This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L</code>, 5.3).
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39912">CVE-2021-39912</a>.</p>
<p>Thanks @haquaman for reporting this vulnerability through our HackerOne bug bounty program.</p>
<h2 id="bypass-of-codeowners-merge-request-approval-requirement">Bypass of CODEOWNERS Merge Request approval requirement</h2>
<p>Lack of email address ownership verification in the CODEOWNERS feature in all versions of GitLab EE since version 11.3 allows an attacker to bypass the CODEOWNERS Merge Request approval requirement under rare circumstances. This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N</code>, 5.3). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39909">CVE-2021-39909</a>.</p>
<p>Thanks @vaib25vicky for reporting this vulnerability through our HackerOne bug bounty program.</p>
<h2 id="change-project-visibility-to-a-restricted-option">Change project visibility to a restricted option</h2>
<p>In all versions of GitLab CE/EE since version 13.0, a low privileged user can, through an API call, change the visibility level of a group or a project to a restricted option even after the instance administrator has marked that visibility option as restricted in the settings. This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N</code>, 6.5). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39903">CVE-2021-39903</a>.</p>
<p>Thanks @s4nderdevelopment for reporting this vulnerability through our HackerOne bug bounty program.</p>
<h2 id="project-exports-leak-external-webhook-token-value">Project exports leak external webhook token value</h2>
<p>In all versions of GitLab CE/EE since version 10.6, a project export leaks the external webhook token value, which may allow access to the project it was exported from.
This is a low severity issue (<code>CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N</code>, 3.7). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39898">CVE-2021-39898</a>.</p>
<p>Thanks @xanbanx for reporting this vulnerability through our HackerOne bug bounty program.</p>
<h2 id="invited-group-members-with-access-inherited-from-parent-group-continue-to-have-project-access-even-after-invited-subgroup-is-transfered">Invited group members, with access inherited from parent group, continue to have project access even after invited subgroup is transferred</h2>
<p>Improper access control in GitLab CE/EE version 10.5 and above allowed subgroup members with access to a project inherited from a parent group to retain that access even after the subgroup is transferred. This is a low severity issue (<code>CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N</code>, 3.7). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39897">CVE-2021-39897</a>.</p>
<p>Thanks @joaxcar for reporting this vulnerability through our HackerOne bug bounty program.</p>
<h2 id="scim-token-is-visible-after-creation">SCIM token is visible after creation</h2>
<p>In all versions of GitLab CE/EE since version 11.10, an admin of a group can see the SCIM token of that group by visiting a specific endpoint. This is a low severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N</code>, 2.7).
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39901">CVE-2021-39901</a>.</p>
<p>Thanks @ngalog for reporting this vulnerability through our HackerOne bug bounty program.</p>
<h2 id="regular-expression-denial-of-service-issue-when-cleaning-namespace-path">Regular expression denial of service issue when cleaning namespace path</h2>
<p>A regular expression denial of service issue in GitLab versions 8.13 to 14.2.5, 14.3.0 to 14.3.3, and 14.4.0 could cause excessive usage of resources when a specially crafted username was used when provisioning a new user. This is a low severity issue (<code>CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L</code>, 3.1). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39914">CVE-2021-39914</a>.</p>
<p>This vulnerability has been discovered internally by the GitLab team.</p>
<h2 id="prevent-creation-of-scopeless-apps-using-applications-api">Prevent creation of scopeless apps using applications API</h2>
<p>The applications API in GitLab CE/EE version 10.5 and above allowed creation of scopeless apps. This is a low severity issue and is now mitigated in the latest release.</p>
<p>This vulnerability has been discovered internally by the GitLab team.</p>
<h2 id="webhook-data-exposes-assignees-private-email-address">Webhook data exposes assignee's private email address</h2>
<p>An improper access control flaw in GitLab CE/EE since version 13.9 exposes the private email address of Issue and Merge Request assignees to Webhook data consumers. This is a low severity issue (<code>CVSS:3.0/AV:P/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N</code>, 1.7).
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39911">CVE-2021-39911</a>.</p>
<p>This vulnerability has been discovered internally by the GitLab team.</p>
<h2 id="update-redis">Update Redis</h2>
<p>The version of Redis included in GitLab Omnibus has been updated to 6.0.16 in order to mitigate security concerns.</p>
<h3 id="versions-affected">Versions affected</h3>
<p>Affects all versions of GitLab Omnibus.</p>
<h2 id="update-openssl">Update OpenSSL</h2>
<p>The version of OpenSSL included in GitLab Omnibus has been updated to 1.1.1l in order to mitigate security concerns.</p>
<h3 id="versions-affected-1">Versions affected</h3>
<p>Affects all versions of GitLab Omnibus.</p>
<h2 id="update-curl">Update Curl</h2>
<p>The version of Curl included in GitLab Omnibus has been updated to 7.79.1 in order to mitigate security concerns.</p>
<h3 id="versions-affected-2">Versions affected</h3>
<p>Affects all versions of GitLab Omnibus.</p>
<h2 id="updating">Updating</h2>
<p>To update GitLab, see the <a href="/update/">update page</a>. To update GitLab Runner, see the <a href="https://docs.gitlab.com/runner/install/linux-repository.html#updating-the-runner">Updating the Runner page</a>.</p>
<h2 id="receive-security-release-notifications">Receive Security Release Notifications</h2>
<p>To receive security release blog notifications delivered to your inbox, visit our <a href="https://about.gitlab.com/company/contact/">contact us</a> page.
To receive release notifications via RSS, subscribe to our <a href="https://about.gitlab.com/security-releases.xml">security release RSS feed</a> or our <a href="https://about.gitlab.com/all-releases.xml">RSS feed for all releases</a>.</p>

GitLab Security Release: 14.3.1, 14.2.5, and 14.1.7 | https://about.gitlab.com/releases/2021/09/30/security-release-gitlab-14-3-1-released/ | 2021-09-30T00:00:00+00:00 | Michael Henriksen

<p>Today we are releasing versions 14.3.1, 14.2.5, and 14.1.7 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p>
<p>These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.</p>
<p>GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our <a href="https://about.gitlab.com/security/faq/">security FAQ</a>. You can see all of our regular and security release blog posts <a href="/releases/categories/releases/">here</a>. In addition, the issues detailing each vulnerability are made public on our <a href="https://gitlab.com/gitlab-org/gitlab/issues?label_name%5B%5D=security&amp;scope=all&amp;state=opened">issue tracker</a> 30 days after the release in which they were patched.</p>
<p>We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version.
You can read more <a href="/blog/gitlab-instance-security-best-practices/">best practices in securing your GitLab instance</a> in our blog post.</p>
<h3 id="recommended-action">Recommended Action</h3>
<p>We <strong>strongly recommend</strong> that all installations running a version affected by the issues described below are <strong>upgraded to the latest version as soon as possible</strong>.</p>
<h2 id="table-of-fixes">Table of Fixes</h2>
<table>
<thead>
<tr> <th>Title</th> <th>Severity</th> </tr>
</thead>
<tbody>
<tr> <td><a href="#stored-xss-in-merge-request-creation-page">Stored XSS in merge request creation page</a></td> <td>high</td> </tr>
<tr> <td><a href="#denial-of-service-attack-in-markdown-parser">Denial-of-service attack in Markdown parser</a></td> <td>high</td> </tr>
<tr> <td><a href="#stored-cross-site-scripting-vulnerability-in-the-gitlab-flavored-markdown">Stored Cross-Site Scripting vulnerability in the GitLab Flavored Markdown</a></td> <td>high</td> </tr>
<tr> <td><a href="#dns-rebinding-vulnerability-in-gitea-importer">DNS Rebinding vulnerability in Gitea importer</a></td> <td>medium</td> </tr>
<tr> <td><a href="#exposure-of-trigger-tokens-on-project-exports">Exposure of trigger tokens on project exports</a></td> <td>medium</td> </tr>
<tr> <td><a href="#improper-access-control-for-users-with-expired-password">Improper access control for users with expired password</a></td> <td>medium</td> </tr>
<tr> <td><a href="#access-tokens-are-not-cleared-after-impersonation">Access tokens are not cleared after impersonation</a></td> <td>medium</td> </tr>
<tr> <td><a href="#reflected-cross-site-scripting-in-jira-integration">Reflected Cross-Site Scripting in Jira Integration</a></td> <td>medium</td> </tr>
<tr> <td><a href="#dns-rebinding-vulnerability-in-fogbugz-importer">DNS Rebinding vulnerability in Fogbugz importer</a></td> <td>medium</td> </tr>
<tr> <td><a href="#access-tokens-persist-after-project-deletion">Access tokens persist after project
deletion</a></td> <td>medium</td> </tr>
<tr> <td><a href="#user-enumeration-vulnerability">User enumeration vulnerability</a></td> <td>medium</td> </tr>
<tr> <td><a href="#potential-dos-via-api-requests">Potential DoS via API requests</a></td> <td>medium</td> </tr>
<tr> <td><a href="#pending-invitations-of-public-groups-and-public-projects-are-visible-to-any-user">Pending invitations of public groups and public projects are visible to any user</a></td> <td>medium</td> </tr>
<tr> <td><a href="#bypass-disabled-repo-by-url-project-creation">Bypass Disabled Repo by URL Project Creation</a></td> <td>medium</td> </tr>
<tr> <td><a href="#low-privileged-users-can-see-names-of-the-private-groups-shared-in-projects">Low privileged users can see names of the private groups shared in projects</a></td> <td>medium</td> </tr>
<tr> <td><a href="#api-discloses-sensitive-info-to-low-privileged-users">API discloses sensitive info to low privileged users</a></td> <td>medium</td> </tr>
<tr> <td><a href="#epic-listing-do-not-honour-group-memberships">Epic listing does not honour group memberships</a></td> <td>medium</td> </tr>
<tr> <td><a href="#insecure-direct-object-reference-vulnerability-may-lead-to-protected-branch-names-getting-disclosed">Insecure Direct Object Reference vulnerability may lead to protected branch names getting disclosed</a></td> <td>medium</td> </tr>
<tr> <td><a href="#low-privileged-users-can-import-users-from-projects-that-they-they-are-not-a-maintainer-on">Low privileged users can import users from projects that they are not a maintainer on</a></td> <td>medium</td> </tr>
<tr> <td><a href="#potential-dos-via-dependencies-api">Potential DoS via dependencies API</a></td> <td>medium</td> </tr>
<tr> <td><a href="#create-a-project-with-unlimited-repository-size-through-malicious-project-import">Create a project with unlimited repository size through malicious Project Import</a></td> <td>medium</td> </tr>
<tr> <td><a 
href="#bypass-disabled-bitbucket-server-import-source-project-creation">Bypass disabled Bitbucket Server import source project creation</a></td> <td>medium</td> </tr>
<tr> <td><a href="#requirement-to-enforce-2fa-is-not-honored-when-using-git-commands">Requirement to enforce 2FA is not honored when using git commands</a></td> <td>medium</td> </tr>
<tr> <td><a href="#content-spoofing-vulnerability">Content spoofing vulnerability</a></td> <td>medium</td> </tr>
<tr> <td><a href="#improper-session-management-in-impersonation-feature">Improper session management in impersonation feature</a></td> <td>low</td> </tr>
<tr> <td><a href="#create-oauth-application-with-arbitrary-scopes-through-content-spoofing">Create OAuth application with arbitrary scopes through content spoofing</a></td> <td>low</td> </tr>
<tr> <td><a href="#ldap-users-can-bypass-2fa-and-load-certain-pages-with-http-basic-auth">LDAP users can bypass 2FA and load certain pages with HTTP Basic Auth</a></td> <td>low</td> </tr>
<tr> <td><a href="#lack-of-account-lockout-on-change-password-functionality">Lack of account lockout on change password functionality</a></td> <td>low</td> </tr>
<tr> <td><a href="#epic-reference-was-not-updated-while-moved-between-groups">Epic reference was not updated while moved between groups</a></td> <td>low</td> </tr>
<tr> <td><a href="#missing-authentication-allows-disabling-of-two-factor-authentication">Missing authentication allows disabling of two-factor authentication</a></td> <td>low</td> </tr>
<tr> <td><a href="#information-disclosure-in-sendentry">Information disclosure in SendEntry</a></td> <td>low</td> </tr>
</tbody>
</table>
<h2 id="stored-xss-in-merge-request-creation-page">Stored XSS in merge request creation page</h2>
<p>A Stored XSS in the merge request creation page in GitLab EE version 13.5 and above allows an attacker to execute arbitrary JavaScript code on the victim's behalf via malicious approval rule names.
This is a high severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N</code>, 8.7). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39885">CVE-2021-39885</a>.</p>
<p>Thanks @joaxcar for reporting this vulnerability through our HackerOne bug bounty program.</p>
<h2 id="denial-of-service-attack-in-markdown-parser">Denial-of-service attack in Markdown parser</h2>
<p>A vulnerability was discovered in GitLab starting with version 12.2 that allows an attacker to cause uncontrolled resource consumption with a specially crafted file. This is a high severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H</code>, 7.7). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39877">CVE-2021-39877</a>.</p>
<p>Thanks @phill for reporting this vulnerability through our HackerOne bug bounty program.</p>
<h2 id="stored-cross-site-scripting-vulnerability-in-the-gitlab-flavored-markdown">Stored Cross-Site Scripting vulnerability in the GitLab Flavored Markdown</h2>
<p>A stored Cross-Site Scripting vulnerability in the GitLab Flavored Markdown in GitLab CE/EE version 8.4 and above allowed an attacker to execute arbitrary JavaScript code on the victim's behalf. This is a high severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N</code>, 7.3). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39887">CVE-2021-39887</a>.</p>
<p>Thanks @saleemrashid for reporting this vulnerability through our HackerOne bug bounty program.</p>
<h2 id="dns-rebinding-vulnerability-in-gitea-importer">DNS Rebinding vulnerability in Gitea importer</h2>
<p>In all versions of GitLab CE/EE since version 8.15, a DNS rebinding vulnerability in the Gitea Importer may be exploited by an attacker to trigger Server Side Request Forgery (SSRF) attacks.
This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N</code>, 6.5). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39867">CVE-2021-39867</a>.</p>
<p>This issue was found internally by a member of the GitLab team.</p>
<h2 id="exposure-of-trigger-tokens-on-project-exports">Exposure of trigger tokens on project exports</h2>
<p>In all versions of GitLab CE/EE since version 8.9, project exports may expose trigger tokens configured on that project. This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N</code>, 6.5). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39869">CVE-2021-39869</a>.</p>
<p>Thanks @mishre for reporting this vulnerability through our HackerOne bug bounty program.</p>
<h2 id="improper-access-control-for-users-with-expired-password">Improper access control for users with expired password</h2>
<p>In all versions of GitLab CE/EE since version 14.1, an improper access control vulnerability allows users with an expired password to still access GitLab through Git and the API using access tokens acquired before the password expired. This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N</code>, 6.5). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39872">CVE-2021-39872</a>.</p>
<p>Thanks @joaxcar for reporting this vulnerability through our HackerOne bug bounty program.</p>
<h2 id="access-tokens-are-not-cleared-after-impersonation">Access tokens are not cleared after impersonation</h2>
<p>In all versions of GitLab CE/EE since version 8.0, access tokens created as part of an admin's impersonation of a user are not cleared at the end of the impersonation, which may lead to unnecessary sensitive info disclosure.
This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N</code>, 5.9). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39891">CVE-2021-39891</a>.</p>
<p>This vulnerability was found internally by a member of the GitLab team.</p>
<h2 id="reflected-cross-site-scripting-in-jira-integration">Reflected Cross-Site Scripting in Jira Integration</h2>
<p>A reflected Cross-Site Scripting vulnerability in the Jira integration in GitLab version 13.0 up to 14.3.1 allowed an attacker to execute arbitrary JavaScript code. This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N</code>, 5.8). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39878">CVE-2021-39878</a>.</p>
<p>Thanks @ooooooo_q for reporting this vulnerability through our HackerOne bug bounty program.</p>
<h2 id="dns-rebinding-vulnerability-in-fogbugz-importer">DNS Rebinding vulnerability in Fogbugz importer</h2>
<p>In all versions of GitLab CE/EE since version 8.0, a DNS rebinding vulnerability exists in the Fogbugz importer which may be used by attackers to perform Server Side Request Forgery (SSRF) attacks. This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N</code>, 5.4). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39894">CVE-2021-39894</a>.</p>
<p>This vulnerability was discovered internally by the GitLab team.</p>
<h2 id="access-tokens-persist-after-project-deletion">Access tokens persist after project deletion</h2>
<p>A business logic error in the project deletion process in GitLab 13.6 and later allows persistent access via project access tokens. This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N</code>, 5.4).
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39866">CVE-2021-39866</a>.</p> <p>Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="user-enumeration-vulnerability">User enumeration vulnerability</h2> <p>In all versions of GitLab CE/EE, provided a user ID, anonymous users can use a few endpoints to retrieve information about any GitLab user. This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N</code>, 5.3). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39882">CVE-2021-39882</a>.</p> <p>This issue was found internally by a member of the GitLab team.</p> <h2 id="potential-dos-via-api-requests">Potential DOS via API requests</h2> <p>A potential DOS vulnerability was discovered in GitLab starting with version 9.1 that allowed parsing files without authorisation. This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L</code>, 5.3). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39893">CVE-2021-39893</a>.</p> <p>This vulnerability has been discovered internally by the GitLab team.</p> <h2 id="pending-invitations-of-public-groups-and-public-projects-are-visible-to-any-user">Pending invitations of public groups and public projects are visible to any user</h2> <p>In all versions of GitLab CE/EE since version 13.6, it is possible to see pending invitations of any public group or public project by visiting an API endpoint. This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N</code>, 5.3). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39875">CVE-2021-39875</a>.</p> <p>Thanks @ashish_r_padelkar for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="bypass-disabled-repo-by-url-project-creation">Bypass Disabled Repo by URL Project Creation</h2> <p>In all versions of GitLab CE/EE since version 11.11, an instance that has the setting to disable Repo by URL import enabled is bypassed by an attacker making a crafted API call. This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39870">CVE-2021-39870</a>.</p> <p>Thanks @ngalog for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="low-privileged-users-can-see-names-of-the-private-groups-shared-in-projects">Low privileged users can see names of the private groups shared in projects</h2> <p>In all versions of GitLab EE since version 8.13, an endpoint discloses names of private groups that have access to a project to low privileged users that are part of that project. This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39884">CVE-2021-39884</a>.</p> <p>Thanks @ashish_r_padelkar for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="api-discloses-sensitive-info-to-low-privileged-users">API discloses sensitive info to low privileged users</h2> <p>In all versions of GitLab EE since version 13.10, a specific API endpoint may reveal details about a private group and other sensitive info inside issue and merge request templates. 
This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39888">CVE-2021-39888</a>. Thanks @0xn3va for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="epic-listing-do-not-honour-group-memberships">Epic listing do not honour group memberships</h2> <p>Improper authorization checks in GitLab EE &gt; 13.11 allows subgroup members to see epics from all parent subgroups. This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39883">CVE-2021-39883</a>.</p> <p>This vulnerability has been discovered internally by the GitLab team.</p> <h2 id="insecure-direct-object-reference-vulnerability-may-lead-to-protected-branch-names-getting-disclosed">Insecure Direct Object Reference vulnerability may lead to protected branch names getting disclosed</h2> <p>In all versions of GitLab EE since version 14.1, due to an insecure direct object reference vulnerability, an endpoint may reveal the protected branch name to a malicious user who makes a crafted API call with the ID of the protected branch. This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 4.3). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39889">CVE-2021-39889</a>.</p> <p>Thanks @ashish_r_padelkar for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="low-privileged-users-can-import-users-from-projects-that-they-they-are-not-a-maintainer-on">Low privileged users can import users from projects that they they are not a maintainer on</h2> <p>In all versions of GitLab CE/EE since version 12.0, a lower privileged user can import users from projects that they don't have a maintainer role on and disclose email addresses of those users. This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39892">CVE-2021-39892</a>.</p> <p>Thanks @ashish_r_padelkar for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="potential-dos-via-dependencies-api">Potential DOS via dependencies API</h2> <p>A potential DOS vulnerability was discovered in GitLab EE starting with version 12.6 due to lack of pagination in dependencies API. This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L</code>, 4.3). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22259">CVE-2021-22259</a>.</p> <p>This vulnerability has been discovered internally by the GitLab team.</p> <h2 id="create-a-project-with-unlimited-repository-size-through-malicious-project-import">Create a project with unlimited repository size through malicious Project Import</h2> <p>In all versions of GitLab CE/EE since version 8.12, an authenticated low-privileged malicious user may create a project with unlimited repository size by modifying values in a project export. 
This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39868">CVE-2021-39868</a>.</p> <p>Thanks @ngalog for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="bypass-disabled-bitbucket-server-import-source-project-creation">Bypass disabled Bitbucket Server import source project creation</h2> <p>In all versions of GitLab CE/EE since version 13.0, an instance that has the setting to disable Bitbucket Server import enabled is bypassed by an attacker making a crafted API call. This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39871">CVE-2021-39871</a>.</p> <p>This issue was discovered internally by a member of the GitLab team.</p> <h2 id="requirement-to-enforce-2fa-is-not-honored-when-using-git-commands">Requirement to enforce 2FA is not honored when using git commands</h2> <p>In all versions of GitLab CE/EE since version 11.0, the requirement to enforce 2FA is not honored when using git commands. This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39874">CVE-2021-39874</a>.</p> <p>Thanks @melar_dev for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="content-spoofing-vulnerability">Content spoofing vulnerability</h2> <p>In all versions of GitLab CE/EE, there exists a content spoofing vulnerability which may be leveraged by attackers to trick users into visiting a malicious website by spoofing the content in an error response. 
This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39873">CVE-2021-39873</a>.</p> <p>Thanks @w00t1 for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="improper-session-management-in-impersonation-feature">Improper session management in impersonation feature</h2> <p>In all versions of GitLab CE/EE since version 8.0, when an admin uses the impersonate feature twice and stops impersonating, the admin may be logged in as the second user they impersonated, which may lead to repudiation issues. This is a low severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N</code>, 3.8). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39896">CVE-2021-39896</a>.</p> <p>This vulnerability was reported to GitLab by a customer.</p> <h2 id="create-oauth-application-with-arbitrary-scopes-through-content-spoofing">Create OAuth application with arbitrary scopes through content spoofing</h2> <p>In all versions of GitLab CE/EE since version 7.7, the application may let a malicious user create an OAuth client application with arbitrary scope names which may allow the malicious user to trick unsuspecting users to authorize the malicious client application using the spoofed scope name and description. This is a low severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N</code>, 3.5). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39881">CVE-2021-39881</a>.</p> <p>Thanks @executor for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="ldap-users-can-bypass-2fa-and-load-certain-pages-with-http-basic-auth">LDAP users can bypass 2FA and load certain pages with HTTP Basic Auth</h2> <p>It was possible to bypass 2FA for LDAP users and access some specific pages with Basic Authentication in GitLab 14.1.1 and above. This is a low severity issue (<code>CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 3.1). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39890">CVE-2021-39890</a>.</p> <p>This vulnerability has been discovered internally by the GitLab team.</p> <h2 id="lack-of-account-lockout-on-change-password-functionality">Lack of account lockout on change password functionality</h2> <p>In all versions of GitLab CE/EE, an attacker with access to a user’s session may brute force the user’s password via the change password function. There is a rate limit in place, but the attack may still be conducted by splitting the attack over several IP addresses. This is a low severity issue (<code>CVSS:3.0/AV:P/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N</code>, 2.9). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39899">CVE-2021-39899</a>.</p> <p>This vulnerability was discovered internally by the GitLab team.</p> <h2 id="epic-reference-was-not-updated-while-moved-between-groups">Epic reference was not updated while moved between groups</h2> <p>Permissions rules were not applied while issues were moved between projects of the same group in GitLab versions starting with 10.6 and up to 14.1.7 allowing users to read confidential Epic references. 
This is a low severity issue (<code>CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N</code>, 2.6). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39886">CVE-2021-39886</a>.</p> <p>This vulnerability was discovered internally by the GitLab team.</p> <h2 id="missing-authentication-allows-disabling-of-two-factor-authentication">Missing authentication allows disabling of two-factor authentication</h2> <p>Missing authentication in all versions of GitLab CE/EE since version 7.11.0 allows an attacker with access to a victim's session to disable two-factor authentication. This is a low severity issue (<code>CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N</code>, 2.2). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39879">CVE-2021-39879</a>.</p> <p>This vulnerability has been discovered internally by the GitLab team.</p> <h2 id="information-disclosure-in-sendentry">Information disclosure in SendEntry</h2> <p>Information disclosure from SendEntry in GitLab starting with 10.8 allowed the full, temporarily accessible URL of artifacts stored in object storage to be exposed via Rails logs. This is a low severity issue (<code>CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N</code>, 2.0). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39900">CVE-2021-39900</a>.</p> <p>This vulnerability has been discovered internally by the GitLab team.</p> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">Update page</a>. 
To update GitLab Runner, see the <a href="https://docs.gitlab.com/runner/install/linux-repository.html#updating-the-runner">Updating the Runner page</a>.</p> <h2 id="receive-security-release-notifications">Receive Security Release Notifications</h2> <p>To receive security release blog notifications delivered to your inbox, visit our <a href="https://about.gitlab.com/company/contact/">contact us</a> page. To receive release notifications via RSS, subscribe to our <a href="https://about.gitlab.com/security-releases.xml">security release RSS feed</a> or our <a href="https://about.gitlab.com/all-releases.xml">RSS feed for all releases</a>.</p> <p><strong>GitLab Security Release: 14.2.2, 14.1.4, and 14.0.9</strong> (<a href="https://about.gitlab.com/releases/2021/08/31/security-release-gitlab-14-2-2-released/">https://about.gitlab.com/releases/2021/08/31/security-release-gitlab-14-2-2-released/</a>, published 2021-08-31T00:00:00+00:00, by Andrew Kelly)</p> <p>Today we are releasing versions 14.2.2, 14.1.4, and 14.0.9 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.</p> <p>GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our <a href="https://about.gitlab.com/security/faq/">security FAQ</a>. You can see all of our regular and security release blog posts <a href="/releases/categories/releases/">here</a>. 
In addition, the issues detailing each vulnerability are made public on our <a href="https://gitlab.com/gitlab-org/gitlab/issues?label_name%5B%5D=security&amp;scope=all&amp;state=opened">issue tracker</a> 30 days after the release in which they were patched.</p> <p>We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more <a href="/blog/gitlab-instance-security-best-practices/">best practices in securing your GitLab instance</a> in our blog post.</p> <h3 id="recommended-action">Recommended Action</h3> <p>We <strong>strongly recommend</strong> that all installations running a version affected by the issues described below are <strong>upgraded to the latest version as soon as possible</strong>.</p> <h2 id="table-of-fixes">Table of Fixes</h2> <table> <thead> <tr> <th>Title</th> <th>Severity</th> </tr> </thead> <tbody> <tr> <td><a href="#stored-xss-in-datadog-integration">Stored XSS in DataDog Integration</a></td> <td>high</td> </tr> <tr> <td><a href="#invited-group-members-continue-to-have-project-access-even-after-invited-group-is-deleted">Invited group members continue to have project access even after invited group is deleted</a></td> <td>medium</td> </tr> <tr> <td><a href="#specially-crafted-requests-to-apollo_upload_server-middleware-leads-to-denial-of-service">Specially crafted requests to apollo_upload_server middleware leads to denial of service</a></td> <td>medium</td> </tr> <tr> <td><a href="#privilege-escalation-of-an-external-user-through-project-token">Privilege escalation of an external user through project token</a></td> <td>medium</td> </tr> <tr> <td><a href="#missing-access-control-allows-non-admin-users-to-addremove-jira-connect-namespaces">Missing access control allows non-admin users 
to add/remove Jira Connect Namespaces</a></td> <td>medium</td> </tr> <tr> <td><a href="#user-enumeration-on-private-instances">User enumeration on private instances</a></td> <td>medium</td> </tr> <tr> <td><a href="#member-e-mails-can-be-revealed-via-project-importexport-feature">Member e-mails can be revealed via project import/export feature</a></td> <td>medium</td> </tr> <tr> <td><a href="#stored-xss-in-jira-integration">Stored XSS in Jira integration</a></td> <td>medium</td> </tr> <tr> <td><a href="#stored-xss-in-markdown-via-the-design-reference">Stored XSS in markdown via the Design reference</a></td> <td>medium</td> </tr> </tbody> </table> <h2 id="stored-xss-in-datadog-integration">Stored XSS in DataDog Integration</h2> <p>A stored Cross-Site Scripting vulnerability in the DataDog integration in GitLab CE/EE version 13.7 and above allows an attacker to execute arbitrary JavaScript code on the victim's behalf. This is a high severity issue (<code>CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N</code>, 7.7). We have requested a CVE ID and will update this blog post when it is assigned.</p> <p>Thanks shells3c for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="invited-group-members-continue-to-have-project-access-even-after-invited-group-is-deleted">Invited group members continue to have project access even after invited group is deleted</h2> <p>Under specialized conditions, an invited group member may continue to have access to a project even after the invited group, which the member was part of, is deleted. This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N</code>, 6.8). 
We have requested a CVE ID and will update this blog post when it is assigned.</p> <p>This vulnerability was discovered internally by a member of the GitLab team.</p> <h2 id="specially-crafted-requests-to-apollo_upload_server-middleware-leads-to-denial-of-service">Specially crafted requests to apollo_upload_server middleware leads to denial of service</h2> <p>A Denial Of Service vulnerability in the apollo_upload_server Ruby gem in GitLab CE/EE version 11.11 and above allows an attacker to deny access to all users via specially crafted requests to the apollo_upload_server middleware. This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H</code>, 6.5). We have requested a CVE ID and will update this blog post when it is assigned.</p> <p>Thanks 0xn3va for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="privilege-escalation-of-an-external-user-through-project-token">Privilege escalation of an external user through project token</h2> <p>A user account with 'external' status which is granted the 'Maintainer' role on any project on a GitLab instance where 'project tokens' are allowed may elevate its privilege to 'Internal' and access Internal projects. This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N</code>, 5.5). We have requested a CVE ID and will update this blog post when it is assigned.</p> <p>Thanks @joaxcar for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="missing-access-control-allows-non-admin-users-to-addremove-jira-connect-namespaces">Missing access control allows non-admin users to add/remove Jira Connect Namespaces</h2> <p>Missing access control in GitLab version 13.10 and above with the Jira Cloud integration enabled allows Jira users without administrative privileges to add and remove Jira Connect Namespaces via the GitLab.com for Jira Cloud application configuration page. 
This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L</code>, 5.4). We have requested a CVE ID and will update this blog post when it is assigned.</p> <p>Thanks updatelap for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="user-enumeration-on-private-instances">User enumeration on private instances</h2> <p>An issue has been discovered in GitLab affecting all versions starting from 14.0 before 14.0.9, all versions starting from 14.1 before 14.1.4, all versions starting from 14.2 before 14.2.2. The route for /user.keys is not restricted on instances with public visibility disabled. This allows user enumeration on such instances. This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N</code>, 5.3). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22257">CVE-2021-22257</a>.</p> <p>GitLab would like to thank a customer who reported this issue.</p> <p>Upgrade note: Please be aware that the fix for this finding makes the <code>/:username.keys</code> and <code>/api/v4/users/:id/keys</code> endpoints behave the same. The result is that these endpoints will not be publicly accessible when the restricted public visibility setting is enabled by the instance admin. This could result in some workflows breaking. In this situation, the solution would be to create a Personal Access Token with the <code>read_user</code> scope.</p> <h2 id="member-e-mails-can-be-revealed-via-project-importexport-feature">Member e-mails can be revealed via project import/export feature</h2> <p>The project import/export feature in GitLab 8.9 and greater could be used to obtain otherwise private email addresses. This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 4.3). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22258">CVE-2021-22258</a>.</p> <p>Thanks ngalog for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="stored-xss-in-jira-integration">Stored XSS in Jira integration</h2> <p>A stored Cross-Site Scripting vulnerability in the Jira integration in GitLab version 13.7 and above allows an attacker to execute arbitrary JavaScript code on the victim's behalf via malicious Jira API responses. This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N</code>, 4.0). We have requested a CVE ID and will update this blog post when it is assigned.</p> <p>Thanks thornguyen for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="stored-xss-in-markdown-via-the-design-reference">Stored XSS in markdown via the Design reference</h2> <p>An issue has been discovered in GitLab affecting all versions starting with 13.3. GitLab was vulnerable to a stored XSS by using the design feature in issues. This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N</code>, 6.8). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22238">CVE-2021-22238</a>.</p> <p>Thanks vakzz for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="update-curl">Update cURL</h2> <p>The version of cURL included in GitLab Omnibus has been updated to 7.77.0 in order to mitigate security concerns.</p> <h3 id="versions-affected">Versions affected</h3> <p>Affects all versions of GitLab Omnibus</p> <h2 id="update-postgresql">Update PostgreSQL</h2> <p>The version of PostgreSQL that is bundled with GitLab Omnibus was updated to 12.7 in order to mitigate security concerns.</p> <h3 id="versions-affected-1">Versions affected</h3> <p>Affects all versions of GitLab Omnibus</p> <h2 id="patch-nginx">Patch nginx</h2> <p>A patch was applied in GitLab Omnibus version 14.0.9 to mitigate a security concern related to nginx. Versions 14.1 and later already contain fixes for this security concern.</p> <h3 id="versions-affected-2">Versions affected</h3> <p>Affects GitLab Omnibus 14.0 until 14.0.9</p> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">Update page</a>. To update Gitlab Runner, see the <a href="https://docs.gitlab.com/runner/install/linux-repository.html#updating-the-runner">Updating the Runner page</a>.</p> <h2 id="receive-security-release-notifications">Receive Security Release Notifications</h2> <p>To receive security release blog notifications delivered to your inbox, visit our <a href="https://about.gitlab.com/company/contact/">contact us</a> page. 
To receive release notifications via RSS, subscribe to our <a href="https://about.gitlab.com/security-releases.xml">security release RSS feed</a> or our <a href="https://about.gitlab.com/all-releases.xml">RSS feed for all releases</a>.</p> <p><strong>GitLab Security Release: 14.1.2, 14.0.7, and 13.12.9</strong> (<a href="https://about.gitlab.com/releases/2021/08/03/security-release-gitlab-14-1-2-released/">https://about.gitlab.com/releases/2021/08/03/security-release-gitlab-14-1-2-released/</a>, published 2021-08-03T00:00:00+00:00, by Dominic Couture)</p> <p>Today we are releasing versions 14.1.2, 14.0.7, and 13.12.9 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.</p> <p>GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our <a href="https://about.gitlab.com/security/faq/">security FAQ</a>. You can see all of our regular and security release blog posts <a href="/releases/categories/releases/">here</a>. In addition, the issues detailing each vulnerability are made public on our <a href="https://gitlab.com/gitlab-org/gitlab/issues?label_name%5B%5D=security&amp;scope=all&amp;state=opened">issue tracker</a> 30 days after the release in which they were patched.</p> <p>We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. 
You can read more <a href="/blog/gitlab-instance-security-best-practices/">best practices in securing your GitLab instance</a> in our blog post.</p> <h3 id="recommended-action">Recommended Action</h3> <p>We <strong>strongly recommend</strong> that all installations running a version affected by the issues described below are <strong>upgraded to the latest version as soon as possible</strong>.</p> <h2 id="table-of-fixes">Table of Fixes</h2> <table> <thead> <tr> <th>Title</th> <th>Severity</th> </tr> </thead> <tbody> <tr> <td><a href="#stored-xss-in-mermaid-when-viewing-markdown-files">Stored XSS in Mermaid when viewing Markdown files</a></td> <td>high</td> </tr> <tr> <td><a href="#stored-xss-in-default-branch-name">Stored XSS in default branch name</a></td> <td>high</td> </tr> <tr> <td><a href="#perform-git-actions-with-an-impersonation-token-even-if-impersonation-is-disabled">Perform Git actions with an impersonation token even if impersonation is disabled</a></td> <td>medium</td> </tr> <tr> <td><a href="#tag-and-branch-name-confusion-allows-developer-to-access-protected-ci-variables">Tag and branch name confusion allows Developer to access protected CI variables</a></td> <td>medium</td> </tr> <tr> <td><a href="#new-subscriptions-generate-oauth-tokens-on-an-incorrect-oauth-client-application">New subscriptions generate OAuth tokens on an incorrect OAuth client application</a></td> <td>medium</td> </tr> <tr> <td><a href="#ability-to-list-and-delete-impersonation-tokens-for-your-own-user">Ability to list and delete impersonation tokens for your own user</a></td> <td>medium</td> </tr> <tr> <td><a href="#pipelines-page-is-partially-visible-for-users-that-have-no-right-to-see-cicd">Pipelines page is partially visible for users that have no right to see CI/CD</a></td> <td>medium</td> </tr> <tr> <td><a href="#improper-email-validation-on-an-invite-url">Improper email validation on an invite URL</a></td> <td>medium</td> </tr> <tr> <td><a 
href="#unauthorised-user-was-able-to-add-meta-data-upon-issue-creation">Unauthorised user was able to add meta data upon issue creation</a></td> <td>medium</td> </tr> <tr> <td><a href="#unauthorized-user-can-trigger-deployment-to-a-protected-environment">Unauthorized user can trigger deployment to a protected environment</a></td> <td>medium</td> </tr> <tr> <td><a href="#guest-in-private-project-can-see-cicd-analytics">Guest in private project can see CI/CD Analytics</a></td> <td>medium</td> </tr> <tr> <td><a href="#guest-users-can-create-issues-for-sentry-errors-and-track-their-status">Guest users can create issues for Sentry errors and track their status</a></td> <td>medium</td> </tr> <tr> <td><a href="#private-user-email-disclosure-via-group-invitation">Private user email disclosure via group invitation</a></td> <td>medium</td> </tr> <tr> <td><a href="#projects-are-allowed-to-add-members-with-email-address-domain-that-should-be-blocked-by-group-settings">Projects are allowed to add members with email address domain that should be blocked by group settings</a></td> <td>medium</td> </tr> <tr> <td><a href="#misleading-username-could-lead-to-impersonation-in-using-ssh-certificates">Misleading username could lead to impersonation in using SSH Certificates</a></td> <td>low</td> </tr> <tr> <td><a href="#unauthorized-user-is-able-to-access-and-view-project-vulnerability-reports">Unauthorized user is able to access and view project vulnerability reports</a></td> <td>low</td> </tr> <tr> <td><a href="#denial-of-service-in-repository-caused-by-malformed-commit-author">Denial of service in repository caused by malformed commit author</a></td> <td>low</td> </tr> </tbody> </table> <h2 id="stored-xss-in-mermaid-when-viewing-markdown-files">Stored XSS in Mermaid when viewing Markdown files</h2> <p>Insufficient input sanitization in Mermaid markdown in GitLab CE/EE version 11.4 and up allows an attacker to exploit a stored cross-site scripting vulnerability via a specially-crafted 
markdown. This is a high severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N</code>, 8.7). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22242">CVE-2021-22242</a>.</p> <p>Thanks @saleemrashid for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="note">Note</h3> <p>Users will no longer be able to configure the <code>htmlLabels</code> setting in Mermaid charts.</p> <h2 id="stored-xss-in-default-branch-name">Stored XSS in default branch name</h2> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.4. It was possible to exploit a stored cross-site scripting vulnerability via a specifically crafted default branch name. This is a high severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N</code>, 8.7). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22241">CVE-2021-22241</a>.</p> <p>Thanks <a href="https://hackerone.com/joaxcar">joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="perform-git-actions-with-an-impersonation-token-even-if-impersonation-is-disabled">Perform Git actions with an impersonation token even if impersonation is disabled</h2> <p>Under specialized conditions, GitLab may allow a user with an impersonation token to perform Git actions even if impersonation is disabled. This vulnerability is present in GitLab CE/EE versions before 13.12.9, 14.0.7, and 14.1.2. This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H</code>, 6.6).
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22237">CVE-2021-22237</a>.</p> <p>GitLab would like to thank a customer who reported this issue.</p> <h2 id="tag-and-branch-name-confusion-allows-developer-to-access-protected-ci-variables">Tag and branch name confusion allows Developer to access protected CI variables</h2> <p>A confusion between tag and branch names in GitLab CE/EE affecting all versions since 13.7 allowed a Developer to access protected CI variables which should only be accessible to Maintainers. This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N</code>, 6.5). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22252">CVE-2021-22252</a>.</p> <p>Thanks @rodrigopetter for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="new-subscriptions-generate-oauth-tokens-on-an-incorrect-oauth-client-application">New subscriptions generate OAuth tokens on an incorrect OAuth client application</h2> <p>Due to improper handling of OAuth client IDs, new subscriptions generated OAuth tokens on an incorrect OAuth client application. This vulnerability is present in GitLab CE/EE since version 14.1. This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L</code>, 5.5). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22236">CVE-2021-22236</a>.</p> <p>This vulnerability was found internally by the GitLab team.</p> <h2 id="ability-to-list-and-delete-impersonation-tokens-for-your-own-user">Ability to list and delete impersonation tokens for your own user</h2> <p>Improper authorization in GitLab CE/EE affecting all versions since 13.3 allowed users to view and delete impersonation tokens that administrators created for their account.
This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N</code>, 5.4). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22250">CVE-2021-22250</a>.</p> <p>Thanks @jimeno for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="pipelines-page-is-partially-visible-for-users-that-have-no-right-to-see-cicd">Pipelines page is partially visible for users that have no right to see CI/CD</h2> <p>Improper authorization on the pipelines page in GitLab CE/EE affecting all versions since 13.12 allowed unauthorized users to view some pipeline information for public projects that have access to pipelines restricted to members only. This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N</code>, 5.3). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22248">CVE-2021-22248</a>.</p> <p>This vulnerability has been discovered internally by the GitLab team.</p> <h2 id="improper-email-validation-on-an-invite-url">Improper email validation on an invite URL</h2> <p>Under specialized conditions, GitLab CE/EE versions starting from 7.10 may allow existing GitLab users to use an invite URL meant for another email address to gain access into a group. This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L</code>, 5.0). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22243">CVE-2021-22243</a>.</p> <p>This vulnerability was found internally by the GitLab team.</p> <h2 id="unauthorised-user-was-able-to-add-meta-data-upon-issue-creation">Unauthorised user was able to add meta data upon issue creation</h2> <p>An unauthorized user was able to insert metadata when creating a new issue on GitLab CE/EE 14.0 and later.
This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N</code>, 5.0). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22239">CVE-2021-22239</a>.</p> <p>This vulnerability has been discovered internally by the GitLab team.</p> <h2 id="unauthorized-user-can-trigger-deployment-to-a-protected-environment">Unauthorized user can trigger deployment to a protected environment</h2> <p>Improper authorization in GitLab EE affecting all versions since 13.4 allowed a user who previously had the necessary access to trigger deployments to protected environments under specific conditions after the access has been removed. This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:L</code>, 4.9). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22253">CVE-2021-22253</a>.</p> <p>Thanks @vaib25vicky for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="guest-in-private-project-can-see-cicd-analytics">Guest in private project can see CI/CD Analytics</h2> <p>Improper authorization in GitLab CE/EE affecting all versions since 13.0 allows guests in private projects to view CI/CD analytics. This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22247">CVE-2021-22247</a>.</p> <p>Thanks @ashish_r_padelkar for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="guest-users-can-create-issues-for-sentry-errors-and-track-their-status">Guest users can create issues for Sentry errors and track their status</h2> <p>Improper authorization in GitLab CE/EE affecting all versions since 12.6 allowed guest users to create issues for Sentry errors and track their status.
This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22256">CVE-2021-22256</a>.</p> <p>Thanks @maruthi12 for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="private-user-email-disclosure-via-group-invitation">Private user email disclosure via group invitation</h2> <p>A verbose error message in GitLab EE affecting all versions since 12.2 could disclose the private email address of a user invited to a group. This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22249">CVE-2021-22249</a>.</p> <p>Thanks @jimeno for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="projects-are-allowed-to-add-members-with-email-address-domain-that-should-be-blocked-by-group-settings">Projects are allowed to add members with email address domain that should be blocked by group settings</h2> <p>Improper validation of invited users' email addresses in GitLab EE affecting all versions since 12.2 allowed projects to add members with an email address domain that should be blocked by group settings. This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22251">CVE-2021-22251</a>.</p> <p>Thanks @ashish_r_padelkar for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="misleading-username-could-lead-to-impersonation-in-using-ssh-certificates">Misleading username could lead to impersonation in using SSH Certificates</h2> <p>Under very specific conditions a user could be impersonated using GitLab Shell.
This vulnerability affects GitLab CE/EE 13.1 and later through 14.1.2, 14.0.7 and 13.12.9. This is a low severity issue (<code>CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 3.1). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22254">CVE-2021-22254</a>.</p> <p>Thanks ledz1996 for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="unauthorized-user-is-able-to-access-and-view-project-vulnerability-reports">Unauthorized user is able to access and view project vulnerability reports</h2> <p>Improper authorization in the vulnerability report feature in GitLab EE affecting all versions since 13.1 allowed a reporter to access vulnerability data. This is a low severity issue (<code>CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 3.1). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22244">CVE-2021-22244</a>.</p> <p>Thanks @vaib25vicky for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="denial-of-service-in-repository-caused-by-malformed-commit-author">Denial of service in repository caused by malformed commit author</h2> <p>Improper validation of the commit author in GitLab CE/EE affecting all versions allowed an attacker to make several pages in a project impossible to view. This is a low severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L</code>, 2.7).
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22245">CVE-2021-22245</a>.</p> <p>Thanks @stanlyoncm for reporting this vulnerability through our HackerOne bug bounty program.</p> <h2 id="update-mattermost">Update Mattermost</h2> <p>Mattermost has been upgraded to 5.35.4 in order to mitigate security concerns.</p> <h3 id="versions-affected">Versions affected</h3> <p>Affects GitLab Omnibus versions 13.10 and later.</p> <h2 id="update-oauth-ruby-gem">Update oauth ruby gem</h2> <p>The oauth ruby gem has been upgraded to 0.5.6 in order to mitigate security concerns.</p> <h3 id="versions-affected-1">Versions affected</h3> <p>Affects versions 10.6 and later.</p> <h2 id="update-libgcrypt">Update libgcrypt</h2> <p>libgcrypt has been upgraded to 1.9.3 in order to mitigate security concerns.</p> <h3 id="versions-affected-2">Versions affected</h3> <p>Affects all previous versions of GitLab Omnibus.</p> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">Update page</a>. To update GitLab Runner, see the <a href="https://docs.gitlab.com/runner/install/linux-repository.html#updating-the-runner">Updating the Runner page</a>.</p> <h2 id="receive-security-release-notifications">Receive Security Release Notifications</h2> <p>To receive security release blog notifications delivered to your inbox, visit our <a href="https://about.gitlab.com/company/contact/">contact us</a> page.
To receive release notifications via RSS, subscribe to our <a href="https://about.gitlab.com/security-releases.xml">security release RSS feed</a> or our <a href="https://about.gitlab.com/all-releases.xml">RSS feed for all releases</a>.</p> GitLab Critical Security Release: 14.0.4, 13.12.8, and 13.11.7 https://about.gitlab.com/releases/2021/07/07/critical-security-release-gitlab-14-0-4-released/ 2021-07-07T00:00:00+00:00 2021-07-07T00:00:00+00:00 Costel Maxim <p>Today we are releasing versions 14.0.4, 13.12.8, and 13.11.7 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.</p> <p>GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our <a href="https://about.gitlab.com/security/faq/">security FAQ</a>. You can see all of our regular and security release blog posts <a href="/releases/categories/releases/">here</a>. In addition, the issues detailing each vulnerability are made public on our <a href="https://gitlab.com/gitlab-org/gitlab/issues?label_name%5B%5D=security&amp;scope=all&amp;state=opened">issue tracker</a> 30 days after the release in which they were patched.</p> <p>We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version.
You can read more <a href="/blog/gitlab-instance-security-best-practices/">best practices in securing your GitLab instance</a> in our blog post.</p> <h2 id="table-of-fixes">Table of Fixes</h2> <table> <thead> <tr> <th>Title</th> <th>Severity</th> </tr> </thead> <tbody> <tr> <td><a href="#arbitrary-file-read-via-design-feature">Arbitrary file read via design feature</a></td> <td>critical</td> </tr> </tbody> </table> <h2 id="arbitrary-file-read-via-design-feature">Arbitrary file read via design feature</h2> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting with 13.11, 13.12 and 14.0. A specially crafted <a href="https://docs.gitlab.com/ee/user/project/issues/design_management.html">design</a> allowed attackers to read arbitrary files on the server. This is a critical severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N</code>, 9.6). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22234">CVE-2021-22234</a>.</p> <p>Thanks <a href="https://hackerone.com/vakzz">vakzz</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="remediation">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are <strong>upgraded to the latest version as soon as possible</strong>.</p> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">Update page</a>. To update GitLab Runner, see the <a href="https://docs.gitlab.com/runner/install/linux-repository.html#updating-the-runner">Updating the Runner page</a>.</p> <h2 id="receive-security-release-notifications">Receive Security Release Notifications</h2> <p>To receive security release blog notifications delivered to your inbox, visit our <a href="https://about.gitlab.com/company/contact/">contact us</a> page.
To receive release notifications via RSS, subscribe to our <a href="https://about.gitlab.com/security-releases.xml">security release RSS feed</a> or our <a href="https://about.gitlab.com/all-releases.xml">RSS feed for all releases</a>.</p> GitLab Security Release: 14.0.2, 13.12.6, and 13.11.6 https://about.gitlab.com/releases/2021/07/01/security-release-gitlab-14-0-2-released/ 2021-07-01T00:00:00+00:00 2021-07-01T00:00:00+00:00 Costel Maxim <p>Today we are releasing versions 14.0.2, 13.12.6, and 13.11.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.</p> <p>GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our <a href="https://about.gitlab.com/security/faq/">security FAQ</a>. You can see all of our regular and security release blog posts <a href="/releases/categories/releases/">here</a>. In addition, the issues detailing each vulnerability are made public on our <a href="https://gitlab.com/gitlab-org/gitlab/issues?label_name%5B%5D=security&amp;scope=all&amp;state=opened">issue tracker</a> 30 days after the release in which they were patched.</p> <p>We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version.
You can read more <a href="/blog/gitlab-instance-security-best-practices/">best practices in securing your GitLab instance</a> in our blog post.</p> <h2 id="table-of-fixes">Table of Fixes</h2> <table> <thead> <tr> <th>Title</th> <th>Severity</th> </tr> </thead> <tbody> <tr> <td><a href="#dos-using-webhook-connections">DoS using Webhook connections</a></td> <td>high</td> </tr> <tr> <td><a href="#csrf-on-graphql-api-allows-executing-mutations-through-get-requests">CSRF on GraphQL API allows executing mutations through GET requests</a></td> <td>high</td> </tr> <tr> <td><a href="#private-projects-information-disclosure">Private projects information disclosure</a></td> <td>medium</td> </tr> <tr> <td><a href="#single-sign-on-users-not-getting-blocked">Single sign-on users not getting blocked</a></td> <td>medium</td> </tr> <tr> <td><a href="#some-users-can-push-to-protected-branch-with-deploy-keys">Some users can push to Protected Branch with Deploy keys</a></td> <td>medium</td> </tr> <tr> <td><a href="#a-deactivated-user-can-access-data-through-graphql">A deactivated user can access data through GraphQL</a></td> <td>medium</td> </tr> <tr> <td><a href="#reflected-xss-in-release-edit-page">Reflected XSS in release edit page</a></td> <td>medium</td> </tr> <tr> <td><a href="#clipboard-dom-based-xss">Clipboard DOM-based XSS</a></td> <td>medium</td> </tr> <tr> <td><a href="#stored-xss-on-audit-log">Stored XSS on Audit Log</a></td> <td>medium</td> </tr> <tr> <td><a href="#forks-of-public-projects-by-project-members-could-leak-codebase">Forks of public projects by project members could leak codebase</a></td> <td>medium</td> </tr> <tr> <td><a href="#improper-text-rendering">Improper text rendering</a></td> <td>medium</td> </tr> <tr> <td><a href="#html-injection-in-full-name-field">HTML Injection in full name field</a></td> <td>low</td> </tr> <tr> <td><a href="#denial-of-service-of-user-profile-page">Denial of service of user profile page</a></td> <td>medium</td> </tr> <tr>
<td><a href="#update-nokogiri">Update Nokogiri</a></td> <td>low</td> </tr> <tr> <td><a href="#update-mattermost">Update Mattermost</a></td> <td>medium</td> </tr> <tr> <td><a href="#update-redis">Update Redis</a></td> <td>medium</td> </tr> <tr> <td><a href="#update-rdoc">Update Rdoc</a></td> <td>medium</td> </tr> <tr> <td><a href="#update-libxml2">Update libxml2</a></td> <td>medium</td> </tr> <tr> <td><a href="#update-rails-gem">Update Rails gem</a></td> <td>medium</td> </tr> </tbody> </table> <h2 id="dos-using-webhook-connections">DoS using Webhook connections</h2> <p>A vulnerability was discovered in GitLab versions before 14.0.2, 13.12.6, and 13.11.6. The GitLab Webhook feature could be abused to perform denial of service attacks. This is a high severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H</code>, 7.7). We have requested a CVE ID and will update this blog post when it is assigned.</p> <p>Thanks <a href="https://hackerone.com/afewgoats">afewgoats</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="remediation">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are <strong>upgraded to the latest version as soon as possible</strong>.</p> <h2 id="csrf-on-graphql-api-allows-executing-mutations-through-get-requests">CSRF on GraphQL API allows executing mutations through GET requests</h2> <p>A cross-site request forgery vulnerability in the GraphQL API in GitLab since version 13.12 and before versions 13.12.6 and 14.0.2 allowed an attacker to call mutations as the victim. This is a high severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N</code>, 7.1).
We have requested a CVE ID and will update this blog post when it is assigned.</p> <p>Thanks <a href="https://hackerone.com/az3z3l">az3z3l</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="remediation-1">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are <strong>upgraded to the latest version as soon as possible</strong>.</p> <h2 id="private-projects-information-disclosure">Private projects information disclosure</h2> <p>An information disclosure vulnerability was found in GitLab EE versions 13.10 and later that allowed a user to read project details. This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 4.3). We have requested a CVE ID and will update this blog post when it is assigned.</p> <p>Thanks <a href="https://hackerone.com/0xn3va">0xn3va</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="remediation-2">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are <strong>upgraded to the latest version as soon as possible</strong>.</p> <h2 id="single-sign-on-users-not-getting-blocked">Single sign-on users not getting blocked</h2> <p>Improper access control in GitLab EE before versions 13.11.6, 13.12.6, and 14.0.2 allowed users to be created via single sign-on despite the user cap being enabled. This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N</code>, 4.2).
We have requested a CVE ID and will update this blog post when it is assigned.</p> <p>Thanks <a href="https://hackerone.com/bingomzan">bingomzan</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="remediation-3">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are <strong>upgraded to the latest version as soon as possible</strong>.</p> <h2 id="some-users-can-push-to-protected-branch-with-deploy-keys">Some users can push to Protected Branch with Deploy keys</h2> <p>Under certain conditions, some users were able to push to protected branches that were restricted to deploy keys in GitLab CE/EE since version 13.9. This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N</code>, 6.5). We have requested a CVE ID and will update this blog post when it is assigned.</p> <p>This vulnerability has been discovered internally by the GitLab team.</p> <h3 id="remediation-4">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are <strong>upgraded to the latest version as soon as possible</strong>.</p> <h2 id="a-deactivated-user-can-access-data-through-graphql">A deactivated user can access data through GraphQL</h2> <p>An issue has been discovered in GitLab affecting all versions. Improper access control allows unauthorised users to access project details using GraphQL. This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N</code>, 6.5).
We have requested a CVE ID and will update this blog post when it is assigned.</p> <p>Thanks <a href="https://hackerone.com/joaxcar">joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="remediation-5">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are <strong>upgraded to the latest version as soon as possible</strong>.</p> <h2 id="reflected-xss-in-release-edit-page">Reflected XSS in release edit page</h2> <p>A reflected cross-site scripting vulnerability in GitLab before versions 13.11.6, 13.12.6 and 14.0.2 allowed an attacker to send a malicious link to a victim and trigger actions on their behalf if they clicked it. This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N</code>, 6.1). We have requested a CVE ID and will update this blog post when it is assigned.</p> <p>Thanks <a href="https://hackerone.com/ashish_r_padelkar">ashish_r_padelkar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="remediation-6">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are <strong>upgraded to the latest version as soon as possible</strong>.</p> <h2 id="clipboard-dom-based-xss">Clipboard DOM-based XSS</h2> <p>Improper input sanitization in markdown in GitLab CE/EE version 13.11 and up allowed an attacker to exploit a stored cross-site scripting vulnerability via a specially-crafted input. This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N</code>, 4.7). 
We have requested a CVE ID and will update this blog post when it is assigned.</p> <p>Thanks <a href="https://hackerone.com/vovohelo">vovohelo</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="remediation-7">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are <strong>upgraded to the latest version as soon as possible</strong>.</p> <h2 id="stored-xss-on-audit-log">Stored XSS on Audit Log</h2> <p>Client-side code injection through the feature flag name, starting with GitLab CE/EE 11.9, allows a specially crafted feature flag name to issue PUT requests on behalf of other users when they click on a link. This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N</code>, 6.1). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22223">CVE-2021-22223</a>.</p> <p>Thanks <a href="https://hackerone.com/yvvdwf">yvvdwf</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="remediation-8">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are <strong>upgraded to the latest version as soon as possible</strong>.</p> <h2 id="forks-of-public-projects-by-project-members-could-leak-codebase">Forks of public projects by project members could leak codebase</h2> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting with 12.8. Under a special condition it was possible to access data of an internal repository through a project fork done by a project member. This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N</code>, 5.9).
We have requested a CVE ID and will update this blog post when it is assigned.</p> <p>This vulnerability has been discovered internally by the GitLab team.</p> <h3 id="remediation-9">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are <strong>upgraded to the latest version as soon as possible</strong>.</p> <h2 id="improper-text-rendering">Improper text rendering</h2> <p>Improper text rendering while rendering merge requests could be exploited to submit malicious code. This vulnerability affects GitLab CE/EE 9.3 and later through 13.11.6, 13.12.6, and 14.0.2. This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N</code>, 4.9). We have requested a CVE ID and will update this blog post when it is assigned.</p> <p>This vulnerability has been discovered internally by the GitLab team.</p> <h3 id="remediation-10">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are <strong>upgraded to the latest version as soon as possible</strong>.</p> <h2 id="html-injection-in-full-name-field">HTML Injection in full name field</h2> <p>HTML injection was possible via the full name field before versions 13.11.6, 13.12.6, and 14.0.2 in GitLab CE. This is a high severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N</code>, 3.5). 
We have requested a CVE ID and will update this blog post when it is assigned.</p> <p>Thanks <a href="https://hackerone.com/andor404">andor404</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="remediation-11">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are <strong>upgraded to the latest version as soon as possible</strong>.</p> <h2 id="denial-of-service-of-user-profile-page">Denial of service of user profile page</h2> <p>A denial of service in the user profile page, present starting with GitLab CE/EE 8.0, allows an attacker to deny access to their profile page by using a specially crafted username. This is a low severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:L/UI:L/S:U/C:N/I:N/A:L</code>, 3.5). We have requested a CVE ID and will update this blog post when it is assigned.</p> <p>Thanks <a href="https://hackerone.com/maruthi12">maruthi12</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="remediation-12">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are <strong>upgraded to the latest version as soon as possible</strong>.</p> <h2 id="update-nokogiri">Update Nokogiri</h2> <p>Nokogiri has been upgraded to 1.11.4 in order to mitigate security concerns.</p> <h3 id="versions-affected">Versions affected</h3> <p>Affects all versions.</p> <h3 id="remediation-13">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are <strong>upgraded to the latest version as soon as possible</strong>.</p> <h2 id="update-mattermost">Update Mattermost</h2> <p>Mattermost has been upgraded to 5.33.5 in order to mitigate security concerns.</p> <h3 id="versions-affected-1">Versions affected</h3> <p>Affects versions 13.10 and later.</p> <h3 id="remediation-14">Remediation</h3> <p>We <strong>strongly recommend</strong>
that all installations running an affected version above are <strong>upgraded to the latest version as soon as possible</strong>.</p> <h2 id="update-redis">Update Redis</h2> <p>Redis has been upgraded to 6.0.14 in order to mitigate security concerns.</p> <h3 id="versions-affected-2">Versions affected</h3> <p>Affects versions 13.9 and later.</p> <h3 id="remediation-15">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are <strong>upgraded to the latest version as soon as possible</strong>.</p> <h2 id="update-rdoc">Update Rdoc</h2> <p>Rdoc has been upgraded to 6.3.1 in order to mitigate security concerns.</p> <h3 id="versions-affected-3">Versions affected</h3> <p>Affects all versions.</p> <h3 id="remediation-16">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are <strong>upgraded to the latest version as soon as possible</strong>.</p> <h2 id="update-libxml2">Update libxml2</h2> <p>libxml2 has been upgraded to 2.9.11 in order to mitigate security concerns.</p> <h3 id="versions-affected-4">Versions affected</h3> <p>Affects all versions.</p> <h3 id="remediation-17">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are <strong>upgraded to the latest version as soon as possible</strong>.</p> <h2 id="update-rails-gem">Update Rails gem</h2> <p>The Rails gem has been upgraded to 6.0.3.7 in order to mitigate security concerns.</p> <h3 id="versions-affected-5">Versions affected</h3> <p>Affects all versions.</p> <h3 id="remediation-18">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are <strong>upgraded to the latest version as soon as possible</strong>.</p> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">Update page</a>. 
To update GitLab Runner, see the <a href="https://docs.gitlab.com/runner/install/linux-repository.html#updating-the-runner">Updating the Runner page</a>.</p> <h2 id="receive-security-release-notifications">Receive Security Release Notifications</h2> <p>To receive security release blog notifications delivered to your inbox, visit our <a href="https://about.gitlab.com/company/contact/">contact us</a> page. To receive release notifications via RSS, subscribe to our <a href="https://about.gitlab.com/security-releases.xml">security release RSS feed</a> or our <a href="https://about.gitlab.com/all-releases.xml">RSS feed for all releases</a>.</p> GitLab Security Release: 13.12.2, 13.11.5, and 13.10.5 https://about.gitlab.com/releases/2021/06/01/security-release-gitlab-13-12-2-released/ 2021-06-01T00:00:00+00:00 2021-06-01T00:00:00+00:00 Michael Henriksen <p>Today we are releasing versions 13.12.2, 13.11.5, and 13.10.5 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.</p> <p>GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our <a href="https://about.gitlab.com/security/faq/">security FAQ</a>. You can see all of our regular and security release blog posts <a href="/releases/categories/releases/">here</a>. 
In addition, the issues detailing each vulnerability are made public on our <a href="https://gitlab.com/gitlab-org/gitlab/issues?label_name%5B%5D=security&amp;scope=all&amp;state=opened">issue tracker</a> 30 days after the release in which they were patched.</p> <p>We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more <a href="/blog/gitlab-instance-security-best-practices/">best practices in securing your GitLab instance</a> in our blog post.</p> <h2 id="additional-notes">Additional notes</h2> <p>In GitLab 13.10 the CI Lint API started requiring <a href="https://docs.gitlab.com/ee/api/#authentication">authentication</a> for GitLab instances where registration is disabled. Starting with this release, the CI Lint API endpoint will also require authentication when registration is limited (for example where an email domain allowlist is configured).</p> <p>This version also includes a data migration to fix some records with incorrect data that causes 2FA to not be enforced for some users even if they are members of groups that require it. The root cause for the issue was already fixed but some records created before the fix need to be corrected. 
The migration is a background migration that will be scheduled in batches of 10,000 users at two minute intervals.</p> <h2 id="table-of-fixes">Table of Fixes</h2> <table> <thead> <tr> <th>Title</th> <th>Severity</th> </tr> </thead> <tbody> <tr> <td><a href="#stealing-gitlab-oauth-access-tokens-using-xsleaks-in-safari">Stealing GitLab OAuth access tokens using XSLeaks in Safari</a></td> <td>high</td> </tr> <tr> <td><a href="#denial-of-service-through-recursive-triggered-pipelines">Denial of service through recursive triggered pipelines</a></td> <td>high</td> </tr> <tr> <td><a href="#unauthenticated-ci-lint-api-may-lead-to-information-disclosure-and-ssrf">Unauthenticated CI lint API may lead to information disclosure and SSRF</a></td> <td>medium</td> </tr> <tr> <td><a href="#server-side-dos-through-rendering-crafted-markdown-documents">Server-side DoS through rendering crafted Markdown documents</a></td> <td>medium</td> </tr> <tr> <td><a href="#issue-and-merge-request-length-limit-is-not-being-enforced">Issue and merge request length limit is not being enforced</a></td> <td>medium</td> </tr> <tr> <td><a href="#insufficient-expired-password-validation">Insufficient Expired Password Validation</a></td> <td>medium</td> </tr> <tr> <td><a href="#xss-in-blob-viewer-of-notebooks">XSS in blob viewer of notebooks</a></td> <td>medium</td> </tr> <tr> <td><a href="#logging-of-sensitive-information">Logging of Sensitive Information</a></td> <td>medium</td> </tr> <tr> <td><a href="#on-call-rotation-information-exposed-when-removing-a-member">On-call rotation information exposed when removing a member</a></td> <td>low</td> </tr> <tr> <td><a href="#spoofing-commit-author-for-signed-commits">Spoofing commit author for signed commits</a></td> <td>low</td> </tr> </tbody> </table> <h2 id="stealing-gitlab-oauth-access-tokens-using-xsleaks-in-safari">Stealing GitLab OAuth access tokens using XSLeaks in Safari</h2> <p>A cross-site leak vulnerability in the OAuth flow of all versions of 
GitLab CE/EE since 7.10 allowed an attacker to leak an OAuth access token by getting the victim to visit a malicious page with Safari. This is a high severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H</code>, 8.8). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22213">CVE-2021-22213</a>.</p> <p>Thanks hubblebubble for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="remediation">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are <strong>upgraded to the latest version as soon as possible</strong>.</p> <h2 id="denial-of-service-through-recursive-triggered-pipelines">Denial of service through recursive triggered pipelines</h2> <p>A denial of service vulnerability in GitLab CE/EE affecting all versions since 11.8 allows an attacker to create a recursive pipeline relationship and exhaust resources. This is a high severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H</code>, 7.7). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22181">CVE-2021-22181</a>.</p> <p>This vulnerability has been discovered internally by the GitLab team.</p> <h3 id="remediation-1">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are <strong>upgraded to the latest version as soon as possible</strong>.</p> <h2 id="unauthenticated-ci-lint-api-may-lead-to-information-disclosure-and-ssrf">Unauthenticated CI lint API may lead to information disclosure and SSRF</h2> <p>When requests to the internal network for webhooks are enabled, a server-side request forgery vulnerability in GitLab CE/EE affecting all versions starting from 10.5 was possible to exploit for an unauthenticated attacker even on a GitLab instance where registration is limited. 
This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N</code>, 6.8). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22214">CVE-2021-22214</a>.</p> <p>Thanks <a href="https://hackerone.com/myster?type=user">@myster</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="remediation-2">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are <strong>upgraded to the latest version as soon as possible</strong>.</p> <h2 id="server-side-dos-through-rendering-crafted-markdown-documents">Server-side DoS through rendering crafted Markdown documents</h2> <p>A denial of service vulnerability in all versions of GitLab CE/EE before 13.12.2, 13.11.5 or 13.10.5 allows an attacker to cause uncontrolled resource consumption with a specially crafted issue or merge request. This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H</code>, 6.5). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22217">CVE-2021-22217</a>.</p> <p>Thanks phli for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="remediation-3">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are <strong>upgraded to the latest version as soon as possible</strong>.</p> <h2 id="issue-and-merge-request-length-limit-is-not-being-enforced">Issue and merge request length limit is not being enforced</h2> <p>A denial of service vulnerability in all versions of GitLab CE/EE before 13.12.2, 13.11.5 or 13.10.5 allows an attacker to cause uncontrolled resource consumption with a very long issue or merge request description. This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H</code>, 6.5). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22216">CVE-2021-22216</a>.</p> <p>This vulnerability has been discovered internally by the GitLab team.</p> <h3 id="remediation-4">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are <strong>upgraded to the latest version as soon as possible</strong>.</p> <h2 id="insufficient-expired-password-validation">Insufficient Expired Password Validation</h2> <p>An issue has been discovered in GitLab affecting all versions starting from 12.9.0 before 13.10.5, all versions starting from 13.11.0 before 13.11.5, all versions starting from 13.12.0 before 13.12.2. Insufficient expired password validation in various operations allows a user to maintain limited access after their password has expired. This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N</code>, 6.5). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22221">CVE-2021-22221</a>.</p> <p>This vulnerability has been discovered internally by the GitLab team.</p> <h3 id="remediation-5">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are <strong>upgraded to the latest version as soon as possible</strong>.</p> <h2 id="xss-in-blob-viewer-of-notebooks">XSS in blob viewer of notebooks</h2> <p>An issue has been discovered in GitLab affecting all versions starting with 13.10. GitLab was vulnerable to a stored XSS in the blob viewer of notebooks. This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N</code>, 6.1). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22220">CVE-2021-22220</a>.</p> <p>Thanks <a href="https://hackerone.com/yvvdwf">@yvvdwf</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="remediation-6">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are <strong>upgraded to the latest version as soon as possible</strong>.</p> <h2 id="logging-of-sensitive-information">Logging of Sensitive Information</h2> <p>GitLab CE/EE since version 9.5 allows a high privilege user to obtain sensitive information from log files because the sensitive information was not correctly registered for log masking. This is a medium severity issue (<code>CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N</code>, 4.4). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22219">CVE-2021-22219</a>.</p> <p>This vulnerability has been discovered internally by the GitLab team (<a href="https://gitlab.com/dcouture">https://gitlab.com/dcouture</a>).</p> <h3 id="remediation-7">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are <strong>upgraded to the latest version as soon as possible</strong>.</p> <h2 id="on-call-rotation-information-exposed-when-removing-a-member">On-call rotation information exposed when removing a member</h2> <p>An information disclosure vulnerability in GitLab EE versions 13.11 and later allowed a project owner to leak information about the members' on-call rotations in other projects. This is a low severity issue (<code>CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N</code>, 2.7). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22215">CVE-2021-22215</a>.</p> <p>This vulnerability has been discovered internally by the GitLab team.</p> <h3 id="remediation-8">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are <strong>upgraded to the latest version as soon as possible</strong>.</p> <h2 id="spoofing-commit-author-for-signed-commits">Spoofing commit author for signed commits</h2> <p>All versions of GitLab CE/EE starting with 12.8 were affected by an issue in the handling of x509 certificates that could be used to spoof author of signed commits. This is a low severity issue (<code>CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N</code>, 2.6). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22218">CVE-2021-22218</a>.</p> <p>Thanks subbotin for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="remediation-9">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are <strong>upgraded to the latest version as soon as possible</strong>.</p> <h2 id="enable-qsh-verification-for-atlassian-connect">Enable qsh verification for Atlassian Connect</h2> <p>qsh verification has been enabled for Atlassian Connect to address a breaking change in the Atlassian Connect API.</p> <p>If you are using Jira Connect with a self-managed instance you need to update to these latest security releases before June 7th. If you are on GitLab.com, you do not need to do anything. 
For more details see <a href="https://gitlab.com/gitlab-org/gitlab/-/issues/328267">this GitLab issue</a>.</p> <h3 id="versions-affected">Versions affected</h3> <p>Affects all versions of GitLab.</p> <h3 id="remediation-10">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are <strong>upgraded to the latest version as soon as possible</strong>.</p> <h2 id="update-bindata-dependency">Update bindata dependency</h2> <p>The dependency on bindata has been upgraded to 2.4.10 in order to mitigate security concerns.</p> <h3 id="versions-affected-1">Versions affected</h3> <p>Affects versions 12.0 and later.</p> <h3 id="remediation-11">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are <strong>upgraded to the latest version as soon as possible</strong>.</p> <h2 id="update-grafana-dependency">Update grafana dependency</h2> <p>The dependency on Grafana has been upgraded to 7.5.4 in order to mitigate security concerns.</p> <h3 id="versions-affected-2">Versions affected</h3> <p>Affects versions 13.11, 13.10 and 13.9.</p> <h3 id="remediation-12">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are <strong>upgraded to the latest version as soon as possible</strong>.</p> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">Update page</a>. To update Gitlab Runner, see the <a href="https://docs.gitlab.com/runner/install/linux-repository.html#updating-the-runner">Updating the Runner page</a>.</p> <h2 id="receive-security-release-notifications">Receive Security Release Notifications</h2> <p>To receive security release blog notifications delivered to your inbox, visit our <a href="https://about.gitlab.com/company/contact/">contact us</a> page. 
To receive release notifications via RSS, subscribe to our <a href="https://about.gitlab.com/security-releases.xml">security release RSS feed</a> or our <a href="https://about.gitlab.com/all-releases.xml">RSS feed for all releases</a>.</p> GitLab Security Release: 13.11.2, 13.10.4, and 13.9.7 https://about.gitlab.com/releases/2021/04/28/security-release-gitlab-13-11-2-released/ 2021-04-28T00:00:00+00:00 2021-04-28T00:00:00+00:00 Vitor Meireles De Sousa <p>Today we are releasing versions 13.11.2, 13.10.4, and 13.9.7 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.</p> <p>GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our <a href="https://about.gitlab.com/security/faq/">security FAQ</a>. You can see all of our regular and security release blog posts <a href="/releases/categories/releases/">here</a>. In addition, the issues detailing each vulnerability are made public on our <a href="https://gitlab.com/gitlab-org/gitlab/issues?label_name%5B%5D=security&amp;scope=all&amp;state=opened">issue tracker</a> 30 days after the release in which they were patched.</p> <p>We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. 
You can read more <a href="/blog/gitlab-instance-security-best-practices/">best practices in securing your GitLab instance</a> in our blog post.</p> <h2 id="table-of-fixes">Table of Fixes</h2> <table> <thead> <tr> <th>Title</th> <th>Severity</th> </tr> </thead> <tbody> <tr> <td><a href="#read-api-scoped-tokens-can-execute-mutations">Read API scoped tokens can execute mutations</a></td> <td>high</td> </tr> <tr> <td><a href="#pull-mirror-credentials-were-exposed">Pull mirror credentials were exposed</a></td> <td>medium</td> </tr> <tr> <td><a href="#denial-of-service-when-querying-repository-branches-api">Denial of Service when querying repository branches API</a></td> <td>medium</td> </tr> <tr> <td><a href="#non-owners-can-set-system_note_timestamp-when-creating--updating-issues">Non-owners can set system_note_timestamp when creating / updating issues</a></td> <td>medium</td> </tr> <tr> <td><a href="#deploytoken-will-impersonate-a-user-with-the-same-id-when-using-dependency-proxy">DeployToken will impersonate a User with the same ID when using Dependency Proxy</a></td> <td>low</td> </tr> <tr> <td><a href="#update-python-dependency">Update Python dependency</a></td> <td>Dependency Update - critical</td> </tr> <tr> <td><a href="#update-redis-dependency">Update Redis dependency</a></td> <td>Dependency Update - high</td> </tr> <tr> <td><a href="#update-carrierwave-gem">Update carrierwave gem</a></td> <td>Dependency Update - high</td> </tr> <tr> <td><a href="#update-mermaid-npm-package">Update Mermaid npm package</a></td> <td>Dependency Update - high</td> </tr> </tbody> </table> <h2 id="read-api-scoped-tokens-can-execute-mutations">Read API scoped tokens can execute mutations</h2> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.8. GitLab was not properly validating authorisation tokens, which resulted in GraphQL mutations being executed. This is a high severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N</code>, 7.5). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22209">CVE-2021-22209</a>.</p> <p>This vulnerability has been discovered internally by the GitLab team.</p> <h3 id="remediation">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are <strong>upgraded to the latest version as soon as possible</strong>.</p> <h2 id="pull-mirror-credentials-were-exposed">Pull mirror credentials were exposed</h2> <p>An issue has been discovered in GitLab affecting all versions starting from 11.6. Pull mirror credentials were exposed and could allow other maintainers to view the credentials in plain-text. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N</code>, 6.8). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22206">CVE-2021-22206</a>.</p> <p>Thanks <a href="https://hackerone.com/jlneel">jlneel</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="remediation-1">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are <strong>upgraded to the latest version as soon as possible</strong>.</p> <h2 id="denial-of-service-when-querying-repository-branches-api">Denial of Service when querying repository branches API</h2> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.2. When querying the repository branches through API, GitLab was ignoring a query parameter and returning a considerable amount of results. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L</code>, 5.3). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22210">CVE-2021-22210</a>.</p> <p>This vulnerability has been discovered internally by the GitLab team.</p> <h3 id="remediation-2">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are <strong>upgraded to the latest version as soon as possible</strong>.</p> <h2 id="non-owners-can-set-system_note_timestamp-when-creating--updating-issues">Non-owners can set system_note_timestamp when creating / updating issues</h2> <p>An issue has been discovered in GitLab affecting versions prior to 13.5. Improper permission check could allow the change of timestamp for issue creation or update. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22208">CVE-2021-22208</a>.</p> <p>This vulnerability has been discovered internally by the GitLab team.</p> <h3 id="remediation-3">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are <strong>upgraded to the latest version as soon as possible</strong>.</p> <h2 id="deploytoken-will-impersonate-a-user-with-the-same-id-when-using-dependency-proxy">DeployToken will impersonate a User with the same ID when using Dependency Proxy</h2> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.7. GitLab Dependency Proxy, under certain circumstances, can impersonate a user resulting in possibly incorrect access handling. This is a low severity issue (<code>CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L</code>, 3.1). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22211">CVE-2021-22211</a>.</p> <p>This vulnerability has been discovered internally by the GitLab team.</p> <h3 id="remediation-4">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are <strong>upgraded to the latest version as soon as possible</strong>.</p> <h2 id="update-python-dependency">Update Python dependency</h2> <p>The dependency on Python has been upgraded to 3.7.10 in order to mitigate security concerns.</p> <h3 id="versions-affected">Versions affected</h3> <p>Affects Omnibus versions 12.0 and later.</p> <h2 id="update-redis-dependency">Update Redis dependency</h2> <p>The dependency on Redis has been upgraded to 6.0.12 in order to mitigate security concerns.</p> <h3 id="versions-affected-1">Versions affected</h3> <p>Affects versions 12.7 and later.</p> <h2 id="update-carrierwave-gem">Update carrierwave gem</h2> <p>The carrierwave gem has been upgraded to 1.3.2 in order to mitigate security concerns.</p> <h3 id="versions-affected-2">Versions affected</h3> <p>Affects all versions.</p> <h2 id="update-mermaid-npm-package">Update Mermaid npm package</h2> <p>The Mermaid npm package has been upgraded to 8.9.2 in order to mitigate security concerns.</p> <h3 id="versions-affected-3">Versions affected</h3> <p>Affects versions 13.9 and later.</p> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">Update page</a>. To update Gitlab Runner, see the <a href="https://docs.gitlab.com/runner/install/linux-repository.html#updating-the-runner">Updating the Runner page</a>.</p> <h2 id="receive-security-release-notifications">Receive Security Release Notifications</h2> <p>To receive security release blog notifications delivered to your inbox, visit our <a href="https://about.gitlab.com/company/contact/">contact us</a> page. 
To receive security release blog notifications via RSS, subscribe to our <a href="https://about.gitlab.com/security-releases.xml">RSS feed</a>.</p> GitLab Critical Security Release: 13.10.3, 13.9.6, and 13.8.8 https://about.gitlab.com/releases/2021/04/14/security-release-gitlab-13-10-3-released/ 2021-04-14T00:00:00+00:00 2021-04-14T00:00:00+00:00 Dominic Couture <p>Today we are releasing versions 13.10.3, 13.9.6, and 13.8.8 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.</p> <p>GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our <a href="https://about.gitlab.com/security/faq/">security FAQ</a>. You can see all of our regular and security release blog posts <a href="/releases/categories/releases/">here</a>. In addition, the issues detailing each vulnerability are made public on our <a href="https://gitlab.com/gitlab-org/gitlab/issues?label_name%5B%5D=security&amp;scope=all&amp;state=opened">issue tracker</a> 30 days after the release in which they were patched.</p> <p>We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. 
You can read more <a href="/blog/gitlab-instance-security-best-practices/">best practices in securing your GitLab instance</a> in our blog post.</p> <h2 id="table-of-fixes">Table of Fixes</h2> <table> <thead> <tr> <th>Title</th> <th>Severity</th> </tr> </thead> <tbody> <tr> <td><a href="#remote-code-execution-when-uploading-specially-crafted-image-files">Remote code execution when uploading specially crafted image files</a></td> <td>critical</td> </tr> <tr> <td><a href="#update-rexml">Update Rexml</a></td> <td>Dependency update - critical</td> </tr> </tbody> </table> <h2 id="remote-code-execution-when-uploading-specially-crafted-image-files">Remote code execution when uploading specially crafted image files</h2> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files that are passed to a file parser, which resulted in remote command execution. This is a critical severity issue (<code>AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H</code>, 9.9). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22205">CVE-2021-22205</a>.</p> <p>Thanks <a href="https://hackerone.com/vakzz">vakzz</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="remediation">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are <strong>upgraded to the latest version as soon as possible</strong>.</p> <h2 id="update-rexml">Update Rexml</h2> <p>The Rexml ruby gem was upgraded to version 3.2.5 in order to mitigate <a href="https://www.ruby-lang.org/en/news/2021/04/05/xml-round-trip-vulnerability-in-rexml-cve-2021-28965/">CVE-2021-28965</a>.</p> <h3 id="versions-affected">Versions affected</h3> <p>Affects versions 7.12 and later.</p> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">Update page</a>. 
To update GitLab Runner, see the <a href="https://docs.gitlab.com/runner/install/linux-repository.html#updating-the-runner">Updating the Runner page</a>.</p> <h2 id="receive-security-release-notifications">Receive Security Release Notifications</h2> <p>To receive security release blog notifications delivered to your inbox, visit our <a href="https://about.gitlab.com/company/contact/">contact us</a> page. To receive security release blog notifications via RSS, subscribe to our <a href="https://about.gitlab.com/security-releases.xml">RSS feed</a>.</p> GitLab Security Release: 13.10.1, 13.9.5, and 13.8.7 https://about.gitlab.com/releases/2021/03/31/security-release-gitlab-13-10-1-released/ 2021-03-31T00:00:00+00:00 2021-03-31T00:00:00+00:00 Vitor Meireles De Sousa <p>Today we are releasing versions 13.10.1, 13.9.5, and 13.8.7 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.</p> <p>GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our <a href="https://about.gitlab.com/security/faq/">security FAQ</a>. You can see all of our regular and security release blog posts <a href="/releases/categories/releases/">here</a>. 
In addition, the issues detailing each vulnerability are made public on our <a href="https://gitlab.com/gitlab-org/gitlab/issues?label_name%5B%5D=security&amp;scope=all&amp;state=opened">issue tracker</a> 30 days after the release in which they were patched.</p> <p>We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more <a href="/blog/gitlab-instance-security-best-practices/">best practices in securing your GitLab instance</a> in our blog post.</p> <h2 id="table-of-fixes">Table of Fixes</h2> <table> <thead> <tr> <th>Title</th> <th>Severity</th> </tr> </thead> <tbody> <tr> <td><a href="#arbitrary-file-read-during-project-import">Arbitrary File Read During Project Import</a></td> <td>critical</td> </tr> <tr> <td><a href="#kroki-arbitrary-file-readwrite">Kroki Arbitrary File Read/Write</a></td> <td>high</td> </tr> <tr> <td><a href="#stored-cross-site-scripting-in-merge-requests">Stored Cross-Site Scripting in merge requests</a></td> <td>medium</td> </tr> <tr> <td><a href="#access-data-of-an-internal-project-through-a-public-project-fork-as-an-anonymous-user">Access data of an internal project through a public project fork as an anonymous user</a></td> <td>medium</td> </tr> <tr> <td><a href="#incident-metric-images-can-be-deleted-by-any-user">Incident metric images can be deleted by any user</a></td> <td>medium</td> </tr> <tr> <td><a href="#infinite-loop-when-a-user-access-a-merge-request">Infinite Loop When a User Accesses a Merge Request</a></td> <td>low</td> </tr> <tr> <td><a href="#stored-xss-in-scoped-labels">Stored XSS in scoped labels</a></td> <td>low</td> </tr> <tr> <td><a href="#admin-csrf-in-system-hooks-execution-through-api">Admin CSRF in System Hooks Execution Through API</a></td> 
<td>low</td> </tr> <tr> <td><a href="#update-openssl-dependency">Update OpenSSL dependency</a></td> <td>Dependency update - high</td> </tr> <tr> <td><a href="#update-postgresql-dependency">Update PostgreSQL dependency</a></td> <td>Dependency update - medium</td> </tr> </tbody> </table> <h2 id="arbitrary-file-read-during-project-import">Arbitrary File Read During Project Import</h2> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.9. A specially crafted import file could read files on the server. This is a critical severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N</code>, 9.6). This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22201">CVE-2021-22201</a>.</p> <p>Thanks <a href="https://hackerone.com/saltyyolk">saltyyolk</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="remediation">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are <strong>upgraded to the latest version as soon as possible</strong>.</p> <h2 id="kroki-arbitrary-file-readwrite">Kroki Arbitrary File Read/Write</h2> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting with 13.7.9. A specially crafted Wiki page allowed attackers to read arbitrary files on the server. This is a high severity issue (<code>CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:N</code>, 7.5). 
This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22203">CVE-2021-22203</a>.</p> <p>Thanks <a href="https://hackerone.com/ledz1996">@ledz1996</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="remediation-1">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are <strong>upgraded to the latest version as soon as possible</strong>.</p> <h2 id="stored-cross-site-scripting-in-merge-requests">Stored Cross-Site Scripting in merge requests</h2> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.4. It was possible to exploit a stored cross-site scripting vulnerability in merge requests via a specially crafted branch name. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N</code>, 6.3). This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22196">CVE-2021-22196</a>.</p> <p>Thanks <a href="https://hackerone.com/yvvdwf">@yvvdwf</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="remediation-2">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are <strong>upgraded to the latest version as soon as possible</strong>.</p> <h2 id="access-data-of-an-internal-project-through-a-public-project-fork-as-an-anonymous-user">Access data of an internal project through a public project fork as an anonymous user</h2> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting with 12.6. Under a specific condition it was possible to access data of an internal repository through a public project fork as an anonymous user. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N</code>, 5.9). 
This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22200">CVE-2021-22200</a>.</p> <p>This vulnerability has been discovered internally by the GitLab team.</p> <h3 id="remediation-3">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are <strong>upgraded to the latest version as soon as possible</strong>.</p> <h2 id="incident-metric-images-can-be-deleted-by-any-user">Incident metric images can be deleted by any user</h2> <p>An issue has been discovered in GitLab CE/EE affecting all versions from 13.8 and above, allowing an authenticated user to delete incident metric images of public projects. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N</code>, 4.3). This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22198">CVE-2021-22198</a>.</p> <p>Thanks <a href="https://hackerone.com/ashish_r_padelkar">@ashish_r_padelkar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="remediation-4">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are <strong>upgraded to the latest version as soon as possible</strong>.</p> <h2 id="infinite-loop-when-a-user-access-a-merge-request">Infinite Loop When a User Accesses a Merge Request</h2> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.6, where an infinite loop exists when an authenticated user with specific rights accesses a merge request whose source and target branches point to each other. This is a low severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L</code>, 3.5). 
This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22197">CVE-2021-22197</a>.</p> <p>This vulnerability has been discovered internally by the GitLab team.</p> <h3 id="remediation-5">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are <strong>upgraded to the latest version as soon as possible</strong>.</p> <h2 id="stored-xss-in-scoped-labels">Stored XSS in scoped labels</h2> <p>An issue has been discovered in GitLab affecting all versions starting with 12.9. GitLab was vulnerable to a stored XSS if scoped labels were used. This is a low severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N</code>, 3.5). This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22199">CVE-2021-22199</a>.</p> <p>Thanks <a href="https://hackerone.com/mike12">mike12</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="remediation-6">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are <strong>upgraded to the latest version as soon as possible</strong>.</p> <h2 id="admin-csrf-in-system-hooks-execution-through-api">Admin CSRF in System Hooks Execution Through API</h2> <p>An issue has been discovered in GitLab CE/EE affecting all previous versions. If the victim was an admin, it was possible to perform a CSRF attack against System Hooks through the API. This is a low severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N</code>, 2.4). 
This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22202">CVE-2021-22202</a>.</p> <p>Thanks <a href="https://hackerone.com/mishre">@mishre</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="remediation-7">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are <strong>upgraded to the latest version as soon as possible</strong>.</p> <h2 id="update-openssl-dependency">Update OpenSSL dependency</h2> <p>The dependency on OpenSSL has been upgraded to 1.1.1j in order to mitigate security concerns.</p> <h3 id="versions-affected">Versions affected</h3> <p>Affects versions 13.8 and later.</p> <h3 id="remediation-8">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are <strong>upgraded to the latest version as soon as possible</strong>.</p> <h2 id="update-postgresql-dependency">Update PostgreSQL dependency</h2> <p>The dependency on PostgreSQL 11 and 12 has been upgraded to 11.11 and 12.6 in order to mitigate security concerns.</p> <h3 id="versions-affected-1">Versions affected</h3> <p>Affects versions 9.0 and later.</p> <h3 id="remediation-9">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are <strong>upgraded to the latest version as soon as possible</strong>.</p> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">Update page</a>. To update GitLab Runner, see the <a href="https://docs.gitlab.com/runner/install/linux-repository.html#updating-the-runner">Updating the Runner page</a>.</p> <h2 id="receive-security-release-notifications">Receive Security Release Notifications</h2> <p>To receive security release blog notifications delivered to your inbox, visit our <a href="https://about.gitlab.com/company/contact/">contact us</a> page. 
To receive security release blog notifications via RSS, subscribe to our <a href="https://about.gitlab.com/security-releases.xml">RSS feed</a>.</p> GitLab Critical Security Release: 13.9.4, 13.8.6, and 13.7.9 https://about.gitlab.com/releases/2021/03/17/security-release-gitlab-13-9-4-released/ 2021-03-17T00:00:00+00:00 2021-03-17T00:00:00+00:00 Dominic Couture <p>Today we are releasing versions 13.9.4, 13.8.6, and 13.7.9 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.</p> <p>GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our <a href="https://about.gitlab.com/security/faq/">security FAQ</a>. You can see all of our regular and security release blog posts <a href="/releases/categories/releases/">here</a>. In addition, the issues detailing each vulnerability are made public on our <a href="https://gitlab.com/gitlab-org/gitlab/issues?label_name%5B%5D=security&amp;scope=all&amp;state=opened">issue tracker</a> 30 days after the release in which they were patched.</p> <p>We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. 
You can read more <a href="/blog/gitlab-instance-security-best-practices/">best practices in securing your GitLab instance</a> in our blog post.</p> <h2 id="table-of-fixes">Table of Fixes</h2> <table> <thead> <tr> <th>Title</th> <th>Severity</th> </tr> </thead> <tbody> <tr> <td><a href="#remote-code-execution-via-unsafe-user-controlled-markdown-rendering-options">Remote code execution via unsafe user-controlled markdown rendering options</a></td> <td>critical</td> </tr> </tbody> </table> <h2 id="remote-code-execution-via-unsafe-user-controlled-markdown-rendering-options">Remote code execution via unsafe user-controlled markdown rendering options</h2> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.2, allowing authenticated but otherwise unauthorised users to execute arbitrary code on the server. This is a critical severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H</code>, 9.9). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22192">CVE-2021-22192</a>.</p> <p>Thanks <a href="https://hackerone.com/vakzz">@vakzz</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="remediation">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are <strong>upgraded to the latest version as soon as possible</strong>.</p> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">Update page</a>. To update GitLab Runner, see the <a href="https://docs.gitlab.com/runner/install/linux-repository.html#updating-the-runner">Updating the Runner page</a>.</p> <h2 id="receive-security-release-notifications">Receive Security Release Notifications</h2> <p>To receive security release blog notifications delivered to your inbox, visit our <a href="https://about.gitlab.com/company/contact/">contact us</a> page. 
To receive security release blog notifications via RSS, subscribe to our <a href="https://about.gitlab.com/security-releases.xml">RSS feed</a>.</p> GitLab Security Release: 13.9.2, 13.8.5 and 13.7.8 https://about.gitlab.com/releases/2021/03/04/security-release-gitlab-13-9-2-released/ 2021-03-04T00:00:00+00:00 2021-03-04T00:00:00+00:00 Andrew Kelly <p>Today we are releasing versions 13.9.2, 13.8.5 and 13.7.8 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.</p> <p>GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our <a href="https://about.gitlab.com/security/faq/">security FAQ</a>. You can see all of our regular and security release blog posts <a href="/releases/categories/releases/">here</a>. In addition, the issues detailing each vulnerability are made public on our <a href="https://gitlab.com/gitlab-org/gitlab/issues?label_name%5B%5D=security&amp;scope=all&amp;state=opened">issue tracker</a> 30 days after the release in which they were patched.</p> <p>We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. 
You can read more <a href="/blog/gitlab-instance-security-best-practices/">best practices in securing your GitLab instance</a> in our blog post.</p> <h2 id="jwt-token-leak-via-workhorse">JWT token leak via Workhorse</h2> <p>A path traversal vulnerability via the GitLab Workhorse in all versions of GitLab could result in the leakage of a JWT token. This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22190">CVE-2021-22190</a>.</p> <p>Thanks <a href="https://hackerone.com/ledz1996?type=user">@ledz1996</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="remediation">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are <strong>upgraded to the latest version as soon as possible</strong>.</p> <h2 id="stored-xss-in-wiki-pages">Stored XSS in wiki pages</h2> <p>Insufficient input sanitization in wikis in GitLab version 13.8 and up allows an attacker to exploit a stored cross-site scripting vulnerability via a specially crafted commit to a wiki. It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22185">CVE-2021-22185</a>.</p> <p>Thanks <a href="https://hackerone.com/yvvdwf?type=user">@yvvdwf</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="remediation-1">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are <strong>upgraded to the latest version as soon as possible</strong>.</p> <h2 id="group-maintainers-are-able-to-use-the-group-cicd-variables-api">Group Maintainers are able to use the Group CI/CD Variables API</h2> <p>An authorization issue in GitLab CE/EE version 9.4 and up allowed a group maintainer to modify group CI/CD variables, which should be restricted to group owners. 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22186">CVE-2021-22186</a>.</p> <p>Thanks to a customer for reporting this vulnerability to the GitLab team.</p> <h3 id="remediation-2">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are <strong>upgraded to the latest version as soon as possible</strong>.</p> <h2 id="insecure-storage-of-gitlab-session-keys">Insecure storage of GitLab session keys</h2> <p>In all versions of GitLab, marshalled session keys were being stored in Redis. This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22194">CVE-2021-22194</a>.</p> <p>Thanks to a customer for reporting this vulnerability to the GitLab team.</p> <h3 id="remediation-3">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are <strong>upgraded to the latest version as soon as possible</strong>.</p> <h2 id="update-thrift-gem">Update thrift gem</h2> <p>The thrift gem has been upgraded to 0.14.0 in order to mitigate security concerns.</p> <h3 id="versions-affected">Versions Affected</h3> <p>Affects versions 11.8 and later.</p> <h3 id="remediation-4">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are <strong>upgraded to the latest version as soon as possible</strong>.</p> <h2 id="update-swagger-ui-dist-dependency">Update swagger-ui-dist dependency</h2> <p>The dependency on swagger-ui-dist has been upgraded to 3.43.0 in order to mitigate security concerns.</p> <p>Thanks <a href="https://hackerone.com/kannthu?type=user">@kannthu</a> for reporting this through our HackerOne bug bounty program.</p> <h3 id="versions-affected-1">Versions Affected</h3> <p>Affects versions 13.7 and later.</p> <h3 id="remediation-5">Remediation</h3> <p>We 
<strong>strongly recommend</strong> that all installations running an affected version above are <strong>upgraded to the latest version as soon as possible</strong>.</p> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">update page</a>. To update GitLab Runner, see the <a href="https://docs.gitlab.com/runner/install/linux-repository.html#updating-the-runner">Updating the Runner page</a>.</p> <h2 id="receive-security-release-notifications">Receive Security Release Notifications</h2> <p>To receive security release blog notifications delivered to your inbox, visit our <a href="https://about.gitlab.com/company/contact/">contact us</a> page. To receive security release blog notifications via RSS, subscribe to our <a href="https://about.gitlab.com/security-releases.xml">RSS feed</a>.</p> GitLab Security Release: 13.8.4, 13.7.7 and 13.6.7 https://about.gitlab.com/releases/2021/02/11/security-release-gitlab-13-8-4-released/ 2021-02-11T00:00:00+00:00 2021-02-11T00:00:00+00:00 Costel Maxim <p>Today we are releasing versions 13.8.4, 13.7.7 and 13.6.7 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.</p> <p>GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our <a href="https://about.gitlab.com/security/faq/">security FAQ</a>. You can see all of our regular and security release blog posts <a href="/releases/categories/releases/">here</a>. 
In addition, the issues detailing each vulnerability are made public on our <a href="https://gitlab.com/gitlab-org/gitlab/issues?label_name%5B%5D=security&amp;scope=all&amp;state=opened">issue tracker</a> 30 days after the release in which they were patched.</p> <p>We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more <a href="/blog/gitlab-instance-security-best-practices/">best practices in securing your GitLab instance</a> in our blog post.</p> <h2 id="improper-certificate-validation-for-fortinet-otp">Improper Certificate Validation for Fortinet OTP</h2> <p>Starting with version 13.7, GitLab CE/EE was affected by a security issue in the validation of certificates for Fortinet OTP that could result in authentication issues. This issue is now mitigated in the latest release and is assigned <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22189">CVE-2021-22189</a>.</p> <p>This vulnerability has been discovered internally by the GitLab team.</p> <h3 id="remediation">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are <strong>upgraded to the latest version as soon as possible</strong>.</p> <h2 id="denial-of-service-attack-on-gitlab-shell">Denial of Service Attack on gitlab-shell</h2> <p>A potential DoS was identified in gitlab-shell in GitLab CE/EE version 12.6.0 or above, which allowed an attacker to spike server resource utilization via a gitlab-shell command. 
This issue is now mitigated in the latest release and is assigned <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22177">CVE-2021-22177</a>.</p> <p>Thanks <a href="https://hackerone.com/yvvdwf">yvvdwf</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="remediation-1">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are <strong>upgraded to the latest version as soon as possible</strong>.</p> <h2 id="resource-exhaustion-due-to-pending-jobs">Resource exhaustion due to pending jobs</h2> <p>An issue has been discovered in GitLab affecting all versions of GitLab EE/CE before 12.6.7. A potential resource exhaustion issue allowed running or pending jobs to continue even after the project was deleted. This issue is now mitigated in the latest release and is assigned <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22187">CVE-2021-22187</a>.</p> <p>This vulnerability has been discovered internally by the GitLab team.</p> <h3 id="remediation-2">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are <strong>upgraded to the latest version as soon as possible</strong>.</p> <h2 id="confidential-issue-titles-were-exposed">Confidential issue titles were exposed</h2> <p>An issue has been discovered in GitLab affecting all versions starting with 13.0. Confidential issue titles in GitLab were readable by an unauthorised user via branch logs. 
This issue is now mitigated in the latest release and is assigned <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22188">CVE-2021-22188</a>.</p> <p>Thanks <a href="https://hackerone.com/aemirercin?type=user">@aemirercin</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="remediation-3">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are <strong>upgraded to the latest version as soon as possible</strong>.</p> <h2 id="improper-access-control-allowed-demoted-project-members-to-access-authored-merge-requests">Improper access control allowed demoted project members to access authored merge requests</h2> <p>An issue has been discovered in GitLab affecting all versions starting with 3.0.1. Improper access control allows demoted project members to access details on authored merge requests. This issue is now mitigated in the latest release and is assigned <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22176">CVE-2021-22176</a>.</p> <p>Thanks <a href="https://hackerone.com/muthu_prakash?type=user">@muthu_prakash</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="remediation-4">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are <strong>upgraded to the latest version as soon as possible</strong>.</p> <h2 id="improper-access-control-allowed-unauthorized-users-to-access-analytic-pages">Improper access control allowed unauthorized users to access analytic pages</h2> <p>An issue has been discovered in GitLab affecting all versions starting with 13.4. Improper access control allows unauthorized users to access details on analytic pages. 
This issue is now mitigated in the latest release and is assigned <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22180">CVE-2021-22180</a>.</p> <p>Thanks <a href="https://hackerone.com/ashish_r_padelkar?type=user">@ashish_r_padelkar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="remediation-5">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are <strong>upgraded to the latest version as soon as possible</strong>.</p> <h2 id="unauthenticated-ci-lint-api-may-lead-to-information-disclosure-and-ssrf">Unauthenticated CI lint API may lead to information disclosure and SSRF</h2> <p>When requests to the internal network for webhooks are enabled, a server-side request forgery vulnerability in GitLab affecting all versions starting from 10.5 could be exploited by an unauthenticated attacker, even on a GitLab instance where registration is disabled. This issue is now mitigated in the latest release and is assigned <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22175">CVE-2021-22175</a>.</p> <p>Thanks <a href="https://hackerone.com/myster?type=user">@myster</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="remediation-6">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are <strong>upgraded to the latest version as soon as possible</strong>.</p> <h2 id="prometheus-integration-in-gitlab-may-lead-to-ssrf">Prometheus integration in GitLab may lead to SSRF</h2> <p>An issue has been discovered in GitLab affecting all versions starting from 13.2. GitLab was vulnerable to a server-side request forgery attack when the Prometheus integration was used. 
This issue is now mitigated in the latest release and is assigned <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22178">CVE-2021-22178</a>.</p> <p>Thanks <a href="https://hackerone.com/yvvdwf?type=user">@yvvdwf</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="remediation-7">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are <strong>upgraded to the latest version as soon as possible</strong>.</p> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">update page</a>. To update GitLab Runner, see the <a href="https://docs.gitlab.com/runner/install/linux-repository.html#updating-the-runner">Updating the Runner page</a>.</p> <h2 id="receive-security-release-notifications">Receive Security Release Notifications</h2> <p>To receive security release blog notifications delivered to your inbox, visit our <a href="https://about.gitlab.com/company/contact/">contact us</a> page. To receive security release blog notifications via RSS, subscribe to our <a href="https://about.gitlab.com/security-releases.xml">RSS feed</a>.</p> GitLab Security Release: 13.8.2, 13.7.6 and 13.6.6 https://about.gitlab.com/releases/2021/02/01/security-release-gitlab-13-8-2-released/ 2021-02-01T00:00:00+00:00 2021-02-01T00:00:00+00:00 Costel Maxim <p>Today we are releasing versions 13.8.2, 13.7.6 and 13.6.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.</p> <p>GitLab releases patches for vulnerabilities in dedicated security releases. 
There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our <a href="https://about.gitlab.com/security/faq/">security FAQ</a>. You can see all of our regular and security release blog posts <a href="/releases/categories/releases/">here</a>. In addition, the issues detailing each vulnerability are made public on our <a href="https://gitlab.com/gitlab-org/gitlab/issues?label_name%5B%5D=security&amp;scope=all&amp;state=opened">issue tracker</a> 30 days after the release in which they were patched.</p> <p>We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more <a href="/blog/gitlab-instance-security-best-practices/">best practices in securing your GitLab instance</a> in our blog post.</p> <h2 id="stored-xss-in-merge-request">Stored XSS in merge request</h2> <p>An issue has been discovered in GitLab affecting all versions starting with 13.7. GitLab was vulnerable to a stored XSS in merge requests. 
This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22182">CVE-2021-22182</a>.</p> <p>Thanks <a href="https://hackerone.com/ashish_r_padelkar">ashish_r_padelkar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="remediation">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are <strong>upgraded to the latest version as soon as possible</strong>.</p> <h2 id="stored-xss-in-epics-pages">Stored XSS in epics pages</h2> <p>An issue has been discovered in GitLab affecting all versions starting with 11.8. GitLab was vulnerable to a stored XSS in the epics page, which required user interaction to exploit. This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22183">CVE-2021-22183</a>.</p> <p>Thanks <a href="https://hackerone.com/mike12">mike12</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="remediation-1">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are <strong>upgraded to the latest version as soon as possible</strong>.</p> <h2 id="sensitive-graphql-variables-exposed-in-structured-log">Sensitive GraphQL variables exposed in structured log</h2> <p>An information disclosure issue in GitLab 12.0+ allowed a user with access to the server logs to see sensitive information that wasn't properly redacted. This is a medium severity issue (<code>CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N</code>, 6.2). 
This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22184">CVE-2021-22184</a>.</p> <p>This vulnerability has been discovered internally by the GitLab team.</p> <h3 id="remediation-2">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are <strong>upgraded to the latest version as soon as possible</strong>.</p> <h2 id="guest-user-can-see-tag-names-in-private-projects">Guest user can see tag names in private projects</h2> <p>Improper authorization in GitLab 12.8+ allows a guest user in a private project to view, on the releases page, tag data that should be inaccessible to them. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22172">CVE-2021-22172</a>.</p> <p>Thanks <a href="https://hackerone.com/izzsec?type=user">@izzsec</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="remediation-3">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are <strong>upgraded to the latest version as soon as possible</strong>.</p> <h2 id="information-disclosure-via-error-message">Information disclosure via error message</h2> <p>An issue was identified in GitLab EE 13.4 or later which could disclose an internal IP address via error messages. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 4.3). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22169">CVE-2021-22169</a>.</p> <p>This vulnerability has been discovered internally by the GitLab team.</p> <h3 id="remediation-4">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are <strong>upgraded to the latest version as soon as possible</strong>.</p> <h2 id="dns-rebinding-protection-bypass">DNS rebinding protection bypass</h2> <p>An issue has been discovered in GitLab affecting all versions starting with 12.2. GitLab was vulnerable to a DNS rebinding protection bypass. This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22179">CVE-2021-22179</a>.</p> <p>Thanks <a href="https://hackerone.com/yvvdwf">yvvdwf</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="remediation-5">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are <strong>upgraded to the latest version as soon as possible</strong>.</p> <h2 id="validate-existence-of-private-project">Validate existence of private project</h2> <p>An issue has been discovered in GitLab affecting all versions. It was possible to check whether a specific project name was already in use within a group, which confirmed the existence of a private project with that name. 
This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22193">CVE-2021-22193</a>.</p> <p>Thanks <a href="https://hackerone.com/milindpurswani">milindpurswani</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="remediation-6">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are <strong>upgraded to the latest version as soon as possible</strong>.</p> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">update page</a>. To update GitLab Runner, see the <a href="https://docs.gitlab.com/runner/install/linux-repository.html#updating-the-runner">Updating the Runner page</a>.</p> <h2 id="receive-security-release-notifications">Receive Security Release Notifications</h2> <p>To receive security release blog notifications delivered to your inbox, visit our <a href="https://about.gitlab.com/company/contact/">contact us</a> page. To receive security release blog notifications via RSS, subscribe to our <a href="https://about.gitlab.com/security-releases.xml">RSS feed</a>.</p> GitLab Critical Security Release: 13.7.4, 13.6.5 and 13.5.7 https://about.gitlab.com/releases/2021/01/14/critical-security-release-gitlab-13-7-4-released/ 2021-01-14T00:00:00+00:00 Dominic Couture <p>Today we are releasing versions 13.7.4, 13.6.5 and 13.5.7 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.</p> <p>GitLab releases patches for vulnerabilities in dedicated security releases. 
There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our <a href="https://about.gitlab.com/security/faq/">security FAQ</a>. You can see all of our regular and security release blog posts <a href="/releases/categories/releases/">here</a>. In addition, the issues detailing each vulnerability are made public on our <a href="https://gitlab.com/gitlab-org/gitlab/issues?label_name%5B%5D=security&amp;scope=all&amp;state=opened">issue tracker</a> 30 days after the release in which they were patched.</p> <p>We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more <a href="/blog/gitlab-instance-security-best-practices/">best practices in securing your GitLab instance</a> in our blog post.</p> <h2 id="ability-to-steal-a-users-api-access-token-through-gitlab-pages">Ability to steal a user's API access token through GitLab Pages</h2> <p>A way to bypass the fix released in the <a href="https://about.gitlab.com/releases/2021/01/07/security-release-gitlab-13-7-2-released/#ability-to-steal-a-users-api-access-token-through-gitlab-pages">previous security release</a> was discovered internally by the GitLab team. This is a high severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N</code>, 7.3). 
We have requested a CVE ID and will update this blog post when it is assigned.</p> <h3 id="remediation">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are <strong>upgraded to the latest version as soon as possible</strong>.</p> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">Update page</a>. To update GitLab Runner, see the <a href="https://docs.gitlab.com/runner/install/linux-repository.html#updating-the-runner">Updating the Runner page</a>.</p> <h2 id="receive-security-release-notifications">Receive Security Release Notifications</h2> <p>To receive security release blog notifications delivered to your inbox, visit our <a href="https://about.gitlab.com/company/contact/">contact us</a> page. To receive security release blog notifications via RSS, subscribe to our <a href="https://about.gitlab.com/security-releases.xml">RSS feed</a>.</p> GitLab Security Release: 13.7.2, 13.6.4, and 13.5.6 https://about.gitlab.com/releases/2021/01/07/security-release-gitlab-13-7-2-released/ 2021-01-07T00:00:00+00:00 Dominic Couture <p>Today we are releasing versions 13.7.2, 13.6.4, and 13.5.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.</p> <p>GitLab releases patches for vulnerabilities in dedicated security releases. There are <a href="/security/#gitlab-security-releases">two types of security releases</a>: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. 
You can see all of our regular and security release blog posts <a href="/releases/categories/releases/">here</a>. In addition, the issues detailing each vulnerability are made public on our <a href="https://gitlab.com/gitlab-org/gitlab/issues?label_name%5B%5D=security&amp;scope=all&amp;state=opened">issue tracker</a> 30 days after the release in which they were patched.</p> <p>We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more <a href="/blog/gitlab-instance-security-best-practices/">best practices in securing your GitLab instance</a> in our blog post.</p> <h2 id="upgrade-note">Upgrade Note</h2> <p>This release applies a database migration to configure as <code>Confidential</code> all instance-wide OAuth applications that are configured as <code>Trusted</code>. This will require the applications to send the <code>client_secret</code> as part of the OAuth flow, which is a best practice. The change is required to correct one of the issues in this security release. If you have any custom instance-wide applications that are having issues following this migration, it means that you have clients that aren't sending the <code>client_secret</code> or are using the implicit flow during the OAuth authentication process. Here is how to solve the problem:</p> <ul> <li>The preferred way is to make the client send the <code>client_secret</code> using the Authorization Code flow.</li> <li>If impossible, or if there's no way to keep the <code>client_secret</code> secret, then you can switch the application back to non-confidential. 
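</li> </ul> <p>The rule this note describes, as an added example that is not GitLab's or Doorkeeper's code: a toy authorization server in which a <em>confidential</em> application must present its <code>client_secret</code> at the token endpoint and cannot use the implicit flow, and a <em>non-trusted</em> application needs the user's explicit consent before anything is issued. The <code>OAuthApp</code> and <code>AuthServer</code> classes, the <code>run_flow</code> driver, the <code>migrate_trusted_to_confidential</code> helper and the two sample applications are this example's own assumptions; only the form fields built by <code>authorization_code_request</code> are the standard OAuth 2.0 (RFC 6749) ones that the Authorization Code flow sends to the token endpoint.</p>

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlencode


@dataclass
class OAuthApp:
    """Constructed model of an instance-wide OAuth application (not GitLab's schema).

    confidential: the client must present client_secret at the token endpoint.
    trusted:      the server skips the per-user consent screen for this client.
    """
    client_id: str
    client_secret: str
    redirect_uri: str
    confidential: bool = True
    trusted: bool = False


def migrate_trusted_to_confidential(apps):
    """Models the migration in the upgrade note: every trusted application becomes confidential."""
    for app in apps:
        if app.trusted:
            app.confidential = True
    return apps


@dataclass
class AuthServer:
    """Toy authorization server enforcing the confidential/trusted rules (an assumption, not GitLab's code)."""
    apps: dict
    issued_codes: dict = field(default_factory=dict)  # authorization code -> client_id

    def authorize(self, client_id, response_type, user_consented):
        """Authorization endpoint: returns a code, or a token directly for the implicit flow."""
        app = self.apps[client_id]
        if response_type not in ("code", "token"):
            raise ValueError("unsupported_response_type")
        if response_type == "token" and app.confidential:
            # The implicit flow delivers the token through the browser with no
            # client_secret involved, so a confidential application cannot use it.
            raise PermissionError("implicit flow not allowed for a confidential application")
        if not app.trusted and not user_consented:
            raise PermissionError("access_denied: user consent required")
        if response_type == "token":
            return {"access_token": secrets.token_urlsafe(24)}
        code = secrets.token_urlsafe(16)
        self.issued_codes[code] = client_id
        return {"code": code}

    def token(self, client_id, grant_type, code, client_secret=None):
        """Token endpoint: exchanges a code for a token, checking the secret when required."""
        app = self.apps[client_id]
        if grant_type != "authorization_code":
            raise ValueError("unsupported_grant_type")
        if app.confidential and (
            client_secret is None or not hmac.compare_digest(client_secret, app.client_secret)
        ):
            raise PermissionError("invalid_client: client_secret missing or wrong")
        if self.issued_codes.pop(code, None) != client_id:
            raise PermissionError("invalid_grant")
        return {"access_token": secrets.token_urlsafe(24), "token_type": "bearer"}


def authorization_code_request(app, code):
    """Form body a client POSTs to the token endpoint; the field names are the RFC 6749 ones."""
    return urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "client_id": app.client_id,
        "client_secret": app.client_secret,
        "redirect_uri": app.redirect_uri,
    })


def run_flow(server, app, response_type="code", user_consented=True, send_secret=True):
    """Drive one authorization end to end; returns 'ok' or the server's refusal message."""
    try:
        result = server.authorize(app.client_id, response_type, user_consented)
        if "access_token" in result:
            return "ok (implicit)"
        server.token(app.client_id, "authorization_code", result["code"],
                     app.client_secret if send_secret else None)
        return "ok"
    except (PermissionError, ValueError) as exc:
        return str(exc)


# Constructed sample applications: a legacy integration that was trusted but not
# confidential before the migration, and an ordinary third-party client.
LEGACY_APP = OAuthApp("legacy-id", "legacy-secret", "https://legacy.example/cb",
                      confidential=False, trusted=True)
THIRD_PARTY_APP = OAuthApp("third-id", "third-secret", "https://third.example/cb",
                           confidential=False, trusted=False)
migrate_trusted_to_confidential([LEGACY_APP, THIRD_PARTY_APP])
SERVER = AuthServer(apps={a.client_id: a for a in (LEGACY_APP, THIRD_PARTY_APP)})

if __name__ == "__main__":
    print("legacy client, secret sent:   ", run_flow(SERVER, LEGACY_APP))
    print("legacy client, no secret:     ", run_flow(SERVER, LEGACY_APP, send_secret=False))
    print("legacy client, implicit flow: ", run_flow(SERVER, LEGACY_APP, response_type="token"))
    print("third party, no user consent: ", run_flow(SERVER, THIRD_PARTY_APP, user_consented=False))
```

<p>After the migration the legacy client succeeds only when it sends its secret through the Authorization Code flow; the same client without the secret, or on the implicit flow, is refused, which is the symptom the note describes. Setting <code>confidential=False</code> on it again makes both calls succeed, and clearing <code>trusted</code> at the same time is what brings back the consent prompt that an unauthenticated client would otherwise bypass.</p> <ul> <li>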
However, we suggest making the application non-trusted as well so that users are required to explicitly authorize the application when it requests access tokens on their behalf without the <code>client_secret</code>.</li> </ul> <h2 id="ability-to-steal-a-users-api-access-token-through-gitlab-pages">Ability to steal a user's API access token through GitLab Pages</h2> <p>Insufficient validation of authentication parameters in GitLab Pages in GitLab 11.5+ allowed a user's API access token to be stolen. This is a high severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N</code>, 8.1). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22171">CVE-2021-22171</a>.</p> <p>Thanks <a href="https://hackerone.com/ngalog">@ngalog</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="remediation">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are <strong>upgraded to the latest version as soon as possible</strong>.</p> <h2 id="prometheus-denial-of-service-via-http-request-with-custom-method">Prometheus denial of service via HTTP request with custom method</h2> <p>An attacker could cause a Prometheus denial of service in GitLab 13.7+ by sending an HTTP request with a malformed method. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L</code>, 5.3). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22166">CVE-2021-22166</a>. 
</p> <p>This vulnerability has been discovered internally by the GitLab team.</p> <h3 id="remediation-1">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are <strong>upgraded to the latest version as soon as possible</strong>.</p> <h2 id="unauthorized-user-is-able-to-access-private-repository-information-under-specific-conditions">Unauthorized user is able to access private repository information under specific conditions</h2> <p>An issue has been discovered in GitLab affecting all versions starting from 12.1. Incorrect headers on a specific project page allow an attacker temporary read access to a public repository whose project features are restricted to members only. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N</code>, 5.3). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22167">CVE-2021-22167</a>.</p> <p>Thanks @anshraj_srivastava for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="remediation-2">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are <strong>upgraded to the latest version as soon as possible</strong>.</p> <h2 id="regular-expression-denial-of-service-in-nuget-api">Regular expression denial of service in NuGet API</h2> <p>A regular expression denial of service issue has been discovered in the NuGet API affecting all versions of GitLab starting from version 12.8. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L</code>, 4.3). 
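</p> <p>The two regular expression denial of service fixes in this release, the NuGet API one here and the package-name regex described under the next heading, share one failure mode, shown below as an added example (constructed for this page, not the pattern GitLab shipped): an unanchored pattern whose leading repeat can swallow the whole input, followed by a separator that a crafted input never contains, makes a backtracking engine retry from every starting offset and back off one character at a time inside each attempt, so matching time grows with the square of the input length. The hardened form beside it is anchored, keeps the separator class disjoint from the segment class, and caps the length before any regex runs. <code>MAX_NAME_LEN</code>, the lowercase-only name grammar and the timing loop are this example's assumptions.</p>

```python
import re
import time

# Constructed upper bound for this example; the page does not state GitLab's real limit.
MAX_NAME_LEN = 255

# Constructed illustration of the failure mode, not the regex GitLab shipped.
# Unanchored, with a leading repeat that can swallow the whole input and a
# separator that a crafted input never contains: a backtracking engine such
# as Python's re retries from every starting offset and, inside each attempt,
# gives back one character at a time, so an n-character input costs roughly
# n^2 / 2 comparisons.
SLOW_NAME_RE = re.compile(r"[a-z0-9]+[._-][a-z0-9]+")

# Hardened form: anchored at both ends so there is a single starting offset,
# and the separator class is disjoint from the segment class, so when the end
# anchor fails every backtracking step fails immediately (linear work).
SAFE_NAME_RE = re.compile(r"\A[a-z0-9]+(?:[._-][a-z0-9]+)*\Z")


def is_valid_package_name(name: str) -> bool:
    """Bounded, anchored validation: oversize input is refused before any regex runs."""
    if not name or len(name) > MAX_NAME_LEN:
        return False
    return SAFE_NAME_RE.match(name) is not None


def seconds_to_search(pattern, text: str) -> float:
    """Wall-clock time for one search; used only to show the growth curve."""
    start = time.perf_counter()
    pattern.search(text)
    return time.perf_counter() - start


def demo():
    # Constructed input: letters with no separator, then a character neither
    # pattern accepts, so both searches fail and the cost of failing is measured.
    for n in (1000, 2000, 4000):
        payload = "a" * n + "!"
        print(f"n={n:5d}  unanchored: {seconds_to_search(SLOW_NAME_RE, payload):.4f}s  "
              f"anchored: {seconds_to_search(SAFE_NAME_RE, payload):.6f}s")


if __name__ == "__main__":
    demo()
```

<p>Python's <code>re</code> is a backtracking matcher, so <code>demo()</code> shows the unanchored search roughly quadrupling in time each time the input doubles while the anchored one stays flat. A linear-time engine such as RE2 does not backtrack and is not exposed to this class of bug; on a backtracking engine, anchoring and disjoint character classes remove the ambiguity, and the length cap is worth keeping even with a safe pattern, since linear work on a multi-megabyte name is still work a low-privilege caller should not be able to demand.</p> <p>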
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22168">CVE-2021-22168</a>.</p> <p>This vulnerability has been discovered internally by the GitLab team.</p> <h3 id="remediation-3">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are <strong>upgraded to the latest version as soon as possible</strong>.</p> <h2 id="regular-expression-denial-of-service-in-package-uploads">Regular expression denial of service in package uploads</h2> <p>An issue has been discovered in GitLab affecting all versions starting from 12.4. The regex used to validate package names was written in a way that makes its execution time grow quadratically with the length of a malicious input string. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L</code>, 4.3). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26414">CVE-2020-26414</a>.</p> <p>This vulnerability has been discovered internally by the GitLab team.</p> <h3 id="remediation-4">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are <strong>upgraded to the latest version as soon as possible</strong>.</p> <h2 id="update-curl-dependency">Update curl dependency</h2> <p>The curl dependency has been upgraded to 7.74.0 in order to mitigate security concerns.</p> <h3 id="versions-affected">Versions Affected</h3> <p>Affects all GitLab Omnibus versions.</p> <h3 id="remediation-5">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are <strong>upgraded to the latest version as soon as possible</strong>.</p> <h2 id="cve-2019-3881-mitigation">CVE-2019-3881 mitigation</h2> <p>A patch has been applied to mitigate CVE-2019-3881 in the bundler dependency.</p> <h3 
id="versions-affected-1">Versions Affected</h3> <p>Affects all GitLab Omnibus versions.</p> <h3 id="remediation-6">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are <strong>upgraded to the latest version as soon as possible</strong>.</p> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">update page</a>. To update GitLab Runner, see the <a href="https://docs.gitlab.com/runner/install/linux-repository.html#updating-the-runner">Updating the Runner page</a>.</p> <h2 id="receive-security-release-notifications">Receive Security Release Notifications</h2> <p>To receive security release blog notifications delivered to your inbox, visit our <a href="https://about.gitlab.com/company/contact/">contact us</a> page. To receive security release blog notifications via RSS, subscribe to our <a href="https://about.gitlab.com/security-releases.xml">RSS feed</a>.</p> GitLab Security Release: 13.6.2, 13.5.5, and 13.4.7 https://about.gitlab.com/releases/2020/12/07/security-release-gitlab-13-6-2-released/ 2020-12-07T00:00:00+00:00 Andrew Kelly <p>Today we are releasing versions 13.6.2, 13.5.5, and 13.4.7 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.</p> <p>GitLab releases patches for vulnerabilities in dedicated security releases. There are <a href="/security/#gitlab-security-releases">two types of security releases</a>: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. 
You can see all of our regular and security release blog posts <a href="/releases/categories/releases/">here</a>. In addition, the issues detailing each vulnerability are made public on our <a href="https://gitlab.com/gitlab-org/gitlab/issues?label_name%5B%5D=security&amp;scope=all&amp;state=opened">issue tracker</a> 30 days after the release in which they were patched.</p> <p>We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more <a href="/blog/gitlab-instance-security-best-practices/">best practices in securing your GitLab instance</a> in our blog post.</p> <h2 id="xss-in-zoom-meeting-url">XSS in Zoom Meeting URL</h2> <p>An XSS vulnerability exists in GitLab CE/EE starting with 12.4 that allows an attacker to perform cross-site scripting against other users via importing a malicious project. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L</code>, 5.5). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26407">CVE-2020-26407</a>.</p> <p>Thanks <a href="https://hackerone.com/vakzz">@vakzz</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="remediation">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="limited-information-disclosure-in-private-profile">Limited Information Disclosure in Private Profile</h2> <p>A limited information disclosure vulnerability exists in GitLab CE/EE starting with 12.2 that allows an attacker to view limited information in a user's private profile. 
This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N</code>, 5.3). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26408">CVE-2020-26408</a>.</p> <p>Thanks <a href="https://hackerone.com/maruthi12">@maruthi12</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="remediation-1">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="user-email-exposed-via-graphql-endpoint">User email exposed via GraphQL endpoint</h2> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.4 before 13.6.2. Information disclosure via GraphQL starting in GitLab 13.4 results in a user's email address being unexpectedly visible. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N</code>, 5.3). This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22413">CVE-2021-22413</a>.</p> <p>Thanks <a href="https://hackerone.com/vaib25vicky">vaib25vicky</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="remediation-2">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="group-and-project-membership-potentially-exposed-via-graphql">Group and project membership potentially exposed via GraphQL</h2> <p>Information disclosure via GraphQL in GitLab CE/EE 13.1 and later exposes private group and project membership. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N</code>, 5.3). 
This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22417">CVE-2021-22417</a>.</p> <p>This vulnerability has been discovered internally by the GitLab team.</p> <h3 id="remediation-3">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="search-terms-logged-in-search-parameter-in-rails-logs">Search terms logged in <code>search</code> parameter in Rails logs</h2> <p>Information disclosure in the Advanced Search component of GitLab EE starting in 8.4 results in exposure of search terms via Rails logs. This is a medium severity issue (<code>CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:N/A:N</code>, 5.0). This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22416">CVE-2021-22416</a>.</p> <p>This vulnerability has been discovered internally by the GitLab team.</p> <h3 id="remediation-4">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="un-authorised-access-to-feature-flag-user-list">Unauthorised access to feature flag user list</h2> <p>An issue was discovered in GitLab CE/EE versions starting from 13.1 to 13.5 which allowed an unauthorised user to access the user list corresponding to a feature flag in a project. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 4.3). 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13357">CVE-2020-13357</a>.</p> <p>Thanks <a href="https://hackerone.com/ashish_r_padelkar">@ashish_r_padelkar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="remediation-5">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="a-specific-query-on-the-explore-page-causes-statement-timeouts">A specific query on the explore page causes statement timeouts</h2> <p>A potential denial-of-service (DoS) vulnerability was discovered in all versions of GitLab. A specific query string in a project search on the explore page can cause database statement timeouts, which can lead to a DoS if abused. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L</code>, 4.3). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26411">CVE-2020-26411</a>.</p> <p>This vulnerability has been discovered internally by the GitLab team.</p> <h3 id="remediation-6">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="exposure-of-starred-projects-on-private-user-profiles">Exposure of starred projects on private user profiles</h2> <p>An issue has been discovered in GitLab affecting all versions starting from 12.2 before 13.6.2, all versions starting from 12.2 before 13.5.5, all versions starting from 12.2 before 13.4.7. Information about the starred projects for private user profiles was exposed via the GraphQL API starting in 13.4 and via the REST API starting in 12.2. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 4.3). 
This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22415">CVE-2021-22415</a>.</p> <p>This vulnerability has been discovered internally by the GitLab team.</p> <h3 id="remediation-7">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="uncontrolled-resource-consumption-in-any-markdown-field-using-mermaid">Uncontrolled Resource Consumption in any Markdown field using Mermaid</h2> <p>A DoS vulnerability exists in GitLab CE/EE starting with 10.3 that allows an attacker to trigger uncontrolled resource consumption by bypassing input validation in Markdown fields. This is a medium severity issue (<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L</code>, 4.3). It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26409">CVE-2020-26409</a>.</p> <p>Thanks <a href="https://hackerone.com/misha98857">misha98857</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="remediation-8">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="former-group-members-able-to-view-updates-to-confidential-epics">Former group members able to view updates to confidential epics</h2> <p>Removed group members were able to use the To-Do functionality to retrieve updated information on confidential epics starting in GitLab EE 13.2. This is a low severity issue (<code>CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 3.1). 
This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22412">CVE-2021-22412</a>.</p> <p>This vulnerability has been discovered internally by the GitLab team.</p> <h3 id="remediation-9">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="update-graphicsmagick-dependency">Update GraphicsMagick dependency</h2> <p>The GraphicsMagick dependency has been upgraded to 1.3.35 in order to mitigate security concerns.</p> <h3 id="versions-affected">Versions Affected</h3> <p>Affects GitLab Omnibus 11.0 and later.</p> <h3 id="remediation-10">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="update-gnupg-dependency">Update GnuPG dependency</h2> <p>The GnuPG dependency has been upgraded to 2.2.23 in order to mitigate security concerns.</p> <h3 id="versions-affected-1">Versions Affected</h3> <p>Affects GitLab Omnibus 13.4 and later.</p> <h3 id="remediation-11">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="update-libxml-dependency">Update libxml dependency</h2> <p>The libxml dependency has been upgraded to 2.9.10 in order to mitigate security concerns.</p> <h3 id="versions-affected-2">Versions Affected</h3> <p>Affects GitLab Omnibus 10.8 and later.</p> <h3 id="remediation-12">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">update page</a>. 
To update GitLab Runner, see the <a href="https://docs.gitlab.com/runner/install/linux-repository.html#updating-the-runner">Updating the Runner page</a>.</p> <h2 id="receive-security-release-notifications">Receive Security Release Notifications</h2> <p>To receive security release blog notifications delivered to your inbox, visit our <a href="https://about.gitlab.com/company/contact/">contact us</a> page. To receive security release blog notifications via RSS, subscribe to our <a href="https://about.gitlab.com/security-releases.xml">RSS feed</a>.</p> GitLab Security Release: 13.5.2, 13.4.5, and 13.3.9 https://about.gitlab.com/releases/2020/11/02/security-release-gitlab-13-5-2-released/ 2020-11-02T00:00:00+00:00 Dominic Couture <p>Today we are releasing versions 13.5.2, 13.4.5, and 13.3.9 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.</p> <p>GitLab releases patches for vulnerabilities in dedicated security releases. There are <a href="/security/#gitlab-security-releases">two types of security releases</a>: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. You can see all of our regular and security release blog posts <a href="/releases/categories/releases/">here</a>. 
In addition, the issues detailing each vulnerability are made public on our <a href="https://gitlab.com/gitlab-org/gitlab/issues?label_name%5B%5D=security&amp;scope=all&amp;state=opened">issue tracker</a> 30 days after the release in which they were patched.</p> <p>We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more <a href="/blog/gitlab-instance-security-best-practices/">best practices in securing your GitLab instance</a> in our blog post.</p> <h2 id="path-traversal-in-lfs-upload">Path Traversal in LFS Upload</h2> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting from 8.14. A path traversal was found in LFS Upload that allows an attacker to overwrite certain specific paths on the server. This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13355">CVE-2020-13355</a>.</p> <p>Thanks <a href="https://hackerone.com/saltyyolk">saltyyolk</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="remediation">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="path-traversal-allows-saving-packages-in-arbitrary-location">Path traversal allows saving packages in arbitrary location</h2> <p>A path traversal vulnerability in the package upload functionality in GitLab CE/EE starting from 12.8 allows an attacker to save packages in arbitrary locations.
This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26405">CVE-2020-26405</a>.</p> <p>Thanks <a href="https://hackerone.com/vakzz">@vakzz</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="remediation-1">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="kubernetes-agent-api-leaks-private-repos">Kubernetes agent API leaks private repos</h2> <p>A vulnerability in the internal Kubernetes agent API in GitLab CE/EE version 13.3 and above allows unauthorised access to private projects. This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13358">CVE-2020-13358</a>.</p> <p>This vulnerability has been discovered internally by the GitLab team.</p> <h3 id="remediation-2">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="terraform-state-deletion-api-exposes-object-storage-url">Terraform state deletion API exposes object storage URL</h2> <p>The Terraform API in GitLab CE/EE 12.10 and above exposed the object storage signed URL on the delete operation, allowing a malicious project maintainer to overwrite the Terraform state, bypassing audit and other business controls.
This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13359">CVE-2020-13359</a>.</p> <p>This vulnerability has been discovered internally by the GitLab team.</p> <h3 id="remediation-3">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="stored-xss-in-error-message-of-build-dependencies">Stored XSS in error message of build dependencies</h2> <p>A stored XSS in the CI Job Log has been discovered in GitLab CE/EE 12.4 and above. This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13340">CVE-2020-13340</a>.</p> <p>Thanks <a href="https://hackerone.com/yvvdwf">yvvdwf</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="remediation-4">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="git-credentials-persisted-on-disk">Git credentials persisted on disk</h2> <p>When importing repositories via URL, one-time-use Git credentials were persisted beyond the expected time window in Gitaly 1.79.0 or above.
This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13353">CVE-2020-13353</a>.</p> <p>This vulnerability has been discovered internally by the GitLab team.</p> <h3 id="remediation-5">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="potential-denial-of-service-via-container-registry">Potential Denial of Service via container registry</h2> <p>A potential DoS vulnerability was discovered in GitLab CE/EE starting with version 12.6 and above. The container registry name check could cause an exponential number of regex backtracks for certain user-supplied values, resulting in high CPU usage. This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13354">CVE-2020-13354</a>.</p> <p>Thanks <a href="https://hackerone.com/anyday">@anyday</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="remediation-6">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="info-leak-when-group-is-transferred-from-private-to-public-group">Info leak when group is transferred from private to public group</h2> <p>Private group info is leaked in GitLab CE/EE version 10.2 and above when a project is moved from a private to a public group.
This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13352">CVE-2020-13352</a>.</p> <p>Thanks <a href="https://hackerone.com/ashish_r_padelkar">@ashish_r_padelkar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="remediation-7">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="limited-file-disclosure-via-multipart-bypass">Limited File Disclosure Via Multipart Bypass</h2> <p>An issue has been discovered in GitLab CE/EE affecting all versions starting from 8.8.9. A specially crafted request could bypass Multipart protection and read files in certain specific paths on the server. This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13356">CVE-2020-13356</a>.</p> <p>Thanks <a href="https://hackerone.com/ledz1996">ledz1996</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="remediation-8">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="unauthorized-user-is-able-to-access-scheduled-pipeline-variables-and-values">Unauthorized user is able to access scheduled pipeline variables and values</h2> <p>Insufficient permission checks in scheduled pipeline API in GitLab CE/EE 13.0+ allows an attacker to read variable names and values for scheduled pipelines on projects visible to the attacker. 
This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13351">CVE-2020-13351</a>.</p> <p>Thanks <a href="https://hackerone.com/vaib25vicky">@vaib25vicky</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="remediation-9">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="csrf-in-runner-administration-page-allows-an-attacker-to-pauseresume-runners">CSRF in runner administration page allows an attacker to pause/resume runners</h2> <p>A CSRF vulnerability in the runner administration page in all versions of GitLab CE/EE allows an attacker who is able to target GitLab instance administrators to pause/resume runners. This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13350">CVE-2020-13350</a>.</p> <p>Thanks <a href="https://hackerone.com/ngalog">@ngalog</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="remediation-10">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="regex-backtracking-attack-in-path-parsing-of-advanced-search-result">Regex backtracking attack in path parsing of Advanced Search result</h2> <p>An issue has been discovered in GitLab EE affecting all versions starting from 9.2. A regular expression related to a file path left the Advanced Search feature susceptible to catastrophic backtracking.
This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13349">CVE-2020-13349</a>.</p> <p>This vulnerability has been discovered internally by the GitLab team.</p> <h3 id="remediation-11">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="bypass-of-required-codeowners-approval">Bypass of required CODEOWNERS approval</h2> <p>An issue has been discovered in GitLab EE affecting all versions starting from 11.9. Required CODEOWNERS approval could be bypassed by targeting a branch without the CODEOWNERS file. This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13348">CVE-2020-13348</a>.</p> <p>This vulnerability has been discovered internally by the GitLab team.</p> <h3 id="remediation-12">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="sast-ciconfiguration-information-visible-without-permissions">SAST CiConfiguration information visible without permissions</h2> <p>Certain SAST CiConfiguration information could be viewed by unauthorized users in GitLab EE starting with 13.3. This information was exposed through GraphQL to non-members of public projects with repository visibility restricted as well as guest members on private projects. 
This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26406">CVE-2020-26406</a>.</p> <p>Thanks <a href="https://hackerone.com/ashish_r_padelkar">ashish_r_padelkar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> <h3 id="remediation-13">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">update page</a>. To update Gitlab Runner, see the <a href="https://docs.gitlab.com/runner/install/linux-repository.html#updating-the-runner">Updating the Runner page</a>.</p> <h2 id="receive-security-release-notifications">Receive Security Release Notifications</h2> <p>To receive security release blog notifications delivered to your inbox, visit our <a href="https://about.gitlab.com/company/contact/">contact us</a> page. To receive security release blog notifications via RSS, subscribe to our <a href="https://about.gitlab.com/security-releases.xml">RSS feed</a>.</p> <img src='https://about.gitlab.com/images/blogimages/security-cover-new.png' class='webfeedsFeaturedVisual' style='display: none;' /> GitLab Security Release: 13.4.2, 13.3.7 and 13.2.10 https://about.gitlab.com/releases/2020/10/01/security-release-13-4-2-release/ 2020-10-01T00:00:00+00:00 2020-10-01T00:00:00+00:00 Ron Chan <p>Today we are releasing versions 13.4.2, 13.3.7 and 13.2.10 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.</p> <p>GitLab releases patches for vulnerabilities in dedicated security releases. 
There are <a href="/security/#gitlab-security-releases">two types of security releases</a>: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. You can see all of our regular and security release blog posts <a href="/releases/categories/releases/">here</a>. In addition, the issues detailing each vulnerability are made public on our <a href="https://gitlab.com/gitlab-org/gitlab/issues?label_name%5B%5D=security&amp;scope=all&amp;state=opened">issue tracker</a> 30 days after the release in which they were patched.</p> <p>We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more <a href="/blog/gitlab-instance-security-best-practices/">best practices in securing your GitLab instance</a> in our blog post.</p> <h2 id="potential-denial-of-service-via-update-release-links-api">Potential Denial Of Service Via Update Release Links API</h2> <p>A potential DoS vulnerability was discovered in the Release API; certain user-supplied values could raise CPU usage.
This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13333">CVE-2020-13333</a>.</p> <p>Thanks <a href="https://hackerone.com/anyday">@anyday</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected">Versions Affected</h3> <p>Affects GitLab 13.1 and later.</p> <h3 id="remediation">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="insecure-storage-of-session-key-in-redis">Insecure Storage of Session Key In Redis</h2> <p>Under certain conditions an unauthorised user could read the Redis keys and use them to obtain a valid session. This issue is now mitigated in the latest release and is assigned <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13344">CVE-2020-13344</a>.</p> <p>Thanks <a href="https://gitlab.com/rabbitfang">@rabbitfang</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-1">Versions Affected</h3> <p>Affects GitLab 10.8 and later.</p> <h3 id="remediation-1">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="improper-access-expiration-date-validation">Improper Access Expiration Date Validation</h2> <p>It was possible for users to access projects after their access expiration date had passed.
This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13332">CVE-2020-13332</a>.</p> <p>Thanks <a href="https://hackerone.com/henonoah">@henonoah</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-2">Versions Affected</h3> <p>Affects GitLab 8.11.0-rc6+ and later.</p> <h3 id="remediation-2">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="cross-site-scripting-in-multiple-pages">Cross-Site Scripting in Multiple Pages</h2> <p>A reflected cross-site scripting vulnerability was discovered in several pages. This issue is now mitigated in the latest release and is assigned <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13345">CVE-2020-13345</a>.</p> <p>Thanks <a href="https://hackerone.com/vakzz">@vakzz</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-3">Versions Affected</h3> <p>Affects GitLab 10.8 and later.</p> <h3 id="remediation-3">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="unauthorized-users-can-view-custom-project-template">Unauthorized Users Can View Custom Project Template</h2> <p>An unauthorised user was able to view private custom project templates.
This issue is now mitigated in the latest release and is assigned <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13343">CVE-2020-13343</a>.</p> <p>Thanks <a href="https://hackerone.com/jobert">@jobert</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-4">Versions Affected</h3> <p>Affects GitLab EE 11.2 and later.</p> <h3 id="remediation-4">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="cross-site-scripting-in-svg-image-preview">Cross-Site Scripting in SVG Image Preview</h2> <p>A stored cross-site scripting vulnerability was found in the SVG image preview. This issue is now mitigated in the latest release and is assigned <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13339">CVE-2020-13339</a>.</p> <p>Thanks <a href="https://hackerone.com/aryan2808">@aryan2808</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-5">Versions Affected</h3> <p>Affects GitLab 12.10 and later.</p> <h3 id="remediation-5">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="incomplete-handling-in-account-deletion">Incomplete Handling in Account Deletion</h2> <p>It was discovered that there were insufficient checks before account deletion, which allowed an account to be deleted while it was still the owner of a group.
This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13335">CVE-2020-13335</a>.</p> <p>Thanks <a href="https://hackerone.com/brdoors3">@brdoors3</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-6">Versions Affected</h3> <p>Affects GitLab 7.12 and later.</p> <h3 id="remediation-6">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="insufficient-rate-limiting-at-re-sending-confirmation-email">Insufficient Rate Limiting at Re-Sending Confirmation Email</h2> <p>It was discovered that there was insufficient rate limiting when re-sending the confirmation email. This issue is now mitigated in the latest release and is assigned <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13342">CVE-2020-13342</a>.</p> <p>Thanks <a href="https://gitlab.com/yuanchenlu">@yuanchenlu</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-7">Versions Affected</h3> <p>Affects GitLab 10.1.0 and later.</p> <h3 id="remediation-7">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="improper-type-check-in-graphql">Improper Type Check in GraphQL</h2> <p>It was discovered that, due to an improper type check in GraphQL, users with the Developer role were able to perform unauthorised actions.
This issue is now mitigated in the latest release and is assigned <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13341">CVE-2020-13341</a>.</p> <p>Thanks <a href="https://gitlab.com/ledz1996">@ledz1996</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-8">Versions Affected</h3> <p>Affects GitLab 13.1 and later.</p> <h3 id="remediation-8">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="to-dos-are-not-redacted-when-membership-changes">To-dos Are Not Redacted When Membership Changes</h2> <p>It was discovered that after membership changes were applied, the to-do list was not redacted properly. This issue is now mitigated in the latest release and is assigned <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13346">CVE-2020-13346</a>.</p> <p>Thanks <a href="https://gitlab.com/vaib25vicky">@vaib25vicky</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-9">Versions Affected</h3> <p>Affects GitLab 11.2 and later.</p> <h3 id="remediation-9">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="guest-users-can-modify-confidentiality-attribute">Guest users can modify confidentiality attribute</h2> <p>It was discovered that improper authorization checks allowed a non-member of a project/group to change the confidentiality attribute of an issue via a GraphQL mutation.
This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13334">CVE-2020-13334</a>.</p> <p>Thanks <a href="https://hackerone.com/0xwintermute">@0xwintermute</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-10">Versions Affected</h3> <p>Affects GitLab 8.6 and later.</p> <h3 id="remediation-10">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="command-injection-on-runner-host">Command injection on runner host</h2> <p>It was discovered that improper validation of the authorization configuration allowed arbitrary command execution on a Windows runner host. This issue is now mitigated in the latest release and is assigned <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13347">CVE-2020-13347</a>.</p> <p>Thanks <a href="https://hackerone.com/ajxchapman">@ajxchapman</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-11">Versions Affected</h3> <p>Affects GitLab Runner 12.0.0 and later.</p> <h3 id="remediation-11">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="insecure-runner-configuration-in-kubernetes-environments">Insecure Runner Configuration in Kubernetes Environments</h2> <p>An internal investigation revealed a security issue in the GitLab Runner configuration used with Kubernetes environments that could be used to perform a MitM (man-in-the-middle) attack.
This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13327">CVE-2020-13327</a>.</p> <h3 id="versions-affected-12">Versions Affected</h3> <p>Affects GitLab Runner 13.2, 13.3, 13.4 and later.</p> <h3 id="remediation-12">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <hr /> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">update page</a>.</p> <h2 id="receive-security-release-notifications">Receive Security Release Notifications</h2> <p>To receive security release blog notifications delivered to your inbox, visit our <a href="https://about.gitlab.com/company/contact/">contact us</a> page. To receive security release blog notifications via RSS, subscribe to our <a href="https://about.gitlab.com/security-releases.xml">RSS feed</a>.</p> <img src='https://about.gitlab.com/images/blogimages/security-cover-new.png' class='webfeedsFeaturedVisual' style='display: none;' /> GitLab Security Release: 13.3.4, 13.2.8, and 13.1.10 https://about.gitlab.com/releases/2020/09/02/security-release-gitlab-13-3-3-released/ 2020-09-02T00:00:00+00:00 2020-09-02T00:00:00+00:00 Vitor Meireles De Sousa <h2 id="attention">Attention</h2> <p>Versions 13.3.3, 13.2.7, and 13.1.9 were improperly packaged and did not contain the security fixes outlined below. We've released 13.3.4, 13.2.8, and 13.1.10 to correct the packaging error. 
See <a href="https://gitlab.com/gitlab-com/gl-infra/delivery/-/issues/1176">#1176</a> for details and corrective actions on the packaging error.</p> <hr /> <p>Today we are releasing versions 13.3.4, 13.2.8 and 13.1.10 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.</p> <p>GitLab releases patches for vulnerabilities in dedicated security releases. There are <a href="/security/#gitlab-security-releases">two types of security releases</a>: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. You can see all of our regular and security release blog posts <a href="/releases/categories/releases/">here</a>. In addition, the issues detailing each vulnerability are made public on our <a href="https://gitlab.com/gitlab-org/gitlab/issues?label_name%5B%5D=security&amp;scope=all&amp;state=opened">issue tracker</a> 30 days after the release in which they were patched.</p> <p>We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more <a href="/blog/gitlab-instance-security-best-practices/">best practices in securing your GitLab instance</a> in our blog post.</p> <h2 id="vendor-cross-account-assume-role-attack">Vendor Cross-Account Assume-Role Attack</h2> <p>GitLab EKS integration was vulnerable to a cross-account assume role attack which could allow privileged access and possibly AWS account takeover. 
This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13318">CVE-2020-13318</a>.</p> <h3 id="versions-affected">Versions Affected</h3> <p>Affects GitLab 8.9 and later.</p> <h3 id="remediation">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="stored-xss-on-the-vulnerability-page">Stored XSS on the Vulnerability Page</h2> <p>GitLab was vulnerable to a stored XSS on the standalone vulnerability page. This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13301">CVE-2020-13301</a>.</p> <p>Thanks <a href="https://hackerone.com/xanbanx">xanbanx</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-1">Versions Affected</h3> <p>Affects GitLab 13.0 and later.</p> <h3 id="remediation-1">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="outdated-job-token-can-be-reused-to-access-unauthorized-resources">Outdated Job Token Can Be Reused to Access Unauthorized Resources</h2> <p>GitLab was not validating that job tokens were associated with running jobs. 
This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13284">CVE-2020-13284</a>.</p> <h3 id="versions-affected-2">Versions Affected</h3> <p>Affects GitLab 11.3 and later.</p> <h3 id="remediation-2">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="file-disclosure-via-workhorse-file-upload-bypass">File Disclosure Via Workhorse File Upload Bypass</h2> <p>The Conan package upload functionality was not properly validating the supplied parameters, which resulted in limited file disclosure. This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13298">CVE-2020-13298</a>.</p> <p>Thanks <a href="https://hackerone.com/ledz1996">ledz1996</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-3">Versions Affected</h3> <p>Affects GitLab 13.0 and later.</p> <h3 id="remediation-3">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="unauthorized-maintainer-can-edit-group-badge">Unauthorized Maintainer Can Edit Group Badge</h2> <p>An unauthorized project maintainer could edit subgroup badges due to a lack of authorization control.
This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13313">CVE-2020-13313</a>.</p> <p>Thanks <a href="https://hackerone.com/ashish_r_padelkar">ashish_r_padelkar</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-4">Versions Affected</h3> <p>Affects all previous GitLab versions.</p> <h3 id="remediation-4">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="denial-of-service-within-wiki-functionality">Denial of Service Within Wiki Functionality</h2> <p>An internal investigation revealed that GitLab's Wiki was vulnerable to a parser attack that prevents anyone from accessing the Wiki functionality through the user interface. This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13311">CVE-2020-13311</a>.</p> <h3 id="versions-affected-5">Versions Affected</h3> <p>Affects all GitLab versions prior to 13.0.</p> <h3 id="remediation-5">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="sign-in-vulnerable-to-brute-force-attacks">Sign-in Vulnerable to Brute-force Attacks</h2> <p>GitLab was vulnerable to brute-force attacks due to improper handling of sign-in parameters.
This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13289">CVE-2020-13289</a>.</p> <h3 id="versions-affected-6">Versions Affected</h3> <p>Affects GitLab 8.7 and later.</p> <h3 id="remediation-6">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="invalidated-session-allows-account-access-with-an-old-password">Invalidated Session Allows Account Access With an Old Password</h2> <p>Under certain conditions GitLab was not properly revoking user sessions and allowed a malicious user to access a user account with an old password. This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13302">CVE-2020-13302</a>.</p> <p>Thanks <a href="https://hackerone.com/rogov">rogov</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-7">Versions Affected</h3> <p>Affects GitLab 7.11 and later.</p> <h3 id="remediation-7">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="gitlab-omniauth-endpoint-renders-user-controlled-messages">GitLab Omniauth Endpoint Renders User Controlled Messages</h2> <p>GitLab Omniauth endpoint allowed a malicious user to submit content to be displayed back to the user within error messages. 
This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13314">CVE-2020-13314</a>.</p> <p>Thanks <a href="https://hackerone.com/h33t">h33t</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-8">Versions Affected</h3> <p>Affects GitLab 7.1 and later.</p> <h3 id="remediation-8">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="blind-ssrf-through-repository-mirroring">Blind SSRF Through Repository Mirroring</h2> <p>GitLab was vulnerable to a blind SSRF attack through the repository mirroring feature. This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13309">CVE-2020-13309</a>.</p> <p>Thanks <a href="https://hackerone.com/sky003">sky003</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-9">Versions Affected</h3> <p>Affects all previous GitLab versions.</p> <h3 id="remediation-9">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="information-disclosure-through-incorrect-group-permission-verifications">Information Disclosure Through Incorrect Group Permission Verifications</h2> <p>GitLab was vulnerable to information disclosure by not performing proper verification on permissions for confidential epics. 
This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13287">CVE-2020-13287</a>.</p> <p>Thanks <a href="https://hackerone.com/ashish_r_padelkar">ashish_r_padelkar</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-10">Versions Affected</h3> <p>Affects GitLab 13.0 and later.</p> <h3 id="remediation-10">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="no-rate-limit-on-gitlab-webhook-feature">No Rate Limit on GitLab Webhook Feature</h2> <p>GitLab Webhook feature could be abused to perform denial of service attacks due to the lack of rate limitation. This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13306">CVE-2020-13306</a>.</p> <p>Thanks <a href="https://hackerone.com/noddyn12">noddyn12</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-11">Versions Affected</h3> <p>Affects all previous GitLab versions.</p> <h3 id="remediation-11">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="gitlab-session-revocation-feature-does-not-invalidate-all-sessions">GitLab Session Revocation Feature Does Not Invalidate All Sessions</h2> <p>The revocation feature was not revoking all session tokens and one could re-use it to obtain a valid session. 
This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13299">CVE-2020-13299</a>.</p> <p>Thanks <a href="https://hackerone.com/vaib25vicky">vaib25vicky</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-12">Versions Affected</h3> <p>Affects all previous GitLab versions.</p> <h3 id="remediation-12">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="oauth-authorization-scope-for-an-external-application-can-be-changed-without-user-consent">OAuth Authorization Scope for an External Application Can Be Changed Without User Consent</h2> <p>GitLab was vulnerable to an OAuth authorization scope change without user consent in the middle of the authorization flow. This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13300">CVE-2020-13300</a>.</p> <p>Thanks fushbey for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-13">Versions Affected</h3> <p>Affects GitLab 13.3 and later.</p> <h3 id="remediation-13">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="unauthorized-maintainer-can-delete-repository">Unauthorized Maintainer Can Delete Repository</h2> <p>A project Maintainer was able to delete a repository through GraphQL due to insufficient verification of permissions. 
This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13317">CVE-2020-13317</a>.</p> <p>Thanks <a href="https://hackerone.com/ledz1996">ledz1996</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-14">Versions Affected</h3> <p>Affects GitLab 12.6 and later.</p> <h3 id="remediation-14">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="improper-verification-of-deploy-key-leads-to-access-restricted-repository">Improper Verification of Deploy-Key Leads to Access Restricted Repository</h2> <p>Due to improper verification of permissions, an unauthorized user could access a private repository within a public project. This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13303">CVE-2020-13303</a>.</p> <p>Thanks <a href="https://hackerone.com/ledz1996">ledz1996</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-15">Versions Affected</h3> <p>Affects all previous GitLab versions.</p> <h3 id="remediation-15">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="disabled-repository-still-accessible-with-a-deploy-token">Disabled Repository Still Accessible With a Deploy-Token</h2> <p>GitLab was not validating a Deploy-Token and allowed a disabled repository to be accessed via the git command line. 
This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13316">CVE-2020-13316</a>.</p> <p>Thanks <a href="https://hackerone.com/vaib25vicky">vaib25vicky</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-16">Versions Affected</h3> <p>Affects all previous GitLab versions.</p> <h3 id="remediation-16">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="duplicated-secret-code-generated-by-2-factor-authentication-mechanism">Duplicated Secret Code Generated by 2 Factor Authentication Mechanism</h2> <p>The same 2 factor authentication secret code could be generated more than once, which allowed an attacker to maintain access under certain conditions. This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13304">CVE-2020-13304</a>.</p> <p>Thanks <a href="https://hackerone.com/rgupt">rgupt</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-17">Versions Affected</h3> <p>Affects all previous GitLab versions.</p> <h3 id="remediation-17">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="lack-of-validation-within-project-invitation-flow">Lack of Validation Within Project Invitation Flow</h2> <p>GitLab was not invalidating the project invitation link upon removing a user from a project. 
This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13305">CVE-2020-13305</a>.</p> <p>Thanks <a href="https://hackerone.com/rgupt">rgupt</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-18">Versions Affected</h3> <p>Affects all previous GitLab versions.</p> <h3 id="remediation-18">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="current-sessions-not-invalidated-upon-enabling-2-factor-authentication">Current Sessions Not Invalidated Upon Enabling 2 Factor Authentication</h2> <p>GitLab was not revoking current user sessions when 2 factor authentication was activated, allowing a malicious user to maintain their access. This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13307">CVE-2020-13307</a>.</p> <p>Thanks <a href="https://hackerone.com/xanbanx">xanbanx</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-19">Versions Affected</h3> <p>Affects all previous GitLab versions.</p> <h3 id="remediation-19">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="users-without-2-factor-authentication-can-be-blocked-accessing-gitlab">Users Without 2 Factor Authentication Can Be Blocked Accessing GitLab</h2> <p>A user without 2 factor authentication enabled could be prevented from accessing GitLab by being invited into a project that had 2 factor authentication inheritance. 
This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13308">CVE-2020-13308</a>.</p> <p>Thanks marshall0705 for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-20">Versions Affected</h3> <p>Affects all previous GitLab versions.</p> <h3 id="remediation-20">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="lack-of-upper-bound-check-leading-to-possible-denial-of-service">Lack of Upper Bound Check Leading to Possible Denial of Service</h2> <p>The profile activity page was not restricting the amount of results one could request, potentially resulting in a denial of service. This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13315">CVE-2020-13315</a>.</p> <p>Thanks <a href="https://hackerone.com/brandonnnn">brandonnnn</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-21">Versions Affected</h3> <p>Affects GitLab 11.4 and later.</p> <h3 id="remediation-21">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="2-factor-authentication-for-groups-was-not-enforced-within-api-endpoint">2 Factor Authentication for Groups Was Not Enforced Within API Endpoint</h2> <p>When 2 factor authentication was enabled for groups, a malicious user could bypass that restriction by sending a specific query to the API endpoint. 
This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13297">CVE-2020-13297</a>.</p> <p>Thanks <a href="https://hackerone.com/xanbanx">xanbanx</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-22">Versions Affected</h3> <p>Affects all previous GitLab versions.</p> <h3 id="remediation-22">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="gitlab-runner-denial-of-service-via-ci-jobs">GitLab Runner Denial of Service via CI Jobs</h2> <p>It was possible to make the gitlab-runner process crash by sending malformed queries, resulting in a denial of service. This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13310">CVE-2020-13310</a>.</p> <h3 id="versions-affected-23">Versions Affected</h3> <p>Affects all previous versions of GitLab Runner.</p> <h3 id="remediation-23">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="update-websocket-extensions-gem">Update websocket-extensions Gem</h2> <p>The websocket-extensions gem has been upgraded to 0.1.5. This upgrade includes a security fix for <a href="https://nvd.nist.gov/vuln/detail/CVE-2020-7663">CVE-2020-7663</a>.</p> <h2 id="update-jquery-dependency">Update jQuery Dependency</h2> <p>The jQuery dependency has been upgraded to 3.5. This upgrade includes a security fix for <a href="https://github.com/jquery/jquery/security/advisories/GHSA-gxr4-xjj5-5px2">CVE-2020-11022</a>.</p> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">update page</a>. 
To update GitLab Runner, see the <a href="https://docs.gitlab.com/runner/install/linux-repository.html#updating-the-runner">Updating the Runner page</a>.</p> <h2 id="receive-security-release-notifications">Receive Security Release Notifications</h2> <p>To receive security release blog notifications delivered to your inbox, visit our <a href="https://about.gitlab.com/company/contact/">contact us</a> page. To receive security release blog notifications via RSS, subscribe to our <a href="https://about.gitlab.com/security-releases.xml">RSS feed</a>.</p> <img src='https://about.gitlab.com/images/blogimages/security-cover-new.png' class='webfeedsFeaturedVisual' style='display: none;' /> GitLab Critical Security Release: 13.2.6, 13.1.8, 13.0.14 https://about.gitlab.com/releases/2020/08/18/critical-security-release-gitlab-13-2-6-released/ 2020-08-18T00:00:00+00:00 2020-08-18T00:00:00+00:00 Costel Maxim <p>Note: due to a packaging problem, our previous release (<a href="/releases/2020/08/18/critical-security-release-gitlab-13-2-5-released/">published and communicated earlier today/Aug 18</a>) did not include the security fixes mentioned in the accompanying blog post for the GitLab Community Edition package. The new, just released versions of GitLab Enterprise Edition and GitLab Community Edition now contain all the necessary fixes for all versions. Please update all packages immediately.</p> <p>Today we are releasing versions 13.2.6, 13.1.8, 13.0.14 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.</p> <p>GitLab releases patches for vulnerabilities in dedicated security releases. 
There are <a href="/security/#gitlab-security-releases">two types of security releases</a>: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. You can see all of our regular and security release blog posts <a href="/releases/categories/releases/">here</a>. In addition, the issues detailing each vulnerability are made public on our <a href="https://gitlab.com/gitlab-org/gitlab/issues?label_name%5B%5D=security&amp;scope=all&amp;state=opened">issue tracker</a> 30 days after the release in which they were patched.</p> <p>We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more <a href="/blog/gitlab-instance-security-best-practices/">best practices in securing your GitLab instance</a> in our blog post.</p> <h3 id="deploy-token-access-control">Deploy Token Access Control</h3> <p>An authorization issue discovered in the deploy token handling allowed read access to public projects with restricted repositories. 
This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13296">CVE-2020-13296</a>.</p> <p>Thanks <a href="https://hackerone.com/ledz1996">@ledz1996</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected">Versions Affected</h3> <p>Affects GitLab EE 10.7 and later.</p> <h3 id="remediation">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">update page</a>.</p> <h2 id="receive-security-release-notifications">Receive Security Release Notifications</h2> <p>To receive security release blog notifications delivered to your inbox, visit our <a href="https://about.gitlab.com/company/contact/">contact us</a> page. To receive security release blog notifications via RSS, subscribe to our <a href="https://about.gitlab.com/security-releases.xml">RSS feed</a>.</p> <img src='https://about.gitlab.com/images/blogimages/security-cover-new.png' class='webfeedsFeaturedVisual' style='display: none;' /> GitLab Critical Security Release: 13.2.5, 13.1.7, 13.0.13 https://about.gitlab.com/releases/2020/08/18/critical-security-release-gitlab-13-2-5-released/ 2020-08-18T00:00:00+00:00 2020-08-18T00:00:00+00:00 Costel Maxim <h3 id="update-as-of-1700-utc-august-18-2020-both-our-gitlab-enterprise-edition-and-gitlab-community-edition-versions-contain-all-of-the-fixes-listed-below--the-related-blog-post-with-new-version-numbers-is-here">Update: As of 17:00 UTC, August 18, 2020 both our GitLab Enterprise Edition and GitLab Community Edition versions contain all of the fixes listed below. 
The related blog post with new version numbers is <a href="/releases/2020/08/18/critical-security-release-gitlab-13-2-6-released/">here</a>.</h3> <p><del><strong>Due to a packaging problem, the GitLab Community Edition packages do not include the security fixes mentioned in this blog post. We are currently working on releasing new versions of both our GitLab Enterprise Edition and GitLab Community Edition, to ensure both contain all the necessary fixes. We will publish a separate blog post when these packages have been published.</strong></del></p> <p>Today we are releasing versions 13.2.5, 13.1.7, 13.0.13 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.</p> <p>GitLab releases patches for vulnerabilities in dedicated security releases. There are <a href="/security/#gitlab-security-releases">two types of security releases</a>: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. You can see all of our regular and security release blog posts <a href="/releases/categories/releases/">here</a>. In addition, the issues detailing each vulnerability are made public on our <a href="https://gitlab.com/gitlab-org/gitlab/issues?label_name%5B%5D=security&amp;scope=all&amp;state=opened">issue tracker</a> 30 days after the release in which they were patched.</p> <p>We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. 
You can read more <a href="/blog/gitlab-instance-security-best-practices/">best practices in securing your GitLab instance</a> in our blog post.</p> <h3 id="deploy-token-access-control">Deploy Token Access Control</h3> <p>An authorization issue discovered in the deploy token handling allowed read access to public projects with restricted repositories. This issue is now mitigated in the latest release and is waiting for a CVE ID to be assigned.</p> <p>Thanks <a href="https://hackerone.com/ledz1996">@ledz1996</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected">Versions Affected</h3> <p>Affects GitLab EE 10.7 and later.</p> <h3 id="remediation">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">update page</a>.</p> <h2 id="receive-security-release-notifications">Receive Security Release Notifications</h2> <p>To receive security release blog notifications delivered to your inbox, visit our <a href="https://about.gitlab.com/company/contact/">contact us</a> page. 
To receive security release blog notifications via RSS, subscribe to our <a href="https://about.gitlab.com/security-releases.xml">RSS feed</a>.</p> <img src='https://about.gitlab.com/images/blogimages/security-cover-new.png' class='webfeedsFeaturedVisual' style='display: none;' /> GitLab Security Release: 13.2.3, 13.1.6 and 13.0.12 https://about.gitlab.com/releases/2020/08/05/gitlab-13-2-3-released/ 2020-08-05T00:00:00+00:00 2020-08-05T00:00:00+00:00 Andrew Kelly <p>Today we are releasing versions 13.2.3, 13.1.6 and 13.0.12 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.</p> <p>GitLab releases patches for vulnerabilities in dedicated security releases. There are <a href="/security/#gitlab-security-releases">two types of security releases</a>: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. You can see all of our regular and security release blog posts <a href="/releases/categories/releases/">here</a>. In addition, the issues detailing each vulnerability are made public on our <a href="https://gitlab.com/gitlab-org/gitlab/issues?label_name%5B%5D=security&amp;scope=all&amp;state=opened">issue tracker</a> 30 days after the release in which they were patched.</p> <p>We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. 
You can read more <a href="/blog/gitlab-instance-security-best-practices/">best practices in securing your GitLab instance</a> in our blog post.</p> <h2 id="previously-fixed-in-1291-arbitrary-file-read-when-moving-an-issue">Previously fixed (in 12.9.1): Arbitrary File Read when Moving an Issue</h2> <p>Recently, a GitLab user posted a blog about the exploitation of a known vulnerability which has been previously disclosed and assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10977">CVE-2020-10977</a>. GitLab EE/CE 8.5 to 12.9 is vulnerable to a path traversal when moving an issue between projects.</p> <p>This issue was remediated and patched in the <a href="https://about.gitlab.com/releases/2020/03/26/security-release-12-dot-9-dot-1-released/">12.9.1 release</a> in March 2020.</p> <p>We strongly recommend that all users confirm they are running the latest version of GitLab to ensure they are up-to-date with current security releases. Users should update immediately if possible. If upgrading immediately is not possible for some reason, public registration should be disabled.</p> <h2 id="memory-exhaustion-via-excessive-logging-of-invite-email-error">Memory Exhaustion via Excessive Logging of Invite Email Error</h2> <p>Excessive error logging related to an invitation email being sent to members of a deleted group could potentially cause memory exhaustion on lower resource machines. 
This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13280">CVE-2020-13280</a>.</p> <h3 id="versions-affected">Versions Affected</h3> <p>Affects all previous GitLab versions.</p> <h3 id="remediation">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="denial-of-service-through-project-import-feature">Denial of Service Through Project Import Feature</h2> <p>The project import feature did not perform size checks before decompressing data, potentially resulting in a denial of service. This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13281">CVE-2020-13281</a>.</p> <p>Thanks <a href="https://hackerone.com/u3mur4">@u3mur4</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-1">Versions Affected</h3> <p>Affects GitLab 8.9 and later.</p> <h3 id="remediation-1">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="user-controlled-git-configuration-settings-resulting-in-ssrf">User Controlled Git Configuration Settings Resulting in SSRF</h2> <p>When importing a repository via URL, the git <code>http.&lt;url&gt;.proxy</code> setting could be changed and lead to server-side request forgery. 
This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13286">CVE-2020-13286</a>.</p> <p>Thanks <a href="https://hackerone.com/vakzz">@vakzz</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-2">Versions Affected</h3> <p>Affects GitLab 12.7 and later.</p> <h3 id="remediation-2">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="stored-xss-in-issue-reference-number-tooltip">Stored XSS in Issue Reference Number Tooltip</h2> <p>For some browsers, the tooltip for issue reference numbers could result in stored XSS on mouseover. This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13285">CVE-2020-13285</a>.</p> <p>Thanks <a href="https://hackerone.com/yvvdwf">@yvvdwf</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-3">Versions Affected</h3> <p>Affects GitLab EE 12.9 and later.</p> <h3 id="remediation-3">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="stored-xss-in-issues-list-via-milestone-title">Stored XSS in Issues List via Milestone Title</h2> <p>The milestone title field can lead to stored XSS when viewed under certain conditions on the issue list. 
This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13283">CVE-2020-13283</a>.</p> <p>Thanks <a href="https://hackerone.com/mike12">@mike12</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-4">Versions Affected</h3> <p>Affects GitLab 10.8 and later.</p> <h3 id="remediation-4">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="improper-access-control-after-group-transfer">Improper Access Control After Group Transfer</h2> <p>Members of a parent group silently and unexpectedly maintained their access levels when a subgroup was transferred. This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13282">CVE-2020-13282</a>.</p> <p>Thanks <a href="https://hackerone.com/kryword">@kryword</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-5">Versions Affected</h3> <p>Affects all previous GitLab versions.</p> <h3 id="remediation-5">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="bypass-email-verification-required-for-oauth-flow">Bypass Email Verification Required for OAuth Flow</h2> <p>The required email verification for the OAuth authorization code flow could be bypassed, which could potentially affect third party applications that use GitLab as an identity provider. 
This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13292">CVE-2020-13292</a>.</p> <p>Thanks <a href="https://hackerone.com/cache-money">@cache-money</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-6">Versions Affected</h3> <p>Affects all previous GitLab versions.</p> <h3 id="remediation-6">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="confusion-when-using-hexadecimal-branch-names">Confusion When Using Hexadecimal Branch Names</h2> <p>Using a branch with a hexadecimal name could override an existing hash. This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13293">CVE-2020-13293</a>.</p> <p>Thanks <a href="https://hackerone.com/retroplasma">@retroplasma</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-7">Versions Affected</h3> <p>Affects all previous GitLab versions.</p> <h3 id="remediation-7">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="insufficient-oauth-revocation">Insufficient OAuth Revocation</h2> <p>Access grants were not revoked when a user revoked access to an application. 
This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13294">CVE-2020-13294</a>.</p> <p>Thanks <a href="https://hackerone.com/benaubin">@benaubin</a>, <a href="https://hackerone.com/whitehattushu">@whitehattushu</a>, and <a href="https://hackerone.com/lauritz">@lauritz</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-8">Versions Affected</h3> <p>Affects GitLab 7.7 and later.</p> <h3 id="remediation-8">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="improper-access-control-for-project-sharing">Improper Access Control for Project Sharing</h2> <p>Project sharing could temporarily allow overly permissive access. This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13291">CVE-2020-13291</a>.</p> <h3 id="versions-affected-9">Versions Affected</h3> <p>Affects GitLab 13.2 and later.</p> <h3 id="remediation-9">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="stored-xss-in-jobs-page">Stored XSS in Jobs Page</h2> <p>A stored XSS was identified in the CI/CD Jobs page. 
This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13288">CVE-2020-13288</a>.</p> <p>Thanks <a href="https://hackerone.com/mike12">@mike12</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-10">Versions Affected</h3> <p>Affects GitLab 13.0 and later.</p> <h3 id="remediation-10">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="improper-access-control-of-applications-page">Improper Access Control of Applications Page</h2> <p>Users without two-factor authentication set up could still access the <code>/profile/applications</code> page even when two-factor authentication was required. This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13290">CVE-2020-13290</a>.</p> <p>Thanks <a href="https://hackerone.com/brdoors3">@brdoors3</a> for responsibly reporting this vulnerability to us and <a href="https://hackerone.com/melar_dev">@melar_dev</a> for providing additional important details.</p> <h3 id="versions-affected-11">Versions Affected</h3> <p>Affects GitLab 8.4 and later.</p> <h3 id="remediation-11">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="ssrf-into-shared-runner">SSRF into Shared Runner</h2> <p>By replacing dockerd with a malicious server, an SSRF into the Shared Runner was possible. 
This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13295">CVE-2020-13295</a>.</p> <p>Thanks <a href="https://hackerone.com/lucash-dev">@lucash-dev</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-12">Versions Affected</h3> <p>Affects all versions of GitLab Runner.</p> <h3 id="remediation-12">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations of <strong>GitLab Runner</strong> are <a href="https://docs.gitlab.com/runner/install/linux-repository.html#updating-the-runner">upgraded</a> to the latest version as soon as possible.</p> <h2 id="update-kramdown-gem">Update Kramdown Gem</h2> <p>The kramdown gem has been upgraded to 2.3.0. This upgrade includes a security fix for <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14001">CVE-2020-14001</a>.</p> <h3 id="versions-affected-13">Versions Affected</h3> <p>Affects GitLab 13.2 and later.</p> <h3 id="remediation-13">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">update page</a>. To update GitLab Runner, see the <a href="https://docs.gitlab.com/runner/install/linux-repository.html#updating-the-runner">Updating the Runner page</a>.</p> <h2 id="receive-security-release-notifications">Receive Security Release Notifications</h2> <p>To receive security release blog notifications delivered to your inbox, visit our <a href="https://about.gitlab.com/company/contact/">contact us</a> page. 
To receive security release blog notifications via RSS, subscribe to our <a href="https://about.gitlab.com/security-releases.xml">RSS feed</a>.</p> GitLab Critical Security Release: 13.1.3, 13.0.9 and 12.10.14 https://about.gitlab.com/releases/2020/07/06/critical-security-release-gitlab-13-1-3-released/ 2020-07-06T00:00:00+00:00 2020-07-06T00:00:00+00:00 Andrew Kelly <p>Today we are releasing versions 13.1.3, 13.0.9 and 12.10.14 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.</p> <p>GitLab releases patches for vulnerabilities in dedicated security releases. There are <a href="/security/#gitlab-security-releases">two types of security releases</a>: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. You can see all of our regular and security release blog posts <a href="/releases/categories/releases/">here</a>. In addition, the issues detailing each vulnerability are made public on our <a href="https://gitlab.com/gitlab-org/gitlab/issues?label_name%5B%5D=security&amp;scope=all&amp;state=opened">issue tracker</a> 30 days after the release in which they were patched.</p> <p>We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. 
You can read more <a href="/blog/gitlab-instance-security-best-practices/">best practices in securing your GitLab instance</a> in our blog post.</p> <h2 id="workhorse-bypass-allows-files-in-tmp-to-be-read-via-maven-repository-apis">Workhorse bypass allows files in /tmp to be read via Maven Repository APIs</h2> <p>The Maven package upload endpoint could be used to override restrictions and result in the GitLab Workhorse disclosing the existence and contents of files in the <code>/tmp</code> directory. This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15525">CVE-2020-15525</a>.</p> <p>Thanks <a href="https://hackerone.com/ledz1996">@ledz1996</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected">Versions Affected</h3> <p>Affects GitLab EE 11.3 and later.</p> <h3 id="remediation">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h3 id="maven-package-upload-broken-in-121014">Maven package upload broken in 12.10.14</h3> <p>The fix for this security issue caused a regression in the 12.10 code base. Uploading Maven packages no longer works, generating the error <code>400 Bad Request</code>.</p> <p>For more information, see <a href="https://gitlab.com/gitlab-org/gitlab/-/issues/229482">the issue</a>.</p> <p>The GitLab Maven Repository is a Premium feature in GitLab 12.10. Premium and Ultimate customers running GitLab 12.10 who use the Maven Repository feature should upgrade to 13.0.9 or higher.</p> <p>Our documented upgrade path from 12.10 to 13.x specifies that the last 12.10 patch release should be one of the steps. This is to ensure that any code updates required for upgrading are installed. 
Customers using the Maven Repository would be advised to use 12.10.13 as the last 12.10 patch release, and upgrade to a 13.0.9 or higher as soon as possible.</p> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">update page</a>.</p> <h2 id="receive-security-release-notifications">Receive Security Release Notifications</h2> <p>To receive security release blog notifications delivered to your inbox, visit our <a href="https://about.gitlab.com/company/contact/">contact us</a> page. To receive security release blog notifications via RSS, subscribe to our <a href="https://about.gitlab.com/security-releases.xml">RSS feed</a>.</p> GitLab Security Release: 13.1.2, 13.0.8 and 12.10.13 https://about.gitlab.com/releases/2020/07/01/security-release-13-1-2-release/ 2020-07-01T00:00:00+00:00 2020-07-01T00:00:00+00:00 Costel Maxim <p>Today we are releasing versions 13.1.2, 13.0.8 and 12.10.13 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.</p> <p>GitLab releases patches for vulnerabilities in dedicated security releases. There are <a href="/security/#gitlab-security-releases">two types of security releases</a>: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. You can see all of our regular and security release blog posts <a href="/releases/categories/releases/">here</a>. 
In addition, the issues detailing each vulnerability are made public on our <a href="https://gitlab.com/gitlab-org/gitlab/issues?label_name%5B%5D=security&amp;scope=all&amp;state=opened">issue tracker</a> 30 days after the release in which they were patched.</p> <p>We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more <a href="/blog/gitlab-instance-security-best-practices/">best practices in securing your GitLab instance</a> in our blog post.</p> <h2 id="missing-permission-check-on-time-tracking">Missing Permission Check on Time Tracking</h2> <p>It was possible to add time spent on an issue without being a project member. This issue is now mitigated in the latest release and is assigned <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13319">CVE-2020-13319</a>.</p> <p>Thanks <a href="https://hackerone.com/ashish_r_padelkar">@ashish_r_padelkar</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected">Versions Affected</h3> <p>Affects GitLab EE 12.8 and later.</p> <h3 id="remediation">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="cross-site-scripting-in-pypi-files-api">Cross-Site Scripting in PyPI Files API</h2> <p>Under certain conditions, requests involving the PyPI files API could result in an XSS vulnerability. 
This issue is now mitigated in the latest release and is assigned <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13328">CVE-2020-13328</a>.</p> <p>Thanks <a href="https://hackerone.com/vakzz">@vakzz</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-1">Versions Affected</h3> <p>Affects GitLab EE 13.1 and later.</p> <h3 id="remediation-1">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="insecure-authorization-check-on-private-project-security-dashboard">Insecure Authorization Check on Private Project Security Dashboard</h2> <p>Under certain conditions, a project member with Guest permissions was allowed to view the project security dashboard. This issue is now mitigated in the latest release and is assigned <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13320">CVE-2020-13320</a>.</p> <p>Thanks <a href="https://hackerone.com/vaib25vicky">@vaib25vicky</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-2">Versions Affected</h3> <p>Affects GitLab EE 12.8 to 13.1.</p> <h3 id="remediation-2">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="cross-site-scripting-in-references">Cross-Site Scripting in References</h2> <p>A stored cross-site scripting vulnerability was discovered when editing references. 
This issue is now mitigated in the latest release and is assigned <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13338">CVE-2020-13338</a>.</p> <p>Thanks <a href="https://hackerone.com/vakzz">@vakzz</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-3">Versions Affected</h3> <p>Affects GitLab EE 8.10.0 to 13.1.</p> <h3 id="remediation-3">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="cross-site-scripting-in-group-names">Cross-Site Scripting in Group Names</h2> <p>An internal investigation revealed that Group Names could be used to store XSS payloads. This issue is now mitigated in the latest release and is assigned <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13337">CVE-2020-13327</a>.</p> <h3 id="versions-affected-4">Versions Affected</h3> <p>Affects GitLab EE 12.10 and later.</p> <h3 id="remediation-4">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="cross-site-scripting-in-blob-viewer">Cross-Site Scripting in Blob Viewer</h2> <p>A stored XSS vulnerability was discovered in the blob viewer feature. 
This issue is now mitigated in the latest release and is assigned <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13329">CVE-2020-13329</a>.</p> <p>Thanks <a href="https://hackerone.com/yvvdwf">@yvvdwf</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-5">Versions Affected</h3> <p>Affects GitLab EE 12.6 and later.</p> <h3 id="remediation-5">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="cross-site-scripting-in-error-tracking">Cross-Site Scripting in Error Tracking</h2> <p>A stored cross-site scripting payload could be injected in the Error Tracking page. This issue is now mitigated in the latest release and is assigned <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13336">CVE-2020-13336</a>.</p> <p>Thanks <a href="https://hackerone.com/mike12">@mike12</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-6">Versions Affected</h3> <p>Affects GitLab EE 12.10 and later.</p> <h3 id="remediation-6">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="insecure-authorisation-check-on-creation-and-deletion-of-deploy-tokens">Insecure Authorisation Check on Creation and Deletion of Deploy Tokens</h2> <p>An insecure authorization check allowed project members with Maintainer role to create and delete deploy tokens. 
This issue is now mitigated in the latest release and is assigned <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13322">CVE-2020-13322</a>.</p> <p>Thanks <a href="https://hackerone.com/ashish_r_padelkar">@ashish_r_padelkar</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-7">Versions Affected</h3> <p>Affects GitLab EE 12.9 and later.</p> <h3 id="remediation-7">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="user-name-format-restiction-bypass">User Name Format Restriction Bypass</h2> <p>Username format restrictions could be bypassed, allowing HTML tags to be added. This issue is now mitigated in the latest release and is assigned <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13321">CVE-2020-13321</a>.</p> <p>Thanks <a href="https://hackerone.com/zseano">@zseano</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-8">Versions Affected</h3> <p>Affects all versions of GitLab.</p> <h3 id="remediation-8">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="denial-of-service-in-issue-comments">Denial of Service in Issue Comments</h2> <p>A denial of service vulnerability involving the comments on an issue was discovered. 
This issue is now mitigated in the latest release and is assigned <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13325">CVE-2020-13325</a>.</p> <p>Thanks @tiradorngpilipinas for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-9">Versions Affected</h3> <p>Affects GitLab EE 12.9 and later.</p> <h3 id="remediation-9">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="cross-site-scripting-in-wiki-pages">Cross-Site Scripting in Wiki Pages</h2> <p>A stored cross-site scripting vulnerability was discovered in the Wiki upload feature. This issue is now mitigated in the latest release and is assigned <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13331">CVE-2020-13331</a>.</p> <p>Thanks <a href="https://hackerone.com/semsem123">@semsem123</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-10">Versions Affected</h3> <p>Affects GitLab EE 12.10 and older.</p> <h3 id="remediation-10">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="private-merge-request-updates-leaked-via-todos">Private Merge Request Updates Leaked via Todos</h2> <p>An internal investigation revealed that updates to private merge requests could be disclosed to removed project members. 
This issue is now mitigated in the latest release and is assigned <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13323">CVE-2020-13323</a>.</p> <h3 id="versions-affected-11">Versions Affected</h3> <p>Affects all versions of GitLab.</p> <h3 id="remediation-11">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="private-user-activity-leaked-via-api">Private User Activity Leaked via API</h2> <p>Under certain conditions the private activity of a user could be exposed via the API. This issue is now mitigated in the latest release and is assigned <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13324">CVE-2020-13324</a>.</p> <p>Thanks <a href="https://hackerone.com/ngalog">@ngalog</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-12">Versions Affected</h3> <p>Affects GitLab EE 9.4 and later.</p> <h3 id="remediation-12">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="cross-site-scripting-in-bitbucket-import-feature">Cross-Site Scripting in Bitbucket Import Feature</h2> <p>A stored XSS vulnerability could be exploited using the Bitbucket project import feature. 
This issue is now mitigated in the latest release and is assigned <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13330">CVE-2020-13330</a>.</p> <p>Thanks <a href="https://hackerone.com/saltyyolk">@saltyyolk of Chaitin Tech</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-13">Versions Affected</h3> <p>Affects GitLab 11.2 and later.</p> <h3 id="remediation-13">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="github-project-restriction-bypass">GitHub Project Restriction Bypass</h2> <p>It was possible to bypass the restriction on importing projects from GitHub via the API. This issue is now mitigated in the latest release and is assigned <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13326">CVE-2020-13326</a>.</p> <p>Thanks <a href="https://hackerone.com/xanbanx">@xanbanx</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-14">Versions Affected</h3> <p>Affects GitLab 11.8 and later.</p> <h3 id="remediation-14">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="update-pcre-dependency">Update PCRE Dependency</h2> <p>The libpcre library (PCRE) has been upgraded from 8.42 to 8.44. This upgrade includes a security fix for CVE-2020-14155.</p> <h3 id="versions-affected-15">Versions Affected</h3> <p>Affects all previous versions of GitLab Omnibus.</p> <h2 id="update-kaminari-gem">Update Kaminari Gem</h2> <p>Using Kaminari before 1.2.1, an attacker could inject arbitrary code into pages with pagination links. 
This upgrade includes a security fix for CVE-2020-11082.</p> <h3 id="versions-affected-16">Versions Affected</h3> <p>Affects all previous versions of GitLab Omnibus.</p> <h2 id="update-xtermjs">Update Xterm.js</h2> <p>A remote code execution vulnerability exists in xterm.js before 3.9.2. This upgrade includes a security fix for CVE-2019-0542.</p> <h3 id="versions-affected-17">Versions Affected</h3> <p>Affects all previous versions of GitLab Omnibus.</p> <h3 id="remediation-15">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">update page</a>.</p> <h2 id="receive-security-release-notifications">Receive Security Release Notifications</h2> <p>To receive security release blog notifications delivered to your inbox, visit our <a href="https://about.gitlab.com/company/contact/">contact us</a> page. To receive security release blog notifications via RSS, subscribe to our <a href="https://about.gitlab.com/security-releases.xml">RSS feed</a>.</p> GitLab Critical Security Release: 13.0.6, 12.10.11, 12.9.10 https://about.gitlab.com/releases/2020/06/10/critical-security-release-13-0-6-released/ 2020-06-10T00:00:00+00:00 2020-06-10T00:00:00+00:00 Jeremy Matos <p>Today we are releasing versions 13.0.6, 12.10.11, 12.9.10 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.</p> <p>GitLab releases patches for vulnerabilities in dedicated security releases. 
There are <a href="/security/#gitlab-security-releases">two types of security releases</a>: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. You can see all of our regular and security release blog posts <a href="/releases/categories/releases/">here</a>. In addition, the issues detailing each vulnerability are made public on our <a href="https://gitlab.com/gitlab-org/gitlab/issues?label_name%5B%5D=security&amp;scope=all&amp;state=opened">issue tracker</a> 30 days after the release in which they were patched.</p> <p>We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more <a href="https://about.gitlab.com/blog/gitlab-instance-security-best-practices/">best practices in securing your GitLab instance</a> in our blog post.</p> <h2 id="ci-token-access-control">CI Token Access Control</h2> <p>An authorization issue discovered in the mirroring logic allowed read access to private repositories. 
This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13277">CVE-2020-13277</a>.</p> <p>Thanks to <a href="https://hackerone.com/u3mur4">@u3mur4</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected">Versions Affected</h3> <p>Affects GitLab EE 10.6 and later.</p> <h3 id="remediation">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">update page</a>.</p> <h2 id="receive-security-release-notifications">Receive Security Release Notifications</h2> <p>To receive security release blog notifications delivered to your inbox, visit our <a href="https://about.gitlab.com/company/contact/">contact us</a> page. To receive security release blog notifications via RSS, subscribe to our <a href="https://about.gitlab.com/security-releases.xml">RSS feed</a>.</p> GitLab Critical Security Release: 13.0.4, 12.10.9, 12.9.9 https://about.gitlab.com/releases/2020/06/03/critical-security-release-13-0-4-released/ 2020-06-03T00:00:00+00:00 2020-06-03T00:00:00+00:00 Costel Maxim <p>Today we are releasing versions 13.0.4, 12.10.9, 12.9.9 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.</p> <p>GitLab releases patches for vulnerabilities in dedicated security releases. 
There are <a href="/security/#gitlab-security-releases">two types of security releases</a>: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. You can see all of our regular and security release blog posts <a href="/releases/categories/releases/">here</a>. In addition, the issues detailing each vulnerability are made public on our <a href="https://gitlab.com/gitlab-org/gitlab/issues?label_name%5B%5D=security&amp;scope=all&amp;state=opened">issue tracker</a> 30 days after the release in which they were patched.</p> <p>We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more <a href="https://about.gitlab.com/blog/gitlab-instance-security-best-practices/">best practices in securing your GitLab instance</a> in our blog post.</p> <h2 id="ci-token-access-control">CI Token Access Control</h2> <p>An authorization issue discovered in the CI jobs token handling allowed read access to public projects with restricted repositories. 
This issue is now mitigated in the latest release and is waiting for a CVE ID to be assigned.</p> <p>Thanks to <a href="https://hackerone.com/u3mur4">@u3mur4</a> and @enumzero for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected">Versions Affected</h3> <p>Affects GitLab EE 10.6 and later.</p> <h3 id="remediation">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">update page</a>.</p> <h2 id="receive-security-release-notifications">Receive Security Release Notifications</h2> <p>To receive security release blog notifications delivered to your inbox, visit our <a href="https://about.gitlab.com/company/contact/">contact us</a> page. To receive security release blog notifications via RSS, subscribe to our <a href="https://about.gitlab.com/security-releases.xml">RSS feed</a>.</p> GitLab Security Release: 13.0.1, 12.10.7, 12.9.8 https://about.gitlab.com/releases/2020/05/27/security-release-13-0-1-released/ 2020-05-27T00:00:00+00:00 2020-05-27T00:00:00+00:00 Juan Broullon <p>Today we are releasing versions 13.0.1, 12.10.7, 12.9.8 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.</p> <p>GitLab releases patches for vulnerabilities in dedicated security releases. There are <a href="/security/#gitlab-security-releases">two types of security releases</a>: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. 
You can see all of our regular and security release blog posts <a href="/releases/categories/releases/">here</a>. In addition, the issues detailing each vulnerability are made public on our <a href="https://gitlab.com/gitlab-org/gitlab/issues?label_name%5B%5D=security&amp;scope=all&amp;state=opened">issue tracker</a> 30 days after the release in which they were patched.</p> <p>We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to at least the latest security release for their supported version. You can read more <a href="https://about.gitlab.com/blog/gitlab-instance-security-best-practices/">best practices in securing your GitLab instance</a> in our blog post.</p> <h2 id="user-email-verification-bypass">User Email Verification Bypass</h2> <p>A security issue allowed users to bypass the email verification process. This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13265">CVE-2020-13265</a>.</p> <p>Thanks to <a href="https://hackerone.com/zapprising">@zapprising</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected">Versions Affected</h3> <p>Affects GitLab CE/EE 12.5 and later.</p> <h3 id="remediation">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="oauth-flow-missing-email-verification-checks">OAuth Flow Missing Email Verification Checks</h2> <p>A vulnerability allowed unverified users to use OAuth authorization code flow, which could potentially affect third party applications that use GitLab as an identity provider. 
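</p> <p>The following Ruby model is an example added to this page; it is not GitLab's or Doorkeeper's code and does not reproduce how GitLab's fixes are implemented. It sketches an OAuth 2.0 authorization-code server with the two checks that this issue and the "Insufficient OAuth Revocation" issue (CVE-2020-13294) earlier on this page concern: refusing the consent step for a user whose e-mail address is unverified, and, when a user revokes an application, revoking not only its issued tokens but also any authorization code the application has not yet redeemed. The <code>strict:</code> switch, the <code>User</code>, <code>AccessGrant</code> and <code>AccessToken</code> structs, the application ids and the injectable clock are all constructed for the example.</p>

```ruby
# Added example (not GitLab's or Doorkeeper's code): an in-memory OAuth 2.0
# authorization-code server with the two checks discussed on this page.
#   strict: false -> weak behaviour: unverified users may authorize apps and
#                    "revoke application" only touches issued access tokens
#   strict: true  -> hardened behaviour
# User/AccessGrant/AccessToken, the app ids and the clock are constructed here.
require 'securerandom'

User        = Struct.new(:id, :email_verified)
AccessGrant = Struct.new(:code, :user_id, :app_id, :expires_at, :revoked_at) # authorization code
AccessToken = Struct.new(:token, :refresh_token, :user_id, :app_id, :revoked_at)

class AuthorizationError < StandardError; end

class AuthServer
  attr_reader :grants, :tokens

  # The clock is injectable so that code expiry can be exercised deterministically.
  def initialize(strict: true, clock: -> { Time.now.to_i })
    @strict = strict
    @clock  = clock
    @grants = []
    @tokens = []
  end

  # Consent step: the user approves an application and the server mints a short-lived code.
  # An identity provider must refuse this step for an unverified e-mail address, because
  # relying parties can only trust what the provider asserts about the user.
  def authorize(user, app_id, ttl: 600)
    raise AuthorizationError, 'e-mail address not verified' if @strict && !user.email_verified
    grant = AccessGrant.new(SecureRandom.hex(16), user.id, app_id, @clock.call + ttl, nil)
    @grants << grant
    grant.code
  end

  # Token step: the application redeems the code exactly once; revoked or expired codes fail.
  def exchange(code)
    grant = @grants.find { |g| g.code == code }
    return nil if grant.nil? || grant.revoked_at || grant.expires_at <= @clock.call
    grant.revoked_at = @clock.call
    mint(grant.user_id, grant.app_id)
  end

  # Refresh step: only a live token's refresh_token can be rotated.
  def refresh(refresh_token)
    old = @tokens.find { |t| t.refresh_token == refresh_token && t.revoked_at.nil? }
    return nil unless old
    old.revoked_at = @clock.call
    mint(old.user_id, old.app_id)
  end

  def token_valid?(token)
    @tokens.any? { |t| t.token == token && t.revoked_at.nil? }
  end

  # "Revoke application" from the user's settings page.
  def revoke_application(user, app_id)
    now = @clock.call
    @tokens.each { |t| t.revoked_at ||= now if t.user_id == user.id && t.app_id == app_id }
    return unless @strict
    # Hardened: a code the application has not redeemed yet is just as much a credential
    # as a token, so it is revoked in the same sweep.
    @grants.each { |g| g.revoked_at ||= now if g.user_id == user.id && g.app_id == app_id }
  end

  private

  def mint(user_id, app_id)
    token = AccessToken.new(SecureRandom.hex(16), SecureRandom.hex(16), user_id, app_id, nil)
    @tokens << token
    token
  end
end

# Scenario: the user consents twice; the application redeems one code and still holds the
# other (a slow or malicious client), then the user revokes the application. Returns true
# if the application can still obtain or keep a usable token afterwards.
def app_survives_revocation?(strict:)
  server  = AuthServer.new(strict: strict)
  user    = User.new(1, true)
  pending = server.authorize(user, 'app-42')
  live    = server.exchange(server.authorize(user, 'app-42'))
  server.revoke_application(user, 'app-42')
  server.token_valid?(live.token) ||
    !server.refresh(live.refresh_token).nil? ||
    !server.exchange(pending).nil?
end

if __FILE__ == $PROGRAM_NAME
  puts "weak revocation, app keeps access:     #{app_survives_revocation?(strict: false)}"
  puts "hardened revocation, app keeps access: #{app_survives_revocation?(strict: true)}"
end
```

<p>Run as a script, the weak configuration reports that the application still obtains a token after the user revoked it (the unredeemed code is exchanged successfully), while the hardened configuration does not. The points for reviewers are that "revoke application" has to sweep every credential artifact keyed on the (user, application) pair, not just the rows named "token", and that e-mail verification belongs at the consent step of the identity provider, since that is the only place a relying party's trust can be enforced.</p> <p>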
This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13272">CVE-2020-13272</a>.</p> <p>Thanks to <a href="https://hackerone.com/peet86">@peet86</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-1">Versions Affected</h3> <p>Affects GitLab CE/EE 12.3 and later.</p> <h3 id="remediation-1">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="notification-email-verification-bypass">Notification Email Verification Bypass</h2> <p>A vulnerability was identified that allowed users to set an unverified email address as their notification email. This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13276">CVE-2020-13276</a>.</p> <p>Thanks to <a href="https://hackerone.com/rgupt">@rgupt</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-2">Versions Affected</h3> <p>Affects all previous GitLab CE/EE versions.</p> <h3 id="remediation-2">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="server-side-request-forgery-in-grafana">Server-Side Request Forgery in Grafana</h2> <p>A vulnerability in Grafana allowed unauthenticated users to send HTTP requests to internal network resources and read their responses. Further details are available <a href="https://grafana.com/blog/grafana-6.7.4-and-7.0.2-released-with-important-security-fix/">on the Grafana blog</a>. 
This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13379">CVE-2020-13379</a>.</p> <p>Thanks to <a href="https://hackerone.com/rhynorater">@rhynorater</a> and <a href="https://hackerone.com/nnwakelam">@nnwakelam</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-3">Versions Affected</h3> <p>Affects GitLab EE/CE 11.9 and later.</p> <h3 id="remediation-3">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="group-sign-up-restriction-bypass">Group Sign-Up Restriction Bypass</h2> <p>A user with an unverified address within the restricted domain could request access to domain restricted groups. This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13275">CVE-2020-13275</a>.</p> <p>Thanks to <a href="https://hackerone.com/izzsec">@izzsec</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-4">Versions Affected</h3> <p>Affects GitLab EE/CE 12.2 and later.</p> <h3 id="remediation-4">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="mirror-project-owner-impersonation">Mirror Project Owner Impersonation</h2> <p>A security issue related to mirror project deletions could lead to the impersonation of its owner. 
This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13263">CVE-2020-13263</a>.</p> <p>Please note that the edit project API endpoint has been restricted and only admin users have the ability to set the <code>mirror_user_id</code>.</p> <p>Thanks to <a href="https://hackerone.com/sky003">@sky003</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-5">Versions Affected</h3> <p>Affects GitLab EE 9.5 and later.</p> <h3 id="remediation-5">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="missing-permission-check-on-fork-relation-creation">Missing Permission Check on Fork Relation Creation</h2> <p>A missing security check allowed guest users to create a fork relation on restricted public projects. This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13270">CVE-2020-13270</a>.</p> <p>Thanks <a href="https://hackerone.com/ashish_r_padelkar">@ashish_r_padelkar</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-6">Versions Affected</h3> <p>Affects GitLab CE/EE 11.3 and later.</p> <h3 id="remediation-6">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="cross-site-scripting-in-repository-files-api">Cross-Site Scripting in Repository Files API</h2> <p>Under certain conditions, requests involving the repository files API could result in an XSS vulnerability. 
This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13271">CVE-2020-13271</a>.</p> <p>Thanks <a href="https://hackerone.com/rpadovani">@rpadovani</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-7">Versions Affected</h3> <p>Affects all previous GitLab EE versions.</p> <h3 id="remediation-7">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="kubernetes-cluster-token-disclosure">Kubernetes Cluster Token Disclosure</h2> <p>A security issue made the Kubernetes cluster token visible to other group maintainers. This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13264">CVE-2020-13264</a>.</p> <p>Thanks <a href="https://hackerone.com/xanbanx">@xanbanx</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-8">Versions Affected</h3> <p>Affects GitLab CE/EE 10.3 and later.</p> <h3 id="remediation-8">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="object-storage-file-enumeration">Object Storage File Enumeration</h2> <p>A specially crafted request could be used to confirm the existence of files hosted on object storage services, without disclosing their contents. 
This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13268">CVE-2020-13268</a>.</p> <p>Thanks <a href="https://hackerone.com/ledz1996">@ledz1996</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-9">Versions Affected</h3> <p>Affects GitLab CE/EE 12.10 and later.</p> <h3 id="remediation-9">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="insecure-authorization-check-on-project-deploy-keys">Insecure Authorization Check on Project Deploy Keys</h2> <p>An insecure authorization check allowed updating permissions of other users' deploy keys under certain conditions. This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13266">CVE-2020-13266</a>.</p> <p>This vulnerability has been discovered internally by the GitLab Security Team.</p> <h3 id="versions-affected-10">Versions Affected</h3> <p>Affects GitLab CE/EE 12.8 and later.</p> <h3 id="remediation-10">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="cross-site-scripting-on-metrics-dashboard">Cross-Site Scripting on Metrics Dashboard</h2> <p>A Stored Cross-Site Scripting vulnerability allowed the execution of JavaScript payloads on the Metrics Dashboard. 
This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13267">CVE-2020-13267</a>.</p> <p>Thanks <a href="https://hackerone.com/xanbanx">@xanbanx</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-11">Versions Affected</h3> <p>Affects GitLab CE/EE 12.8 and later.</p> <h3 id="remediation-11">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="denial-of-service-on-custom-dashboards">Denial of Service on Custom Dashboards</h2> <p>A security issue enabled denial of service attacks via memory exhaustion. This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13273">CVE-2020-13273</a>.</p> <p>This vulnerability was discovered internally by the GitLab team.</p> <h3 id="versions-affected-12">Versions Affected</h3> <p>Affects GitLab CE/EE 12.0 and later.</p> <h3 id="remediation-12">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="client-side-code-injection-through-mermaid-markup">Client-Side Code Injection through Mermaid Markup</h2> <p>A specially crafted Mermaid payload allowed performing PUT requests on behalf of other users when clicking on a link. 
This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13262">CVE-2020-13262</a>.</p> <p>Thanks <a href="https://hackerone.com/yvvdwf">@yvvdwf</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-13">Versions Affected</h3> <p>Affects GitLab CE/EE 12.9 and later.</p> <h3 id="remediation-13">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="cross-site-scripting-on-static-site-editor">Cross-Site Scripting on Static Site Editor</h2> <p>A Reflected Cross-Site Scripting vulnerability was discovered on the Static Site Editor. This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13269">CVE-2020-13269</a>.</p> <p>Thanks <a href="https://hackerone.com/bull">@bull</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-14">Versions Affected</h3> <p>Affects GitLab CE/EE 12.10 and later.</p> <h3 id="remediation-14">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="disclosure-of-amazon-eks-credentials">Disclosure of Amazon EKS Credentials</h2> <p>Amazon EKS Credentials were disclosed to other administrators of an instance through HTML source code. 
This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13261">CVE-2020-13261</a>.</p> <p>Thanks <a href="https://hackerone.com/xanbanx">@xanbanx</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-15">Versions Affected</h3> <p>Affects GitLab CE/EE 12.6 and later.</p> <h3 id="remediation-15">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="denial-of-service-on-workhorse">Denial of Service on Workhorse</h2> <p>A security issue allowed denial of service attacks through memory exhaustion by uploading malicious artifacts. This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13274">CVE-2020-13274</a>.</p> <p>This vulnerability has been discovered internally by the GitLab Team.</p> <h3 id="versions-affected-16">Versions Affected</h3> <p>Affects all previous GitLab CE/EE versions.</p> <h3 id="remediation-16">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="update-ruby">Update Ruby</h2> <p>Ruby upgrades to version 2.6.6 have been backported to previous versions of GitLab. 
This upgrade includes security fixes for <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8130">CVE-2020-8130</a>.</p> <h3 id="versions-affected-17">Versions Affected</h3> <p>Affects GitLab CE/EE 12.0 and later.</p> <h3 id="remediation-17">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">update page</a>.</p> <h2 id="receive-security-release-notifications">Receive Security Release Notifications</h2> <p>To receive security release blog notifications delivered to your inbox, visit our <a href="https://about.gitlab.com/company/contact/">contact us</a> page. To receive security release blog notifications via RSS, subscribe to our <a href="https://about.gitlab.com/security-releases.xml">RSS feed</a>.</p> GitLab Security Release: 12.10.2, 12.9.5, 12.8.10 https://about.gitlab.com/releases/2020/04/30/security-release-12-10-2-released/ 2020-04-30T00:00:00+00:00 Dominic Couture <p>Today we are releasing versions 12.10.2, 12.9.5, 12.8.10 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.</p> <p>The vulnerability details will be made public on our <a href="https://gitlab.com/gitlab-org/gitlab/issues?label_name%5B%5D=security&amp;scope=all&amp;state=opened">issue tracker</a> in approximately 30 days.</p> <p>Please read on for more information regarding this release.</p> <h2 id="path-traversal-in-nuget-package-registry">Path Traversal in NuGet Package Registry</h2> <p>It was possible to use a malicious NuGet package to read any 
<code>*.nupkg</code> file on the system. This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12448">CVE-2020-12448</a>.</p> <p>Thanks <a href="https://hackerone.com/saltyyolk">@saltyyolk of Chaitin Tech</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected">Versions Affected</h3> <p>Affects GitLab EE 12.8 and later.</p> <h3 id="remediation">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="workhorse-bypass-leads-to-file-disclosure">Workhorse Bypass Leads to File Disclosure</h2> <p>A specially crafted request could bypass the GitLab Workhorse and read files in certain specific paths on the server. This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12448">CVE-2020-12448</a>.</p> <p>Thanks <a href="https://hackerone.com/vakzz">@vakzz</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-1">Versions Affected</h3> <p>Affects GitLab EE/CE 11.5 and later.</p> <h3 id="remediation-1">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="oauth-application-client-secrets-revealed">OAuth Application Client Secrets Revealed</h2> <p>A vulnerability allowed any user to retrieve OAuth application client secrets after authorizing. 
This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10187">CVE-2020-10187</a>.</p> <p>Thanks <a href="https://hackerone.com/stefansundin">@stefansundin</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-2">Versions Affected</h3> <p>Affects GitLab EE/CE 12.8 and later.</p> <h3 id="remediation-2">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible. Additionally, the OAuth client secrets should be rotated if your HTTP logs show that the <code>/oauth/authorized_applications.json</code> path has been accessed.</p> <h2 id="code-owners-approval-rules-are-not-updated-for-existing-merge-requests-when-source-branch-changes">Code Owners Approval Rules Are Not Updated for Existing Merge Requests When Source Branch Changes</h2> <p>It was possible to bypass code owners approval by committing changes in a specific order. This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12449">CVE-2020-12449</a>.</p> <p>Thanks <a href="https://gitlab.com/nathanielwyliet">@nathanielwyliet</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-3">Versions Affected</h3> <p>Affects GitLab EE 12.6 and later.</p> <h3 id="remediation-3">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="code-owners-protection-not-enforced-from-web-ui">Code Owners Protection Not Enforced from Web UI</h2> <p>It was possible to bypass code owners approval by committing changes through the web interface. 
This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12451">CVE-2020-12451</a>.</p> <p>Thanks <a href="https://gitlab.com/zane.wright">@zane.wright</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-4">Versions Affected</h3> <p>Affects GitLab EE 12.9 and later.</p> <h3 id="remediation-4">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="repository-mirror-passwords-exposed-to-maintainers">Repository Mirror Passwords Exposed To Maintainers</h2> <p>When a maintainer deleted a repository mirror, the HTTP response contained the passwords set for the other mirrors on the same repository. This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12450">CVE-2020-12450</a>.</p> <h3 id="versions-affected-5">Versions Affected</h3> <p>Affects GitLab EE/CE 11.6 and later.</p> <h3 id="remediation-5">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="admin-audit-log-page-denial-of-service">Admin Audit Log Page Denial of Service</h2> <p>A specific API call could make the admin audit log page inaccessible. 
This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12452">CVE-2020-12452</a>.</p> <p>Thanks <a href="https://hackerone.com/xanbanx">@xanbanx</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-6">Versions Affected</h3> <p>Affects GitLab EE 12.7 and later.</p> <h3 id="remediation-6">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="private-project-id-revealed-through-group-api">Private Project ID Revealed Through Group API</h2> <p>If a public group contained a private project that was used as a template, its ID was revealed in the group API. This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12453">CVE-2020-12453</a>.</p> <p>Thanks <a href="https://hackerone.com/ashish_r_padelkar">@ashish_r_padelkar</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-7">Versions Affected</h3> <p>Affects GitLab EE 11.5 and later.</p> <h3 id="remediation-7">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="elasticsearch-credentials-logged-to-elk">Elasticsearch Credentials Logged to ELK</h2> <p>The data logged in ELK after modifying the Elasticsearch integration through the admin setting page contained credentials. 
This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12454">CVE-2020-12454</a>.</p> <h3 id="versions-affected-8">Versions Affected</h3> <p>Affects GitLab EE 8.4 and later.</p> <h3 id="remediation-8">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="github-personal-access-token-exposed-on-integrations-page">GitHub Personal Access Token Exposed on Integrations Page</h2> <p>The GitHub Personal Access Token field was not masked on the integration settings page. This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12455">CVE-2020-12455</a>.</p> <p>Thanks <a href="https://gitlab.com/kylifornication">@kylifornication</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-9">Versions Affected</h3> <p>Affects GitLab EE 10.6 and later.</p> <h3 id="remediation-9">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="update-nokogiri-dependency-in-gitaly">Update Nokogiri dependency in Gitaly</h2> <p>The Nokogiri dependency has been upgraded to 1.10.9 in Gitaly. This upgrade includes a security fix for <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7595">CVE-2020-7595</a>.</p> <h3 id="versions-affected-10">Versions Affected</h3> <p>Affects all previous versions of GitLab CE/EE.</p> <h3 id="remediation-10">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="update-openssl-dependency">Update OpenSSL Dependency</h2> <p>The OpenSSL dependency has been upgraded from 1.1.1f to 1.1.1g. 
This upgrade includes a security fix for <a href="https://www.openssl.org/news/secadv/20200421.txt">CVE-2020-1967</a>.</p> <h3 id="versions-affected-11">Versions Affected</h3> <p>Affects GitLab Omnibus 12.4 and later.</p> <h3 id="remediation-11">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="update-git">Update git</h2> <p>git has been updated to version 2.24.3. This upgrade includes a security fix for <a href="https://lore.kernel.org/git/xmqq4kterq5s.fsf@gitster.c.googlers.com/">CVE-2020-11008</a>.</p> <h3 id="versions-affected-12">Versions Affected</h3> <p>Affects all previous versions of GitLab Omnibus.</p> <h3 id="remediation-12">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">update page</a>.</p> <h2 id="receive-security-release-notifications">Receive Security Release Notifications</h2> <p>To receive security release blog notifications delivered to your inbox, visit our <a href="https://about.gitlab.com/company/contact/">contact us</a> page. 
To receive security release blog notifications via RSS, subscribe to our <a href="https://about.gitlab.com/security-releases.xml">RSS feed</a>.</p> GitLab Critical Security Release: 12.9.3, 12.8.9, and 12.7.9 https://about.gitlab.com/releases/2020/04/14/critical-security-release-gitlab-12-dot-9-dot-3-released/ 2020-04-14T00:00:00+00:00 Jeremy Matos <p>Today we are releasing versions 12.9.3, 12.8.9, and 12.7.9 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.</p> <p>NOTE: The GPG keys used to sign GitLab packages have changed. If you see errors due to signature verification or GPG errors, be sure to update these public keys. See <a href="https://about.gitlab.com/blog/gpg-key-for-gitlab-package-repositories-metadata-changing/">this blog post</a> for more details.</p> <p>The vulnerability details will be made public on our <a href="https://gitlab.com/gitlab-org/gitlab/issues?label_name%5B%5D=security&amp;scope=all&amp;state=opened">issue tracker</a> in approximately 30 days.</p> <p>Please read on for more information regarding this release.</p> <h2 id="nuget-package-and-file-disclosure-through-gitlab-workhorse">NuGet Package and File Disclosure through GitLab Workhorse</h2> <p>An internal investigation revealed that a particular header could be used to override restrictions and result in GitLab Workhorse disclosing NuGet packages and files in the <code>/tmp</code> directory. 
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11505">CVE-2020-11505</a>.</p> <p>Thanks to <a href="https://hackerone.com/vakzz">@vakzz</a> for also responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected">Versions Affected</h3> <p>Affects GitLab EE 12.8.0 and later.</p> <h3 id="remediation">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="job-artifact-uploads-and-file-disclosure-through-gitlab-workhorse">Job Artifact Uploads and File Disclosure through GitLab Workhorse</h2> <p>An internal investigation revealed that a particular header could be used to override restrictions and result in GitLab Workhorse disclosing job artifact uploads and files in the <code>/tmp</code> directory. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11506">CVE-2020-11506</a>.</p> <p>Thanks to <a href="https://hackerone.com/manassehzhou">@manassehzhou</a> for also responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-1">Versions Affected</h3> <p>Affects GitLab EE/CE 10.7.0 and later.</p> <h3 id="remediation-1">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="incorrect-membership-following-group-removal">Incorrect membership following group removal</h2> <p>An internal investigation revealed that members of a group could still have access after a group is deleted. 
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11649">CVE-2020-11649</a>.</p> <h3 id="versions-affected-2">Versions Affected</h3> <p>Affects GitLab EE/CE 8.15 and later.</p> <h3 id="remediation-2">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="logging-of-praefect-tokens">Logging of Praefect tokens</h2> <p>An internal investigation revealed that Praefect tokens were logged by Gitaly. The issue is now fixed.</p> <h3 id="versions-affected-3">Versions Affected</h3> <p>Affects GitLab Omnibus 12.3 and later.</p> <h3 id="remediation-3">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="update-rack-dependency">Update Rack dependency</h2> <p>The Rack dependency and its related gems have been upgraded to 2.0.9. 
This upgrade includes a security fix for <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16782">CVE-2019-16782</a>.</p> <h3 id="versions-affected-4">Versions Affected</h3> <p>Affects all previous versions of GitLab CE/EE.</p> <h3 id="remediation-4">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="update-openssl-dependency">Update OpenSSL dependency</h2> <p>The OpenSSL dependency has been upgraded from 1.1.1d to 1.1.1f to include these <a href="https://www.openssl.org/news/changelog.html#openssl-111">improvements</a>.</p> <h3 id="versions-affected-5">Versions Affected</h3> <p>Affects all previous versions of GitLab Omnibus.</p> <h3 id="remediation-5">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">update page</a>.</p> <h2 id="receive-security-release-notifications">Receive Security Release Notifications</h2> <p>To receive security release blog notifications delivered to your inbox, visit our <a href="https://about.gitlab.com/company/contact/">contact us</a> page. 
To receive security release blog notifications via RSS, subscribe to our <a href="https://about.gitlab.com/security-releases.xml">RSS feed</a>.</p> GitLab Security Release: 12.9.1, 12.8.8, and 12.7.8 https://about.gitlab.com/releases/2020/03/26/security-release-12-dot-9-dot-1-released/ 2020-03-26T00:00:00+00:00 Vitor Meireles De Sousa <p>Today we are releasing versions 12.9.1, 12.8.8, and 12.7.8 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.</p> <p>The vulnerability details will be made public on our <a href="https://gitlab.com/gitlab-org/gitlab/issues?label_name%5B%5D=security&amp;scope=all&amp;state=opened">issue tracker</a> in approximately 30 days.</p> <p>Please read on for more information regarding this release.</p> <h2 id="arbitrary-file-read-when-moving-an-issue">Arbitrary File Read when Moving an Issue</h2> <p>An arbitrary local file read was possible when moving issues between projects. This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10977">CVE-2020-10977</a>.</p> <p>Thanks <a href="https://hackerone.com/vakzz">@vakzz</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected">Versions Affected</h3> <p>Affects GitLab EE/CE 8.5 and later.</p> <h3 id="remediation">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="path-traversal-in-npm-package-registry">Path Traversal in NPM Package Registry</h2> <p>The NPM package registry was vulnerable to a path traversal issue. 
This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10953">CVE-2020-10953</a>.</p> <p>Thanks to <a href="https://hackerone.com/saltyyolk">@saltyyolk</a> of Chaitin Tech for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-1">Versions Affected</h3> <p>Affects GitLab EE 11.7 and later.</p> <h3 id="remediation-1">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="ssrf-on-project-import">SSRF on Project Import</h2> <p>An SSRF issue was discovered in the project import note feature. This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10956">CVE-2020-10956</a>.</p> <p>Thanks <a href="https://hackerone.com/vakzz">@vakzz</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-2">Versions Affected</h3> <p>Affects GitLab 8.10 and later.</p> <h3 id="remediation-2">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="external-users-can-create-personal-snippet">External Users Can Create Personal Snippet</h2> <p>Insufficient access verification led to unauthorized creation of personal snippets through the API by an external user. 
This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12275">CVE-2020-12275</a>.</p> <p>Thanks to the GitLab team for finding and reporting this issue.</p> <h3 id="versions-affected-3">Versions Affected</h3> <p>Affects GitLab EE/CE 12.6 and later.</p> <h3 id="remediation-3">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="triggers-decription-can-be-updated-by-other-maintainers-in-project">Trigger Description Can Be Updated by Other Maintainers in Project</h2> <p>A maintainer could modify other maintainers' pipeline trigger descriptions within the same project. This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10981">CVE-2020-10981</a>.</p> <p>Thanks to <a href="https://hackerone.com/ashish_r_padelkar">@ashish_r_padelkar</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-4">Versions Affected</h3> <p>Affects GitLab EE/CE 9.0 and later.</p> <h3 id="remediation-4">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="information-disclosure-on-confidential-issues-moved-to-private-programs">Information Disclosure on Confidential Issues Moved to Private Projects</h2> <p>Issues opened in a public project and then moved to a private project revealed the private project's namespace through the Web UI and the GraphQL API. 
This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10978">CVE-2020-10978</a>.</p> <p>Thanks to <a href="https://hackerone.com/0xwintermute">@0xwintermute</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-5">Versions Affected</h3> <p>Affects GitLab EE/CE 8.11 and later.</p> <h3 id="remediation-5">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="potential-dos-in-repository-archive-download">Potential DoS in Repository Archive Download</h2> <p>Repository archive downloads could be abused to cause large resource consumption on an instance. This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10954">CVE-2020-10954</a>.</p> <p>Thanks to the GitLab team for finding and reporting this issue.</p> <h3 id="versions-affected-6">Versions Affected</h3> <p>Affects all previous versions of GitLab CE/EE.</p> <h3 id="remediation-6">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="blocked-users-can-still-pullpush-docker-images">Blocked Users Can Still Pull/Push Docker Images</h2> <p>Under certain circumstances a blocked user still had the ability to pull images from the internal container registry of any project to which the user had access. 
This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10952">CVE-2020-10952</a>.</p> <p>Thanks <a href="https://hackerone.com/logan5">@logan5</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-7">Versions Affected</h3> <p>Affects GitLab EE/CE 8.11 and later.</p> <h3 id="remediation-7">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="repository-mirroring-not-disabled-when-feature-not-activated">Repository Mirroring not Disabled when Feature not Activated</h2> <p>A project repository could still be mirrored when the feature was not enabled. This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12277">CVE-2020-12277</a>.</p> <p>Thanks <a href="https://hackerone.com/adam__b">@adam__b</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-8">Versions Affected</h3> <p>Affects GitLab EE/CE 10.8 and later.</p> <h3 id="remediation-8">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="vulnerability-feedback-page-was-leaking-information-on-vulnerabilities">Vulnerability Feedback Page Was Leaking Information on Vulnerabilities</h2> <p>The vulnerability feedback page was leaking metadata and comments on vulnerabilities to unauthorized users. 
This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10975">CVE-2020-10975</a>.</p> <p>Thanks to <a href="https://hackerone.com/rpadovani">@rpadovani</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-9">Versions Affected</h3> <p>Affects GitLab EE/CE 10.8 and later.</p> <h3 id="remediation-9">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="stored-xss-vulnerability-in-admin-feature">Stored XSS Vulnerability in Admin Feature</h2> <p>A stored XSS vulnerability was discovered in an admin notification feature. This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12276">CVE-2020-12276</a>.</p> <p>Thanks to the GitLab team for finding and reporting this issue.</p> <h3 id="versions-affected-10">Versions Affected</h3> <p>Affects GitLab EE/CE 9.5.9 and later.</p> <h3 id="remediation-10">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="upload-feature-allowed-a-user-to-read-unauthorized-exported-files">Upload Feature Allowed a User to Read Unauthorized Exported Files</h2> <p>The upload feature was vulnerable to parameter tampering, allowing an unauthorized user to read content available under specific folders. 
This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10955">CVE-2020-10955</a>.</p> <p>Thanks to <a href="https://hackerone.com/manassehzhou">@manassehzhou</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-11">Versions Affected</h3> <p>Affects GitLab EE/CE 11.1 and later.</p> <h3 id="remediation-11">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="unauthorized-users-are-able-to-see-ci-metrics">Unauthorized Users Are Able to See CI Metrics</h2> <p>Members could see the metrics of a CI pipeline even when that pipeline was restricted. This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10979">CVE-2020-10979</a>.</p> <p>Thanks to <a href="https://hackerone.com/xanbanx">@xanbanx</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-12">Versions Affected</h3> <p>Affects GitLab EE/CE 11.10 and later.</p> <h3 id="remediation-12">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="last-pipeline-status-of-a-merge-request-leaked">Last Pipeline Status of a Merge Request Leaked</h2> <p>The last status of a restricted pipeline was returned through a query in the merge request widget. 
This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10976">CVE-2020-10976</a>.</p> <p>Thanks to <a href="https://hackerone.com/xanbanx">@xanbanx</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-13">Versions Affected</h3> <p>Affects GitLab EE/CE 8.17 and later.</p> <h3 id="remediation-13">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="blind-ssrf-on-fogbugz">Blind SSRF on FogBugz</h2> <p>A blind SSRF was discovered in the FogBugz integration. This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10980">CVE-2020-10980</a>.</p> <p>Thanks to <a href="https://hackerone.com/ngalog">@ngalog</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-14">Versions Affected</h3> <p>Affects GitLab EE/CE 8.0 and later.</p> <h3 id="remediation-14">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="update-nokogiri-dependency">Update Nokogiri dependency</h2> <p>The Nokogiri dependency has been upgraded to 1.10.8. This upgrade includes a security fix for <a href="https://github.com/advisories/GHSA-7553-jr98-vx47">CVE-2020-7595</a>.</p> <h3 id="versions-affected-15">Versions Affected</h3> <p>Affects all previous versions of GitLab CE/EE.</p> <h3 id="remediation-15">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="update-pcre2-dependency">Update Pcre2 dependency</h2> <p>The pcre2 dependency has been upgraded to 10.34. 
This upgrade includes a security fix for <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20454">CVE-2019-20454</a>.</p> <h3 id="versions-affected-16">Versions Affected</h3> <p>Affects all previous versions of GitLab CE/EE.</p> <h3 id="remediation-16">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="new-ssh-keys-not-being-added-to-the-authorized_keys-file">New SSH keys not being added to the <code>authorized_keys</code> file</h2> <p>A bug in GitLab 12.9.0 prevented new SSH keys from being added to the Git user's <code>authorized_keys</code> file, effectively breaking Git-over-SSH operations for new users. See issue <a href="https://gitlab.com/gitlab-org/gitlab/-/issues/212178">#212178</a> for full details.</p> <h3 id="versions-affected-17">Versions Affected</h3> <p>Affects GitLab 12.9.0 only.</p> <h3 id="remediation-17">Remediation</h3> <p>Upgrade to GitLab 12.9.1 or later.</p> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">update page</a>.</p> <h2 id="receive-security-release-notifications">Receive Security Release Notifications</h2> <p>To receive security release blog notifications delivered to your inbox, visit our <a href="https://about.gitlab.com/company/contact/">contact us</a> page. 
To receive security release blog notifications via RSS, subscribe to our <a href="https://about.gitlab.com/security-releases.xml">RSS feed</a>.</p> GitLab Critical Security Release: 12.8.6 https://about.gitlab.com/releases/2020/03/11/critical-security-release-gitlab-12-dot-8-dot-6-released/ 2020-03-11T00:00:00+00:00 2020-03-11T00:00:00+00:00 Ethan Strike <p>Today we are releasing version 12.8.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>This version contains an important security fix, and we strongly recommend that all GitLab installations be upgraded to it immediately.</p> <p>The vulnerability details will be made public on our <a href="https://gitlab.com/gitlab-org/gitlab/issues?label_name%5B%5D=security&amp;scope=all&amp;state=opened">issue tracker</a> in approximately 30 days.</p> <p>Please read on for more information regarding this release.</p> <h2 id="email-confirmation-not-required-on-sign-up">Email Confirmation Not Required on Sign-up</h2> <p>With the release of 12.8.0, a soft email confirmation sign-up flow was enabled by default. For instances with sign-up enabled, users were able to sign up and access the instance for a 2 day grace period with an unconfirmed email address, potentially bypassing domain restrictions: an email domain allowlist only proves anything once the registrant has demonstrated control of the address by confirming it. 
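The following is an added illustration of the failure mode described above, written for this page and not taken from GitLab's code base (Ruby is used because GitLab is a Rails application). It places a soft-confirmation access policy next to a strict one: the allowlist, the two-day window, and the account fields are assumptions made for the example, and the accounts are constructed test data.

```ruby
# Added example, not GitLab code: why a soft-confirmation grace period
# undermines an email-domain allowlist. Until the confirmation mail has been
# answered, the domain is only a string the registrant typed in.
Account = Struct.new(:email, :created_at, :confirmed_at, keyword_init: true)

ALLOWED_DOMAINS = ['corp.example'].freeze  # made-up allowlist for the demo
GRACE_PERIOD    = 2 * 24 * 60 * 60         # the two-day window from the advisory, in seconds

# True when the address's domain is on the instance allowlist. Note that this
# says nothing about whether the registrant actually controls that mailbox.
def domain_allowed?(email, allowed = ALLOWED_DOMAINS)
  domain = email.split('@', 2)[1].to_s.downcase
  allowed.include?(domain)
end

# Vulnerable policy (soft confirmation): the typed domain is checked, but a
# fresh, unconfirmed account may use the instance for GRACE_PERIOD seconds.
# Anyone can register "alice@corp.example" and is let in for two days.
def access_allowed_soft?(account, now: Time.now)
  return false unless domain_allowed?(account.email)
  return true if account.confirmed_at

  now - account.created_at < GRACE_PERIOD   # unverified, but admitted anyway
end

# Strict policy (what reverting the soft flow amounts to): no access until the
# address has been confirmed, so the allowlist is backed by proof of control.
def access_allowed_strict?(account)
  domain_allowed?(account.email) && !account.confirmed_at.nil?
end

# Convenience check an operator might run over a list of accounts: which ones
# are currently admitted only because of the grace period?
def grace_period_only(accounts, now: Time.now)
  accounts.select { |a| access_allowed_soft?(a, now: now) && !access_allowed_strict?(a) }
end

if __FILE__ == $PROGRAM_NAME
  t0 = Time.utc(2020, 3, 11, 12, 0, 0)
  imposter = Account.new(email: 'alice@corp.example', created_at: t0, confirmed_at: nil)
  puts "soft policy admits unconfirmed account: #{access_allowed_soft?(imposter, now: t0 + 3600)}"
  puts "strict policy admits it: #{access_allowed_strict?(imposter)}"
end
```

The point of the pair is that `domain_allowed?` is identical in both policies; the bypass is not a bug in the allowlist check but in granting access before the confirmation step that gives the check its meaning.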
The change was reverted and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10535">CVE-2020-10535</a>.</p> <h3 id="versions-affected">Versions Affected</h3> <p>Affects GitLab CE/EE 12.8.0 through 12.8.5.</p> <h3 id="remediation">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">update page</a>.</p> <h2 id="receive-security-release-notifications">Receive Security Release Notifications</h2> <p>To receive security release blog notifications delivered to your inbox, visit our <a href="https://about.gitlab.com/company/contact/">contact us</a> page. To receive security release blog notifications via RSS, subscribe to our <a href="https://about.gitlab.com/security-releases.xml">RSS feed</a>.</p> GitLab Security Release: 12.8.2, 12.7.7, and 12.6.8 https://about.gitlab.com/releases/2020/03/04/gitlab-12-dot-8-dot-2-released/ 2020-03-04T00:00:00+00:00 2020-03-04T00:00:00+00:00 Andrew Kelly <p>Today we are releasing versions 12.8.2, 12.7.7, and 12.6.8 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>The vulnerability details will be made public on our <a href="https://gitlab.com/gitlab-org/gitlab/issues?label_name%5B%5D=security&amp;scope=all&amp;state=opened">issue tracker</a> in approximately 30 days.</p> <p>Please read on for more information regarding this release.</p> <h2 id="directory-traversal-to-arbitrary-file-read">Directory Traversal to Arbitrary File Read</h2> <p>A particular endpoint was vulnerable to a directory traversal vulnerability, leading to arbitrary file read. 
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10086">CVE-2020-10086</a>.</p> <p>Thanks to @nyangawa of Chaitin Tech for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected">Versions Affected</h3> <p>Affects GitLab 10.4 and later.</p> <h3 id="remediation">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="account-takeover-through-expired-link">Account Takeover Through Expired Link</h2> <p>A scenario was discovered in which a GitLab account could be taken over through an expired link. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10074">CVE-2020-10074</a>.</p> <p>Thanks to <a href="https://hackerone.com/gnux">@gnux</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-1">Versions Affected</h3> <p>Affects GitLab 10.1 and later.</p> <h3 id="remediation-1">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="server-side-request-forgery-through-deprecated-service">Server Side Request Forgery Through Deprecated Service</h2> <p>An internal investigation revealed that a particular deprecated service was creating a server side request forgery risk. 
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10077">CVE-2020-10077</a>.</p> <h3 id="versions-affected-2">Versions Affected</h3> <p>Affects GitLab EE 3.0 and later.</p> <h3 id="remediation-2">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="group-two-factor-authentication-requirement-bypass">Group Two-Factor Authentication Requirement Bypass</h2> <p>Under certain conditions where users should have been required to configure two-factor authentication, it was not being required. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10079">CVE-2020-10079</a>.</p> <h3 id="versions-affected-3">Versions Affected</h3> <p>Affects GitLab 7.10 and later.</p> <h3 id="remediation-3">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="stored-xss-in-merge-request-pages">Stored XSS in Merge Request Pages</h2> <p>A stored cross-site scripting vulnerability was discovered when displaying merge requests. 
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10076">CVE-2020-10076</a>.</p> <p>Thanks to <a href="https://hackerone.com/mike12">@mike12</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-4">Versions Affected</h3> <p>Affects GitLab 12.1 and later.</p> <h3 id="remediation-4">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="stored-xss-in-merge-request-submission-form">Stored XSS in Merge Request Submission Form</h2> <p>The merge request submission form was determined to have a stored cross-site scripting vulnerability. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10078">CVE-2020-10078</a>.</p> <p>Thanks to <a href="https://hackerone.com/ashish_r_padelkar">@ashish_r_padelkar</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-5">Versions Affected</h3> <p>Affects GitLab 12.1 and later.</p> <h3 id="remediation-5">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="stored-xss-in-file-view">Stored XSS in File View</h2> <p>A cross-site scripting vulnerability was found when viewing particular file types. 
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10091">CVE-2020-10091</a>.</p> <p>Thanks to <a href="https://hackerone.com/mike12">@mike12</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-6">Versions Affected</h3> <p>Affects GitLab 9.3 and later.</p> <h3 id="remediation-6">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="stored-xss-in-grafana-integration">Stored XSS in Grafana Integration</h2> <p>A cross-site scripting vulnerability was present in a particular view relating to the Grafana integration. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10092">CVE-2020-10092</a>.</p> <p>Thanks to <a href="https://hackerone.com/xanbanx">@xanbanx</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-7">Versions Affected</h3> <p>Affects GitLab 12.1 and later.</p> <h3 id="remediation-7">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="contribution-analytics-exposed-to-non-members">Contribution Analytics Exposed to Non-members</h2> <p>It was possible for certain non-members to access the Contribution Analytics page of a private group. 
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10080">CVE-2020-10080</a>.</p> <p>Thanks to <a href="https://hackerone.com/ashish_r_padelkar">@ashish_r_padelkar</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-8">Versions Affected</h3> <p>Affects GitLab 8.3 and later.</p> <h3 id="remediation-8">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="incorrect-access-control-in-docker-registry-via-deploy-tokens">Incorrect Access Control in Docker Registry via Deploy Tokens</h2> <p>The Docker registry was improperly accessible through a particular set of conditions. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8113">CVE-2020-8113</a>.</p> <p>Thanks to <a href="https://hackerone.com/xanbanx">@xanbanx</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-9">Versions Affected</h3> <p>Affects GitLab 10.7 and later.</p> <h3 id="remediation-9">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="denial-of-service-via-permission-checks">Denial of Service via Permission Checks</h2> <p>It was internally discovered that a potential denial of service involving permissions checks could impact a project home page. 
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10073">CVE-2020-10073</a>.</p> <h3 id="versions-affected-10">Versions Affected</h3> <p>Affects GitLab EE 12.4.2 and later.</p> <h3 id="remediation-10">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="denial-of-service-in-design-for-public-issue">Denial of Service in Design For Public Issue</h2> <p>A denial of service vulnerability impacting the designs for public issues was discovered. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10082">CVE-2020-10082</a>.</p> <p>Thanks to <a href="https://hackerone.com/rpadovani">@rpadovani</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-11">Versions Affected</h3> <p>Affects GitLab 12.2 and later.</p> <h3 id="remediation-11">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="incorrect-access-control-via-lfs-import">Incorrect Access Control via LFS Import</h2> <p>It was internally discovered that the LFS import process could potentially be used to incorrectly access LFS objects not owned by the user. 
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10081">CVE-2020-10081</a>.</p> <h3 id="versions-affected-12">Versions Affected</h3> <p>Affects all previous GitLab versions.</p> <h3 id="remediation-12">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="unescaped-html-in-header">Unescaped HTML in Header</h2> <p>A particular error header was susceptible to injection, and potentially other vulnerabilities, via unescaped input. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10075">CVE-2020-10075</a>.</p> <h3 id="versions-affected-13">Versions Affected</h3> <p>Affects GitLab 12.5 and later.</p> <h3 id="remediation-13">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="private-merge-request-titles-leaked-via-widget">Private Merge Request Titles Leaked via Widget</h2> <p>A particular view was exposing private merge request titles. 
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10085">CVE-2020-10085</a>.</p> <p>Thanks to <a href="https://hackerone.com/xanbanx">@xanbanx</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-14">Versions Affected</h3> <p>Affects GitLab 12.3.5 and later.</p> <h3 id="remediation-14">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="project-namespace-exposed-via-vulnerability-feedback-endpoint">Project Namespace Exposed via Vulnerability Feedback Endpoint</h2> <p>Sending a specially crafted request to the <code>vulnerability_feedback</code> endpoint could result in the exposure of a private project namespace. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10084">CVE-2020-10084</a>.</p> <p>Thanks to <a href="https://hackerone.com/ngalog">@ngalog</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-15">Versions Affected</h3> <p>Affects GitLab EE 11.6 and later.</p> <h3 id="remediation-15">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="denial-of-service-through-recursive-requests">Denial of Service Through Recursive Requests</h2> <p>By using several features to recursively request each other, it was possible to cause a denial of service of a GitLab instance. 
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10089">CVE-2020-10089</a>.</p> <p>Thanks to <a href="https://hackerone.com/exem_pt">@exem_pt</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-16">Versions Affected</h3> <p>Affects GitLab 8.11 and later.</p> <h3 id="remediation-16">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="project-authorization-not-being-updated">Project Authorization Not Being Updated</h2> <p>Under certain conditions involving groups, project authorization changes were not being applied. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10083">CVE-2020-10083</a>.</p> <h3 id="versions-affected-17">Versions Affected</h3> <p>Affects GitLab 12.7 and later.</p> <h3 id="remediation-17">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="incorrect-permission-level-for-group-invites">Incorrect Permission Level For Group Invites</h2> <p>Depending on particular group settings, it was possible for invited groups to be given the incorrect permission level. 
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10088">CVE-2020-10088</a>.</p> <p>Thanks to <a href="https://gitlab.com/cristian.berner">Cristian Berner</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-18">Versions Affected</h3> <p>Affects GitLab 12.5 and later.</p> <h3 id="remediation-18">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="disclosure-of-private-group-epic-information">Disclosure of Private Group Epic Information</h2> <p>Under certain group conditions, group epic information was unintentionally being disclosed. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10090">CVE-2020-10090</a>.</p> <p>Thanks to <a href="https://hackerone.com/ashish_r_padelkar">@ashish_r_padelkar</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-19">Versions Affected</h3> <p>Affects GitLab 11.7 and later.</p> <h3 id="remediation-19">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="user-ip-address-exposed-via-badge-images">User IP Address Exposed via Badge Images</h2> <p>Badge images were not being proxied: the user's browser fetched them directly from the third-party host, which caused mixed content warnings on HTTPS pages and leaked the user's IP address to that host. 
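As an added illustration of the badge-image fix above, here is a Camo-style signed image proxy in Ruby. It is written for this page and is not GitLab's own asset-proxy implementation; the proxy host, the shared secret, the `<hmac>/<hex-url>` path layout and the sample badge URL are all assumptions made for the example. The browser is handed a proxy URL instead of the third-party badge URL, so only the proxy ever connects to the badge host (no client IP leak, and the image arrives over HTTPS), while the HMAC stops the proxy from being turned into an open relay.

```ruby
require 'openssl'
require 'uri'

# Added example, not GitLab code. PROXY_HOST and SECRET are made-up values;
# a real deployment keeps the secret out of source and rotates it.
PROXY_HOST = 'https://assets.gitlab.example'.freeze
SECRET     = 'demo-shared-secret-do-not-use'.freeze

# HMAC-SHA1 over the original URL, hex encoded (40 chars), keyed with the
# secret shared between the application and the proxy.
def hmac_for(url, secret = SECRET)
  OpenSSL::HMAC.hexdigest('sha1', secret, url)
end

# Constant-time string comparison so a forged digest cannot be guessed
# byte by byte from response timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize

  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Application side: rewrite an external image URL to its proxied form.
# Relative (same-origin) URLs, non-HTTP schemes and URLs already pointing at
# the proxy are returned unchanged, since they leak nothing to a third party.
def proxy_url(url, proxy_host: PROXY_HOST, secret: SECRET)
  uri = URI.parse(url) rescue nil
  return url if uri.nil? || uri.host.nil? || !%w[http https].include?(uri.scheme)
  return url if uri.host == URI.parse(proxy_host).host

  "#{proxy_host}/#{hmac_for(url, secret)}/#{url.unpack1('H*')}"
end

# Proxy side: given the path of an incoming request, recover the original URL
# only if the digest verifies. Returns nil for malformed or forged paths, so a
# caller can refuse to fetch anything it did not sign itself.
def verify_proxy_path(path, secret: SECRET)
  m = path.match(%r{\A/?([0-9a-f]{40})/([0-9a-f]+)\z})
  return nil unless m

  url = [m[2]].pack('H*').force_encoding('UTF-8')
  secure_compare(hmac_for(url, secret), m[1]) ? url : nil
end

if __FILE__ == $PROGRAM_NAME
  badge = 'http://badge.example.org/build.svg?branch=main'   # constructed sample URL
  rewritten = proxy_url(badge)
  puts "browser loads:  #{rewritten}"
  puts "proxy fetches:  #{verify_proxy_path(URI.parse(rewritten).path).inspect}"
  puts "forged request: #{verify_proxy_path('/' + ('0' * 40) + '/' + 'http://attacker.example'.unpack1('H*')).inspect}"
end
```

The proxy must still apply the usual server-side fetch hygiene (timeouts, size limits, no redirects to internal addresses), since it is the proxy, not the user, that now talks to arbitrary hosts; the signature only guarantees that the application, not an attacker, chose the target.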
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10087">CVE-2020-10087</a>.</p> <h3 id="versions-affected-20">Versions Affected</h3> <p>Affects all previous GitLab versions.</p> <h3 id="remediation-20">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="update-postgresql-gitlab-omnibus">Update postgresql (GitLab Omnibus)</h2> <p>The bundled postgresql was updated from 9.6.14 to 9.6.16, and postgresql_new from 10.9 to 10.11, to remediate <a href="https://nvd.nist.gov/vuln/detail/CVE-2019-10208">CVE-2019-10208</a>.</p> <h3 id="versions-affected-21">Versions Affected</h3> <p>Affects all previous GitLab Omnibus versions.</p> <h3 id="remediation-21">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">Update page</a>.</p> <h2 id="receive-security-release-notifications">Receive Security Release Notifications</h2> <p>To receive security release blog notifications delivered to your inbox, visit our <a href="https://about.gitlab.com/company/contact/">contact us</a> page. 
To receive security release blog notifications via RSS, subscribe to our <a href="https://about.gitlab.com/security-releases.xml">RSS feed</a>.</p> GitLab Critical Security Release: 12.7.6, 12.6.7, and 12.5.10 https://about.gitlab.com/releases/2020/02/13/critical-security-release-gitlab-12-dot-7-dot-6-released/ 2020-02-13T00:00:00+00:00 2020-02-13T00:00:00+00:00 Jeremy Matos <p>Today we are releasing versions 12.7.6, 12.6.7, and 12.5.10 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain an important security fix, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.</p> <p>The vulnerability details will be made public on our <a href="https://gitlab.com/gitlab-org/gitlab/issues?label_name%5B%5D=security&amp;scope=all&amp;state=opened">issue tracker</a> in approximately 30 days.</p> <p>Please read on for more information regarding this release.</p> <h2 id="incorrect-membership-handling-of-group-sharing-feature">Incorrect membership handling of group sharing feature</h2> <p>Sharing a group with another group could grant project access to unauthorized users. 
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8795">CVE-2020-8795</a>.</p> <h3 id="versions-affected">Versions Affected</h3> <p>Affects GitLab CE/EE 12.5.0 and later.</p> <h3 id="remediation">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">Update page</a>.</p> <h2 id="receive-security-release-notifications">Receive Security Release Notifications</h2> <p>To receive security release blog notifications delivered to your inbox, visit our <a href="https://about.gitlab.com/company/contact/">contact us</a> page. To receive security release blog notifications via RSS, subscribe to our <a href="https://about.gitlab.com/security-releases.xml">RSS feed</a>.</p>
GitLab Security Release: 12.7.4, 12.6.6, and 12.5.9 https://about.gitlab.com/releases/2020/01/30/security-release-gitlab-12-7-4-released/ 2020-01-30T00:00:00+00:00 Andrew Kelly
<p>Today we are releasing versions 12.7.4, 12.6.6, and 12.5.9 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>The vulnerability details will be made public on our <a href="https://gitlab.com/gitlab-org/gitlab/issues?label_name%5B%5D=security&amp;scope=all&amp;state=opened">issue tracker</a> in approximately 30 days.</p> <p>Please read on for more information regarding this release.</p> <h2 id="path-traversal-to-arbitrary-file-read">Path Traversal to Arbitrary File Read</h2> <p>The dependency proxy was found to have a path traversal vulnerability that, if combined with an arbitrary file read vulnerability, could result in access to files and user data.
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7966">CVE-2020-7966</a>.</p> <p>Thanks to @nyangawa of Chaitin Tech for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected">Versions Affected</h3> <p>Affects GitLab EE 11.11 and later.</p> <h3 id="remediation">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="user-permissions-not-validated-in-projectexportworker">User Permissions Not Validated in ProjectExportWorker</h2> <p>An internal investigation revealed that permissions were not being validated in the ProjectExportWorker for the user scheduling exports. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8114">CVE-2020-8114</a>.</p> <h3 id="versions-affected-1">Versions Affected</h3> <p>Affects GitLab EE 8.9 and later.</p> <h3 id="remediation-1">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="xss-vulnerability-in-file-api">XSS Vulnerability in File API</h2> <p>Under certain conditions, requests involving the file API could result in an XSS vulnerability. 
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7973">CVE-2020-7973</a>.</p> <p>Thanks to <a href="https://hackerone.com/rpadovani">@rpadovani</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-2">Versions Affected</h3> <p>Affects all previous GitLab versions.</p> <h3 id="remediation-2">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="package-and-file-disclosure-through-gitlab-workhorse">Package and File Disclosure through GitLab Workhorse</h2> <p>An internal investigation revealed that a particular header could be used to override restrictions and result in the GitLab Workhorse disclosing packages and files in the <code>/tmp</code> directory. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6833">CVE-2020-6833</a>.</p> <h3 id="versions-affected-3">Versions Affected</h3> <p>Affects GitLab EE 11.3 and later.</p> <h3 id="remediation-3">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="xss-vulnerability-in-create-groups">XSS Vulnerability in Create Groups</h2> <p>A stored XSS vulnerability was discovered using the create group functionality. 
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7971">CVE-2020-7971</a>.</p> <p>Thanks to <a href="https://hackerone.com/rioncool22">@rioncool22</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-4">Versions Affected</h3> <p>Affects GitLab EE 11.0 and later.</p> <h3 id="remediation-4">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="issue-and-merge-request-activity-counts-exposed">Issue and Merge Request Activity Counts Exposed</h2> <p>Despite project settings otherwise, non-members were able to view activity counts of issues and merge requests. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7967">CVE-2020-7967</a>.</p> <p>Thanks to <a href="https://hackerone.com/ashish_r_padelkar">@ashish_r_padelkar</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-5">Versions Affected</h3> <p>Affects GitLab EE 12.0 and later.</p> <h3 id="remediation-5">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="email-confirmation-bypass-using-api">Email Confirmation Bypass Using API</h2> <p>It was discovered that a certain API endpoint could be used to bypass email verification requirements. 
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7972">CVE-2020-7972</a>.</p> <p>Thanks to <a href="https://hackerone.com/whitehattushu">@whitehattushu</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-6">Versions Affected</h3> <p>Affects GitLab EE 12.0 and later.</p> <h3 id="remediation-6">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="disclosure-of-forked-private-project-source-code">Disclosure of Forked Private Project Source Code</h2> <p>Authorization checks were not being applied in some cases for public repositories with merge request visibility set to members only, resulting in source code potentially being disclosed. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7968">CVE-2020-7968</a>.</p> <p>Thanks to <a href="https://hackerone.com/ngalog">@ngalog</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-7">Versions Affected</h3> <p>Affects all previous GitLab versions.</p> <h3 id="remediation-7">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="private-project-names-exposed-in-graphql-queries">Private Project Names Exposed in GraphQL queries</h2> <p>Under certain conditions, particularly crafted GraphQL queries could expose private project names. 
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7979">CVE-2020-7979</a>.</p> <p>Thanks to <a href="https://hackerone.com/ashish_r_padelkar">@ashish_r_padelkar</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-8">Versions Affected</h3> <p>Affects GitLab EE 12.0 and later.</p> <h3 id="remediation-8">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="disclosure-of-issues-and-merge-requests-via-todos">Disclosure of Issues and Merge Requests via Todos</h2> <p>Unexpired Todos could be leveraged to disclose (potentially confidential) issues and merge requests. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7969">CVE-2020-7969</a>.</p> <p>Thanks to <a href="https://hackerone.com/xanbanx">@xanbanx</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-9">Versions Affected</h3> <p>Affects GitLab EE 8.0 and later.</p> <h3 id="remediation-9">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="denial-of-service-via-asciidoc">Denial of Service via AsciiDoc</h2> <p>Certain payloads could result in a denial of service due to abuse of AsciiDoc includes. 
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7978">CVE-2020-7978</a>.</p> <p>Thanks to <a href="https://hackerone.com/kgadyrka">@kgadyrka</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-10">Versions Affected</h3> <p>Affects GitLab EE 12.6 and later.</p> <h3 id="remediation-10">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="last-pipeline-status-exposed">Last Pipeline Status Exposed</h2> <p>Despite restrictions in place, the last pipeline status was visible via the commits API. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7974">CVE-2020-7974</a>.</p> <p>Thanks to <a href="https://hackerone.com/ashish_r_padelkar">@ashish_r_padelkar</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-11">Versions Affected</h3> <p>Affects GitLab EE 10.1 and later.</p> <h3 id="remediation-11">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="arbitrary-change-of-pipeline-status">Arbitrary Change of Pipeline Status</h2> <p>Under certain conditions, a developer of a project can change the pipeline status of a protected branch to any value. 
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7977">CVE-2020-7977</a>.</p> <p>Thanks to <a href="https://hackerone.com/rpadovani">@rpadovani</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-12">Versions Affected</h3> <p>Affects GitLab EE 8.8 and later.</p> <h3 id="remediation-12">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="grafana-token-displayed-in-plaintext">Grafana Token Displayed in Plaintext</h2> <p>The Grafana token was displayed in plaintext on the settings page, but is now being masked. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7976">CVE-2020-7976</a>.</p> <p>Thanks to <a href="https://hackerone.com/xanbanx">@xanbanx</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-13">Versions Affected</h3> <p>Affects GitLab EE 12.4 and later.</p> <h3 id="remediation-13">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="update-excon-gem">Update excon gem</h2> <p>The excon gem was updated to address a flaw within that library, identified as <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16779">CVE-2019-16779</a>.</p> <h3 id="versions-affected-14">Versions Affected</h3> <p>Affects GitLab 5.3 and later.</p> <h3 id="remediation-14">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="update-rdoc-gem">Update rdoc gem</h2> <p>The rdoc gem was updated, which removed an older version of the jQuery library that had several 
known security vulnerabilities.</p> <h3 id="versions-affected-15">Versions Affected</h3> <p>Affects GitLab EE 12.6 and later.</p> <h3 id="remediation-15">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="update-rack-cors-gem">Update rack-cors gem</h2> <p>The rack-cors gem was updated to address a vulnerability in that library, <a href="https://nvd.nist.gov/vuln/detail/CVE-2019-18978">CVE-2019-18978</a>.</p> <h3 id="versions-affected-16">Versions Affected</h3> <p>Affects GitLab 6.4 and later.</p> <h3 id="remediation-16">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="update-rubyzip-gem">Update rubyzip gem</h2> <p>The rubyzip gem was updated to address a vulnerability in that library, <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16892">CVE-2019-16892</a>.</p> <h3 id="versions-affected-17">Versions Affected</h3> <p>Affects GitLab EE 8.3 and later.</p> <h3 id="remediation-17">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="apply-january-mattermost-security-updates-gitlab-omnibus">Apply January Mattermost Security Updates (GitLab Omnibus)</h2> <p>The <a href="https://mattermost.com/blog/mattermost-security-update-5-18-1-5-17-3-5-16-5-5-9-8-esr-released/">January Mattermost Security Updates</a> were applied.</p> <h3 id="remediation-18">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">Update page</a>.</p> <h2 id="receive-security-release-notifications">Receive Security Release Notifications</h2> <p>To receive security release blog notifications delivered to your inbox, visit our <a href="https://about.gitlab.com/company/contact/">contact us</a> page. To receive security release blog notifications via RSS, subscribe to our <a href="https://about.gitlab.com/security-releases.xml">RSS feed</a>.</p>
GitLab Critical Security Release: 12.6.4, 12.5.7, and 12.4.8 https://about.gitlab.com/releases/2020/01/13/critical-security-release-gitlab-12-dot-6-dot-4-released/ 2020-01-13T00:00:00+00:00 Jeremy Matos
<p>Today we are releasing versions 12.6.4, 12.5.7, and 12.4.8 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain an important security fix, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.</p> <p>The vulnerability details will be made public on our <a href="https://gitlab.com/gitlab-org/gitlab/issues?label_name%5B%5D=security&amp;scope=all&amp;state=opened">issue tracker</a> in approximately 30 days.</p> <p>Please read on for more information regarding this release.</p> <h2 id="private-objects-exposed-through-project-import">Private objects exposed through project import</h2> <p>Using the project import feature, it was possible for someone to obtain issues from private projects.
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6832">CVE-2020-6832</a>.</p> <p>Thanks to @nyangawa of Chaitin Tech for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected">Versions Affected</h3> <p>Affects GitLab EE 8.9.0 and later.</p> <h3 id="remediation">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">Update page</a>.</p> <h2 id="receive-security-release-notifications">Receive Security Release Notifications</h2> <p>To receive security release blog notifications delivered to your inbox, visit our <a href="https://about.gitlab.com/company/contact/">contact us</a> page. To receive security release blog notifications via RSS, subscribe to our <a href="https://about.gitlab.com/security-releases.xml">RSS feed</a>.</p>
GitLab Security Release: 12.6.2, 12.5.6, and 12.4.7 https://about.gitlab.com/releases/2020/01/02/security-release-gitlab-12-6-2-released/ 2020-01-02T00:00:00+00:00 Vitor Meireles De Sousa
<p>Today we are releasing versions 12.6.2, 12.5.6, and 12.4.7 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain important security fixes that were inadvertently not included in our most recent security release.
We strongly recommend that all GitLab installations be upgraded to one of these versions immediately.</p> <p>The vulnerability details will be made public on our <a href="https://gitlab.com/gitlab-org/gitlab/issues?label_name%5B%5D=security&amp;scope=all&amp;state=opened">issue tracker</a> in approximately 30 days.</p> <p>Please read on for more information regarding this release.</p> <h2 id="group-maintainers-can-updatedelete-group-runners-using-api">Group Maintainers Can Update/Delete Group Runners Using API</h2> <p>Insufficient access verification led to unauthorized modification of group runners through the API. This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20144">CVE-2019-20144</a>.</p> <p>Thanks to <a href="https://hackerone.com/ashish_r_padelkar">@ashish_r_padelkar</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected">Versions Affected</h3> <p>Affects GitLab EE/CE 10.8 and later.</p> <h3 id="remediation">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="graphql-queries-can-hang-the-application">GraphQL Queries Can Hang the Application</h2> <p>Certain GraphQL queries could hang the application because the server was missing parameters for handling time-consuming queries.
This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20146">CVE-2019-20146</a>.</p> <p>Thanks to the GitLab team for finding and reporting this issue.</p> <h3 id="versions-affected-1">Versions Affected</h3> <p>Affects GitLab EE/CE 11.0 and later.</p> <h3 id="remediation-1">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="unauthorized-users-have-access-to-milestones-of-releases">Unauthorized Users Have Access to Milestones of Releases</h2> <p>Under certain circumstances, an unauthenticated user could access a release's milestone and issues. This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20143">CVE-2019-20143</a>.</p> <p>Thanks to <a href="https://hackerone.com/xanbanx">@xanbanx</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-2">Versions Affected</h3> <p>Affects GitLab EE/CE 12.6.</p> <h3 id="remediation-2">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="private-group-name-revealed-through-protected-tags-api">Private Group Name Revealed Through Protected Tags API</h2> <p>When a group was removed from a project's membership, its members could still see project namespace changes through the Protected Tags API.
This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20147">CVE-2019-20147</a>.</p> <p>Thanks to <a href="https://hackerone.com/ashish_r_padelkar">@ashish_r_padelkar</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-3">Versions Affected</h3> <p>Affects GitLab EE/CE 9.1 and later.</p> <h3 id="remediation-3">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="users-can-publish-reviews-on-locked-merge-requests">Users Can Publish Reviews on Locked Merge Requests</h2> <p>When a merge request was locked, a user was still able to submit a draft review and publish it. This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20145">CVE-2019-20145</a>.</p> <p>Thanks to <a href="https://hackerone.com/rafiem">@rafiem</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-4">Versions Affected</h3> <p>Affects GitLab CE/EE 11.4 and later.</p> <h3 id="remediation-4">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="dos-in-the-issue-and-commit-comments-pages">DoS in the Issue and Commit Comments Pages</h2> <p>While adding a comment on the Issue and Commit pages, a malicious user could cause an HTTP 500 error by sending a specially crafted message.
This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20142">CVE-2019-20142</a>.</p> <p>Thanks to <a href="https://hackerone.com/dfens">@dfens</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-5">Versions Affected</h3> <p>Affects GitLab CE/EE 12.3 and later.</p> <h3 id="remediation-5">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="project-name-disclosed-through-unsubscribe-link">Project Name Disclosed Through Unsubscribe Link</h2> <p>When an unauthenticated user visited an unsubscribe link, a private project name could be disclosed under certain conditions. This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20148">CVE-2019-20148</a>.</p> <p>Thanks to <a href="https://hackerone.com/ashish_r_padelkar">@ashish_r_padelkar</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-6">Versions Affected</h3> <p>Affects GitLab EE/CE 8.13 and later.</p> <h3 id="remediation-6">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="private-project-name-disclosed-through-notification-settings">Private Project Name Disclosed Through Notification Settings</h2> <p>Under specific conditions, a user could view the name of a private project through the notification settings.
This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5197">CVE-2020-5197</a>.</p> <p>Thanks to <a href="https://hackerone.com/iframe">@iframe</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-7">Versions Affected</h3> <p>Affects GitLab EE/CE 5.1 and later.</p> <h3 id="remediation-7">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">Update page</a>.</p> <h2 id="receive-security-release-notifications">Receive Security Release Notifications</h2> <p>To receive security release blog notifications delivered to your inbox, visit our <a href="https://about.gitlab.com/company/contact/">contact us</a> page. To receive security release blog notifications via RSS, subscribe to our <a href="https://about.gitlab.com/security-releases.xml">RSS feed</a>.</p>
GitLab Patch Release: 12.0.12, 12.1.17, and 12.2.12 https://about.gitlab.com/releases/2019/12/16/gitlab-12-2-12-release/ 2019-12-16T00:00:00+00:00 John T Skarbek
<p>Today we are releasing versions 12.0.12, 12.1.17, and 12.2.12 for GitLab Community Edition and Enterprise Edition.</p> <h2 id="gitlab-community-edition-and-enterprise-edition">GitLab Community Edition and Enterprise Edition</h2> <p>Available in GitLab Core, Starter, Premium, and Ultimate:</p> <h3 id="backport">Backport</h3> <p><a href="https://gitlab.com/gitlab-org/sidekiq-reliable-fetch/merge_requests/14">Fix infinite retries of interrupted jobs</a></p> <h3 id="dependency-update">Dependency Update</h3> <p>The Git
dependency has been upgraded to 2.22.2 in order to apply security fixes detailed <a href="https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.22.2.txt">here</a>.</p> <p><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19604">CVE-2019-19604</a> was identified by the GitLab Security Research team. For more information on that issue, please visit the <a href="https://gitlab.com/gitlab-com/gl-security/disclosures/blob/master/003_git_submodule/advisory.md">GitLab Security Research Advisory</a>.</p> <h2 id="upgrade-barometer">Upgrade barometer</h2> <p>These versions do not include any new migrations and should not require any downtime.</p> <p>Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a <a href="http://docs.gitlab.com/omnibus/update/README.html"><code>/etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for <a href="https://docs.gitlab.com/omnibus/update/README.html">updates</a>.</p> <h2 id="updating">Updating</h2> <p>To update, check out our <a href="/update/">update page</a>.</p> <h2 id="gitlab-subscriptions">GitLab subscriptions</h2> <p>Access to GitLab Starter, Premium, and Ultimate features is granted by a paid <a href="/pricing/">subscription</a>.</p> <p>Alternatively, <a href="https://gitlab.com/users/sign_in">sign up for GitLab.com</a> to use GitLab's own infrastructure.</p>
GitLab Critical Security Release: 12.5.4, 12.4.6, and 12.3.9 https://about.gitlab.com/releases/2019/12/10/critical-security-release-gitlab-12-5-4-released/ 2019-12-10T00:00:00+00:00 Jeremy Matos
<p>Today we are releasing versions 12.5.4, 12.4.6, and 12.3.9 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain
important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.</p> <p>The vulnerability details will be made public on our <a href="https://gitlab.com/gitlab-org/gitlab/issues?label_name%5B%5D=security&amp;scope=all&amp;state=opened">issue tracker</a> in approximately 30 days.</p> <p>Please read on for more information regarding this release.</p> <h2 id="path-traversal-with-potential-remote-code-execution">Path traversal with potential remote code execution</h2> <p>Insufficient parameter sanitization for the Maven package registry could lead to privilege escalation and remote code execution vulnerabilities under certain conditions. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19628">CVE-2019-19628</a>.</p> <p>Thanks to @nyangawa of Chaitin Tech for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected">Versions Affected</h3> <p>Affects GitLab EE 11.3 and later.</p> <h3 id="remediation">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="disclosure-of-private-code-via-elasticsearch-integration">Disclosure of private code via Elasticsearch integration</h2> <p>When transferring a public project to a private group, private code would be disclosed via the Group Search API provided by the Elasticsearch integration.
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19629">CVE-2019-19629</a>.</p> <p>Thanks to <a href="https://hackerone.com/rpadovani">@rpadovani</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-1">Versions Affected</h3> <p>Affects GitLab EE 10.5 and later.</p> <h3 id="remediation-1">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above <strong>with enabled</strong> Elasticsearch integration are upgraded to the latest version as soon as possible. If you are unable to upgrade, consider <a href="https://docs.gitlab.com/ee/integration/elasticsearch.html#disabling-elasticsearch">disabling Elasticsearch</a>.</p> <h2 id="update-git-dependency">Update Git dependency</h2> <p>The Git dependency has been upgraded to 2.22.2 in order to apply security fixes detailed <a href="https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.22.2.txt">here</a>.</p> <p><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19604">CVE-2019-19604</a> was identified by the GitLab Security Research team. 
For more information on that issue, please visit the <a href="https://gitlab.com/gitlab-com/gl-security/disclosures/blob/master/003_git_submodule/advisory.md">GitLab Security Research Advisory</a>.</p> <h3 id="versions-affected-2">Versions Affected</h3> <p>Affects all versions of GitLab Omnibus.</p> <h3 id="remediation-2">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">update page</a>.</p> <h2 id="receive-security-release-notifications">Receive Security Release Notifications</h2> <p>To receive security release blog notifications delivered to your inbox, visit our <a href="https://about.gitlab.com/company/contact/">contact us</a> page. To receive security release blog notifications via RSS, subscribe to our <a href="https://about.gitlab.com/security-releases.xml">RSS feed</a>.</p>
GitLab Security Release: 12.5.2, 12.4.5, and 12.3.8 https://about.gitlab.com/releases/2019/11/27/security-release-gitlab-12-5-2-released/ 2019-11-27T00:00:00+00:00 Andrew Kelly
<p>Today we are releasing versions 12.5.2, 12.4.5, and 12.3.8 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain important security fixes that were inadvertently not included in our most recent security release.
We strongly recommend that all GitLab installations be upgraded to one of these versions immediately.</p> <p>The vulnerability details will be made public on our <a href="https://gitlab.com/gitlab-org/gitlab/issues?label_name%5B%5D=security&amp;scope=all&amp;state=opened">issue tracker</a> in approximately 30 days.</p> <p>Please read on for more information regarding this release.</p> <h2 id="unauthorized-access-to-grafana-metrics">Unauthorized access to Grafana metrics</h2> <p>Grafana metrics were unintentionally being exposed to unauthorized users. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19262">CVE-2019-19262</a>.</p> <p>Thanks to <a href="https://hackerone.com/d0xing">@d0xing</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected">Versions Affected</h3> <p>Affects GitLab EE 11.9 and later.</p> <h3 id="remediation">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="update-mattermost-dependency">Update Mattermost dependency</h2> <p>The Mattermost dependency has been upgraded to 5.14.5 in order to mitigate security concerns.</p> <h3 id="versions-affected-1">Versions Affected</h3> <p>Affects GitLab Omnibus 12.3 and later.</p> <h3 id="remediation-1">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">update page</a>.</p> <h2 id="receive-security-release-notifications">Receive Security Release Notifications</h2> <p>To receive security release blog notifications delivered to your inbox, visit our <a href="https://about.gitlab.com/company/contact/">contact us</a> page. 
To receive security release blog notifications via RSS, subscribe to our <a href="https://about.gitlab.com/security-releases.xml">RSS feed</a>.</p> GitLab Security Release: 12.5.1, 12.4.4, and 12.3.7 https://about.gitlab.com/releases/2019/11/27/security-release-gitlab-12-5-1-released/ 2019-11-27T00:00:00+00:00 Andrew Kelly <p>Today we are releasing versions 12.5.1, 12.4.4, and 12.3.7 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. If you are unable to upgrade, consider <a href="https://docs.gitlab.com/ee/integration/elasticsearch.html#disabling-elasticsearch">disabling Elasticsearch</a>, which mitigates the Elasticsearch-related disclosures described below but none of the other issues.</p> <p><strong>Update</strong> Two fixes for GitLab Omnibus inadvertently did not make it into this release, so we are releasing new patch versions in order to include those changes in all versions of GitLab. We <strong>strongly recommend</strong> that all installations be updated to the new versions (12.5.2, 12.4.5, 12.3.8) once they are available.</p> <p>The vulnerability details will be made public on our <a href="https://gitlab.com/gitlab-org/gitlab/issues?label_name%5B%5D=security&amp;scope=all&amp;state=opened">issue tracker</a> in approximately 30 days.</p> <p>Please read on for more information regarding this release.</p> <h2 id="path-traversal-with-potential-remote-code-execution">Path traversal with potential remote code execution</h2> <p>Improper parameter sanitization in the Maven package registry could lead to privilege escalation and remote code execution vulnerabilities under certain conditions. 
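</p>
<p>The advisory does not say which parameter was affected, and the following does not try to reconstruct it. It is an added example of the general check a package registry needs when it maps a client-supplied artifact path onto storage, written for this page and not GitLab's fix: a weak join that honours <code>..</code> segments beside a hardened resolver that decodes once, rejects dot, empty and backslash segments, allow-lists the characters Maven coordinates use, and re-checks the resolved path against the storage root. The root directory, the allowed character set and the sample requests are all assumptions constructed for the example.</p>

```python
"""Resolve a client-supplied artifact path under a fixed storage root, rejecting
path traversal. Added example; the registry layout and inputs are constructed."""

import os
from urllib.parse import unquote

STORAGE_ROOT = "/var/opt/registry/maven"  # hypothetical root, not GitLab's layout


class UnsafePath(ValueError):
    """Raised when a client path would resolve outside the storage root."""


def unsafe_join(root: str, client_path: str) -> str:
    """The weak form: concatenation plus normalisation. '..' segments and
    absolute paths are honoured, so the result can leave `root`."""
    return os.path.normpath(os.path.join(root, client_path))


def safe_artifact_path(root: str, client_path: str) -> str:
    """Hardened form. Decodes once, rejects NUL bytes and backslashes, absolute
    paths and dot or empty segments, allow-lists segment characters, and finally
    re-checks that the resolved absolute path still sits below `root`."""
    decoded = unquote(client_path)
    if "\x00" in decoded or "\\" in decoded:
        raise UnsafePath(f"forbidden character in {client_path!r}")
    if decoded.startswith("/"):
        raise UnsafePath(f"absolute path rejected: {client_path!r}")
    segments = decoded.split("/")
    if any(seg in ("", ".", "..") for seg in segments):
        raise UnsafePath(f"dot or empty segment in {client_path!r}")
    # Allow-list (an assumption for this example): what Maven group, artifact,
    # version and file names are made of. A leftover '%' from double encoding
    # fails here too.
    allowed = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._-")
    if any(set(seg) - allowed for seg in segments):
        raise UnsafePath(f"unexpected character in {client_path!r}")
    root_abs = os.path.abspath(root)
    resolved = os.path.abspath(os.path.join(root_abs, *segments))
    if os.path.commonpath([root_abs, resolved]) != root_abs:
        raise UnsafePath(f"escapes storage root: {client_path!r}")
    return resolved


def is_safe(client_path: str, root: str = STORAGE_ROOT) -> bool:
    """True if the hardened check accepts the path, False if it rejects it."""
    try:
        safe_artifact_path(root, client_path)
        return True
    except UnsafePath:
        return False


if __name__ == "__main__":
    # Constructed sample requests: one benign, the rest traversal attempts.
    samples = [
        "com/example/app/1.0/app-1.0.jar",
        "../../etc/passwd",
        "com/example/%2e%2e/%2e%2e/%2e%2e/etc/passwd",
        "/etc/passwd",
        "com\\..\\..\\etc\\passwd",
    ]
    for s in samples:
        verdict = "ok" if is_safe(s) else "REJECTED"
        print(f"{s!r:50} weak={unsafe_join(STORAGE_ROOT, s)!r} hardened={verdict}")
```

<p>The final <code>commonpath</code> check is deliberately redundant with the segment validation: if a later change loosens the allow-list, the containment check still holds the line.</p>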
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19088">CVE-2019-19088</a>.</p> <p>Thanks to @nyangawa of Chaitin Tech for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected">Versions Affected</h3> <p>Affects GitLab EE 11.3 and later.</p> <h3 id="remediation">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="private-objects-exposed-through-project-import">Private objects exposed through project import</h2> <p>Using the project import feature, it was possible for someone to obtain issue, merge request, and other data from private projects. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19309">CVE-2019-19309</a>.</p> <p>Thanks to @nyangawa of Chaitin Tech for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-1">Versions Affected</h3> <p>Affects GitLab EE 8.9.0 and later.</p> <h3 id="remediation-1">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="disclosure-of-notes-via-elasticsearch-integration">Disclosure of notes via Elasticsearch integration</h2> <p>Private notes would be disclosed via the API of the Group Search feature provided by Elasticsearch integration. 
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19086">CVE-2019-19086</a>.</p> <p>Thanks to <a href="https://hackerone.com/rpadovani">@rpadovani</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-2">Versions Affected</h3> <p>Affects GitLab EE 8.17 and later.</p> <h3 id="remediation-2">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above <strong>with Elasticsearch integration enabled</strong> are upgraded to the latest version as soon as possible. If you are unable to upgrade, consider <a href="https://docs.gitlab.com/ee/integration/elasticsearch.html#disabling-elasticsearch">disabling Elasticsearch</a>.</p> <h2 id="disclosure-of-comments-via-elasticsearch-integration">Disclosure of comments via Elasticsearch integration</h2> <p>Comments on restricted public projects could be guessed via the Group Search feature provided by Elasticsearch integration. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19087">CVE-2019-19087</a>.</p> <p>Thanks to <a href="https://hackerone.com/xanbanx">@xanbanx</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-3">Versions Affected</h3> <p>Affects GitLab EE 8.17 and later.</p> <h3 id="remediation-3">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above <strong>with Elasticsearch integration enabled</strong> are upgraded to the latest version as soon as possible. 
If you are unable to upgrade, consider <a href="https://docs.gitlab.com/ee/integration/elasticsearch.html#disabling-elasticsearch">disabling Elasticsearch</a>.</p> <h2 id="dns-rebind-ssrf-in-various-chat-notifications">DNS Rebind SSRF in various chat notifications</h2> <p>An internal review identified several situations in which particular chat notifications could be used to perform DNS rebind SSRF attacks. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19261">CVE-2019-19261</a>.</p> <h3 id="versions-affected-4">Versions Affected</h3> <p>Affects GitLab EE 6.7 and later.</p> <h3 id="remediation-4">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="disclosure-of-vulnerability-status-in-dependency-list">Disclosure of vulnerability status in dependency list</h2> <p>It was internally identified that the vulnerability status of a particular dependency was being displayed to unauthenticated users. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19256">CVE-2019-19256</a>.</p> <h3 id="versions-affected-5">Versions Affected</h3> <p>Affects GitLab EE 12.2 and later.</p> <h3 id="remediation-5">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="disclosure-of-commit-count-in-cycle-analytics">Disclosure of commit count in Cycle Analytics</h2> <p>Project members with the Guest access level were erroneously able to see the number of commits in the Cycle Analytics area. 
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19254">CVE-2019-19254</a>.</p> <p>Thanks to <a href="https://hackerone.com/ashish_r_padelkar">@ashish_r_padelkar</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-6">Versions Affected</h3> <p>Affects GitLab CE/EE 9.6 and later.</p> <h3 id="remediation-6">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="exposure-of-related-branch-names">Exposure of related branch names</h2> <p>Under certain circumstances, guests and non-members were able to see branch names. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19257">CVE-2019-19257</a>.</p> <p>Thanks to <a href="https://hackerone.com/ashish_r_padelkar">@ashish_r_padelkar</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-7">Versions Affected</h3> <p>Affects all previous GitLab CE/EE versions.</p> <h3 id="remediation-7">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="tags-pushes-from-blocked-users">Tag pushes from blocked users</h2> <p>In some situations, a blocked user was still able to push git tags despite other git access being revoked. 
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19263">CVE-2019-19263</a>.</p> <h3 id="versions-affected-8">Versions Affected</h3> <p>Affects GitLab EE 8.2 and later.</p> <h3 id="remediation-8">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="branches-and-commits-exposed-to-guest-members-via-integration">Branches and Commits exposed to Guest members via integration</h2> <p>It was discovered that, through certain integrations, a guest user was able to view branch names and commit messages. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19258">CVE-2019-19258</a>.</p> <h3 id="versions-affected-9">Versions Affected</h3> <p>Affects GitLab EE 10.8 and later.</p> <h3 id="remediation-9">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="idor-when-adding-users-to-protected-environments">IDOR when adding users to protected environments</h2> <p>Non-project members were unintentionally allowed to be added to protected environments. 
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19259">CVE-2019-19259</a>.</p> <h3 id="versions-affected-10">Versions Affected</h3> <p>Affects GitLab EE 11.3 and later.</p> <h3 id="remediation-10">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="former-project-members-able-to-access-repository-information">Former project members able to access repository information</h2> <p>Under specific circumstances, a former project member was still able to access repositories from which their access had been removed. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19260">CVE-2019-19260</a>.</p> <p>Thanks to <a href="https://hackerone.com/mclaren650sspider">@mclaren650sspider</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-11">Versions Affected</h3> <p>Affects all previous GitLab CE/EE versions.</p> <h3 id="remediation-11">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="unauthorized-access-to-grafana-metrics">Unauthorized access to grafana metrics</h2> <p>Grafana metrics were unintentionally being exposed to unauthorized users. 
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19262">CVE-2019-19262</a>.</p> <p>Thanks to <a href="https://hackerone.com/d0xing">@d0xing</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-12">Versions Affected</h3> <p>Affects GitLab EE 11.9 and later.</p> <h3 id="remediation-12">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="todos-created-for-former-project-members">Todos created for former project members</h2> <p>Under specific circumstances, a former project member would potentially receive Todos even after being removed from the project. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19255">CVE-2019-19255</a>.</p> <p>Thanks to Jimmy Soh for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-13">Versions Affected</h3> <p>Affects GitLab EE 12.3 and later.</p> <h3 id="remediation-13">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="update-mattermost-dependency">Update Mattermost dependency</h2> <p>The Mattermost dependency has been upgraded to 5.14.5 in order to mitigate security concerns.</p> <h3 id="versions-affected-14">Versions Affected</h3> <p>Affects GitLab Omnibus 12.3 and later.</p> <h3 id="remediation-14">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="disclosure-of-aws-secret-keys-on-certain-admin-pages">Disclosure of AWS secret keys on certain Admin pages</h2> <p>Certain Admin pages potentially disclosed AWS secret keys in plain 
text. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19310">CVE-2019-19310</a>.</p> <p>Thanks to <a href="https://hackerone.com/ngalog">@ngalog</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-15">Versions Affected</h3> <p>Affects GitLab EE 9.0 and later.</p> <h3 id="remediation-15">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="stored-xss-in-group-and-user-profile-fields">Stored XSS in Group and User profile fields</h2> <p>Multiple group and user profile fields were not being sanitized properly, potentially resulting in a stored cross-site scripting vulnerability. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19311">CVE-2019-19311</a>.</p> <p>Thanks to @constructor2019 for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-16">Versions Affected</h3> <p>Affects GitLab EE 8.14 and later.</p> <h3 id="remediation-16">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="forked-project-information-disclosed-via-project-api">Forked project information disclosed via Project API</h2> <p>After a project changed to private, previously forked repositories were still able to get information about the private project through the API. 
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19312">CVE-2019-19312</a>.</p> <p>Thanks to <a href="https://hackerone.com/ngalog">@ngalog</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-17">Versions Affected</h3> <p>Affects GitLab EE 8.14 and later.</p> <h3 id="remediation-17">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="denial-of-service-in-the-issue-and-commit-comment-pages">Denial of Service in the issue and commit comment pages</h2> <p>Certain characters were making it impossible to create, edit, or view issues and commits. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19313">CVE-2019-19313</a>.</p> <p>Thanks to <a href="https://hackerone.com/dfens">@dfens</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-18">Versions Affected</h3> <p>Affects GitLab EE 12.3 and later.</p> <h3 id="remediation-18">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="tokens-stored-in-plaintext">Tokens stored in plaintext</h2> <p>Several tokens that were being stored in plaintext are now being encrypted. 
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19314">CVE-2019-19314</a>.</p> <p>Thanks to <a href="https://hackerone.com/xanbanx">@xanbanx</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-19">Versions Affected</h3> <p>Affects GitLab EE 8.4 and later.</p> <h3 id="remediation-19">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">update page</a>.</p> <h2 id="receive-security-release-notifications">Receive Security Release Notifications</h2> <p>To receive security release blog notifications delivered to your inbox, visit our <a href="https://about.gitlab.com/company/contact/">contact us</a> page. To receive security release blog notifications via RSS, subscribe to our <a href="https://about.gitlab.com/security-releases.xml">RSS feed</a>.</p> GitLab Security Release: 12.4.1, 12.3.6, and 12.2.9 https://about.gitlab.com/releases/2019/10/30/security-release-gitlab-12-dot-4-dot-1-released/ 2019-10-30T00:00:00+00:00 Costel Maxim <p>Today we are releasing versions 12.4.1, 12.3.6, and 12.2.9 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.</p> <p>The vulnerability details will be made public on our <a href="https://gitlab.com/gitlab-org/gitlab/issues?label_name%5B%5D=security&amp;scope=all&amp;state=opened">issue tracker</a> in approximately 30 days.</p> <p>Please read on for more information regarding this release.</p> <h2 id="source-branch-of-a-mr-could-be-removed-by-an-unauthorised-user">Source branch of a MR could be removed by an unauthorised user</h2> <p>An unauthorised member of the target project could delete the source branch of a merge request. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18446">CVE-2019-18446</a>.</p> <p>Thanks to <a href="https://hackerone.com/ngalog">@ngalog</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected">Versions Affected</h3> <p>Affects GitLab CE/EE 8.15 and up.</p> <h3 id="remediation">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="private-group-members-could-be-listed">Private group members could be listed</h2> <p>An unauthorised user could view the members of a private group. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18447">CVE-2019-18447</a>.</p> <p>Thanks to <a href="https://hackerone.com/ngalog">@ngalog</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-1">Versions Affected</h3> <p>Affects all previous GitLab CE/EE versions.</p> <h3 id="remediation-1">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="disclosure-of-system-notes-via-elasticsearch-integration">Disclosure of System Notes via Elasticsearch integration</h2> <p>System Notes would be disclosed with the Comments Search feature provided by Elasticsearch integration. 
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18460">CVE-2019-18460</a>.</p> <p>Thanks to <a href="https://hackerone.com/rpadovani">@rpadovani</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-2">Versions Affected</h3> <p>Affects GitLab 8.8.3 and later.</p> <h3 id="remediation-2">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above <strong>with Elasticsearch integration enabled</strong> are upgraded to the latest version as soon as possible.</p> <h2 id="disclosure-of-private-comments-via-elasticsearch-integration">Disclosure of Private Comments via Elasticsearch integration</h2> <p>Private comments in restricted groups would be disclosed with the Search feature provided by Elasticsearch integration. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18456">CVE-2019-18456</a>.</p> <p>Thanks to <a href="https://hackerone.com/xanbanx">@xanbanx</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-3">Versions Affected</h3> <p>Affects GitLab EE 8.17 and later.</p> <h3 id="remediation-3">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above <strong>with Elasticsearch integration enabled</strong> are upgraded to the latest version as soon as possible.</p> <h2 id="confirm-existence-of-private-repositories">Confirm existence of private repositories</h2> <p>By brute force, an unauthorised user could check whether a private repository exists. 
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18448">CVE-2019-18448</a>.</p> <p>Thanks to <a href="https://hackerone.com/brxxn">@brxxn</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-4">Versions Affected</h3> <p>Affects all previous GitLab CE/EE versions.</p> <h3 id="remediation-4">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="private-group-membership-could-be-disclosed">Private group membership could be disclosed</h2> <p>Unauthorised users were able to read private group membership using the autocomplete endpoint. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18449">CVE-2019-18449</a>.</p> <p>Thanks to <a href="https://hackerone.com/ngalog">@ngalog</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-5">Versions Affected</h3> <p>Affects all previous GitLab CE/EE versions.</p> <h3 id="remediation-5">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="disclosure-of-project-labels">Disclosure of Project Labels</h2> <p>Project labels could be disclosed through the GitLab API to unauthorised users. 
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18450">CVE-2019-18450</a>.</p> <p>Thanks to <a href="https://hackerone.com/ashish_r_padelkar">@ashish_r_padelkar</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-6">Versions Affected</h3> <p>Affects all previous GitLab CE/EE versions.</p> <h3 id="remediation-6">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="disclosure-of-private-project-path-and-labels">Disclosure of Private Project Path and Labels</h2> <p>When an issue was moved to a public project from a private one, the associated private labels and the private project namespace would be disclosed through the GitLab API. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18452">CVE-2019-18452</a>.</p> <p>Thanks to <a href="https://hackerone.com/ashish_r_padelkar">@ashish_r_padelkar</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-7">Versions Affected</h3> <p>Affects GitLab CE/EE 11.3 and later.</p> <h3 id="remediation-7">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="uncontrolled-resource-consumption-due-to-nested-graphql-queries">Uncontrolled Resource Consumption due to Nested GraphQL Queries</h2> <p>Nested GraphQL queries could be built so that they resulted in a denial of service of the affected page. 
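</p>
<p>Bounding selection-set nesting is the usual defence against this class of query; graphql-ruby, the library behind GitLab's GraphQL API, exposes it as a <code>max_depth</code> schema setting. The following is an added example written for this page, not GitLab's code: a small depth analyser over the raw query text that skips string literals and comments while counting selection-set nesting, a guard that rejects a query above a limit before it is executed, and a constructed generator for the deeply nested shape an attacker would send. The limit, the field names and the sample queries are assumptions; a real deployment would enforce depth, and query complexity, inside the GraphQL library rather than with a pre-scan like this one.</p>

```python
"""Measure selection-set nesting depth of a GraphQL document and reject queries
above a limit. Added example with a simplified scanner, not GitLab's code."""

MAX_DEPTH = 10  # hypothetical limit; tune per schema


class QueryTooDeep(ValueError):
    """Raised when a query nests deeper than the configured limit."""


def selection_depth(query: str) -> int:
    """Return the maximum nesting depth of `{ ... }` selection sets.

    Braces inside ordinary strings ("..."), block strings (three double
    quotes) and `#` comments are ignored, so attacker-controlled string
    arguments cannot hide or fake nesting. Unbalanced braces raise ValueError.
    """
    depth = max_depth = 0
    i, n = 0, len(query)
    while i < n:
        ch = query[i]
        if ch == "#":                          # comment runs to end of line
            while i < n and query[i] != "\n":
                i += 1
        elif query.startswith('"""', i):       # block string
            end = query.find('"""', i + 3)
            if end == -1:
                raise ValueError("unterminated block string")
            i = end + 3
        elif ch == '"':                        # ordinary string with escapes
            i += 1
            while i < n and query[i] != '"':
                i += 2 if query[i] == "\\" else 1
            if i >= n:
                raise ValueError("unterminated string")
            i += 1
        elif ch == "{":
            depth += 1
            max_depth = max(max_depth, depth)
            i += 1
        elif ch == "}":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced '}'")
            i += 1
        else:
            i += 1
    if depth != 0:
        raise ValueError("unbalanced '{'")
    return max_depth


def check_depth(query: str, limit: int = MAX_DEPTH) -> int:
    """Return the depth if it is within `limit`, else raise QueryTooDeep
    so the caller can refuse the query before resolving anything."""
    d = selection_depth(query)
    if d > limit:
        raise QueryTooDeep(f"query depth {d} exceeds limit {limit}")
    return d


def within_limit(query: str, limit: int = MAX_DEPTH) -> bool:
    """Boolean form of check_depth for callers that only need accept/reject."""
    try:
        check_depth(query, limit)
        return True
    except QueryTooDeep:
        return False


def nested_query(levels: int) -> str:
    """Build a constructed query nested `levels` deep, the shape used to make
    the server do work proportional to nesting (field names are illustrative)."""
    body = "id"
    for _ in range(levels - 1):
        body = "project { " + body + " }"
    return "query { " + body + " }"


if __name__ == "__main__":
    benign = 'query { project(fullPath: "group/{not}nested") { id name } }  # { comment }'
    print("benign depth:", check_depth(benign))
    try:
        check_depth(nested_query(30))
    except QueryTooDeep as e:
        print("rejected:", e)
```

<p>Depth alone is not a complete answer: a shallow query can still fan out across large list fields, which is why libraries pair a depth limit with a complexity budget.</p>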
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18455">CVE-2019-18455</a>.</p> <p>Thanks to <a href="https://hackerone.com/freddd">@freddd</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-8">Versions Affected</h3> <p>Affects GitLab CE/EE 11 and later.</p> <h3 id="remediation-8">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="improper-access-control-on-comments">Improper access control on comments</h2> <p>An authorization issue allowed a demoted user to add comments via email. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18453">CVE-2019-18453</a>.</p> <p>Thanks to <a href="https://hackerone.com/hx01">@hx01</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-9">Versions Affected</h3> <p>Affects GitLab CE/EE 11.6 and later.</p> <h3 id="remediation-9">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="sentry-token-access-control">Sentry Token Access Control</h2> <p>An authorization issue in the handling of Sentry tokens allowed a demoted user to retain access. 
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18457">CVE-2019-18457</a>.</p> <p>Thanks to <a href="https://hackerone.com/ashish_r_padelkar">@ashish_r_padelkar</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-10">Versions Affected</h3> <p>Affects GitLab CE/EE 11.8 and later.</p> <h3 id="remediation-10">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="authorisation-check-for-project-transfer-option">Authorisation check for Project Transfer option</h2> <p>A missing authorization check in the feature for transferring projects to another group allowed users with Developer rights to move projects. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18458">CVE-2019-18458</a>.</p> <p>Thanks to <a href="https://hackerone.com/ashish_r_padelkar">@ashish_r_padelkar</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-11">Versions Affected</h3> <p>Affects GitLab CE/EE 10.5 and later.</p> <h3 id="remediation-11">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="xss-in-wiki-pages-using-rdoc">XSS in Wiki Pages Using RDoc</h2> <p>The link validation for RDoc wiki pages contained an issue that could be exploited as a persistent XSS vulnerability. 
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18454">CVE-2019-18454</a>.</p> <p>Thanks to <a href="https://hackerone.com/vakzz">@vakzz</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-12">Versions Affected</h3> <p>Affects GitLab CE/EE 10.5 and later.</p> <h3 id="remediation-12">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="untrusted-input-could-be-used-for-internal-redirect">Untrusted Input could be used for Internal Redirect</h2> <p>An internal review identified an issue in the InternalRedirect filtering that allowed open redirect attacks. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18451">CVE-2019-18451</a>.</p> <h3 id="versions-affected-13">Versions Affected</h3> <p>Affects GitLab CE/EE 10.7.4 and later.</p> <h3 id="remediation-13">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="access-control-for-protected-environments">Access control for protected environments</h2> <p>An internal review determined that groups could retain access to protected environments even after removal. 
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18459">CVE-2019-18459</a>.</p> <h3 id="versions-affected-14">Versions Affected</h3> <p>Affects GitLab CE/EE 11.3 to 12.3.</p> <h3 id="remediation-14">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="private-sub-group-path-disclosure">Private Subgroup Path Disclosure</h2> <p>The private subgroup path was disclosed when a subgroup epic was added to a public group. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18461">CVE-2019-18461</a>.</p> <p>Thanks to <a href="https://hackerone.com/ashish_r_padelkar">@ashish_r_padelkar</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-15">Versions Affected</h3> <p>Affects GitLab CE/EE 12.0 and later.</p> <h3 id="remediation-15">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="disclosure-of-group-packages-list">Disclosure of Group Packages List</h2> <p>An issue was found that allowed an unauthorised user to list the packages of a group. 
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18463">CVE-2019-18463</a>.</p> <p>Thanks to <a href="https://hackerone.com/ashish_r_padelkar">@ashish_r_padelkar</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-16">Versions Affected</h3> <p>Affects GitLab CE/EE 12.0 and later.</p> <h3 id="remediation-16">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="private-repository-name-disclosure">Private Repository Name Disclosure</h2> <p>An issue was found that allowed an unauthorised user to confirm the name of a private repository. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18462">CVE-2019-18462</a>.</p> <p>Thanks to <a href="https://hackerone.com/mclaren650sspider">@mclaren650sspider</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-17">Versions Affected</h3> <p>Affects GitLab CE/EE 12.2 and later.</p> <h3 id="remediation-17">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">update page</a>.</p> GitLab Critical Security Release: 12.3.5, 12.2.8, and 12.1.14 https://about.gitlab.com/releases/2019/10/07/security-release-gitlab-12-dot-3-dot-5-released/ 2019-10-07T00:00:00+00:00 2019-10-07T00:00:00+00:00 Jeremy Matos <p>Today we are releasing versions 12.3.5, 12.2.8, and 12.1.14 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain an 
important security fix, and we strongly recommend that all <strong>GitLab EE</strong> installations <strong>with enabled</strong> Elasticsearch integration be upgraded to one of these versions immediately.</p> <p>The vulnerability details will be made public on our <a href="https://gitlab.com/gitlab-org/gitlab/issues?label_name%5B%5D=security&amp;scope=all&amp;state=opened">issue tracker</a> in approximately 30 days.</p> <p>Please read on for more information regarding this release.</p> <h2 id="disclosure-of-private-merge-requests-and-issues-via-elasticsearch-integration">Disclosure of Private Merge Requests and Issues via Elasticsearch integration</h2> <p>Private merge requests and issues would be disclosed with the Group Search feature provided by Elasticsearch integration. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15590">CVE-2019-15590</a>.</p> <p>Thanks to <a href="https://hackerone.com/rpadovani">@rpadovani</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected">Versions Affected</h3> <p>Affects GitLab EE 11.5 and later. GitLab CE versions are unaffected.</p> <h3 id="remediation">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above <strong>with enabled</strong> Elasticsearch integration are upgraded to the latest version as soon as possible.</p> <h2 id="fixed-geo-not-syncing-new-lfs-files">Fixed Geo not syncing new LFS files</h2> <p>We <a href="https://gitlab.com/gitlab-org/gitlab/issues/32696">found a regression</a> in the GitLab Geo code that makes it very likely that any new LFS objects are not synchronized to secondary nodes. This means that these LFS files cannot be pulled from secondary nodes and impacts Disaster Recovery.</p> <h3 id="versions-affected-1">Versions Affected</h3> <p>Affects GitLab EE 12.1 and later. 
GitLab CE versions are unaffected.</p> <h3 id="remediation-1">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above <strong>with enabled</strong> LFS and Geo are upgraded to the latest version as soon as possible.</p> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">update page</a>.</p> GitLab Critical Security Release: 12.3.3, 12.2.7, and 12.1.13 https://about.gitlab.com/releases/2019/10/02/security-release-gitlab-12-dot-3-dot-3-released/ 2019-10-02T00:00:00+00:00 2019-10-02T00:00:00+00:00 Jeremy Matos <p>Today we are releasing versions 12.3.3, 12.2.7, and 12.1.13 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain an important security fix, and we strongly recommend that all GitLab installations <strong>with enabled</strong> Elasticsearch integration be upgraded to one of these versions immediately.</p> <p>The vulnerability details will be made public on our <a href="https://gitlab.com/gitlab-org/gitlab/issues?label_name%5B%5D=security&amp;scope=all&amp;state=opened">issue tracker</a> in approximately 30 days.</p> <p>Please read on for more information regarding this release.</p> <h2 id="disclosure-of-private-code-merge-requests-and-commits-via-elasticsearch-integration">Disclosure of Private Code, Merge Requests and Commits via Elasticsearch integration</h2> <p>Private code, merge requests and commits would be disclosed with the Group Search feature provided by Elasticsearch integration. 
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5487">CVE-2019-5487</a>.</p> <p>Thanks to <a href="https://hackerone.com/rpadovani">@rpadovani</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected">Versions Affected</h3> <p>Affects GitLab EE 8.17 and later.</p> <h3 id="remediation">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above <strong>with enabled</strong> Elasticsearch integration are upgraded to the latest version as soon as possible.</p> <h2 id="disclosure-of-container-and-dependency-scanning-reports">Disclosure of container and dependency scanning reports</h2> <p>Container and dependency scanning reports were available via the merge request widget even though public pipelines were disabled. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15591">CVE-2019-15591</a>.</p> <p>Thanks to <a href="https://hackerone.com/xanbanx">@xanbanx</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-1">Versions Affected</h3> <p>Affects GitLab CE/EE 12.2 and later.</p> <h3 id="remediation-1">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">update page</a>.</p> GitLab Security Release: 12.3.2, 12.2.6, and 12.1.12 https://about.gitlab.com/releases/2019/09/30/security-release-gitlab-12-dot-3-dot-2-released/ 2019-09-30T00:00:00+00:00 2019-09-30T00:00:00+00:00 Jeremy Matos <p>Today we are releasing versions 12.3.2, 12.2.6, and 12.1.12 for GitLab Community 
Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.</p> <p>The vulnerability details will be made public on our <a href="https://gitlab.com/gitlab-org/gitlab/issues?label_name%5B%5D=security&amp;scope=all&amp;state=opened">issue tracker</a> in approximately 30 days.</p> <p>Please read on for more information regarding this release.</p> <h2 id="xss-in-markdown-preview-using-mermaid">XSS in Markdown Preview Using Mermaid</h2> <p>The Mermaid plugin has been updated in the GitLab 12.1 release line to address an XSS issue in Markdown preview; the 12.2 and 12.3 release lines had already received this update. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15586">CVE-2019-15586</a>.</p> <p>Thanks to <a href="https://hackerone.com/brainpanic">@brainpanic</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected">Versions Affected</h3> <p>Affects GitLab CE/EE 12.1.</p> <h3 id="remediation">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="bypass-email-verification-using-salesforce-authentication">Bypass Email Verification using Salesforce Authentication</h2> <p>The Salesforce login integration could be used by an attacker to create an account that bypassed domain restrictions and email verification requirements. 
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5486">CVE-2019-5486</a>.</p> <p>Thanks to <a href="https://hackerone.com/ngalog">@ngalog</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-1">Versions Affected</h3> <p>Affects GitLab CE/EE 11.11 and later.</p> <h3 id="remediation-1">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="account-takeover-using-saml">Account Takeover using SAML</h2> <p>The GitLab SAML integration had a validation issue that permitted an attacker to take over another user's account. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15585">CVE-2019-15585</a>.</p> <p>Thanks to @mishre for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-2">Versions Affected</h3> <p>Affects GitLab CE/EE 7.12 and later.</p> <h3 id="remediation-2">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="uncontrolled-resource-consumption-in-markdown-using-mermaid">Uncontrolled Resource Consumption in Markdown using Mermaid</h2> <p>Markdown fields contained an input validation issue that resulted in a denial of service of the affected page. 
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15584">CVE-2019-15584</a>.</p> <p>Thanks to <a href="https://hackerone.com/ryhmnlfj">@ryhmnlfj</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-3">Versions Affected</h3> <p>Affects GitLab CE/EE 10.2 and later.</p> <h3 id="remediation-3">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="disclosure-of-private-project-path-and-labels">Disclosure of Private Project Path and Labels</h2> <p>When an issue was moved to a public project from a private one, the associated private labels and the private project namespace would be disclosed through the GitLab API. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15583">CVE-2019-15583</a>.</p> <p>Thanks to <a href="https://hackerone.com/ashish_r_padelkar">@ashish_r_padelkar</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-4">Versions Affected</h3> <p>Affects GitLab CE/EE 11.3 and later.</p> <h3 id="remediation-4">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="disclosure-of-assignees-via-milestones">Disclosure of Assignees via Milestones</h2> <p>The assignee(s) of a confidential issue in a private project would be disclosed to a guest via milestones. 
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15579">CVE-2019-15579</a>.</p> <p>Thanks to <a href="https://hackerone.com/ashish_r_padelkar">@ashish_r_padelkar</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-5">Versions Affected</h3> <p>Affects GitLab CE/EE 9.2.0 and later.</p> <h3 id="remediation-5">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="disclosure-of-project-path-via-unsubscribe-link">Disclosure of Project Path via Unsubscribe Link</h2> <p>The path of a private project that used to be public would be disclosed in the unsubscribe email link of issues and merge requests. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15578">CVE-2019-15578</a>.</p> <p>Thanks to <a href="https://hackerone.com/ashish_r_padelkar">@ashish_r_padelkar</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-6">Versions Affected</h3> <p>Affects GitLab CE/EE 8.4.0 and later.</p> <h3 id="remediation-6">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="disclosure-of-project-milestones-via-groups">Disclosure of Project Milestones via Groups</h2> <p>Project milestones would be disclosed when browsing groups. 
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15577">CVE-2019-15577</a>.</p> <p>Thanks to <a href="https://hackerone.com/uzsunnyz?type=user">@uzsunny</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-7">Versions Affected</h3> <p>Affects GitLab CE/EE 10.0.0 and later.</p> <h3 id="remediation-7">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="disclosure-of-private-system-notes-via-graphql">Disclosure of Private System Notes via GraphQL</h2> <p>Private system notes would be disclosed via the GraphQL endpoint. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15576">CVE-2019-15576</a>.</p> <p>Thanks to <a href="https://hackerone.com/ngalog">@ngalog</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-8">Versions Affected</h3> <p>Affects GitLab CE/EE 12.0.0 and later.</p> <h3 id="remediation-8">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="git-command-injection-via-api">Git Command Injection via API</h2> <p>Git command injection was possible via the API through the <code>blobs</code> scope. 
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15575">CVE-2019-15575</a>.</p> <p>Thanks to <a href="https://hackerone.com/vakzz">@vakzz</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-9">Versions Affected</h3> <p>Affects GitLab CE/EE 10.0 and later.</p> <h3 id="remediation-9">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <p><strong>Note:</strong> We recommend <a href="https://docs.gitlab.com/ee//administration/gitaly/#rotating-a-gitaly-authentication-token">rotating the Gitaly authentication token</a> as an extra security measure.</p> <h2 id="bypass-user-blocking-via-cicd-token">Bypass User Blocking via CI/CD token</h2> <p>A blocked user who had previously obtained a CI/CD token could still use it for Git clone and pull. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15589">CVE-2019-15589</a>.</p> <p>Thanks to <a href="https://hackerone.com/logan5">@logan5</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-10">Versions Affected</h3> <p>Affects all versions of GitLab CE/EE.</p> <h3 id="remediation-10">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="idor-adding-groups-to-protected-environments">IDOR Adding Groups to Protected Environments</h2> <p>An IDOR was discovered that allowed a maintainer to add any private group to a protected environment. 
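</p> <p>As an added illustration of the Git command injection class in the advisory above (this is example code, not GitLab's implementation): when a user-controlled ref or pattern is placed on a git command line, a value beginning with <code>-</code> is parsed as an option rather than as a revision or pathspec, even when no shell is involved. The advisory names the search API's <code>blobs</code> scope, which searches file contents, but does not say which parameter or git subcommand was involved, so the example uses <code>git grep</code>, a common way to implement such a search. The module name, <code>REF_PATTERN</code> and the repository path are the example's own assumptions.</p>

```ruby
require "open3"

# Added example (not GitLab's code): build a `git grep` command from
# user-controlled input without letting that input be read as options.
module SafeGitGrep
  # Conservative subset of `git check-ref-format`: must start with an
  # alphanumeric character (so a leading "-" can never be taken for an
  # option), then only alphanumerics, ".", "_", "/" and "-".
  REF_PATTERN = /\A[A-Za-z0-9][A-Za-z0-9._\/-]*\z/

  def self.valid_ref?(ref)
    ref.is_a?(String) &&
      ref.match?(REF_PATTERN) &&
      !ref.include?("..") &&      # no revision-range syntax
      !ref.include?("//") &&
      !ref.include?("@{") &&      # no reflog syntax
      !ref.end_with?(".lock", "/", ".")
  end

  # Returns the argv array for the search. The array form of spawn means
  # no shell ever sees these strings, so the remaining hazard is option
  # injection: the ref is validated, the pattern is bound with "-e" so it
  # may legitimately start with "-", and the pathspec is placed behind "--".
  def self.argv(repo_dir, ref, pattern, path: nil)
    raise ArgumentError, "invalid ref: #{ref.inspect}" unless valid_ref?(ref)
    raise ArgumentError, "empty pattern" if pattern.to_s.empty?

    cmd = ["git", "-C", repo_dir, "grep", "-n", "--no-color", "-e", pattern, ref]
    cmd += ["--", path] if path
    cmd
  end

  # Runs the search and returns matching lines ("path:line:text"), or an
  # empty array when nothing matched or the command failed.
  def self.run(repo_dir, ref, pattern, path: nil)
    out, _err, status = Open3.capture3(*argv(repo_dir, ref, pattern, path: path))
    status.success? ? out.lines.map(&:chomp) : []
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed inputs: a pattern and pathspec that look like options but
  # are bound safely, then a "ref" that is really a git grep option (one
  # that would launch the named program) and must be refused.
  p SafeGitGrep.argv("/srv/repo.git", "main", "--not-an-option", path: "-p")
  begin
    SafeGitGrep.argv("/srv/repo.git", "--open-files-in-pager=sh", "secret")
  rescue ArgumentError => e
    puts "refused: #{e.message}"
  end
end
```

<p>The same rule applies wherever a revision name reaches git from an API parameter: validate it against the ref grammar before use, never after, and keep <code>--</code> between revisions and paths so a file called <code>-p</code> cannot become an option. Passing the argv array to <code>Open3.capture3</code> or <code>Process.spawn</code> (never a single interpolated string) removes shell metacharacters from the picture entirely; it does not remove option injection, which is why the ref check is still needed.</p> <p>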
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15582">CVE-2019-15582</a>.</p> <p>Thanks to <a href="https://hackerone.com/ashish_r_padelkar">@ashish_r_padelkar</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-11">Versions Affected</h3> <p>Affects GitLab EE 11.3 and later.</p> <h3 id="remediation-11">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="disclosure-of-group-membership-via-merge-request-approval-rules">Disclosure of Group Membership via Merge Request Approval Rules</h2> <p>An IDOR was discovered that allowed a project owner or maintainer to see the members of any private group via merge request approval rules. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15581">CVE-2019-15581</a>.</p> <p>Thanks to <a href="https://hackerone.com/ashish_r_padelkar">@ashish_r_padelkar</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-12">Versions Affected</h3> <p>Affects GitLab EE 8.13 and later.</p> <h3 id="remediation-12">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="disclosure-of-head-pipeline-via-blocking-merge-request-feature">Disclosure of Head Pipeline via Blocking Merge Request Feature</h2> <p>When using the blocking merge request feature, it was possible for an unauthenticated user to see the head pipeline data of a public project even though pipeline visibility was restricted. 
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15580">CVE-2019-15580</a>.</p> <p>Thanks to <a href="https://hackerone.com/xanbanx">@xanbanx</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-13">Versions Affected</h3> <p>Affects GitLab EE 12.0 and later.</p> <h3 id="remediation-13">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="grafana-update">Grafana update</h2> <p>We have patched Grafana, which is included in the GitLab Omnibus package, for CVE-2018-19039.</p> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">update page</a>.</p> GitLab Critical Security Release: 12.2.5, 12.1.9, and 12.0.9 https://about.gitlab.com/releases/2019/09/10/critical-security-release-gitlab-12-dot-2-dot-5-released/ 2019-09-10T00:00:00+00:00 2019-09-10T00:00:00+00:00 Ethan Strike <p>Today we are releasing versions 12.2.5, 12.1.9, and 12.0.9 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain a number of important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.</p> <p>The vulnerability details will be made public on our issue tracker in approximately 30 days.</p> <p>Please read on for more information regarding this release.</p> <h2 id="project-template-functionality-could-be-used-to-access-restricted-project-data">Project Template Functionality Could Be Used to Access Restricted Project Data</h2> <p>Project creation using custom group templates had a permission issue that allowed an unauthorized user to clone a project to which they had partial visibility, allowing 
them to see the restricted information. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16170">CVE-2019-16170</a>.</p> <p>Thanks to <a href="https://hackerone.com/jobert">@jobert</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected">Versions Affected</h3> <p>Affects GitLab EE 11.6 and later.</p> <h3 id="remediation">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="security-enhancements-in-gitlab-pages">Security Enhancements in GitLab Pages</h2> <p>GitLab Pages is updated in this release with several security enhancements to GitLab Pages Access Control. Improvements include use of the <code>Secure</code> flag on the session cookie and a shorter session validity period.</p> <p>These improvements were identified as part of an internal security review.</p> <h3 id="versions-affected-1">Versions Affected</h3> <p>Affects GitLab CE/EE 11.5 and later.</p> <h3 id="remediation-1">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="nginx-update">Nginx Update</h2> <p>We have patched Nginx, which is included in the GitLab Omnibus package, for CVE-2019-9511, CVE-2019-9513, and CVE-2019-9516.</p> <h2 id="mattermost-updates">Mattermost Updates</h2> <p>We have included the corresponding Mattermost security releases in 12.2, 12.1 and 12.0.</p> <p>For more information, see the <a href="https://about.mattermost.com/security-updates/">Mattermost security updates page</a>.</p> <h2 id="updating">Updating</h2> <p>To update, check out our <a href="/update/">update page</a>.</p> GitLab 
Security Release: 12.2.3, 12.1.8, and 12.0.8 https://about.gitlab.com/releases/2019/08/29/security-release-gitlab-12-dot-2-dot-3-released/ 2019-08-29T00:00:00+00:00 2019-08-29T00:00:00+00:00 Andrew Kelly <p>Today we are releasing versions 12.2.3, 12.1.8, and 12.0.8 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.</p> <p>The vulnerability details will be made public on our <a href="https://gitlab.com/gitlab-org/gitlab-ce/issues?scope=all&amp;utf8=%E2%9C%93&amp;state=opened&amp;label_name[]=security">issue tracker</a> in approximately 30 days.</p> <p>Please read on for more information regarding this release.</p> <h2 id="kubernetes-integration-server-side-request-forgery">Kubernetes Integration Server-Side Request Forgery</h2> <p>An internal review determined that the protections against SSRF attacks in the Kubernetes integration were insufficient, which could have allowed an attacker to request any local network resource accessible from the GitLab server. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15728">CVE-2019-15728</a>.</p> <h3 id="versions-affected">Versions Affected</h3> <p>Affects GitLab CE/EE 10.1 and later.</p> <h3 id="remediation">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="server-side-request-forgery-in-jira-integration">Server-Side Request Forgery in Jira Integration</h2> <p>An internal review determined that the Jira integration contained an SSRF vulnerability: the existing protection mechanisms against this type of attack could be bypassed, allowing requests to be sent to any resource on the local network that is reachable from the GitLab server. 
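</p> <p>Both SSRF issues above (the Kubernetes and Jira integrations) come down to the same check: before the server fetches a URL taken from an integration setting, it has to establish that the address it will connect to is not one of its own internal ones. The following is an added example of such a policy in Ruby; it is not GitLab's code, the module and method names are the example's own, and the denied ranges are the standard loopback, private, link-local, shared-address, benchmarking and multicast blocks. The resolver is injectable so the policy can be exercised offline against a constructed DNS table.</p>

```ruby
require "uri"
require "ipaddr"
require "resolv"

# Added example (not GitLab's code): decide whether the server may fetch a
# URL taken from an integration setting. Anything that resolves to a
# loopback, private, link-local, shared-address, multicast or otherwise
# non-public address is refused, along with non-HTTP schemes and URLs
# carrying userinfo.
module OutboundUrlPolicy
  ALLOWED_SCHEMES = %w[http https].freeze

  # Address ranges a server-side fetch must never reach.
  DENIED_RANGES = %w[
    0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16
    172.16.0.0/12 192.0.0.0/24 192.168.0.0/16 198.18.0.0/15
    224.0.0.0/4 240.0.0.0/4
    ::/128 ::1/128 fc00::/7 fe80::/10
  ].map { |cidr| IPAddr.new(cidr) }.freeze

  def self.public_ip?(ip_string)
    ip = IPAddr.new(ip_string)
    # An IPv4-mapped IPv6 address (::ffff:10.0.0.1) is checked as the IPv4
    # address it carries; otherwise the IPv4 ranges above would not apply.
    ip = ip.native if ip.ipv6? && ip.ipv4_mapped?
    DENIED_RANGES.none? { |range| range.include?(ip) }
  rescue IPAddr::InvalidAddressError
    false
  end

  def self.literal_ip?(host)
    IPAddr.new(host)
    true
  rescue IPAddr::InvalidAddressError
    false
  end

  # +resolver+ maps a hostname to the IP strings it resolves to. It is
  # injectable so the policy can be tested without network access; the
  # default uses the system resolver.
  def self.allowed?(url, resolver: ->(host) { Resolv.getaddresses(host) })
    uri = URI.parse(url.to_s)
    return false unless ALLOWED_SCHEMES.include?(uri.scheme)
    return false unless uri.userinfo.nil?        # "http://ok.example@127.0.0.1/"

    host = uri.hostname.to_s                      # strips [] from IPv6 literals
    return false if host.empty?
    return false if host.casecmp?("localhost") || host.downcase.end_with?(".localhost")

    addresses = literal_ip?(host) ? [host] : Array(resolver.call(host))
    return false if addresses.empty?
    # Every record must be public: a name with one public and one private
    # record must not pass because the client happened to pick the public one.
    addresses.all? { |a| public_ip?(a) }
  rescue URI::InvalidURIError
    false
  end
end

# Constructed DNS table standing in for the real resolver in the examples.
FAKE_DNS = {
  "k8s.example.com"           => ["203.0.113.10"],
  "metadata.example.internal" => ["169.254.169.254"],
  "split.example.com"         => ["203.0.113.11", "10.0.0.5"],
  "v6.example.com"            => ["::ffff:10.1.2.3"]
}.freeze
FAKE_RESOLVER = ->(host) { FAKE_DNS.fetch(host, []) }

if $PROGRAM_NAME == __FILE__
  ["https://k8s.example.com:6443/api", "http://metadata.example.internal/latest/",
   "https://split.example.com/", "http://127.0.0.1:8080/", "http://[::1]/",
   "http://user@10.0.0.1/", "file:///etc/passwd"].each do |u|
    puts "#{OutboundUrlPolicy.allowed?(u, resolver: FAKE_RESOLVER) ? 'allow ' : 'reject'} #{u}"
  end
end
```

<p>The check resolves the name once; the HTTP client that performs the fetch resolves it again, so a name whose record changes between the two lookups (DNS rebinding) slips past. To close that gap the client has to connect to the address the policy validated and send the original hostname in the <code>Host</code> header and TLS SNI, or re-run <code>public_ip?</code> on the peer address from inside the connection hook. Redirects need the same treatment on every hop, since a public host can answer with a 302 to an internal address.</p> <p>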
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15730">CVE-2019-15730</a>.</p> <h3 id="versions-affected-1">Versions Affected</h3> <p>Affects GitLab CE/EE 8.14 and later.</p> <h3 id="remediation-1">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="improved-protection-against-credential-stuffing-attacks">Improved Protection Against Credential Stuffing Attacks</h2> <p>A reCAPTCHA challenge is now required once certain failed-login conditions are met. This feature is disabled by default and can be enabled through Admin Area &gt; Settings &gt; Reporting &gt; Enable reCAPTCHA for login.</p> <h3 id="versions-affected-2">Versions Affected</h3> <p>Affects all previous GitLab CE/EE versions.</p> <h3 id="remediation-2">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="markdown-clientside-resource-exhaustion">Markdown Client-side Resource Exhaustion</h2> <p>Certain mathematical expressions in GitLab Markdown could exhaust client resources. 
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15722">CVE-2019-15722</a>.</p> <p>Please note that Merge Requests, Issues, Wiki Pages, and other areas with GitLab Markdown containing many or very long math formulae may need to be split up.</p> <p>Thanks to <a href="https://hackerone.com/abdilahrf_">@abdilahrf_</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-3">Versions Affected</h3> <p>Affects GitLab CE/EE 8.15 and later.</p> <h3 id="remediation-3">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="pipeline-status-disclosure">Pipeline Status Disclosure</h2> <p>An internal endpoint unintentionally disclosed information about the last pipeline run for a merge request. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15729">CVE-2019-15729</a>.</p> <p>Thanks to <a href="https://hackerone.com/xanbanx">@xanbanx</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-4">Versions Affected</h3> <p>Affects GitLab CE/EE 9.0 and later.</p> <h3 id="remediation-4">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="group-runner-authorization-issue">Group Runner Authorization Issue</h2> <p>An internal endpoint unintentionally allowed group maintainers to view and edit group runner settings. 
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15721">CVE-2019-15721</a>.</p> <p>Thanks to <a href="https://hackerone.com/ashish_r_padelkar">@ashish_r_padelkar</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-5">Versions Affected</h3> <p>Affects GitLab CE/EE 10.8 and later.</p> <h3 id="remediation-5">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="ci-metrics-disclosure">CI Metrics Disclosure</h2> <p>Insufficient permission checks were being applied when displaying CI results, potentially exposing some CI metrics data to unauthorized users. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15727">CVE-2019-15727</a>.</p> <p>Thanks to <a href="https://hackerone.com/xanbanx">@xanbanx</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-6">Versions Affected</h3> <p>Affects GitLab CE/EE 11.2 and later.</p> <h3 id="remediation-6">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="user-ip-disclosed-by-embedded-image-and-media">User IP Disclosed by Embedded Image and Media</h2> <p>Embedded images and media files in markdown could be pointed to an arbitrary server, which would reveal the IP address of clients requesting the file from that server. 
This issue can be mitigated by enabling an <a href="https://docs.gitlab.com/ee/security/asset_proxy.html">asset proxy</a> and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15726">CVE-2019-15726</a>.</p> <p>Thanks to <a href="https://hackerone.com/iframe">@iframe</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-7">Versions Affected</h3> <p>Affects all previous GitLab CE/EE versions.</p> <h3 id="remediation-7">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="label-description-html-injection">Label Description HTML Injection</h2> <p>Label descriptions were found to be vulnerable to HTML injection. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15724">CVE-2019-15724</a>.</p> <p>Thanks to <a href="https://hackerone.com/xanbanx">@xanbanx</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-8">Versions Affected</h3> <p>Affects GitLab CE/EE 11.10 and later.</p> <h3 id="remediation-8">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="idor-in-epic-notes-api">IDOR in Epic Notes API</h2> <p>An IDOR was discovered in the epic notes API which could result in disclosure of private milestones, labels, and other information. 
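</p> <p>The asset proxy mitigation mentioned above works by having the browser fetch external images from a proxy the instance controls, so the third-party host sees the proxy's address rather than the reader's. The following is an added example of the Camo-style URL scheme such proxies use (an HMAC-SHA1 of the original URL under a secret shared with the proxy, followed by the hex-encoded URL); it is not GitLab's code, and the module, method and parameter names, the allowlist handling, the secret and the proxy hostname are the example's own.</p>

```ruby
require "openssl"
require "uri"

# Added example (not GitLab's code): route external images through a
# Camo-style asset proxy. The proxy URL carries an HMAC of the original
# URL under a secret shared with the proxy, so only URLs produced by the
# application are ever fetched, and the reader's browser talks to the
# proxy instead of the third-party host.
module AssetProxy
  HEX_URL = /\A(?:[0-9a-f]{2})+\z/i

  # Rewrites one URL. Relative URLs and non-HTTP(S) schemes are returned
  # unchanged (they do not reach an outside host), as are hosts on
  # +allowlist+ (the instance itself, its CDN), matched with subdomains.
  def self.proxy_url(url, proxy_base:, secret:, allowlist: [])
    uri = URI.parse(url.to_s)
    return url unless %w[http https].include?(uri.scheme) && uri.host
    return url if allowlisted?(uri.host, allowlist)

    digest = OpenSSL::HMAC.hexdigest("SHA1", secret, url)
    "#{proxy_base.chomp('/')}/#{digest}/#{url.unpack1('H*')}"
  rescue URI::InvalidURIError
    url
  end

  def self.allowlisted?(host, allowlist)
    h = host.downcase
    allowlist.any? { |d| h == d.downcase || h.end_with?(".#{d.downcase}") }
  end

  # Proxy side: recover the URL from its hex form, recompute the digest
  # and compare in constant time. Returns the URL to fetch, or nil when the
  # request was not minted by the application.
  def self.verify(digest, hex_url, secret:)
    return nil unless hex_url.match?(HEX_URL)
    url = [hex_url].pack("H*").force_encoding("UTF-8")
    expected = OpenSSL::HMAC.hexdigest("SHA1", secret, url)
    secure_equal?(digest, expected) ? url : nil
  end

  # Constant-time comparison (avoids depending on OpenSSL.secure_compare,
  # which only exists in newer openssl gems).
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Rewrites every Markdown image reference ![alt](url) in +text+.
  def self.rewrite_markdown(text, **opts)
    text.gsub(/!\[([^\]]*)\]\(([^)\s]+)\)/) { "![#{$1}](#{proxy_url($2, **opts)})" }
  end
end

# Constructed configuration: the proxy hostname, secret and allowlisted
# instance domain are invented for the example.
EXAMPLE_OPTS = {
  proxy_base: "https://assets.example.com/",
  secret: "constructed-shared-secret",
  allowlist: ["gitlab.example.com"]
}.freeze

if $PROGRAM_NAME == __FILE__
  md = "![pixel](http://tracker.example.net/pixel.png) and " \
       "![logo](https://gitlab.example.com/uploads/logo.png)"
  puts AssetProxy.rewrite_markdown(md, **EXAMPLE_OPTS)
end
```

<p>The digest is what keeps the proxy from becoming an open relay: the proxy recomputes it over the decoded URL and refuses to fetch anything whose digest does not match, which also means the shared secret has to be rotated if it leaks. The allowlist exists because images served by the instance itself (or a CDN it controls) do not expose the reader to a third party when fetched directly, and proxying them would only add latency.</p> <p>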
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15725">CVE-2019-15725</a>.</p> <p>Thanks to <a href="https://hackerone.com/ashish_r_padelkar">@ashish_r_padelkar</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-9">Versions Affected</h3> <p>Affects GitLab CE/EE 12.0 and later.</p> <h3 id="remediation-9">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="push-rule-bypass">Push Rule Bypass</h2> <p>A vulnerability that allowed users to bypass the push rules of a project had been indirectly fixed in a previous GitLab release. This version improves the fix to make it more robust. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15723">CVE-2019-15723</a>.</p> <p>Thanks to <a href="https://hackerone.com/xanbanx">@xanbanx</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-10">Versions Affected</h3> <p>Affects GitLab CE/EE versions 11.9.4-11.10.0. Please note that this was already fixed in 11.10.1.</p> <h3 id="remediation-10">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="project-visibility-restriction-bypass">Project Visibility Restriction Bypass</h2> <p>It was discovered that the project import API could be used to bypass project visibility restrictions. 
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15732">CVE-2019-15732</a>.</p> <p>Thanks to <a href="https://hackerone.com/logan5">@logan5</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-11">Versions Affected</h3> <p>Affects GitLab CE/EE 12.2 and later.</p> <h3 id="remediation-11">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="merge-request-discussion-restriction-bypass">Merge Request Discussion Restriction Bypass</h2> <p>It was discovered that non-members were able to comment on merge requests despite the repository being set to allow only project members to do so. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15731">CVE-2019-15731</a>.</p> <p>Thanks to <a href="https://hackerone.com/ashish_r_padelkar">@ashish_r_padelkar</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-12">Versions Affected</h3> <p>Affects GitLab CE/EE 12.0 and later.</p> <h3 id="remediation-12">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="disclosure-of-merge-request-ids">Disclosure of Merge Request IDs</h2> <p>An internal review determined that under certain conditions, merge request IDs were being disclosed via email. 
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15738">CVE-2019-15738</a>.</p> <h3 id="versions-affected-13">Versions Affected</h3> <p>Affects GitLab CE/EE 12.0 and later.</p> <h3 id="remediation-13">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="weak-authentication-in-certain-account-actions">Weak Authentication In Certain Account Actions</h2> <p>It was discovered that certain account actions needed improved authentication and session management. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15737">CVE-2019-15737</a>.</p> <p>Thanks to Sajibe Kanti for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-14">Versions Affected</h3> <p>Affects all previous GitLab CE/EE versions.</p> <h3 id="remediation-14">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="disclosure-of-commit-title-and-comments">Disclosure of Commit Title and Comments</h2> <p>Under very specific conditions, commit titles and team member comments could become viewable to users that did not have permission to do so. 
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15734">CVE-2019-15734</a>.</p> <p>Thanks to <a href="https://hackerone.com/brijeshshah13">@brijeshshah13</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-15">Versions Affected</h3> <p>Affects GitLab CE/EE 8.6 and later.</p> <h3 id="remediation-15">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="stored-xss-via-markdown">Stored XSS via Markdown</h2> <p>It was discovered that certain areas displaying Markdown were not properly sanitizing some cross site scripting payloads. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15739">CVE-2019-15739</a>.</p> <p>Thanks to <a href="https://hackerone.com/samuelmortenson">@samuelmortenson</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-16">Versions Affected</h3> <p>Affects GitLab CE/EE 8.1 and later.</p> <h3 id="remediation-16">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="exif-geolocation-data-exposure">EXIF Geolocation Data Exposure</h2> <p>EXIF Geolocation data was not being removed from certain image uploads. 
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15740">CVE-2019-15740</a>.</p> <p>Please note that when upgrading a GitLab instance, the following rake task should be run: <code>rake gitlab:uploads:sanitize:remove_exif[,,false,0,PersonalFileUploader,2019-01-01]</code></p> <p>Thanks to <a href="https://hackerone.com/jackb898?type=user">@jack898</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-17">Versions Affected</h3> <p>Affects GitLab CE/EE 7.9 and later.</p> <h3 id="remediation-17">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="multiple-ssrf-regressions-on-gitaly">Multiple SSRF Regressions on Gitaly</h2> <p>Two previous Gitaly SSRF fixes were mistakenly not included in GitLab 12.2. The issue is now mitigated in the latest release and will be assigned a CVE ID shortly.</p> <h3 id="versions-affected-18">Versions Affected</h3> <p>Affects GitLab CE/EE 12.2.</p> <h3 id="remediation-18">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="default-branch-name-exposure">Default Branch Name Exposure</h2> <p>It was discovered that the specified default branch name could be exposed to unauthorised users. 
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15733">CVE-2019-15733</a>.</p> <p>Thanks to <a href="https://hackerone.com/ashish_r_padelkar">@ashish_r_padelkar</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-19">Versions Affected</h3> <p>Affects GitLab CE/EE 7.12 and later.</p> <h3 id="remediation-19">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="potential-denial-of-service-via-ci-pipelines">Potential Denial of Service via CI Pipelines</h2> <p>Under certain circumstances, CI pipelines could potentially be used in a denial of service attack. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15736">CVE-2019-15736</a>.</p> <h3 id="versions-affected-20">Versions Affected</h3> <p>Affects all previous GitLab CE/EE versions.</p> <h3 id="remediation-20">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="privilege-escalation-via-logrotate">Privilege Escalation via Logrotate</h2> <p>It was discovered that an unsafe interaction with logrotate could result in a privilege escalation. 
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15741">CVE-2019-15741</a>.</p> <p>Thanks to <a href="https://hackerone.com/petee">@petee</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-21">Versions Affected</h3> <p>Affects GitLab Omnibus 7.4 and later.</p> <h3 id="remediation-21">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="disclosure-of-merge-request-id-via-timeline-activities">Disclosure of Merge Request ID via Timeline Activities</h2> <p>A Guest user in a private project could see the merge request ID associated to an issue via the activity timeline. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15592">CVE-2019-15592</a>.</p> <p>Thanks to <a href="https://hackerone.com/ashish_r_padelkar">@ashish_r_padelkar</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-22">Versions Affected</h3> <p>Affects all versions of GitLab.</p> <h3 id="remediation-22">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="denial-of-service-via-issue-comments">Denial of Service via Issue Comments</h2> <p>A Denial of Service was possible when posting in an issue a comment of arbitrary length. 
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15593">CVE-2019-15593</a>.</p> <p>Thanks to <a href="https://hackerone.com/8ayac">8ayac</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-23">Versions Affected</h3> <p>Affects GitLab 9.3.0 and later.</p> <h3 id="remediation-23">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">update page</a>.</p> GitLab Critical Security Release: 12.1.6, 12.0.6, and 11.11.8 https://about.gitlab.com/releases/2019/08/12/critical-security-release-gitlab-12-dot-1-dot-6-released/ 2019-08-12T00:00:00+00:00 2019-08-12T00:00:00+00:00 Juan Broullon <p>Today we are releasing versions 12.1.6, 12.0.6, and 11.11.8 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain a number of important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.</p> <p>The vulnerability details will be made public on our issue tracker in approximately 30 days.</p> <p>Please read on for more information regarding this release.</p> <h2 id="insecure-authentication-methods-disabled-for-grafana-by-default">Insecure Authentication Methods Disabled for Grafana By Default</h2> <p>Basic authentication and hard-coded admin credentials are now disabled by default in the bundled Grafana instance as part of the Omnibus-based GitLab packages. This change forces GitLab SSO to be the only authentication method, creates a backup of existing data, and resets the Grafana configuration to the GitLab default. 
Custom dashboards and user accounts that have been created will be preserved in the backup. Grafana authentication settings can then be modified following the <a href="https://docs.gitlab.com/omnibus/settings/grafana.html">Omnibus Configuration Settings</a> guide.</p> <p>The Grafana dashboard, when accessed using the hard-coded credentials, allowed for a malicious user to view internal resources that are accessible by the host where the GitLab instance resides.</p> <p>The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14943">CVE-2019-14943</a>.</p> <p>Thanks to <a href="https://gitlab.com/stargo">@stargo</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected">Versions Affected</h3> <p>Affects GitLab CE/EE 12.0 and later.</p> <h3 id="remediation">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="updating">Updating</h2> <p>To update, check out our <a href="/update/">update page</a>.</p> <h2 id="multiple-command-line-flag-injection-vulnerabilities">Multiple Command-Line Flag Injection Vulnerabilities</h2> <p>Improper parameter sanitization on Gitaly could lead to privilege escalation and remote code execution vulnerabilities under certain conditions. 
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14944">CVE-2019-14944</a>.</p> <p>Thanks to <a href="https://hackerone.com/vakzz">@vakzz</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-1">Versions Affected</h3> <p>Affects GitLab CE/EE 10.0 and later.</p> <h3 id="remediation-1">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="updating-1">Updating</h2> <p>To update, check out our <a href="/update/">update page</a>.</p> <h2 id="insecure-cookie-handling-on-gitlab-pages">Insecure Cookie Handling on GitLab Pages</h2> <p>Authentication cookies on GitLab Pages with Access Control could be sent over HTTP and weren't properly encrypted, which made them vulnerable to Man-In-The-Middle attacks. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14942">CVE-2019-14942</a>.</p> <p>This issue was internally discovered by the GitLab Security Team.</p> <h3 id="versions-affected-2">Versions Affected</h3> <p>Affects GitLab CE/EE 11.5 and later.</p> <h3 id="remediation-2">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="updating-2">Updating</h2> <p>To update, check out our <a href="/update/">update page</a>.</p> GitLab Security Release: 12.1.2, 12.0.4, and 11.11.7 https://about.gitlab.com/releases/2019/07/29/security-release-gitlab-12-dot-1-dot-2-released/ 2019-07-29T00:00:00+00:00 2019-07-29T00:00:00+00:00 Jeremy Matos <p>Today we are releasing versions 12.1.2, 12.0.4, and 11.11.7 for 
GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.</p> <p>The vulnerability details will be made public on our <a href="https://gitlab.com/gitlab-org/gitlab-ce/issues?scope=all&amp;utf8=%E2%9C%93&amp;state=opened&amp;label_name[]=security">issue tracker</a> in approximately 30 days.</p> <p>Please read on for more information regarding this release.</p> <h2 id="github-integration-ssrf">GitHub Integration SSRF</h2> <p>An input validation problem was discovered in the GitHub service integration which could result in an attacker being able to make arbitrary POST requests in a GitLab instance's internal network. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5461">CVE-2019-5461</a>.</p> <p>Thanks to <a href="https://hackerone.com/jobert">@jobert</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected">Versions Affected</h3> <p>Affects GitLab CE/EE 10.6 and later.</p> <h3 id="remediation">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="trigger-token-impersonation">Trigger Token Impersonation</h2> <p>An authorization issue was discovered when trigger tokens are not rotated once ownership of them has changed. 
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5462">CVE-2019-5462</a>.</p> <p>Thanks to <a href="https://hackerone.com/ashish_r_padelkar">@ashish_r_padelkar</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-1">Versions Affected</h3> <p>Affects GitLab CE/EE 9.0 and later.</p> <h3 id="remediation-1">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="build-status-disclosure">Build Status Disclosure</h2> <p>An authorization issue was discovered in the CI badge images endpoint which could result in disclosure of the build status. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5463">CVE-2019-5463</a>.</p> <p>Thanks to <a href="https://hackerone.com/xanbanx">@xanbanx</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-2">Versions Affected</h3> <p>Affects all previous GitLab CE/EE versions.</p> <h3 id="remediation-2">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="ssrf-mitigation-bypass">SSRF Mitigation Bypass</h2> <p>A flawed DNS rebinding protection issue was discovered in <code>url_blocker.rb</code> which could result in SSRF where the library is utilized. 
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5464">CVE-2019-5464</a>.</p> <p>Thanks to <a href="https://hackerone.com/mclaren650sspider">@mclaren650sspider</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-3">Versions Affected</h3> <p>Affects GitLab CE/EE 10.2 and later.</p> <h3 id="remediation-3">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="information-disclosure-new-issue-id">Information Disclosure New Issue ID</h2> <p>An authorization issue was discovered in the move issue feature which could result in disclosure of the newly created issue ID. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5465">CVE-2019-5465</a>.</p> <p>Thanks to <a href="https://hackerone.com/ashish_r_padelkar">@ashish_r_padelkar</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-4">Versions Affected</h3> <p>Affects GitLab CE/EE 8.14 and later.</p> <h3 id="remediation-4">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="idor-label-name-enumeration">IDOR Label Name Enumeration</h2> <p>An IDOR was discovered in the new merge requests endpoint which could result in disclosure of label names. 
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5466">CVE-2019-5466</a>.</p> <p>Thanks to <a href="https://hackerone.com/ashish_r_padelkar">@ashish_r_padelkar</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-5">Versions Affected</h3> <p>Affects GitLab CE/EE 11.5 and later.</p> <h3 id="remediation-5">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="persistent-xss-wiki-pages">Persistent XSS Wiki Pages</h2> <p>An input validation and output encoding issue was discovered in the wiki pages feature which could result in a persistent XSS. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5467">CVE-2019-5467</a>.</p> <p>Thanks to <a href="https://hackerone.com/ryhmnlfj">@ryhmnlfj</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-6">Versions Affected</h3> <p>Affects GitLab CE/EE 11.10 and later.</p> <h3 id="remediation-6">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="user-revokation-bypass-with-mattermost-integration">User Revocation Bypass with Mattermost Integration</h2> <p>An authorization issue was discovered when Mattermost slash commands are used with a blocked account. 
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5468">CVE-2019-5468</a>.</p> <p>Thanks to <a href="https://hackerone.com/logan5">@logan5</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-7">Versions Affected</h3> <p>Affects GitLab CE/EE 8.14 command service and later.</p> <h3 id="remediation-7">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="arbitrary-file-upload-via-import-project-archive">Arbitrary File Upload via Import Project Archive</h2> <p>A file upload issue was discovered when importing a project archive. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5469">CVE-2019-5469</a>.</p> <p>Thanks to <a href="https://hackerone.com/ajxchapman">@ajxchapman</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-8">Versions Affected</h3> <p>Affects GitLab CE/EE 10.5 and later.</p> <h3 id="remediation-8">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="information-disclosure-vulnerability-feedback">Information Disclosure Vulnerability Feedback</h2> <p>An authorization issue was discovered in the security dashboard which could result in disclosure of vulnerability feedback information. 
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5470">CVE-2019-5470</a>.</p> <p>Thanks to <a href="https://hackerone.com/ashish_r_padelkar">@ashish_r_padelkar</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-9">Versions Affected</h3> <p>Affects GitLab CE/EE 10.8 and later.</p> <h3 id="remediation-9">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="persistent-xss-via-email">Persistent XSS via Email</h2> <p>An input validation and output encoding issue was discovered in the email notification feature which could result in a persistent XSS. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5471">CVE-2019-5471</a>.</p> <p>Thanks to <a href="https://hackerone.com/mario-areias">@mario-areias</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-10">Versions Affected</h3> <p>Affects GitLab EE 8.9 and later.</p> <h3 id="remediation-10">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="denial-of-service-epic-comments">Denial Of Service Epic Comments</h2> <p>An authorization issue was discovered that prevented epic comments from being deleted. 
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5472">CVE-2019-5472</a>.</p> <p>Thanks to <a href="https://hackerone.com/ashish_r_padelkar">@ashish_r_padelkar</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-11">Versions Affected</h3> <p>Affects GitLab EE 10.7 and later.</p> <h3 id="remediation-11">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="email-verification-bypass">Email Verification Bypass</h2> <p>An authentication issue was discovered that allowed email verification to be bypassed. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5473">CVE-2019-5473</a>.</p> <p>Thanks to <a href="https://hackerone.com/ngalog">@ngalog</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-12">Versions Affected</h3> <p>Affects GitLab EE 12.0 and later.</p> <h3 id="remediation-12">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="override-merge-request-approval-rules">Override Merge Request Approval Rules</h2> <p>An authorization issue was discovered in the merge request approval rules. 
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5474">CVE-2019-5474</a>.</p> <p>Thanks to <a href="https://hackerone.com/ashish_r_padelkar">@ashish_r_padelkar</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-13">Versions Affected</h3> <p>Affects GitLab EE 11.8 and later.</p> <h3 id="remediation-13">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="disclosure-of-pipeline-details">Disclosure of Pipeline Details</h2> <p>Details of restricted pipelines were visible via the merge request endpoint. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15594">CVE-2019-15594</a>.</p> <p>Thanks to <a href="https://hackerone.com/ashish_r_padelkar">@ashish_r_padelkar</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-14">Versions Affected</h3> <p>Affects GitLab EE 11.8 and later.</p> <h3 id="remediation-14">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">update page</a>.</p> GitLab Security Release: 12.0.3, 11.11.5, and 11.10.8 https://about.gitlab.com/releases/2019/07/03/security-release-gitlab-12-dot-0-dot-3-released/ 2019-07-03T00:00:00+00:00 2019-07-03T00:00:00+00:00 Costel Maxim <p>Today we are releasing versions 12.0.3, 11.11.5, and 11.10.8 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain important security fixes, and we strongly 
recommend that all GitLab installations be upgraded to one of these versions immediately.</p> <p>The vulnerability details will be made public on our <a href="https://gitlab.com/gitlab-org/gitlab-ce/issues?scope=all&amp;utf8=%E2%9C%93&amp;state=opened&amp;label_name[]=security">issue tracker</a> in approximately 30 days.</p> <p>Please read on for more information regarding this release.</p> <h2 id="ability-to-write-a-note-to-a-private-snippet">Ability to Write a Note to a Private Snippet</h2> <p>GitLab Snippets were vulnerable to an authorization issue that allowed unauthorized users to add comments to a private snippet. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13001">CVE-2019-13001</a>.</p> <p>Thanks to <a href="https://hackerone.com/executor">@executor</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected">Versions Affected</h3> <p>Affects GitLab CE/EE 11.9 and later.</p> <h3 id="remediation">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="recent-pipeline-information-disclosed-to-unauthorised-users">Recent Pipeline Information Disclosed to Unauthorised Users</h2> <p>Unauthorised users were able to read pipeline information of the last merge request. 
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13002">CVE-2019-13002</a>.</p> <p>Thanks to <a href="https://hackerone.com/xanbanx">@xanbanx</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-1">Versions Affected</h3> <p>Affects GitLab CE/EE 11.10 and later.</p> <h3 id="remediation-1">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="resource-exhaustion-attack">Resource Exhaustion Attack</h2> <p>One of the parsers used by GitLab CI was vulnerable to a resource exhaustion attack. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13003">CVE-2019-13003</a>.</p> <p>Thanks to <a href="https://gitlab.com/leipert">@leipert</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-2">Versions Affected</h3> <p>Affects all versions of GitLab CE/EE.</p> <h3 id="remediation-2">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="error-caused-by-encoded-characters-in-comments">Error Caused by Encoded Characters in Comments</h2> <p>When specific encoded characters were added to comments, the comments section would become inaccessible. 
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13004">CVE-2019-13004</a>.</p> <p>Thanks to <a href="https://hackerone.com/newbiemole">@newbiemole</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-3">Versions Affected</h3> <p>Affects GitLab CE/EE 11.1 and later.</p> <h3 id="remediation-3">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="authorization-issues-in-graphql">Authorization Issues in GraphQL</h2> <p>The GitLab GraphQL service was vulnerable to multiple authorization issues that disclosed restricted user, group, and repository metadata to unauthorized users. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13005">CVE-2019-13005</a>.</p> <p>Thanks to <a href="https://hackerone.com/rpadovani">@rpadovani</a> and <a href="https://hackerone.com/xanbanx">@xanbanx</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-4">Versions Affected</h3> <p>Affects GitLab CE/EE 11.10 and later.</p> <h3 id="remediation-4">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="number-of-merge-requests-was-accessible">Number of Merge Requests was Accessible</h2> <p>Users with access to issues, but not the repository, were able to view the number of related merge requests on an issue. 
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13006">CVE-2019-13006</a>.</p> <p>Thanks to <a href="https://hackerone.com/xanbanx">@xanbanx</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-5">Versions Affected</h3> <p>Affects GitLab CE/EE 9.0 and later.</p> <h3 id="remediation-5">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="enabling-one-of-the-service-templates-could-cause-resource-depletion">Enabling One of the Service Templates Could Cause Resource Depletion</h2> <p>When an admin enabled one of the service templates, it triggered an action that led to resource depletion. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13007">CVE-2019-13007</a>.</p> <h3 id="versions-affected-6">Versions Affected</h3> <p>Affects GitLab CE/EE 11.11 and later.</p> <h3 id="remediation-6">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="broken-access-control-for-the-content-of-personal-snippets">Broken Access Control for the Content of Personal Snippets</h2> <p>Uploaded files associated with unsaved personal snippets were accessible to unauthorized users due to improper permission settings.
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13009">CVE-2019-13009</a>.</p> <p>Thanks to <a href="https://gitlab.com/mkozono">@mkozono</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-7">Versions Affected</h3> <p>Affects GitLab CE/EE 9.2 and later.</p> <h3 id="remediation-7">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="decoding-color-codes-caused-resource-depletion">Decoding Color Codes Caused Resource Depletion</h2> <p>The color code decoder was vulnerable to a resource depletion attack if specific formats were used. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13010">CVE-2019-13010</a>.</p> <p>Thanks to <a href="https://hackerone.com/8ayac">@8ayac</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-8">Versions Affected</h3> <p>Affects GitLab CE/EE 8.3 and later.</p> <h3 id="remediation-8">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="merge-request-template-name-disclosure">Merge Request Template Name Disclosure</h2> <p>By using brute force, a user with access to a project, but not its repository, could enumerate the names of the project's merge request templates.
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13011">CVE-2019-13011</a>.</p> <p>Thanks to <a href="https://hackerone.com/ashish_r_padelkar">@ashish_r_padelkar</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-9">Versions Affected</h3> <p>Affects GitLab EE 8.11.0 and later.</p> <h3 id="remediation-9">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="ssrf-vulnerability-in-project-github-integration">SSRF Vulnerability in Project GitHub Integration</h2> <p>The GitHub project integration was vulnerable to a Server-Side Request Forgery (SSRF) issue which allowed an attacker to make requests to local network resources. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13121">CVE-2019-13121</a>.</p> <p>Thanks to <a href="https://hackerone.com/ngalog">@ngalog</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-10">Versions Affected</h3> <p>Affects GitLab EE 10.6 and later.</p> <h3 id="remediation-10">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">update page</a>.</p> GitLab Security Release: 11.11.1, 11.10.5, and 11.9.12 https://about.gitlab.com/releases/2019/06/03/security-release-gitlab-11-dot-11-dot-1-released/ 2019-06-03T00:00:00+00:00 2019-06-03T00:00:00+00:00 Juan Broullon <p>Today we are releasing versions 11.11.1, 11.10.5, and 11.9.12 for GitLab Community Edition (CE) and Enterprise
Edition (EE).</p> <p>These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.</p> <p>The vulnerability details will be made public on our <a href="https://gitlab.com/gitlab-org/gitlab-ce/issues?scope=all&amp;utf8=%E2%9C%93&amp;state=opened&amp;label_name[]=security">issue tracker</a> in approximately 30 days.</p> <p>Please read on for more information regarding this release.</p> <h2 id="remote-command-execution-vulnerability-on-repository-download-feature">Remote Command Execution Vulnerability on Repository Download Feature</h2> <p>A specially crafted payload would allow an authenticated malicious user to execute commands remotely through the repository download feature. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12430">CVE-2019-12430</a>.</p> <p>Thanks to @nyangawa of Chaitin Tech for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected">Versions Affected</h3> <p>Affects GitLab CE/EE 11.11.</p> <h3 id="remediation">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="confidential-issue-titles-revealed-to-restricted-users-on-unsubscribe">Confidential Issue Titles Revealed to Restricted Users on Unsubscribe</h2> <p>Non-member users who subscribed to issue notifications could access the title of confidential issues through the unsubscription page. 
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12432">CVE-2019-12432</a>.</p> <p>Thanks to <a href="https://hackerone.com/skavans">@skavans</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-1">Versions Affected</h3> <p>Affects GitLab CE/EE 8.13 and later.</p> <h3 id="remediation-1">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="disclosure-of-milestone-metadata-through-the-search-api">Disclosure of Milestone Metadata through the Search API</h2> <p>Restricted users could access the metadata of private milestones through the Search API. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12431">CVE-2019-12431</a>.</p> <p>Thanks to <a href="https://hackerone.com/xanbanx">@xanbanx</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-2">Versions Affected</h3> <p>Affects GitLab CE/EE 8.13 and later.</p> <h3 id="remediation-2">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="private-project-discovery-via-comment-links">Private Project Discovery via Comment Links</h2> <p>Users could guess the URL slug of private projects through the contrast of the destination URLs of issues linked in comments. 
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12434">CVE-2019-12434</a>.</p> <p>Thanks to <a href="https://hackerone.com/ashish_r_padelkar">@ashish_r_padelkar</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-3">Versions Affected</h3> <p>Affects GitLab CE/EE 10.6 and later.</p> <h3 id="remediation-3">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="metadata-of-confidential-issues-disclosed-to-restricted-users">Metadata of Confidential Issues Disclosed to Restricted Users</h2> <p>Unprivileged users were able to access the labels, status, and merge request counts of confidential issues via the milestone details page. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12429">CVE-2019-12429</a>.</p> <p>Thanks to <a href="https://hackerone.com/ashish_r_padelkar">@ashish_r_padelkar</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-4">Versions Affected</h3> <p>Affects GitLab CE/EE 11.9 and later.</p> <h3 id="remediation-4">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="mandatory-external-authentication-provider-sign-in-restrictions-bypass">Mandatory External Authentication Provider Sign-In Restrictions Bypass</h2> <p>Users could bypass the mandatory external authentication provider sign-in restrictions by sending a specially crafted request.
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12428">CVE-2019-12428</a>.</p> <p>Thanks to <a href="https://hackerone.com/ngalog">@ngalog</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-5">Versions Affected</h3> <p>Affects GitLab CE/EE 6.8 and later.</p> <h3 id="remediation-5">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="internal-projects-allowed-to-be-created-on-in-private-groups">Internal Projects Allowed to Be Created in Private Groups</h2> <p>Restricted visibility settings allowed internal projects to be created in private groups, leading to multiple permission issues. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12433">CVE-2019-12433</a>.</p> <p>Thanks to <a href="https://gitlab.com/petermarko">Peter Marko</a> for contributing a fix for this issue.</p> <h3 id="versions-affected-6">Versions Affected</h3> <p>Affects GitLab CE/EE 11.7 and later.</p> <h3 id="remediation-6">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="server-side-request-forgery-through-dns-rebinding">Server-Side Request Forgery Through DNS Rebinding</h2> <p>Multiple features contained Server-Side Request Forgery (SSRF) vulnerabilities caused by insufficient validation to prevent DNS rebinding attacks.
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12443">CVE-2019-12443</a>.</p> <p>Thanks to @nyangawa of Chaitin Tech for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-7">Versions Affected</h3> <p>Affects GitLab CE/EE 10.2 and later.</p> <h3 id="remediation-7">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <p><strong>Note:</strong> The protection against DNS rebinding attacks can be disabled by unchecking the "Enforce DNS rebinding attack protection" checkbox under <em>Admin Area &gt; Settings &gt; Network &gt; Outbound requests</em>. Leaving it disabled reopens this class of SSRF for every feature that makes outbound requests.</p> <h2 id="stored-cross-site-scripting-on-wiki-pages">Stored Cross-Site Scripting on Wiki Pages</h2> <p>Wiki pages lacked input validation, which resulted in a persistent XSS vulnerability. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12444">CVE-2019-12444</a>.</p> <p>Thanks to <a href="https://hackerone.com/ryhmnlfj">@ryhmnlfj</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-8">Versions Affected</h3> <p>Affects GitLab CE/EE 8.9 and later.</p> <h3 id="remediation-8">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="stored-cross-site-scripting-on-notes">Stored Cross-Site Scripting on Notes</h2> <p>A malicious user could execute JavaScript code on notes by importing a specially crafted project file.
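<p>The DNS rebinding protection described in the SSRF section above comes down to one rule: resolve the destination once, reject the request if any returned address is internal, and then connect to that exact address instead of letting the HTTP client resolve the name a second time. The following Go program is an added illustration of that rule written for this page; it is not GitLab's implementation. The hostnames, the resolver answers and the address policy in <code>isForbidden</code> are constructed for the example, and the resolver is injected as a function so the check runs offline.</p>

```go
package main

import (
	"context"
	"fmt"
	"net"
	"net/http"
	"time"
)

// LookupFunc stands in for the DNS resolver so the check can run against a
// constructed answer set; net.DefaultResolver.LookupIPAddr has this signature.
type LookupFunc func(ctx context.Context, host string) ([]net.IPAddr, error)

// isForbidden is true for destinations an outbound integration must never reach:
// loopback, RFC 1918, link-local (which covers 169.254.169.254), unspecified, multicast.
// Policy is an assumption of this example; a real deployment may add its own ranges.
func isForbidden(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsMulticast() || ip.IsUnspecified()
}

// ResolveAndCheck resolves host exactly once and fails if ANY returned address is
// forbidden. The caller must connect to the returned address rather than to the
// name: a second lookup at connect time is the rebinding window, where the
// attacker's DNS answers with a public address first and an internal one next.
func ResolveAndCheck(ctx context.Context, host string, lookup LookupFunc) (net.IP, error) {
	if ip := net.ParseIP(host); ip != nil { // literal address: no DNS involved
		if isForbidden(ip) {
			return nil, fmt.Errorf("%s: address not allowed", host)
		}
		return ip, nil
	}
	addrs, err := lookup(ctx, host)
	if err != nil {
		return nil, err
	}
	if len(addrs) == 0 {
		return nil, fmt.Errorf("%s: no addresses", host)
	}
	for _, a := range addrs {
		if isForbidden(a.IP) {
			return nil, fmt.Errorf("%s resolves to %s, which is not allowed", host, a.IP)
		}
	}
	return addrs[0].IP, nil
}

// PinnedClient returns an http.Client that connects to the pre-validated ip for
// host and refuses every other destination. The URL keeps the hostname, so the
// Host header (and SNI, for https) still carry the configured name. Redirects are
// not followed: a 3xx to another host would otherwise reopen the hole.
func PinnedClient(host string, ip net.IP) *http.Client {
	dialer := &net.Dialer{Timeout: 10 * time.Second}
	tr := &http.Transport{
		DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
			h, port, err := net.SplitHostPort(addr)
			if err != nil {
				return nil, err
			}
			if h != host {
				return nil, fmt.Errorf("refusing to dial %s: client is pinned to %s", h, host)
			}
			return dialer.DialContext(ctx, network, net.JoinHostPort(ip.String(), port))
		},
	}
	return &http.Client{
		Transport: tr,
		Timeout:   15 * time.Second,
		CheckRedirect: func(*http.Request, []*http.Request) error {
			return http.ErrUseLastResponse
		},
	}
}

func main() {
	// Constructed resolver mimicking a rebinding attacker: the first answer is a
	// public address, every later answer is an internal one.
	calls := 0
	rebinding := func(_ context.Context, host string) ([]net.IPAddr, error) {
		calls++
		if calls == 1 {
			return []net.IPAddr{{IP: net.ParseIP("203.0.113.10")}}, nil
		}
		return []net.IPAddr{{IP: net.ParseIP("10.0.0.5")}}, nil
	}
	ip, err := ResolveAndCheck(context.Background(), "hooks.attacker.example", rebinding)
	if err != nil {
		fmt.Println("rejected:", err)
		return
	}
	// The first answer passed, but the client only ever dials that address; the
	// resolver is never consulted again, so the second answer never matters.
	client := PinnedClient("hooks.attacker.example", ip)
	fmt.Printf("pinned hooks.attacker.example -> %s (resolver consulted %d time)\n", ip, calls)
	_ = client
}
```

<p>The two halves must stay together: validating the name and then handing the name to a stock client is the vulnerable pattern, because the client's own lookup can receive a different answer. Pinning also needs to be applied to redirects, which is why the client refuses to follow them.</p>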
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12445">CVE-2019-12445</a>.</p> <p>Thanks to @nyangawa of Chaitin Tech for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-9">Versions Affected</h3> <p>Affects GitLab CE/EE 8.4 and later.</p> <h3 id="remediation-9">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="repository-password-disclosed-on-import-error-page">Repository Password Disclosed on Import Error Page</h2> <p>A failure while importing a repository by URL would render an error page containing the plaintext password of the repository being imported. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12446">CVE-2019-12446</a>.</p> <p>Thanks to <a href="https://gitlab.com/vandebrj">@vandebrj</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-10">Versions Affected</h3> <p>Affects GitLab CE/EE 8.3 and later.</p> <h3 id="remediation-10">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="protected-branches-restriction-rules-bypass">Protected Branches Restriction Rules Bypass</h2> <p>The protected branches feature contained an access control issue which resulted in a bypass of the protected branches restriction rules.
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12441">CVE-2019-12441</a>.</p> <p>Thanks to @nyangawa of Chaitin Tech for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-11">Versions Affected</h3> <p>Affects GitLab CE/EE 8.4 and later.</p> <h3 id="remediation-11">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="stored-cross-site-scripting-vulnerability-on-child-epics">Stored Cross-Site Scripting Vulnerability on Child Epics</h2> <p>The epic details page lacked input validation and output encoding, which resulted in a persistent XSS vulnerability on child epics. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12442">CVE-2019-12442</a>.</p> <p>Thanks to @near_ for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-12">Versions Affected</h3> <p>Affects GitLab EE 11.7 and later.</p> <h3 id="remediation-12">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="upgrade-to-knative-05">Upgrade to Knative 0.5</h2> <p>Knative was upgraded to version 0.5 for the GitLab 11.11, 11.10 and 11.9 packages.
This Knative release contains several security fixes.</p> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">update page</a>.</p> GitLab Security Release: 11.10.3, 11.9.11, and 11.8.10 https://about.gitlab.com/releases/2019/04/30/security-release-gitlab-11-dot-10-dot-3-released/ 2019-04-30T00:00:00+00:00 2019-04-30T00:00:00+00:00 Ethan Strike <p>Today we are releasing versions 11.10.3, 11.9.11, and 11.8.10 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>The GitLab EE versions contain an important security fix, and we strongly recommend that all GitLab EE installations be upgraded immediately. GitLab CE is not affected, but the version numbers were increased to be consistent with EE versioning.</p> <p>The vulnerability details will be made public on our issue tracker in approximately 30 days.</p> <p>Please read on for more information regarding this release.</p> <h2 id="information-disclosure-with-limited-scope-token">Information Disclosure with Limited Scope Token</h2> <p>A small number of GitLab API endpoints would disclose project information when using a <em>read_user</em> scoped token.
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11605">CVE-2019-11605</a>.</p> <p>Thanks to <a href="https://hackerone.com/ngalog">@ngalog</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected">Versions Affected</h3> <p>Affects GitLab CE/EE 11.8 and later.</p> <h3 id="remediation">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="updating">Updating</h2> <p>To update, check out our <a href="/update/">update page</a>.</p> GitLab Security Release: 11.10.2, 11.9.10, and 11.8.9 https://about.gitlab.com/releases/2019/04/29/security-release-gitlab-11-dot-10-dot-2-released/ 2019-04-29T00:00:00+00:00 2019-04-29T00:00:00+00:00 Juan Broullon <p>Today we are releasing versions 11.10.2, 11.9.10, and 11.8.9 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.</p> <p>The vulnerability details will be made public on our <a href="https://gitlab.com/gitlab-org/gitlab-ce/issues?scope=all&amp;utf8=%E2%9C%93&amp;state=opened&amp;label_name[]=security">issue tracker</a> in approximately 30 days.</p> <p>Please read on for more information regarding this release.</p> <h2 id="moving-an-issue-to-private-repo-leaks-project-namespace">Moving an Issue to Private Repo Leaks Project Namespace</h2> <p>When an issue was moved to a private project, the private project namespace was leaked to unauthorized users with access to the original issue.
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11545">CVE-2019-11545</a>.</p> <p>Thanks to <a href="https://hackerone.com/xanbanx">@xanbanx</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected">Versions Affected</h3> <p>Affects GitLab CE/EE 11.9 and later.</p> <h3 id="remediation">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="notification-emails-sent-to-restricted-users">Notification Emails Sent to Restricted Users</h2> <p>Non-member users who subscribed to notifications of an internal project with issue and repository restrictions would receive emails about restricted events. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11544">CVE-2019-11544</a>.</p> <p>Thanks to <a href="https://hackerone.com/yashrs">@yashrs</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-1">Versions Affected</h3> <p>Affects GitLab CE/EE 8.10 and later.</p> <h3 id="remediation-1">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="unauthorized-comments-on-confidential-issues">Unauthorized Comments on Confidential Issues</h2> <p>Unprivileged members of a project were able to post comments on confidential issues through an authorization issue in the note endpoint. 
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11548">CVE-2019-11548</a>.</p> <p>Thanks to @mishre for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-2">Versions Affected</h3> <p>Affects GitLab CE/EE 5.4.0 through 11.8.8.</p> <h3 id="remediation-2">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="merge-request-approval-count-inflation">Merge Request Approval Count Inflation</h2> <p>A race condition vulnerability was discovered which could allow a user to approve a merge request multiple times and potentially reach the approval count required to merge. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11546">CVE-2019-11546</a>.</p> <p>Thanks to <a href="https://hackerone.com/flashdisk">@flashdisk</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-3">Versions Affected</h3> <p>Affects GitLab CE/EE 8.6 and later.</p> <h3 id="remediation-3">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="unsanitized-branch-names-on-new-merge-request-notification-emails">Unsanitized Branch Names on New Merge Request Notification Emails</h2> <p>The branch name in new merge request notification emails was not being escaped, which could potentially lead to XSS issues.
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11547">CVE-2019-11547</a>.</p> <p>Thanks to <a href="https://hackerone.com/mario-areias">@mario-areias</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-4">Versions Affected</h3> <p>Affects GitLab CE/EE 6.0.0 and later.</p> <h3 id="remediation-4">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="improper-sanitation-of-credentials-in-gitaly">Improper Sanitization of Credentials in Gitaly</h2> <p>Gitaly has been upgraded to fix an information disclosure issue where HTTP/Git credentials were included in logs on connection errors. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11549">CVE-2019-11549</a>.</p> <p>Thanks to @j-jam for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-5">Versions Affected</h3> <p>Affects GitLab CE/EE 9.0 and later.</p> <h3 id="remediation-5">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="upgrade-to-rails-5072">Upgrade to Rails 5.0.7.2</h2> <p>Ruby on Rails was upgraded to version 5.0.7.2 for the GitLab 11.10.2 package.
This Ruby on Rails release contains several security fixes.</p> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">update page</a>.</p> GitLab Critical Security Release: 11.9.7, 11.8.7, and 11.7.11 https://about.gitlab.com/releases/2019/04/10/critical-security-release-gitlab-11-dot-9-dot-7-released/ 2019-04-10T00:00:00+00:00 2019-04-10T00:00:00+00:00 Ethan Strike <p>Today we are releasing versions 11.9.7, 11.8.7, and 11.7.11 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>The GitLab EE versions contain an important security fix, and we strongly recommend that all GitLab EE installations be upgraded immediately. GitLab CE is not affected, but the version numbers were increased to be consistent with EE versioning.</p> <p>The vulnerability details will be made public on our issue tracker in approximately 30 days.</p> <p>Please read on for more information regarding this release.</p> <h2 id="group-runner-registration-token-exposure">Group Runner Registration Token Exposure</h2> <p>The GitLab groups API was vulnerable to an information disclosure issue that disclosed group runner registration tokens to unauthorized users.
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11000">CVE-2019-11000</a>.</p> <p>Thanks to <a href="https://hackerone.com/storm_spirit">@storm_spirit</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected">Versions Affected</h3> <p>Affects GitLab EE 10.4 and later.</p> <h3 id="remediation">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="updating">Updating</h2> <p>To update, check out our <a href="/update/">update page</a>.</p> GitLab Security Release: 11.9.4, 11.8.6, and 11.7.10 https://about.gitlab.com/releases/2019/04/01/security-release-gitlab-11-dot-9-dot-4-released/ 2019-04-01T00:00:00+00:00 2019-04-01T00:00:00+00:00 James Ritchey <p>Today we are releasing versions 11.9.4, 11.8.6, and 11.7.10 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.</p> <p>The vulnerability details will be made public on our <a href="https://gitlab.com/gitlab-org/gitlab-ce/issues?scope=all&amp;utf8=%E2%9C%93&amp;state=opened&amp;label_name[]=security">issue tracker</a> in approximately 30 days.</p> <p>Please read on for more information regarding this release.</p> <h2 id="dos-potential-for-regex-in-cicd-refs">DoS potential for regex in CI/CD <code>refs</code></h2> <p>A regex input validation issue for the <code>.gitlab-ci.yml</code> <a href="https://docs.gitlab.com/ee/ci/yaml/index.html#onlyrefs--exceptrefs"><code>refs</code> value</a> was discovered which could allow an attacker to execute a denial of service against the platform.
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10640">CVE-2019-10640</a>.</p> <h3 id="notes">Notes</h3> <p>Due to this fix, certain regular expression patterns in <code>refs</code> values may no longer be supported and will require modification.</p> <p>This fix will go live for GitLab.com users on April 8, 2019.</p> <p>Related issues:</p> <ul> <li>https://gitlab.com/gitlab-org/gitlab-ce/issues/59703</li> <li>https://gitlab.com/gitlab-com/customer-success/professional-services/issues/421</li> <li>https://gitlab.com/gitlab-org/gitlab-ce/issues/49665 (confidential for the first 30 days past publication)</li> </ul> <h3 id="explanation">Explanation</h3> <p>Previously, GitLab used <a href="https://ruby-doc.org/core-2.4.2/Regexp.html">Ruby's Regexp</a> for pattern matching. This change switches the regular expression engine to <a href="https://github.com/google/re2/">RE2</a> while maintaining the previous syntax. GitLab internally converts <code>/pattern/flags</code> into valid RE2 patterns.</p> <p>However, this is considered a breaking change because RE2 does not support some patterns, such as negative lookahead, due to computational complexity: RE2 guarantees matching time linear in the length of the input, which is what removes the denial-of-service vector, and backtracking constructs such as lookaround cannot be offered under that guarantee. For the list of supported syntaxes, see https://github.com/google/re2/wiki/Syntax.</p> <h4 id="example-1">Example 1</h4> <div class="highlight"><pre class="highlight plaintext"><code>only:
  - tags
except:
  - /^(?!master).+@/
</code></pre></div> <p>The intent of this matcher is to create a job only on tags that are created for <code>master</code>. However, this did not work as intended, as Git does not have a concept of creating a reference on top of another reference.
Tag, branch, and any reference are always created on top of a revision.</p> <p>The valid equivalent syntax here is:</p> <div class="highlight"><pre class="highlight plaintext"><code>only:
  - tags
</code></pre></div> <h4 id="example-2">Example 2</h4> <div class="highlight"><pre class="highlight plaintext"><code>only:
  - //@gitlab-org/gitlab-ce
</code></pre></div> <p>The intent of this matcher is to create a job only for the upstream repository. It fails because RE2 requires a non-empty pattern to match against; the behavior of the entry above is undefined.</p> <div class="highlight"><pre class="highlight plaintext"><code>only:
  - /./@gitlab-org/gitlab-ce
</code></pre></div> <p>This syntax matches any ref name, restricted to the <code>gitlab-org/gitlab-ce</code> project.</p> <h3 id="versions-affected">Versions Affected</h3> <p>Affects GitLab CE/EE 8.0 and later.</p> <h3 id="remediation">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="related-branches-visible-in-issues-for-guests">Related branches visible in issues for guests</h2> <p>An authorization issue was discovered which allowed Guests of a project to see Related Branches created for an issue.
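<p>Returning to the CI <code>refs</code> change explained above: the following Go program is an added example written for this page, not GitLab's own matcher, that reproduces the <code>/pattern/flags</code> to RE2 conversion and runs the advisory's two examples through it. Go's <code>regexp</code> package implements RE2 syntax with the same linear-time guarantee, so it rejects negative lookahead exactly as RE2 does. The rule grammar assumed here (the closing slash is the first <code>/</code> followed only by flag letters and an optional <code>@namespace/project</code>, an empty pattern is an error, Ruby's <code>m</code> flag becomes RE2's <code>s</code>) is an assumption of the example, as are the ref and project names it is run against.</p>

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Rule is one parsed entry of a CI only:/except: refs list.
type Rule struct {
	Literal string         // keyword ("tags", "branches") or an exact ref name
	Pattern *regexp.Regexp // set when the entry was a /regex/flags
	Path    string         // optional @namespace/project restriction
}

// suffixRe matches what may follow the closing slash of a regex entry:
// Ruby-style flag letters and an optional @namespace/project.
var suffixRe = regexp.MustCompile(`^([a-z]*)(?:@(.+))?$`)

// toRE2 rewrites Ruby /pattern/flags into an RE2 pattern. Ruby's "m" (dot
// matches newline) is RE2's "s"; "i" is the same in both. Any other flag is
// rejected instead of being silently dropped.
func toRE2(pattern, flags string) (string, error) {
	var re2Flags strings.Builder
	for _, f := range flags {
		switch f {
		case 'i':
			re2Flags.WriteRune('i')
		case 'm':
			re2Flags.WriteRune('s')
		default:
			return "", fmt.Errorf("unsupported flag %q", f)
		}
	}
	if re2Flags.Len() == 0 {
		return pattern, nil
	}
	return "(?" + re2Flags.String() + ")" + pattern, nil
}

// ParseRule accepts "tags", "branches", an exact ref name, or "/regex/flags",
// each optionally followed by "@namespace/project". Assumption of this example:
// the closing slash is the first "/" followed only by flag letters and the
// optional @path, so a regex may itself contain "/" or "@".
func ParseRule(raw string) (Rule, error) {
	if !strings.HasPrefix(raw, "/") {
		lit, path := raw, ""
		if i := strings.Index(raw, "@"); i >= 0 {
			lit, path = raw[:i], raw[i+1:]
		}
		return Rule{Literal: lit, Path: path}, nil
	}
	for j := 1; j < len(raw); j++ {
		if raw[j] != '/' {
			continue
		}
		m := suffixRe.FindStringSubmatch(raw[j+1:])
		if m == nil {
			continue // this slash is inside the pattern
		}
		body := raw[1:j]
		if body == "" {
			return Rule{}, fmt.Errorf("%q: empty pattern is not valid", raw)
		}
		converted, err := toRE2(body, m[1])
		if err != nil {
			return Rule{}, fmt.Errorf("%q: %w", raw, err)
		}
		re, err := regexp.Compile(converted) // RE2 syntax: lookarounds are rejected here
		if err != nil {
			return Rule{}, fmt.Errorf("%q: not valid RE2: %w", raw, err)
		}
		return Rule{Pattern: re, Path: m[2]}, nil
	}
	return Rule{}, fmt.Errorf("%q: unterminated regex", raw)
}

// Matches reports whether a pipeline for ref in project projectPath satisfies the rule.
func (r Rule) Matches(ref, projectPath string, isTag bool) bool {
	if r.Path != "" && r.Path != projectPath {
		return false
	}
	if r.Pattern != nil {
		return r.Pattern.MatchString(ref)
	}
	switch r.Literal {
	case "tags":
		return isTag
	case "branches":
		return !isTag
	}
	return r.Literal == ref
}

func main() {
	for _, raw := range []string{
		"/^(?!master).+@/",         // advisory example 1: negative lookahead, rejected by RE2
		"//@gitlab-org/gitlab-ce",  // advisory example 2: empty pattern, rejected
		"/./@gitlab-org/gitlab-ce", // the valid form: any ref, upstream project only
		"/^release-/i",             // Ruby flag carried over as (?i)
	} {
		r, err := ParseRule(raw)
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Printf("%-26s master@gitlab-org/gitlab-ce=%v master@fork/gitlab-ce=%v\n", raw,
			r.Matches("master", "gitlab-org/gitlab-ce", false),
			r.Matches("master", "fork/gitlab-ce", false))
	}
}
```

<p>The compile error for <code>(?!master)</code> is the breaking change the advisory describes: it is raised at parse time, so a pipeline configuration that relied on lookahead fails loudly rather than being silently matched differently.</p>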
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10116">CVE-2019-10116</a>.</p> <p>Thanks to <a href="https://hackerone.com/ashish_r_padelkar">@ashish_r_padelkar</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-1">Versions Affected</h3> <p>Affects GitLab CE/EE 8.7 and later.</p> <h3 id="remediation-1">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="persistent-xss-at-merge-request-resolve-conflicts">Persistent XSS at merge request resolve conflicts</h2> <p>An input validation and output encoding issue was discovered in the merge request "resolve conflicts" page which resulted in a persistent XSS. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10111">CVE-2019-10111</a>.</p> <p>Thanks to <a href="https://hackerone.com/valis_">@valis_</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-2">Versions Affected</h3> <p>Affects GitLab CE/EE 11.0 to 11.8.</p> <h3 id="remediation-2">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="improper-authorization-control-move-issue">Improper authorization control "move issue"</h2> <p>An authorization issue was discovered in the "move issue" feature which could allow an attacker to create projects under any namespace on any GitLab instance on which they already hold credentials.
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10110">CVE-2019-10110</a>.</p> <p>Thanks to @mishre for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-3">Versions Affected</h3> <p>Affects GitLab CE/EE 11.7 and later.</p> <h3 id="remediation-3">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="guest-users-of-private-projects-have-access-to-releases">Guest users of private projects have access to releases</h2> <p>An authorization issue was discovered for the GitLab Releases feature which could allow guest users access to private information like release details. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10115">CVE-2019-10115</a>.</p> <p>Thanks to <a href="https://hackerone.com/xanbanx">@xanbanx</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-4">Versions Affected</h3> <p>Affects GitLab CE/EE 11.7 and later.</p> <h3 id="remediation-4">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="dos-potential-on-project-languages-page">DoS potential on project languages page</h2> <p>A potential denial of service attack vector was discovered on the project languages endpoint. 
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10113">CVE-2019-10113</a>.</p> <p>Thanks to <a href="https://github.com/opalmer">@opalmer</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-5">Versions Affected</h3> <p>Affects GitLab CE/EE 11.2 and later.</p> <h3 id="remediation-5">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="recurity-assessment-information-exposure-through-timing-discrepancy">Recurity assessment: information exposure through timing discrepancy</h2> <p>During the OAuth authentication process, the application attempts to validate a parameter in an insecure way, potentially exposing data. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10114">CVE-2019-10114</a>.</p> <p>Thanks to <a href="https://www.recurity-labs.com/">Recurity</a> for reporting this vulnerability to us.</p> <h3 id="versions-affected-6">Versions Affected</h3> <p>Affects GitLab CE/EE 11.9 and later.</p> <h3 id="remediation-6">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="recurity-assessment-loginstate-hmac-issues">Recurity assessment: loginState HMAC issues</h2> <p>The construction of the HMAC key was insecurely derived. 
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10112">CVE-2019-10112</a>.</p> <p>Thanks to <a href="https://www.recurity-labs.com/">Recurity</a> for reporting this vulnerability to us.</p> <h3 id="versions-affected-7">Versions Affected</h3> <p>Affects GitLab CE/EE 11.9 and later.</p> <h3 id="remediation-7">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="recurity-assessment-open-redirect">Recurity assessment: open redirect</h2> <p>Within the <code>GeoAuthController</code> for the secondary Geo node, a redirect is triggered after successful authentication which was subject to an open redirect vulnerability. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10117">CVE-2019-10117</a>.</p> <p>Thanks to <a href="https://www.recurity-labs.com/">Recurity</a> for reporting this vulnerability to us.</p> <h3 id="versions-affected-8">Versions Affected</h3> <p>Affects GitLab CE/EE 11.9 and later.</p> <h3 id="remediation-8">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="pdfjs-vulnerable-to-cve-2018-5158">PDF.js vulnerable to CVE-2018-5158</h2> <p>The version of PDF.js embedded in GitLab is 1.8.172, which is vulnerable to CVE-2018-5158. Per the summary, attacker-supplied JavaScript will be executed in a web worker context. Please see <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1452075">https://bugzilla.mozilla.org/show_bug.cgi?id=1452075</a> for more details about the CVE. 
The issue is now mitigated in the latest release.</p> <p>Thanks to <a href="https://hackerone.com/certifiable">@certifiable</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-9">Versions Affected</h3> <p>Affects GitLab CE/EE 9.5 and later.</p> <h3 id="remediation-9">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="idor-labels-of-private-projectsgroups">IDOR labels of private projects/groups</h2> <p>An authorization issue was discovered which allowed non-members of a private project/group to add and read labels. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10108">CVE-2019-10108</a>.</p> <p>Thanks to <a href="https://hackerone.com/indoappsec?type=user">@vijay_kumar1110</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-10">Versions Affected</h3> <p>Affects GitLab CE/EE 8.11.4 and later.</p> <h3 id="remediation-10">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="exif-geolocation-data-not-stripped-from-uploaded-images">EXIF geolocation data not stripped from uploaded images</h2> <p>Images uploaded to GitLab were not stripped of EXIF geolocation data. As a result, anyone with access to the uploaded image could obtain its geolocation, device, and software version data, if present. 
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10109">CVE-2019-10109</a>.</p> <p><strong>Note:</strong> if you are using CentOS Minimal, you may need to install the <code>perl</code> package: <code>yum install perl</code></p> <p>Thanks to <a href="https://hackerone.com/jackb898?type=user">@jackb898</a> and <a href="https://hackerone.com/rgupt">@rgupt</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-11">Versions Affected</h3> <p>Affects all previous versions of GitLab.</p> <h3 id="remediation-11">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h3 id="additional-notes-for-removing-existing-uploads">Additional notes for removing existing uploads</h3> <p>Since 11.9, EXIF data are automatically stripped from JPG or TIFF image uploads. Because EXIF data may contain sensitive information (e.g. 
GPS location), you may also choose to remove EXIF data from images which were uploaded to older versions of GitLab with <a href="https://docs.gitlab.com/ee/administration/raketasks/uploads/sanitize.html">the rake task</a>.</p> <h2 id="updating">Updating</h2> <p>To update GitLab, see the <a href="/update/">update page</a>.</p> GitLab Critical Security Release: 11.8.3 and 11.7.7 https://about.gitlab.com/releases/2019/03/20/critical-security-release-gitlab-11-dot-8-dot-3-released/ 2019-03-20T00:00:00+00:00 2019-03-20T00:00:00+00:00 Ethan Strike <p>Today we are releasing versions 11.8.3 and 11.7.7 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.</p> <p>The vulnerability details will be made public on our issue tracker in approximately 30 days.</p> <p>Please read on for more information regarding this release.</p> <h2 id="project-runner-registration-token-exposed-through-issues-quick-actions">Project Runner Registration Token Exposed Through Issues Quick Actions</h2> <p>GitLab issues quick actions were vulnerable to an information disclosure issue that disclosed project runner registration tokens to unauthorized users. 
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9866">CVE-2019-9866</a>.</p> <p>Thanks to <a href="https://hackerone.com/jobert">@jobert</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected">Versions Affected</h3> <p>Affects GitLab CE/EE 11.4 and later.</p> <h3 id="remediation">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="upgrade-mattermost-to-version-565-in-gitlab-117">Upgrade Mattermost to Version 5.6.5 in GitLab 11.7</h2> <p>The Mattermost integration was updated to version 5.6.5 for the GitLab 11.7 package. Included in this Mattermost release are several security fixes.</p> <h2 id="updating">Updating</h2> <p>To update, check out our <a href="/update/">update page</a>.</p> GitLab Security Release: 11.8.1, 11.7.6, and 11.6.10 https://about.gitlab.com/releases/2019/03/04/security-release-gitlab-11-dot-8-dot-1-released/ 2019-03-04T00:00:00+00:00 2019-03-04T00:00:00+00:00 James Ritchey <p>Today we are releasing versions 11.8.1, 11.7.6, and 11.6.10 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.</p> <p>The vulnerability details will be made public on our issue tracker in approximately 30 days.</p> <p>Please read on for more information regarding this release.</p> <h2 id="arbitrary-file-read-via-mergerequestdiff">Arbitrary file read via MergeRequestDiff</h2> <p>A problem with lack of input validation was discovered for MergeRequestDiff objects which resulted in an arbitrary local file read. 
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9221">CVE-2019-9221</a>.</p> <p>Thanks to @nyangawa of Chaitin Tech for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected">Versions Affected</h3> <p>Affects GitLab CE/EE 8.0 and later.</p> <h3 id="remediation">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="idor-add-publicinternal-groups-as-members-to-project">IDOR add <code>public</code>/<code>internal</code> groups as members to project</h2> <p>An IDOR was discovered which could allow project owners to add <code>public</code>/<code>internal</code> groups, of which they are not a member, to their project. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9756">CVE-2019-9756</a>.</p> <p>Thanks to <a href="https://hackerone.com/indoappsec?type=user">@vijay_kumar1110</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-1">Versions Affected</h3> <p>Affects GitLab CE/EE 10.8.0 and earlier.</p> <h3 id="remediation-1">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="csrf-add-kubernetes-cluster-integration">CSRF add Kubernetes cluster integration</h2> <p>The Kubernetes integration feature was vulnerable to CSRF which could result in overwriting an existing Kubernetes integration with the attacker's cluster. 
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9176">CVE-2019-9176</a>.</p> <p>Thanks to <a href="https://hackerone.com/cache-money">@cache-money</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-2">Versions Affected</h3> <p>Affects GitLab CE/EE 10.1 and later.</p> <h3 id="remediation-2">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="blind-ssrf-in-prometheus-integration">Blind SSRF in Prometheus integration</h2> <p>The Prometheus integration feature was vulnerable to SSRF which could result in access to internal services. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9174">CVE-2019-9174</a>.</p> <p>Thanks to <a href="https://hackerone.com/ngalog">@ngalog</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-3">Versions Affected</h3> <p>Affects GitLab CE/EE 9.0 and later.</p> <h3 id="remediation-3">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="merge-request-information-disclosure">Merge request information disclosure</h2> <p>Projects configured with MRs accessible only by project members were subject to information disclosure to non-members via a specific API endpoint. 
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9172">CVE-2019-9172</a>.</p> <p>Thanks to <a href="https://hackerone.com/ngalog">@ngalog</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-4">Versions Affected</h3> <p>Affects GitLab CE/EE 10.7 and later.</p> <h3 id="remediation-4">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="idor-milestone-name-information-disclosure">IDOR milestone name information disclosure</h2> <p>The milestone picker was vulnerable to an IDOR which resulted in disclosure of milestone names. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9170">CVE-2019-9170</a>.</p> <p>Thanks to <a href="https://hackerone.com/ashish_r_padelkar">@ashish_r_padelkar</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-5">Versions Affected</h3> <p>Affects GitLab CE/EE 2.9.0 and later.</p> <h3 id="remediation-5">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="burndown-chart-information-disclosure">Burndown chart information disclosure</h2> <p>The burndown chart feature was inadvertently leaking confidential issue attribute information. 
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9175">CVE-2019-9175</a>.</p> <p>Thanks to <a href="https://hackerone.com/ngalog">@ngalog</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-6">Versions Affected</h3> <p>Affects GitLab CE/EE 7.9 and later.</p> <h3 id="remediation-6">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="private-merge-request-titles-in-public-project-information-disclosure">Private merge request titles in public project information disclosure</h2> <p>The milestones tab was inadvertently leaking private merge request titles to the public. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9178">CVE-2019-9178</a>.</p> <p>Thanks to <a href="https://hackerone.com/ngalog">@ngalog</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-7">Versions Affected</h3> <p>Affects GitLab CE/EE 8.12 and later.</p> <h3 id="remediation-7">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="private-namespace-disclosure-in-email-notification-when-issue-is-moved">Private namespace disclosure in email notification when issue is moved</h2> <p>When an issue is moved to a private namespace, the email notification was inadvertently disclosing the project path which it was moved to. 
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9179">CVE-2019-9179</a>.</p> <p>Thanks to <a href="https://hackerone.com/ashish_r_padelkar">@ashish_r_padelkar</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-8">Versions Affected</h3> <p>Affects GitLab CE/EE 8.7 and later.</p> <h3 id="remediation-8">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="users-with-restricted-repo-access-can-access-and-create-discussions-on-commits">Users with restricted repo access can access and create discussions on commits</h2> <p>A permissions issue was discovered for access to discussions/notes on commits. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9890">CVE-2019-9890</a>.</p> <p>Thanks to <a href="https://hackerone.com/xanbanx">@xanbanx</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-9">Versions Affected</h3> <p>Affects GitLab CE/EE 10.8.0 and later.</p> <h3 id="remediation-9">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="milestone-name-disclosure">Milestone name disclosure</h2> <p>When a project is public and issues are set to <code>Only Project Members</code>, milestone names are able to be disclosed via the milestone autocomplete and board endpoints. 
These issues are now mitigated in the latest release and are assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9171">CVE-2019-9171</a> and <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9224">CVE-2019-9224</a>.</p> <p>Thanks to <a href="https://hackerone.com/ashish_r_padelkar">@ashish_r_padelkar</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-10">Versions Affected</h3> <p>Affects GitLab CE/EE 8.16 and later.</p> <h3 id="remediation-10">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="issue-board-name-disclosure">Issue board name disclosure</h2> <p>When a project is public and issues are set to <code>Only Project Members</code>, issue board names are able to be disclosed via the boards and boards list API endpoints. These issues are now mitigated in the latest release and are assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9225">CVE-2019-9225</a> and <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9219">CVE-2019-9219</a>.</p> <p>Thanks to <a href="https://hackerone.com/ashish_r_padelkar">@ashish_r_padelkar</a> and <a href="https://hackerone.com/indoappsec?type=user">@vijay_kumar1110</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-11">Versions Affected</h3> <p>Affects GitLab CE/EE 8.16 and later.</p> <h3 id="remediation-11">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="npm-automatic-package-referencer">NPM automatic package referencer</h2> <p>The automatic package referencer contained an issue where victims could be tricked into installing and executing a malicious package from the npm registry. 
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9217">CVE-2019-9217</a>.</p> <p>Thanks to <a href="https://hackerone.com/edoverflow">@edoverflow</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-12">Versions Affected</h3> <p>Affects GitLab CE/EE 8.16 and later.</p> <h3 id="remediation-12">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="path-traversal-snippet-mover">Path traversal snippet mover</h2> <p>The logic to move snippets contained a path traversal vulnerability which is currently resulting in a denial of service but could result in data exposure. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9222">CVE-2019-9222</a>.</p> <p>Thanks to <a href="https://hackerone.com/pindakaas">@pindakaas</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-13">Versions Affected</h3> <p>Affects GitLab CE/EE 9.3 and later.</p> <h3 id="remediation-13">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="information-disclosure-repo-existence">Information disclosure repo existence</h2> <p>An information disclosure was discovered which could allow an attacker to determine the existence of a private repo by attempting to clone it. 
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9223">CVE-2019-9223</a>.</p> <p>Thanks to <a href="https://gitlab.com/tim241">Tim Wanders</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-14">Versions Affected</h3> <p>Affects GitLab CE/EE 8.15 and later.</p> <h3 id="remediation-14">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="issue-dos-via-mermaid">Issue DoS via Mermaid</h2> <p>An input validation issue was discovered in the issue page markdown field which could result in a DoS on the affected issue. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9220">CVE-2019-9220</a>.</p> <p>Thanks to <a href="https://hackerone.com/8ayac">@8ayac</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-15">Versions Affected</h3> <p>Affects GitLab CE/EE 10.2 and later.</p> <h3 id="remediation-15">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="privilege-escalation-impersonate-user">Privilege escalation impersonate user</h2> <p>The impersonate user feature contained a vulnerability which could allow for the user being impersonated to escalate privileges. 
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9485">CVE-2019-9485</a>.</p> <p>Thanks to <a href="https://hackerone.com/skavans">@skavans</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-16">Versions Affected</h3> <p>Affects GitLab CE/EE 10.8 and later.</p> <h3 id="remediation-16">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="validate-inresponseto-when-linking-gitlabcom-group-saml">Validate InResponseTo when linking GitLab.com Group SAML</h2> <p>GitLab.com now validates that the <code>InResponseTo</code> field in the SAML response matches the unique ID we generated for the initial request, in order to prevent account hijacking. Note that GitLab.com issues cannot be assigned CVE IDs.</p> <h3 id="versions-affected-17">Versions Affected</h3> <p>Affects GitLab.com Only.</p> <h3 id="remediation-17">Remediation</h3> <p>The patch has already been applied to GitLab.com.</p> <h2 id="permissions-issue-gitlabcom-group-saml">Permissions issue GitLab.com Group SAML</h2> <p>Disabling the Group SAML option, after previously enabling it, could still allow users to join via SAML SSO. Note that GitLab.com issues cannot be assigned CVE IDs.</p> <p>Thanks to <a href="https://hackerone.com/ngalog">@ngalog</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-18">Versions Affected</h3> <p>Affects GitLab.com Only.</p> <h3 id="remediation-18">Remediation</h3> <p>The patch has already been applied to GitLab.com.</p> <h2 id="omnibus-updates">Omnibus updates</h2> <p>Non-security updates for the <code>gitlab-ctl restart unicorn</code> <code>restart_command</code> have been applied. 
Please see <a href="https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests/3062">https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests/3062</a> for more details regarding this update.</p> <h2 id="updating">Updating</h2> <p>To update, check out our <a href="/update/">update page</a>.</p> GitLab Critical Security Release: 11.7.4 and 11.6.9 https://about.gitlab.com/releases/2019/02/05/critical-security-release-gitlab-11-dot-7-dot-4-released/ 2019-02-05T00:00:00+00:00 2019-02-05T00:00:00+00:00 Ethan Strike <p>Today we are releasing versions 11.7.4 and 11.6.9 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.</p> <p>The vulnerability details will be made public on our issue tracker in approximately 30 days.</p> <p>Please read on for more information regarding this release.</p> <h2 id="leak-of-confidential-issue-and-merge-request-titles">Leak of Confidential Issue and Merge Request Titles</h2> <p>GitLab Releases were vulnerable to an authorization issue that allowed users to view confidential issue and merge request titles of other projects. 
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7353">CVE-2019-7353</a>.</p> <p>Thanks to <a href="https://hackerone.com/xanbanx">@xanbanx</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected">Versions Affected</h3> <p>Affects GitLab CE/EE 11.7 and later.</p> <h3 id="remediation">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="persistent-xss-in-user-status">Persistent XSS in User Status</h2> <p>A regression was identified in the patch for a persistent XSS attack in user status. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6796">CVE-2019-6796</a>.</p> <p>Thanks to <a href="https://hackerone.com/ashish_r_padelkar">@ashish_r_padelkar</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-1">Versions Affected</h3> <p>Affects GitLab CE/EE 11.6 and later.</p> <h3 id="remediation-1">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="updating">Updating</h2> <p>To update, check out our <a href="/update/">update page</a>.</p> GitLab Security Release: 11.7.3, 11.6.8, 11.5.10 https://about.gitlab.com/releases/2019/01/31/security-release-gitlab-11-dot-7-dot-3-released/ 2019-01-31T00:00:00+00:00 2019-01-31T00:00:00+00:00 Ethan Strike <p>Today we are releasing versions 11.7.3, 11.6.8, and 11.5.10 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain important security fixes, and we strongly recommend that all GitLab 
installations be upgraded to one of these versions immediately.</p> <p>These versions are the public releases following 11.7.0, 11.6.5, and 11.5.7. The intermediate versions were not made public for quality assurance reasons.</p> <p>The vulnerability details will be made public on our issue tracker in approximately 30 days.</p> <p>Please read on for more information regarding this release.</p> <h2 id="remote-command-execution-via-gitlab-pages">Remote Command Execution via GitLab Pages</h2> <p>GitLab Pages contained a directory traversal vulnerability that could lead to remote command execution. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6783">CVE-2019-6783</a>.</p> <p>Thanks to <a href="https://hackerone.com/bink">@bink</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected">Versions Affected</h3> <p>Affects GitLab CE 8.17, and EE 8.3 and later.</p> <h3 id="remediation">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="covert-redirect-to-steal-githubbitbucket-tokens">Covert Redirect to Steal GitHub/Bitbucket Tokens</h2> <p>For installations using GitHub or Bitbucket OAuth integrations, it was possible to use a <a href="http://tetraph.com/covert_redirect/">covert redirect</a> to obtain the user OAuth token for those services. This release moves the OAuth callbacks to a common path to mitigate the issue. 
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6788">CVE-2019-6788</a>.</p> <p>Thanks to @mishre and <a href="https://hackerone.com/yipman">@yipman</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-1">Versions Affected</h3> <p>Affects GitLab CE/EE 8.4 and later.</p> <h3 id="remediation-1">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <p><em>Necessary Action:</em> It is necessary to append <code>/users/auth</code> to the callback URL in GitHub or Bitbucket to fully protect against this issue. Please see our pages on the <a href="https://docs.gitlab.com/ee/integration/github.html">GitHub</a> and <a href="https://docs.gitlab.com/ee/integration/bitbucket.html">Bitbucket</a> integrations for more information.</p> <h2 id="remote-mirror-branches-leaked-by-git-transfer-refs">Remote Mirror Branches Leaked by Git Transfer Refs</h2> <p>A Gitv2 feature used to hide certain internal references does not function correctly, and can reveal hidden refs. This release disables Gitv2 in GitLab until the problem is resolved. No additional action is required, even if Gitv2 was manually configured.</p> <h3 id="versions-affected-2">Versions Affected</h3> <p>Affects GitLab CE/EE 11.4 and later.</p> <h3 id="remediation-2">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> <h2 id="denial-of-service-with-markdown">Denial of Service with Markdown</h2> <p>It was found that inputting an overly long string into a Markdown field could cause a denial of service. 
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6785">CVE-2019-6785</a>.</p> <p>Thanks to <a href="https://hackerone.com/8ayac">@8ayac</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-3">Versions Affected</h3> <p>Affects GitLab CE/EE 7.4 and later.</p> <h3 id="remediation-3">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above to be upgraded to the latest version as soon as possible.</p> <h2 id="guests-can-view-list-of-group-merge-requests">Guests Can View List of Group Merge Requests</h2> <p>Guest users were able to view the list of a group's merge requests. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6790">CVE-2019-6790</a>.</p> <p>Thanks to <a href="https://hackerone.com/ashish_r_padelkar">@ashish_r_padelkar</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-4">Versions Affected</h3> <p>Affects GitLab CE/EE 8.14 and later.</p> <h3 id="remediation-4">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above to be upgraded to the latest version as soon as possible.</p> <h2 id="guest-can-view-merge-request-titles-via-system-notes">Guest Can View Merge Request Titles via System Notes</h2> <p>System notes contained an access control issue that permitted a guest user to view merge request titles. 
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6997">CVE-2019-6997</a>.</p>
<p>Thanks to <a href="https://hackerone.com/xanbanx">@xanbanx</a> for responsibly reporting this vulnerability to us.</p>
<h3 id="versions-affected-5">Versions Affected</h3>
<p>Affects GitLab CE/EE 10.7 and later.</p>
<h3 id="remediation-5">Remediation</h3>
<p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p>
<h2 id="persistent-xss-via-katex">Persistent XSS via KaTeX</h2>
<p>Markdown fields lacked input validation and output encoding when processing KaTeX, which resulted in a persistent XSS. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6784">CVE-2019-6784</a>.</p>
<p>Thanks to <a href="https://hackerone.com/jouko">@jouko</a> for responsibly reporting this vulnerability to us.</p>
<h3 id="versions-affected-6">Versions Affected</h3>
<p>Affects all versions of GitLab CE/EE.</p>
<h3 id="remediation-6">Remediation</h3>
<p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p>
<h2 id="emails-sent-to-unauthorized-users">Emails Sent to Unauthorized Users</h2>
<p>In some cases, users without project permissions received emails after a project move. For private projects, this would disclose the new project namespace to an unauthorized user. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6789">CVE-2019-6789</a>.</p>
<h3 id="versions-affected-7">Versions Affected</h3>
<p>Affects GitLab CE/EE 6.5 and later.</p>
<h3 id="remediation-7">Remediation</h3>
<p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p>
<h2 id="hyperlink-injection-in-notification-emails">Hyperlink Injection in Notification Emails</h2>
<p>It was possible to use the profile name to inject a potentially malicious link into notification emails. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6781">CVE-2019-6781</a>.</p>
<p>Thanks to <a href="https://hackerone.com/corb3nik">@corb3nik</a> for responsibly reporting this vulnerability to us.</p>
<h3 id="versions-affected-8">Versions Affected</h3>
<p>Affects all versions of GitLab CE/EE.</p>
<h3 id="remediation-8">Remediation</h3>
<p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p>
<h2 id="unauthorized-access-to-lfs-objects">Unauthorized Access to LFS Objects</h2>
<p>The contents of an LFS object could be accessed by an unauthorized user, if the file size and OID were known. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6786">CVE-2019-6786</a>.</p>
<p>Thanks to Maxim Ivanov for responsibly reporting this vulnerability to us.</p>
<h3 id="versions-affected-9">Versions Affected</h3>
<p>Affects GitLab CE/EE 8.16 and later.</p>
<h3 id="remediation-9">Remediation</h3>
<p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p>
<h2 id="trigger-token-exposure">Trigger Token Exposure</h2>
<p>The GitLab API contained an authorization issue that permitted project Maintainers and Owners to view the trigger tokens of other project users. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6787">CVE-2019-6787</a>.</p>
<p>Thanks to <a href="https://hackerone.com/ngalog">@ngalog</a> for responsibly reporting this vulnerability to us.</p>
<h3 id="versions-affected-10">Versions Affected</h3>
<p>Affects GitLab CE/EE 8.12 and later.</p>
<h3 id="remediation-10">Remediation</h3>
<p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p>
<h2 id="upgrade-rails-to-5071-and-4211">Upgrade Rails to 5.0.7.1 and 4.2.11</h2>
<p>This release upgrades the version of Ruby on Rails included in GitLab to address <a href="https://groups.google.com/forum/#!topic/rubyonrails-security/FL4dSdzr2zw">CVE-2018-16476</a>.
GitLab versions 11.7 and 11.6 will now use Rails 5.0.7.1, and GitLab 11.5 will now use Rails 4.2.11.</p>
<h3 id="versions-affected-11">Versions Affected</h3>
<p>Affects GitLab CE/EE 8.3 and later.</p>
<h3 id="remediation-11">Remediation</h3>
<p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p>
<h2 id="contributed-project-information-visible-in-private-profile">Contributed Project Information Visible in Private Profile</h2>
<p>Due to an authorization issue, the contributed project information of a private profile could be viewed. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6782">CVE-2019-6782</a>.</p>
<p>Thanks to <a href="https://hackerone.com/ngalog">@ngalog</a> for responsibly reporting this vulnerability to us.</p>
<h3 id="versions-affected-12">Versions Affected</h3>
<p>Affects GitLab CE/EE 11.3 and later.</p>
<h3 id="remediation-12">Remediation</h3>
<p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p>
<h2 id="imported-project-retains-prior-visibility-setting">Imported Project Retains Prior Visibility Setting</h2>
<p>When a project with visibility more permissive than the target group was imported, it would retain its prior visibility. This release will now change the visibility of the project to the visibility of the group. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6791">CVE-2019-6791</a>.</p>
<h3 id="versions-affected-13">Versions Affected</h3>
<p>Affects GitLab CE/EE 8.9 and later.</p>
<h3 id="remediation-13">Remediation</h3>
<p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p>
<h2 id="error-disclosure-on-project-import">Error disclosure on Project Import</h2>
<p>When an error was encountered on project import, the error message would display instance internal information. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6792">CVE-2019-6792</a>.</p>
<p>Thanks to @nyangawa for responsibly reporting this vulnerability to us.</p>
<h3 id="versions-affected-14">Versions Affected</h3>
<p>Affects GitLab CE/EE 8.9 and later.</p>
<h3 id="remediation-14">Remediation</h3>
<p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p>
<h2 id="persistent-xss-in-user-status">Persistent XSS in User Status</h2>
<p>The user status field lacked input validation and output encoding, which resulted in a persistent XSS. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6796">CVE-2019-6796</a>.</p>
<p>Thanks to <a href="https://hackerone.com/ashish_r_padelkar">@ashish_r_padelkar</a> for responsibly reporting this vulnerability to us.</p>
<h3 id="versions-affected-15">Versions Affected</h3>
<p>Affects GitLab CE/EE 11.6 and later.</p>
<h3 id="remediation-15">Remediation</h3>
<p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p>
<h2 id="last-commit-status-leaked-to-guest-users">Last Commit Status Leaked to Guest Users</h2>
<p>A project guest user could view the last commit status of the default branch. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6794">CVE-2019-6794</a>.</p>
<p>Thanks to <a href="https://hackerone.com/xanbanx">@xanbanx</a> for responsibly reporting this vulnerability to us.</p>
<h3 id="versions-affected-16">Versions Affected</h3>
<p>Affects all versions of GitLab CE/EE.</p>
<h3 id="remediation-16">Remediation</h3>
<p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p>
<h2 id="mitigations-for-idn-homograph-and-rtlo-attacks">Mitigations for IDN Homograph and RTLO Attacks</h2>
<p>IDN homographs and RTLO characters were rendered as Unicode, which could be used for social engineering.
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6795">CVE-2019-6795</a>.</p>
<p>Thanks to <a href="https://hackerone.com/edoverflow">@edoverflow</a> for responsibly reporting this vulnerability to us.</p>
<h3 id="versions-affected-17">Versions Affected</h3>
<p>Affects all versions of GitLab CE/EE.</p>
<h3 id="remediation-17">Remediation</h3>
<p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p>
<h2 id="access-to-internal-wiki-when-external-wiki-enabled">Access to Internal Wiki When External Wiki Enabled</h2>
<p>Access to the internal wiki was permitted when an external wiki service was enabled. With this release, each type of wiki will be managed and displayed separately in the UI. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6960">CVE-2019-6960</a>.</p>
<p>Thanks to <a href="https://hackerone.com/xanbanx">@xanbanx</a> for responsibly reporting this vulnerability to us.</p>
<h3 id="versions-affected-18">Versions Affected</h3>
<p>Affects GitLab CE/EE 9.3 and later.</p>
<h3 id="remediation-18">Remediation</h3>
<p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p>
<h2 id="user-can-comment-on-locked-project-issues">User Can Comment on Locked Project Issues</h2>
<p>Users were able to comment on locked project issues. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6995">CVE-2019-6995</a>.</p>
<p>Thanks to <a href="https://hackerone.com/flashdisk">@flashdisk</a> and <a href="https://hackerone.com/ngalog">@ngalog</a> for responsibly reporting this vulnerability to us.</p>
<h3 id="versions-affected-19">Versions Affected</h3>
<p>Affects GitLab CE/EE 8.6 and later.</p>
<h3 id="remediation-19">Remediation</h3>
<p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p>
<h2 id="unauthorized-reaction-emojis-by-guest-users">Unauthorized Reaction Emojis by Guest Users</h2>
<p>Guest users were able to add reaction emojis on comments to which they had no visibility. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7176">CVE-2019-7176</a>.</p>
<p>Thanks to <a href="https://hackerone.com/ashish_r_padelkar">@ashish_r_padelkar</a> for responsibly reporting this vulnerability to us.</p>
<h3 id="versions-affected-20">Versions Affected</h3>
<p>Affects GitLab CE/EE 8.9 and later.</p>
<h3 id="remediation-20">Remediation</h3>
<p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p>
<h2 id="user-retains-project-role-after-removal-from-private-group">User Retains Project Role After Removal from Private Group</h2>
<p>A user would retain their role within a project in a private group after being removed from the group, if their privileges within the project were different from their privileges in the group. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7155">CVE-2019-7155</a>.</p>
<p>Thanks to <a href="https://hackerone.com/rpadovani">@rpadovani</a> for responsibly reporting this vulnerability to us.</p>
<h3 id="versions-affected-21">Versions Affected</h3>
<p>Affects GitLab CE/EE 9.0 and later.</p>
<h3 id="remediation-21">Remediation</h3>
<p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p>
<h2 id="github-token-leaked-to-maintainers">GitHub Token Leaked to Maintainers</h2>
<p>The GitHub token used in <strong>CI/CD for External Repos</strong> was being leaked to project maintainers in the UI. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6797">CVE-2019-6797</a>.</p>
<p>Thanks to <a href="https://hackerone.com/ngalog">@ngalog</a> for responsibly reporting this vulnerability to us.</p>
<h3 id="versions-affected-22">Versions Affected</h3>
<p>Affects GitLab EE 10.6 and later.</p>
<h3 id="remediation-22">Remediation</h3>
<p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p>
<h2 id="unauthenticated-blind-ssrf-in-jira-integration">Unauthenticated Blind SSRF in Jira Integration</h2>
<p>The Jira integration feature was vulnerable to an unauthenticated blind SSRF issue.
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6793">CVE-2019-6793</a>.</p>
<p>Thanks to <a href="https://hackerone.com/jobert">@jobert</a> for responsibly reporting this vulnerability to us.</p>
<h3 id="versions-affected-23">Versions Affected</h3>
<p>Affects GitLab EE 10.0 and later.</p>
<h3 id="remediation-23">Remediation</h3>
<p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p>
<h2 id="unauthorized-access-to-group-membership">Unauthorized Access to Group Membership</h2>
<p>The merge request approvers section had an access control issue that permitted project maintainers to view membership of private groups. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6996">CVE-2019-6996</a>.</p>
<p>Thanks to <a href="https://hackerone.com/ngalog">@ngalog</a> for responsibly reporting this vulnerability to us.</p>
<h3 id="versions-affected-24">Versions Affected</h3>
<p>Affects GitLab EE 10.6 and later.</p>
<h3 id="remediation-24">Remediation</h3>
<p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p>
<h2 id="validate-saml-response-in-group-saml-sso">Validate SAML Response in Group SAML SSO</h2>
<p>In preparation for enhanced group SAML SSO support in GitLab.com, additional validations were added to the group SAML implementation to validate that an SSO request was initiated from GitLab.com. This will ensure that a malicious user is unable to trick users into linking their account to a malicious IdP.</p>
<h3 id="versions-affected-25">Versions Affected</h3>
<p>Affects GitLab EE 10.8 and later.</p>
<h3 id="remediation-25">Remediation</h3>
<p>This enhancement currently applies only to GitLab.com.</p>
<p><em>Updated: 2019-02-07</em></p>
<h2 id="pipelines-section-is-available-to-unauthorized-users">Pipelines section is available to unauthorized users</h2>
<p>The GitLab pipelines feature was vulnerable to authorization issues that allowed unauthorized users to view job information. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7549">CVE-2019-7549</a>.</p>
<p>Thanks to <a href="https://gitlab.com/Soullivaneuh">Sullivan Senechal</a>, <a href="https://hackerone.com/xanbanx">@xanbanx</a>, and <a href="https://hackerone.com/ashish_r_padelkar">@ashish_r_padelkar</a> for responsibly reporting this vulnerability to us.</p>
<h3 id="versions-affected-26">Versions Affected</h3>
<p>Affects GitLab CE/EE 10.1 and later.</p>
<h3 id="remediation-26">Remediation</h3>
<p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p>
<h2 id="updating">Updating</h2>
<p>To update, check out our <a href="/update/">update page</a>.</p>

GitLab Critical Security Release: 11.6.4, 11.5.7, 11.4.14
https://about.gitlab.com/releases/2019/01/16/critical-security-release-gitlab-11-dot-6-dot-4-released/
2019-01-16T00:00:00+00:00 2019-01-16T00:00:00+00:00 Ethan Strike
<p>Today we are releasing versions 11.6.4, 11.5.7, and 11.4.14 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p>
<p>These versions contain an important security fix, and we strongly recommend that all GitLab
installations be upgraded to one of these versions immediately.</p>
<p>The vulnerability details will be made public on our issue tracker in approximately 30 days.</p>
<p>Please read on for more information regarding this release.</p>
<h2 id="arbitrary-repo-read-in-gitlab-project-import">Arbitrary repo read in GitLab project import</h2>
<p>The project import feature lacked archive validation, which could result in an arbitrary repo read. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6240">CVE-2019-6240</a>.</p>
<p>Thanks to @nyangawa of Chaitin Tech for responsibly reporting this vulnerability to us.</p>
<h3 id="versions-affected">Versions Affected</h3>
<p>Affects GitLab CE/EE 8.9 and later.</p>
<h3 id="remediation">Remediation</h3>
<p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p>
<h2 id="updating">Updating</h2>
<p>To update, check out our <a href="/update/">update page</a>.</p>

GitLab Security Release: 11.6.1, 11.5.6, 11.4.13
https://about.gitlab.com/releases/2018/12/31/security-release-gitlab-11-dot-6-dot-1-released/
2018-12-31T00:00:00+00:00 2018-12-31T00:00:00+00:00 James Ritchey
<p>Today we are releasing versions 11.6.1, 11.5.6, and 11.4.13 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p>
<p>These versions contain an important security fix, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.</p>
<p>The vulnerability details will be made public on our issue tracker in approximately 30 days.</p>
<p>Please read on for more information regarding this release.</p>
<h2 id="source-code-disclosure-merge-request-diff">Source code disclosure merge request diff</h2>
<p>The merge request diff feature was missing an authorization control, which resulted in source code disclosure of public or internal projects with a repository available to team members only. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20493">CVE-2018-20493</a>.</p>
<p>Thanks to <a href="https://hackerone.com/ngalog">@ngalog</a> for responsibly reporting this vulnerability to us.</p>
<h3 id="versions-affected">Versions Affected</h3>
<p>Affects GitLab CE/EE 8.17 and later.</p>
<h3 id="remediation">Remediation</h3>
<p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p>
<h2 id="todos-improper-access-control">Todos improper access control</h2>
<p>The todos component was vulnerable to an improper access control issue which could have resulted in access to confidential issues or merge requests. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20492">CVE-2018-20492</a>.</p>
<p>Thanks to <a href="https://hackerone.com/xanbanx">@xanbanx</a> for responsibly reporting this vulnerability to us.</p>
<h3 id="versions-affected-1">Versions Affected</h3>
<p>Affects GitLab CE/EE 8.0 and later.</p>
<h3 id="remediation-1">Remediation</h3>
<p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p>
<h2 id="url-rel-attribute-not-set">URL <code>rel</code> attribute not set</h2>
<p>The <code>rel</code> attribute was not set for some URLs in a markdown field. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20489">CVE-2018-20489</a>.</p>
<p>Thanks to <a href="https://hackerone.com/jobert">@jobert</a> from HackerOne for responsibly reporting this vulnerability to us.</p>
<h3 id="versions-affected-2">Versions Affected</h3>
<p>Affects GitLab CE/EE 9.1 and later.</p>
<h2 id="persistent-xss-autocompletion">Persistent XSS Autocompletion</h2>
<p>An attribute used in autocompletion contained an input validation and output encoding issue which resulted in a persistent XSS. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20490">CVE-2018-20490</a>.</p>
<p>Thanks to <a href="https://hackerone.com/jouko">@jouko</a> for responsibly reporting this vulnerability to us.</p>
<h3 id="remediation-2">Remediation</h3>
<p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p>
<h3 id="versions-affected-3">Versions Affected</h3>
<p>Affects GitLab CE/EE 11.2 and later.</p>
<h2 id="ssrf-repository-mirroring">SSRF repository mirroring</h2>
<p>The repository mirroring feature was vulnerable to an SSRF issue. It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20497">CVE-2018-20497</a>.</p>
<p>Thanks to <a href="https://hackerone.com/ngalog">@ngalog</a> for responsibly reporting this vulnerability to us.</p>
<p>By default, this fix forbids importing projects or mirroring repositories in the same network.
In order to allow URLs pointing to the local network, the option located in <code>Admin &gt; Settings &gt; Network &gt; Outbound requests &gt; Allow requests to the local network from hooks and services</code> has to be enabled.</p>
<h3 id="remediation-3">Remediation</h3>
<p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p>
<h3 id="versions-affected-4">Versions Affected</h3>
<p>Affects GitLab CE/EE 8.7.0 and later.</p>
<p><em>Updated: 2019-01-14:</em> A similar SSRF issue in <code>CI/CD Pipelines for External Repositories</code> was also mitigated with this fix. It now respects the <code>Outbound requests</code> setting above. Thanks to <a href="https://hackerone.com/math1as">@math1as</a> for responsibly reporting this vulnerability to us.</p>
<h2 id="ci-job-token-lfs-error-message-disclosure">CI job token LFS error message disclosure</h2>
<p>The CI job token was being disclosed in the job output due to an LFS error message. It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20495">CVE-2018-20495</a>.</p>
<p>Thanks to <a href="https://gitlab.com/Nowaker">Damian Nowak</a> for responsibly reporting this vulnerability to us.</p>
<h3 id="remediation-4">Remediation</h3>
<p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p>
<h3 id="versions-affected-5">Versions Affected</h3>
<p>Affects GitLab CE/EE 11.3 and later.</p>
<h2 id="secret-ci-variable-exposure">Secret CI variable exposure</h2>
<p>Secret CI variables can be exposed by creating a tag with the same name as an existing protected branch. This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20488">CVE-2018-20488</a>.</p>
<h3 id="remediation-5">Remediation</h3>
<p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p>
<h3 id="versions-affected-6">Versions Affected</h3>
<p>Affects GitLab CE/EE 9.3 and later.</p>
<h2 id="guest-user-ci-job-disclosure">Guest user CI job disclosure</h2>
<p>The CI jobs API endpoint contained an improper access control issue which resulted in guest users being able to access job information. This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20494">CVE-2018-20494</a>.</p>
<p>Thanks to <a href="https://hackerone.com/xanbanx">@xanbanx</a> for responsibly reporting this vulnerability to us.</p>
<h3 id="remediation-6">Remediation</h3>
<p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p>
<h3 id="versions-affected-7">Versions Affected</h3>
<p>Affects GitLab CE/EE 8.4 and later.</p>
<h2 id="persistent-xss-label-reference">Persistent XSS label reference</h2>
<p>The markdown label references feature lacked input validation and output encoding, which resulted in a persistent XSS. This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20496">CVE-2018-20496</a>.</p>
<p>Thanks to <a href="https://hackerone.com/jouko">@jouko</a> for responsibly reporting this vulnerability to us.</p>
<h3 id="remediation-7">Remediation</h3>
<p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p>
<h3 id="versions-affected-8">Versions Affected</h3>
<p>Affects GitLab CE/EE 8.10 and later.</p>
<h2 id="persistent-xss-wiki-in-ie-browser">Persistent XSS wiki in IE browser</h2>
<p>A persistent XSS issue was discovered in wiki markdown pages due to how Internet Explorer treats a certain configuration of the CSP header. This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20491">CVE-2018-20491</a>.</p>
<p>Thanks to @ruvlol for responsibly reporting this vulnerability to us.</p>
<h3 id="remediation-8">Remediation</h3>
<p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p>
<h3 id="versions-affected-9">Versions Affected</h3>
<p>Affects GitLab CE/EE 11.3. GitLab.com was not affected.</p>
<h2 id="ssrf-in-project-imports-with-lfs">SSRF in project imports with LFS</h2>
<p>The project imports feature was vulnerable to an SSRF issue which allowed an attacker to make requests to any local network resource accessible from the GitLab server.
This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20499">CVE-2018-20499</a>.</p> <p>Thanks to @nyangawa of Chaitin Tech for responsibly reporting this vulnerability to us.</p> <h3 id="remediation-9">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above to be upgraded to the latest version as soon as possible.</p> <h3 id="versions-affected-10">Versions Affected</h3> <p>Affects GitLab CE/EE 11.0 and later.</p> <h2 id="improper-access-control-cicd-settings">Improper access control CI/CD settings</h2> <p>The CI/CD settings contained an issue where the runner registration token could not be reset. This was a security risk if one of the maintainers leaves the group and they know the token. This issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20500">CVE-2018-20500</a>.</p> <p>Thanks to <a href="https://hackerone.com/ngalog">@ngalog</a> for responsibly reporting this vulnerability to us.</p> <h3 id="remediation-10">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above to be upgraded to the latest version as soon as possible.</p> <h3 id="versions-affected-11">Versions Affected</h3> <p>Affects GitLab CE/EE 9.4 and later.</p> <h2 id="missing-authorization-control-merge-requests">Missing authorization control merge requests</h2> <p>A project member that has been removed from a private project retains control over the state, assignee, milestones, and labels of a merge request and issue. 
It is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20501">CVE-2018-20501</a>.</p> <p>Thanks to <a href="https://hackerone.com/jobert">@jobert</a> from HackerOne for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-12">Versions Affected</h3> <p>Affects GitLab CE/EE 8.12 and later.</p> <h2 id="improper-access-control-branches-and-tags">Improper access control branches and tags</h2> <p>Guest users were able to view branches and tag names, which is normally forbidden. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20498">CVE-2018-20498</a>.</p> <p>Thanks to <a href="https://hackerone.com/bull">@bull</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-13">Versions Affected</h3> <p>Affects GitLab CE/EE 8.10 and later.</p> <h2 id="missing-authentication-for-prometheus-alert-endpoint">Missing authentication for Prometheus alert endpoint</h2> <p>The GitLab Prometheus integration alert endpoint was lacking authentication which could result in falsely generated notification emails. 
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20507">CVE-2018-20507</a>.</p>
<h3 id="versions-affected-14">Versions Affected</h3>
<p>Affects GitLab CE/EE 11.2 and later.</p>
<h2 id="updating">Updating</h2>
<p>To update, check out our <a href="/update/">update page</a>.</p>
GitLab Critical Security Release: 11.5.5, 11.4.12, 11.3.14 https://about.gitlab.com/releases/2018/12/20/critical-security-release-gitlab-11-dot-5-dot-5-released/ 2018-12-20T00:00:00+00:00 2018-12-20T00:00:00+00:00 James Ritchey
<p>Today we are releasing versions 11.5.5, 11.4.12, and 11.3.14 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p>
<p>These versions contain an important security fix, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.</p>
<p>The vulnerability details will be made public on our issue tracker in approximately 30 days.</p>
<p>Please read on for more information regarding this release.</p>
<h2 id="arbitrary-file-read-in-gitlab-project-import">Arbitrary File read in GitLab project import</h2>
<p>The project import feature contained an insecure file permissions issue, due to how symlinks are processed, which could result in an arbitrary file read.
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20229">CVE-2018-20229</a>.</p>
<p>Thanks to @nyangawa of Chaitin Tech and @mishre for responsibly reporting this vulnerability to us.</p>
<h3 id="versions-affected">Versions Affected</h3>
<p>Affects GitLab CE/EE 8.9 and later.</p>
<h3 id="remediation">Remediation</h3>
<p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p>
<h2 id="updating">Updating</h2>
<p>To update, check out our <a href="/update/">update page</a>.</p>
GitLab Critical Security Release: 11.6RC7, 11.5.4, 11.4.11, 11.3.13 https://about.gitlab.com/releases/2018/12/13/critical-security-release-gitlab-11-dot-5-dot-4-released/ 2018-12-13T00:00:00+00:00 2018-12-13T00:00:00+00:00 Ethan Strike
<p>Today we are releasing versions 11.5.4, 11.4.11, and 11.3.13 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p>
<p>These versions contain an important security fix, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.</p>
<p>The vulnerability details will be made public on our issue tracker in approximately 30 days.</p>
<p>Please read on for more information regarding this release.</p>
<h2 id="arbitrary-file-read-in-gitlab-project-import-with-git-lfs">Arbitrary File read in GitLab project import with Git LFS</h2>
<p>GitLab Git LFS contained a validation issue during project import which could allow an attacker to read arbitrary files on a GitLab server.
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20144">CVE-2018-20144</a>.</p>
<p>Thanks to @nyangawa of Chaitin Tech for responsibly reporting this vulnerability to us.</p>
<h3 id="versions-affected">Versions Affected</h3>
<p>Affects GitLab CE/EE 11.0 and later.</p>
<h3 id="remediation">Remediation</h3>
<p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p>
<h2 id="updating">Updating</h2>
<p>To update, check out our <a href="/update/">update page</a>.</p>
<p><em>Updated: 2018-12-17:</em> We have received some questions regarding 11.6 Release Candidates. While 11.6-RC7 also includes this security fix, we do not recommend using RCs, as they are not part of stable releases.</p>
GitLab Critical Security Release: 11.5.3, 11.4.10, 11.3.12 https://about.gitlab.com/releases/2018/12/06/critical-security-release-gitlab-11-dot-5-dot-3-released/ 2018-12-06T00:00:00+00:00 2018-12-06T00:00:00+00:00 Ethan Strike
<p>Today we are releasing versions 11.5.3, 11.4.10, and 11.3.12 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p>
<p>These versions contain an important security fix, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.</p>
<p>The vulnerability details will be made public on our issue tracker in approximately 30 days.</p>
<p>Please read on for more information regarding this release.</p>
<h2 id="directory-traversal-in-templates-api">Directory Traversal in Templates API</h2>
<p>The Templates API was vulnerable to a directory traversal issue which could allow an attacker to read arbitrary files on a GitLab server.
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19856">CVE-2018-19856</a>.</p>
<p>Thanks to @nyangawa of Chaitin Tech for responsibly reporting this vulnerability to us.</p>
<h3 id="versions-affected">Versions Affected</h3>
<p>Affects GitLab CE/EE 8.11 and later.</p>
<h3 id="remediation">Remediation</h3>
<p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p>
<h2 id="updating">Updating</h2>
<p>To update, check out our <a href="/update/">update page</a>.</p>
GitLab Security Release: 11.5.1, 11.4.8, and 11.3.11 https://about.gitlab.com/releases/2018/11/28/security-release-gitlab-11-dot-5-dot-1-released/ 2018-11-28T00:00:00+00:00 2018-11-28T00:00:00+00:00 Ethan Strike
<p>Today we are releasing versions 11.5.1, 11.4.8, and 11.3.11 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p>
<p>These versions contain a number of important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.</p>
<p>The vulnerability details will be made public on our issue tracker in approximately 30 days.</p>
<p>Please read on for more information regarding this release.</p>
<h2 id="idor-at-issue-notes">IDOR at issue notes</h2>
<p>The issue comments feature contained an authorization bug which could allow an attacker to comment on a confidential issue on which they should not have been allowed to comment.
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5883">CVE-2019-5883</a>.</p>
<p>Thanks to <a href="https://hackerone.com/lucky_sen">@lucky_sen</a> for responsibly reporting this vulnerability to us.</p>
<h3 id="versions-affected">Versions Affected</h3>
<p>Affects GitLab CE/EE 6.0 to 11.5.</p>
<h3 id="remediation">Remediation</h3>
<p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p>
<h2 id="view-names-of-private-groups">View Names of Private Groups</h2>
<p>The Todos dashboard permitted an unauthorized user to view the names of private groups. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19494">CVE-2018-19494</a>.</p>
<p>Thanks to <a href="https://hackerone.com/ashish_r_padelkar">@ashish_r_padelkar</a> for responsibly reporting this vulnerability to us.</p>
<h3 id="versions-affected-1">Versions Affected</h3>
<p>Affects GitLab CE/EE 11.2 and later.</p>
<h3 id="remediation-1">Remediation</h3>
<p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p>
<h2 id="persistent-xss-in-environments">Persistent XSS in Environments</h2>
<p>The Environments page lacked input validation and output encoding, which resulted in a persistent XSS.
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19493">CVE-2018-19493</a>.</p>
<p>Thanks to <a href="https://hackerone.com/xanbanx">@xanbanx</a> for responsibly reporting this vulnerability to us.</p>
<h3 id="versions-affected-2">Versions Affected</h3>
<p>Affects GitLab CE/EE 11.0 and later.</p>
<h3 id="remediation-2">Remediation</h3>
<p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p>
<h2 id="ssrf-in-prometheus-integration">SSRF in Prometheus integration</h2>
<p>The Prometheus integration was vulnerable to an SSRF issue which allowed an attacker to make requests to any local network resource accessible from the GitLab server. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19495">CVE-2018-19495</a>.</p>
<p>Thanks to <a href="https://hackerone.com/bull">@bull</a> for responsibly reporting this vulnerability to us.</p>
<h3 id="versions-affected-3">Versions Affected</h3>
<p>Affects GitLab CE/EE 9.0 and later.</p>
<h3 id="remediation-3">Remediation</h3>
<p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p>
<h2 id="unauthorized-promotion-of-milestones">Unauthorized Promotion of Milestones</h2>
<p>Milestones were vulnerable to an insecure object reference issue where a user with insufficient privileges could promote a project milestone to a group milestone.
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19496">CVE-2018-19496</a>.</p>
<p>Thanks to <a href="https://hackerone.com/sandeep_hodkasia">@sandeep_hodkasia</a> for responsibly reporting this vulnerability to us.</p>
<h3 id="versions-affected-4">Versions Affected</h3>
<p>Affects GitLab CE/EE 10.2 and later.</p>
<h3 id="remediation-4">Remediation</h3>
<p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p>
<h2 id="exposure-of-confidential-issue-title">Exposure of Confidential Issue Title</h2>
<p>The commits listing page in a project permitted an unauthorized user to view the title of a confidential issue. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19577">CVE-2018-19577</a>.</p>
<p>Thanks to <a href="https://hackerone.com/ngalog">@ngalog</a> for responsibly reporting this vulnerability to us.</p>
<h3 id="versions-affected-5">Versions Affected</h3>
<p>Affects GitLab CE/EE 8.6 and later.</p>
<h3 id="remediation-5">Remediation</h3>
<p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p>
<h2 id="persisent-xss-in-markdown-fields-via-mermaid-script">Persistent XSS in Markdown Fields via Mermaid Script</h2>
<p>Fields that accept Markdown contained incomplete input validation and output encoding when accepting Mermaid script, which resulted in a persistent XSS.
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19573">CVE-2018-19573</a>.</p>
<p>Thanks to <a href="https://hackerone.com/fransrosen">@fransrosen</a> for responsibly reporting this vulnerability to us.</p>
<h3 id="versions-affected-6">Versions Affected</h3>
<p>Affects GitLab CE/EE 10.3 and later.</p>
<h3 id="remediation-6">Remediation</h3>
<p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p>
<h2 id="persistent-xss-in-markdown-fields-via-unrecognized-html-tags">Persistent XSS in Markdown Fields via Unrecognized HTML Tags</h2>
<p>Fields that accept Markdown contained incomplete input validation and output encoding when accepting unrecognized HTML tags, which resulted in a persistent XSS. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19570">CVE-2018-19570</a>.</p>
<p>Thanks to <a href="https://hackerone.com/otr">@otr</a> for responsibly reporting this vulnerability to us.</p>
<h3 id="versions-affected-7">Versions Affected</h3>
<p>Affects GitLab CE/EE 11.3 and later.</p>
<h3 id="remediation-7">Remediation</h3>
<p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p>
<h2 id="symlink-race-condition-in-pages">Symlink Race Condition in Pages</h2>
<p>GitLab Pages had a symlink race condition that would allow unauthorized access to files in the Pages chroot.
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19572">CVE-2018-19572</a>.</p>
<p>Thanks to <a href="https://gitlab.com/waldi">Bastian Blank</a> for responsibly reporting this vulnerability to us.</p>
<h3 id="versions-affected-8">Versions Affected</h3>
<p>Affects GitLab CE 8.17 &amp; EE 8.3 and later.</p>
<h3 id="remediation-8">Remediation</h3>
<p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p>
<h2 id="unauthorized-changes-by-guest-user-in-issues">Unauthorized Changes by Guest User in Issues</h2>
<p>GitLab issues were vulnerable to an insecure object reference issue that allowed a Guest user to make changes to, or delete, their own comments after an issue had been made confidential. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19576">CVE-2018-19576</a>.</p>
<p>Thanks to <a href="https://hackerone.com/sandeep_hodkasia">@sandeep_hodkasia</a> for responsibly reporting this vulnerability to us.</p>
<h3 id="versions-affected-9">Versions Affected</h3>
<p>Affects GitLab CE/EE 8.6 and later.</p>
<h3 id="remediation-9">Remediation</h3>
<p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p>
<h2 id="unauthorized-comments-on-locked-issues">Unauthorized Comments on Locked Issues</h2>
<p>GitLab issues were vulnerable to an insecure object reference issue that allowed an unauthorized user to make comments after an issue had been locked.
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19575">CVE-2018-19575</a>.</p>
<p>Thanks to <a href="https://hackerone.com/ngalog">@ngalog</a> for responsibly reporting this vulnerability to us.</p>
<h3 id="versions-affected-10">Versions Affected</h3>
<p>Affects GitLab CE/EE 10.1 and later.</p>
<h3 id="remediation-10">Remediation</h3>
<p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p>
<h2 id="improper-enforcement-of-token-scope">Improper Enforcement of Token Scope</h2>
<p>The GitLab web interface was vulnerable to an authorization issue that allowed access to the web UI as a user using their Personal Access Token (PAT) of any scope. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19569">CVE-2018-19569</a>.</p>
<p>With this fix, the use of PATs is limited to the API, the RSS feed, and the registry, which could break any existing automation scripts that don't use the API. The impact is expected to be limited.</p>
<p>Thanks to Jan Alsenz of Oneconsult AG for responsibly reporting this vulnerability to us.</p>
<p><em>Updated: 2018-11-28:</em> We have received reports that this change has impacted how repo files and job artifacts are downloaded for some users. For instructions on how to do so through the API, please see <a href="https://gitlab.com/gitlab-org/gitlab-ce/issues/54572#note_120859334">our support issue</a>. Thank you to the users participating in this issue.
Your feedback is important to us.</p>
<h3 id="versions-affected-11">Versions Affected</h3>
<p>Affects GitLab CE/EE 8.8 and later.</p>
<h3 id="remediation-11">Remediation</h3>
<p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p>
<h2 id="crlf-injection-in-project-mirroring">CRLF Injection in Project Mirroring</h2>
<p>When using the Git protocol, project mirroring was vulnerable to CRLF injection. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19585">CVE-2018-19585</a>.</p>
<p>Thanks to <a href="https://hackerone.com/chromium1337">@chromium1337</a> for responsibly reporting this vulnerability to us.</p>
<h3 id="versions-affected-12">Versions Affected</h3>
<p>Affects GitLab CE/EE 8.18 and later.</p>
<h3 id="remediation-12">Remediation</h3>
<p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p>
<h2 id="xss-in-oauth-authorization">XSS in OAuth Authorization</h2>
<p>The OAuth authorization process lacked input validation and output encoding, which resulted in an XSS.
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19574">CVE-2018-19574</a>.</p>
<p>Thanks to <a href="https://hackerone.com/fransrosen">@fransrosen</a> for responsibly reporting this vulnerability to us.</p>
<h3 id="versions-affected-13">Versions Affected</h3>
<p>Affects GitLab CE/EE 7.6 and later.</p>
<h3 id="remediation-13">Remediation</h3>
<p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p>
<h2 id="ssrf-in-webhooks">SSRF in Webhooks</h2>
<p>Webhooks were vulnerable to an SSRF issue that allowed an attacker to make requests to any local network resource accessible from the GitLab server. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19571">CVE-2018-19571</a>.</p>
<p>Thanks to @nyangawa of Chaitin Tech for responsibly reporting this vulnerability to us.</p>
<h3 id="versions-affected-14">Versions Affected</h3>
<p>Affects GitLab CE/EE 8.18 and later.</p>
<h3 id="remediation-14">Remediation</h3>
<p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p>
<h2 id="send-email-on-email-address-change">Send Email on Email Address Change</h2>
<p>Previously, GitLab did not send an email to the old email address when an email address change was made.
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19580">CVE-2018-19580</a>.</p>
<p>Thanks to <a href="https://hackerone.com/muon4">@muon4</a> for responsibly reporting this vulnerability to us.</p>
<h3 id="versions-affected-15">Versions Affected</h3>
<p>Affects all versions of GitLab CE/EE.</p>
<h3 id="remediation-15">Remediation</h3>
<p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p>
<h2 id="workhorse-logs-contained-tokens">Workhorse Logs Contained Tokens</h2>
<p>Workhorse was logging access tokens, which allowed administrators with access to the logs to see the tokens of other users. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19583">CVE-2018-19583</a>.</p>
<h3 id="versions-affected-16">Versions Affected</h3>
<p>Affects GitLab CE/EE 8.0 and later.</p>
<h3 id="remediation-16">Remediation</h3>
<p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p>
<h2 id="unauthorized-publishing-of-draft-comments">Unauthorized Publishing of Draft Comments</h2>
<p>The discussion drafts endpoint, used in merge requests, contained an insecure object reference vulnerability that permitted an unauthorized user to publish the drafts of another user.
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19582">CVE-2018-19582</a>.</p>
<p>Thanks to <a href="https://hackerone.com/lucky_sen">@lucky_sen</a> for responsibly reporting this vulnerability to us.</p>
<h3 id="versions-affected-17">Versions Affected</h3>
<p>Affects GitLab EE 11.4 and later.</p>
<h3 id="remediation-17">Remediation</h3>
<p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p>
<h2 id="guest-can-set-weight-of-a-new-issue">Guest Can Set Weight of a New Issue</h2>
<p>GitLab issues were vulnerable to an insecure object reference issue that allowed a Guest user to set the weight of an issue they created. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19581">CVE-2018-19581</a>.</p>
<p>Thanks to <a href="https://hackerone.com/ngalog">@ngalog</a> for responsibly reporting this vulnerability to us.</p>
<h3 id="versions-affected-18">Versions Affected</h3>
<p>Affects GitLab EE 8.3 and later.</p>
<h3 id="remediation-18">Remediation</h3>
<p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p>
<h2 id="disclosure-of-private-groups-members-and-milestones">Disclosure of Private Group's Members and Milestones</h2>
<p>An insecure direct object reference vulnerability in issue boards allowed authenticated but unauthorized users to view members and milestone details of private groups.
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19584">CVE-2018-19584</a>.</p>
<p>Thanks to <a href="https://hackerone.com/ngalog">@ngalog</a> for responsibly reporting this vulnerability to us.</p>
<h3 id="versions-affected-19">Versions Affected</h3>
<p>Affects GitLab EE 11.0 and later.</p>
<h3 id="remediation-19">Remediation</h3>
<p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p>
<h2 id="persisent-xss-in-operations">Persistent XSS in Operations</h2>
<p>The Operations page lacked input validation and output encoding, which resulted in a persistent XSS. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19579">CVE-2018-19579</a>.</p>
<p>Thanks to <a href="https://hackerone.com/ngalog">@ngalog</a> for responsibly reporting this vulnerability to us.</p>
<h3 id="versions-affected-20">Versions Affected</h3>
<p>Affects GitLab EE 11.5.</p>
<h3 id="remediation-20">Remediation</h3>
<p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p>
<h2 id="reporter-can-view-operations-page">Reporter Can View Operations Page</h2>
<p>Due to incomplete permissions validation, a user with Reporter privileges was permitted to view the Jaeger Tracing Operations page.
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19578">CVE-2018-19578</a>.</p>
<p>Thanks to <a href="https://hackerone.com/indoappsec?type=user">@vijay_kumar1110</a> for responsibly reporting this vulnerability to us.</p>
<h3 id="versions-affected-21">Versions Affected</h3>
<p>Affects GitLab EE 11.5.</p>
<h3 id="remediation-21">Remediation</h3>
<p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p>
<h2 id="upgrade-to-redis-3212">Upgrade to Redis 3.2.12</h2>
<p>The version of Redis used in the Omnibus package was upgraded in the GitLab 11.3 release. This upgrade was previously included in the GitLab 11.4 and 11.5 Omnibus packages, and includes several security fixes. The upgrade to Redis was incorrectly reported in the <a href="/releases/2018/10/29/security-release-gitlab-11-dot-4-dot-3-released/">October security release</a>.</p>
<h2 id="updating">Updating</h2>
<p>To update, check out our <a href="/update/">update page</a>.</p>
GitLab Critical Security Release: 11.5.0-rc12, 11.4.6, 11.3.10 https://about.gitlab.com/releases/2018/11/19/critical-security-release-gitlab-11-dot-4-dot-6-released/ 2018-11-19T00:00:00+00:00 2018-11-19T00:00:00+00:00 Ethan Strike
<p>Today we are releasing versions 11.5.0-rc12, 11.4.6, and 11.3.10 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p>
<p>These versions contain a number of important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.</p>
<p>The vulnerability details will be made public on our issue tracker in approximately 30 days.</p>
<p>Please read on for more information regarding this release.</p>
<h2 id="persistent-xss-autocompletion">Persistent XSS Autocompletion</h2>
<p>An attribute used in autocompletion contained an input validation and output encoding issue which resulted in a persistent XSS. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18643">CVE-2018-18643</a>.</p>
<h3 id="versions-affected">Versions Affected</h3>
<p>Affects GitLab CE 11.2 and later.</p>
<h3 id="remediation">Remediation</h3>
<p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p>
<h2 id="unauthorized-service-template-creation">Unauthorized service template creation</h2>
<p>The project import feature contained an input validation issue that allowed an unauthorized user to create service templates. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19359">CVE-2018-19359</a>.</p>
<p>Thanks to <a href="https://hackerone.com/jobert">@jobert</a> for responsibly reporting this vulnerability to us.</p>
<h3 id="versions-affected-1">Versions Affected</h3>
<p>Affects GitLab CE 8.9 and later.</p>
<h3 id="remediation-1">Remediation</h3>
<p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p>
<h2 id="updating">Updating</h2>
<p>To update, check out our <a href="/update/">update page</a>.</p>
<p><em>Updated: 2018-11-20:</em> We have received some questions regarding the XSS vulnerability in this release and a similar vulnerability reported in October.
The fix in this release does correct an incomplete patch in the <a href="/releases/2018/10/29/security-release-gitlab-11-dot-4-dot-3-released/">October security release</a>.</p>
GitLab Critical Security Release: 11.4.4, 11.3.9, 11.2.8 https://about.gitlab.com/releases/2018/11/01/critical-security-release-gitlab-11-dot-4-dot-4-released/ 2018-11-01T00:00:00+00:00 2018-11-01T00:00:00+00:00 James Ritchey
<p>Today we are releasing versions 11.4.4, 11.3.9, and 11.2.8 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p>
<p>These versions contain a number of important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.</p>
<p>The vulnerability details will be made public on our issue tracker in approximately 30 days.</p>
<p>Please read on for more information regarding this release.</p>
<h2 id="ssrf-in-kubernetes-integration">SSRF in Kubernetes integration</h2>
<p>The GitLab Kubernetes integration was vulnerable to an SSRF issue which could allow an attacker to make requests to any internal URL.
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18843">CVE-2018-18843</a>.</p>
<h3 id="versions-affected">Versions Affected</h3>
<p>Affects GitLab EE 11.0 and later.</p>
<h3 id="remediation">Remediation</h3>
<p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p>
<h2 id="updating">Updating</h2>
<p>To update, check out our <a href="/update/">update page</a>.</p>
GitLab Security Release: 11.4.3, 11.3.8, and 11.2.7 https://about.gitlab.com/releases/2018/10/29/security-release-gitlab-11-dot-4-dot-3-released/ 2018-10-29T00:00:00+00:00 2018-10-29T00:00:00+00:00 James Ritchey
<p>Today we are releasing versions 11.4.3, 11.3.8, and 11.2.7 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p>
<p>These versions contain a number of important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.</p>
<p>The vulnerability details will be made public on our issue tracker in approximately 30 days.</p>
<p>Please read on for more information regarding this release.</p>
<h2 id="rce-in-gitlab-wiki-api">RCE in GitLab Wiki API</h2>
<p>The wiki API contained an input validation issue which resulted in remote code execution.
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18649">CVE-2018-18649</a>.</p>
<p>Thanks to @nyangawa of Chaitin Tech for responsibly reporting this vulnerability to us.</p>
<h3 id="versions-affected">Versions Affected</h3>
<p>Affects GitLab CE/EE 11.3 and later.</p>
<h3 id="remediation">Remediation</h3>
<p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p>
<h2 id="ssrf-in-hipchat-integration">SSRF in Hipchat integration</h2>
<p>The GitLab Hipchat integration was vulnerable to an SSRF issue which allowed an attacker to make requests to any local network resource accessible from the GitLab server. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18646">CVE-2018-18646</a>.</p>
<p>Thanks to <a href="https://hackerone.com/bull">@bull</a> for responsibly reporting this vulnerability to us.</p>
<h3 id="versions-affected-1">Versions Affected</h3>
<p>Affects GitLab CE/EE 5.3 and later.</p>
<h3 id="remediation-1">Remediation</h3>
<p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p>
<h2 id="cleartext-storage-of-personal-access-tokens">Cleartext storage of personal access tokens</h2>
<p>Personal access tokens were stored unencrypted as plain text in the database, which could allow an attacker to read them via SQL injection or other database leaks.
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18641">CVE-2018-18641</a>.</p>
<h3 id="versions-affected-2">Versions Affected</h3>
<p>Affects GitLab CE/EE 8.10.0 and later.</p>
<h3 id="remediation-2">Remediation</h3>
<p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p>
<h2 id="information-exposure-through-stack-trace-error-message">Information exposure through stack trace error message</h2>
<p>A JSON endpoint was disclosing Gem version information, which could allow an attacker to discover vulnerable Gems present on a specific GitLab instance. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18648">CVE-2018-18648</a>.</p>
<h3 id="versions-affected-3">Versions Affected</h3>
<p>Affects GitLab CE/EE 11.2 and later.</p>
<h3 id="remediation-3">Remediation</h3>
<p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p>
<h2 id="persistent-xss-autocomplete">Persistent XSS autocomplete</h2>
<p>The fragment identifier (hash) of several pages in GitLab lacked input validation and output encoding, which resulted in a persistent XSS.
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18643">CVE-2018-18643</a>.</p>
<p>Thanks to <a href="https://hackerone.com/ngalog">@ngalog</a> for responsibly reporting this vulnerability to us.</p>
<h3 id="versions-affected-4">Versions Affected</h3>
<p>Affects GitLab CE/EE 11.2 and later.</p>
<h3 id="remediation-4">Remediation</h3>
<p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p>
<h2 id="information-exposure-in-stored-browser-history">Information exposure in stored browser history</h2>
<p>Private project pages had inadequate cache control, which resulted in unauthorized users being able to view them from the browser cache. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18640">CVE-2018-18640</a>.</p>
<p>Thanks to <a href="https://hackerone.com/8ayac">@8ayac</a> for responsibly reporting this vulnerability to us.</p>
<h3 id="versions-affected-5">Versions Affected</h3>
<p>Affects all versions of GitLab CE/EE.</p>
<h3 id="remediation-5">Remediation</h3>
<p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p>
<h2 id="information-exposure-when-replying-to-issues-through-email">Information exposure when replying to issues through email</h2>
<p>It was found that when replying to an issue through email with the GitLab email footer included, the user's unsubscribe link would be included in the issue. This information is considered sensitive.
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18645">CVE-2018-18645</a>.</p>
<p>Thanks to <a href="https://gitlab.com/underyx">Bence Nagy</a> for responsibly reporting this vulnerability to us.</p>
<h3 id="versions-affected-6">Versions Affected</h3>
<p>Affects all versions of GitLab CE/EE.</p>
<h3 id="remediation-6">Remediation</h3>
<p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p>
<h2 id="persistent-xss-in-license-management-and-security-reports">Persistent XSS in License Management and Security Reports</h2>
<p>The License Management and Security Reports pages lacked input validation and output encoding, which resulted in a persistent XSS. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18642">CVE-2018-18642</a>.</p>
<p>Thanks to <a href="https://hackerone.com/ngalog">@ngalog</a> for responsibly reporting this vulnerability to us.</p>
<h3 id="versions-affected-7">Versions Affected</h3>
<ul>
<li>Security Reports: affects GitLab EE 10.4.0 and later.</li>
<li>License Management: affects GitLab EE 11.0.0 and later.</li>
</ul>
<h3 id="remediation-7">Remediation</h3>
<p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p>
<h2 id="metrics-information-disclosure-in-prometheus-integration">Metrics information disclosure in Prometheus integration</h2>
<p>The GitLab Prometheus integration was vulnerable to an indirect object reference issue which allowed an unauthorized user to see private information. This information includes the project name, environment name, metric name, and metric query. Additionally, an unauthorized user could create false alarms.
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18644">CVE-2018-18644</a>.</p>
<p>Thanks to <a href="https://hackerone.com/jobert">@jobert</a> for responsibly reporting this vulnerability to us.</p>
<h3 id="versions-affected-8">Versions Affected</h3>
<p>Affects GitLab EE 11.2 and later.</p>
<h3 id="remediation-8">Remediation</h3>
<p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p>
<h2 id="unauthorized-changes-to-a-protected-branchs-access-levels">Unauthorized changes to a protected branch's access levels</h2>
<p>The <code>protected_branches</code> API was vulnerable to an issue which allowed an unauthorized user to remove the <code>merge_access_levels</code> and <code>push_access_levels</code> objects. This could leave project participants unable to push or merge into the branch. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18647">CVE-2018-18647</a>.</p>
<p>Thanks to <a href="https://hackerone.com/jobert">@jobert</a> for responsibly reporting this vulnerability to us.</p>
<h3 id="versions-affected-9">Versions Affected</h3>
<p>Affects GitLab EE 8.11 and later.</p>
<h3 id="remediation-9">Remediation</h3>
<p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p>
<h2 id="upgrade-ruby-to-245">Upgrade Ruby to 2.4.5</h2>
<p>The version of Ruby used in the Omnibus package was upgraded to version 2.4.5. This Ruby release includes several security fixes.</p>
<h2 id="upgrade-redis-to-3212">Upgrade Redis to 3.2.12</h2>
<p>The version of Redis used in the Omnibus package was upgraded in the GitLab 11.2 and 11.3 releases. This upgrade was previously included in the GitLab 11.4 Omnibus package.
This Redis release includes several security fixes.</p>
<h2 id="updating">Updating</h2>
<p>To update, check out our <a href="/update/">update page</a>.</p>
GitLab Critical Security Release: 11.3.4, 11.2.5, and 11.1.8 https://about.gitlab.com/releases/2018/10/05/critical-security-release-11-3-4/ 2018-10-05T00:00:00+00:00 2018-10-05T00:00:00+00:00 James Ritchey
<p>Today we are releasing versions 11.3.4, 11.2.5, and 11.1.8 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p>
<p>These versions contain a number of important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.</p>
<p>The vulnerability details will be made public on our issue tracker in approximately 30 days.</p>
<p>Please read on for more information regarding this release.</p>
<h2 id="git-updates">Git updates</h2>
<p>We've included the updated Git security versions 2.18.1 and 2.17.2 in this latest release for 11.3.4, 11.2.5, and 11.1.8.</p>
<p>For more information, see the Git <a href="https://public-inbox.org/git/xmqqy3bcuy3l.fsf@gitster-ct.c.googlers.com/T/#u">release notes</a>.</p>
<h2 id="merge-request-information-disclosure">Merge request information disclosure</h2>
<p>The merge request JSON endpoint was inadvertently disclosing all <code>User</code> record data of a person associated with the discussion.
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17939">CVE-2018-17939</a>.</p>
<h3 id="versions-affected">Versions affected</h3>
<p>Affects GitLab CE/EE 11.3, 11.2, and 11.1.</p>
<h3 id="remediation">Remediation</h3>
<p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p>
<h2 id="private-project-namespace-information-disclosure">Private project namespace information disclosure</h2>
<p>The epic feature was leaking private project namespaces when someone added a related issue to the epic. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17976">CVE-2018-17976</a>.</p>
<p>Thanks to <a href="https://hackerone.com/ngalog">@ngalog</a> for responsibly reporting this vulnerability to us.</p>
<h3 id="versions-affected-1">Versions affected</h3>
<p>Affects GitLab CE/EE 10.2 - 11.3.</p>
<h3 id="remediation-1">Remediation</h3>
<p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p>
<h2 id="gitlab-flavored-markdown-api-information-disclosure">GitLab Flavored Markdown API information disclosure</h2>
<p>The GFM API was missing an authorization control, which resulted in leaking confidential issue titles and private snippet titles.
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17975">CVE-2018-17975</a>.</p>
<p>Thanks to <a href="https://hackerone.com/jobert">@jobert</a> for responsibly reporting this vulnerability to us.</p>
<h3 id="versions-affected-2">Versions affected</h3>
<p>Affects GitLab CE 11.0 - 11.3.</p>
<h3 id="remediation-2">Remediation</h3>
<p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p>
<h2 id="updating">Updating</h2>
<p>To update, check out our <a href="/update/">update page</a>.</p>
GitLab Security Release: 11.3.1, 11.2.4, and 11.1.7 https://about.gitlab.com/releases/2018/10/01/security-release-gitlab-11-dot-3-dot-1-released/ 2018-10-01T00:00:00+00:00 2018-10-01T00:00:00+00:00 James Ritchey
<blockquote>
<p>Note: 11.1.7 is still vulnerable to these issues because of a mistake in tagging the release. Please upgrade to <a href="/releases/2018/10/05/critical-security-release-11-3-4/">11.1.8</a>.</p>
</blockquote>
<p>Today we are releasing versions 11.3.1, 11.2.4, and 11.1.7 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p>
<p>These versions contain a number of important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.</p>
<p>The vulnerability details will be made public on our issue tracker in approximately 30 days.</p>
<p>Please read on for more information regarding this release.</p>
<h2 id="ssrf-gcp-access-token-disclosure">SSRF GCP access token disclosure</h2>
<p>The GitLab Kubernetes integration was vulnerable to an SSRF issue which allowed access to any URL reachable from the GitLab server.
For example, for users who run GitLab on GCP, an attacker with access to the GitLab instance would have been able to obtain the GCP service token of the GitLab host. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17450">CVE-2018-17450</a>.</p>
<p>Thanks to <a href="https://hackerone.com/ngalog">@ngalog</a> for responsibly reporting this vulnerability to us.</p>
<h3 id="versions-affected">Versions Affected</h3>
<p>Affects GitLab CE/EE 10.2 and later.</p>
<h3 id="remediation">Remediation</h3>
<p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p>
<h2 id="persistent-xss-on-issue-details">Persistent XSS on issue details</h2>
<p>The issue details page lacked input validation and output encoding, which resulted in a persistent XSS. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17454">CVE-2018-17454</a>.</p>
<p>Thanks to <a href="https://hackerone.com/8ayac">@8ayac</a> for responsibly reporting this vulnerability to us.</p>
<h3 id="versions-affected-1">Versions Affected</h3>
<p>Affects GitLab CE/EE 9.3 and later.</p>
<h3 id="remediation-1">Remediation</h3>
<p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p>
<h2 id="diff-formatter-dos-in-sidekiq-jobs">Diff formatter DoS in Sidekiq jobs</h2>
<p>The diff formatter using <code>rouge</code> lacked a timeout in Sidekiq jobs, which could result in a denial of service.
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15472">CVE-2018-15472</a>.</p>
<p>Thanks to <a href="https://gitlab.com/waldi">Bastian Blank</a> for responsibly reporting this vulnerability to us.</p>
<h3 id="versions-affected-2">Versions Affected</h3>
<p>Affects GitLab CE/EE 7.6 and later.</p>
<h3 id="remediation-2">Remediation</h3>
<p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p>
<h2 id="confidential-information-disclosure-in-events-api-endpoint">Confidential information disclosure in events API endpoint</h2>
<p>The events API contained an insecure direct object reference issue which resulted in disclosure of confidential issues, comments, and titles of public projects. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17449">CVE-2018-17449</a>.</p>
<p>Thanks to <a href="https://hackerone.com/ngalog">@ngalog</a> for responsibly reporting this vulnerability to us.</p>
<h3 id="versions-affected-3">Versions Affected</h3>
<p>Affects GitLab CE/EE 9.3 and later.</p>
<h3 id="remediation-3">Remediation</h3>
<p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p>
<h2 id="validate_localhost-function-in-url_blockerrb-could-be-bypassed"><code>validate_localhost</code> function in <code>url_blocker.rb</code> could be bypassed</h2>
<p>The <code>validate_localhost</code> function was missing a check for loopback addresses, which could result in SSRF issues.
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17452">CVE-2018-17452</a>.</p>
<p>Thanks to <a href="https://hackerone.com/math1as">@math1as</a> for responsibly reporting this vulnerability to us.</p>
<h3 id="versions-affected-4">Versions Affected</h3>
<p>Affects GitLab CE/EE 8.3 and later.</p>
<h3 id="remediation-4">Remediation</h3>
<p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p>
<h2 id="slack-integration-csrf-oauth2">Slack integration CSRF OAuth2</h2>
<p>The Slack integration contained a CSRF issue which could allow an attacker to issue slash commands on behalf of the victim. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17451">CVE-2018-17451</a>.</p>
<p>Thanks to <a href="https://hackerone.com/ngalog">@ngalog</a> for responsibly reporting this vulnerability to us.</p>
<h3 id="versions-affected-5">Versions Affected</h3>
<p>Affects GitLab CE/EE 9.4 and later.</p>
<h3 id="remediation-5">Remediation</h3>
<p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p>
<h2 id="grpcunknown-logging-token-disclosure"><code>GRPC::Unknown</code> logging token disclosure</h2>
<p>The <code>GRPC::Unknown</code> exception was disclosing access tokens in Sentry logs.
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17453">CVE-2018-17453</a>.</p>
<h3 id="versions-affected-6">Versions Affected</h3>
<p>Affects GitLab CE/EE 10.4 and later.</p>
<h3 id="remediation-6">Remediation</h3>
<p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p>
<h2 id="idor-merge-request-approvals">IDOR merge request approvals</h2>
<p>The merge request approvals component contained an insecure direct object reference vulnerability which resulted in disclosure of private group names, avatars, LDAP settings, and descriptions. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17455">CVE-2018-17455</a>.</p>
<p>Thanks to <a href="https://hackerone.com/jobert">@jobert</a> for responsibly reporting this vulnerability to us.</p>
<h3 id="versions-affected-7">Versions Affected</h3>
<p>Affects GitLab EE 8.13 and later.</p>
<h3 id="remediation-7">Remediation</h3>
<p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p>
<h2 id="persistent-xss-packagejson">Persistent XSS <code>package.json</code></h2>
<p>When a <code>package.json</code> file is present, the blob viewer displays a notice when browsing the repository. This notice lacked input validation and output encoding, which could result in a persistent XSS.
The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17537">CVE-2018-17537</a>.</p>
<p>Thanks to <a href="https://hackerone.com/fransrosen">@fransrosen</a> for responsibly reporting this vulnerability to us.</p>
<h3 id="versions-affected-8">Versions Affected</h3>
<p>Affects GitLab CE/EE 10.4 and later.</p>
<h3 id="remediation-8">Remediation</h3>
<p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p>
<h2 id="persistent-xss-merge-request-project-import">Persistent XSS merge request project import</h2>
<p>The merge request page lacked input validation and output encoding, which resulted in a persistent XSS. The issue is now mitigated in the latest release and is assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17536">CVE-2018-17536</a>.</p>
<p>Thanks to <a href="https://hackerone.com/isra17">@isra17</a> for responsibly reporting this vulnerability to us.</p>
<h3 id="versions-affected-9">Versions Affected</h3>
<p>Affects GitLab CE/EE 10.4 and later.</p>
<h3 id="remediation-9">Remediation</h3>
<p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p>
<h2 id="updating">Updating</h2>
<p>To update, check out our <a href="/update/">update page</a>.</p>
Exposure of Confidential Issues on Public Projects through the Events API https://about.gitlab.com/releases/2018/10/01/events-api-security-issue/ 2018-10-01T00:00:00+00:00 2018-10-01T00:00:00+00:00 Kathy Wang
<h2 id="summary">Summary</h2>
<p>On September 20, 2018, we were notified by HackerOne hacker <a href="https://hackerone.com/ngalog/">ngalog</a> of a bug in GitLab Events API
code that resulted in exposure of confidential issues within all public projects.</p>
<p>Upon further validation and investigation, we discovered that this exposure dates back to June 22, 2017, with the 9.3 release. GitLab's Events API was returning private events related to projects that were marked as public during that time frame. These events included information that was marked as private, such as confidential issues and private merge requests, among others. The issue was present in all versions of GitLab between 9.3 and 11.3, and across all deployments, including GitLab.com.</p>
<p>The exposure of these private events was present only through the API, whereas the UI behaved as intended and filtered these events.</p>
<p>All projects that were marked as public are affected by this exposure. This issue has already been mitigated for all GitLab.com customers. Projects marked as private were not impacted by this issue.</p>
<p>We investigated four months of retained GitLab.com logs, and found no evidence that unauthorized parties accessed any of your private events.</p>
<h2 id="background">Background</h2>
<p>The Events API was introduced with the release of GitLab 9.3, and it enabled users to programmatically access the activity log of projects and users. The adoption of this API has not been very wide, topping an average of 180 requests per hour.</p>
<p>Unfortunately, a bug was introduced at release time and the API would not honor the private flag of events related to numerous target types that belonged to public projects.
As a result, events for said target types were exposed to potentially unauthenticated and unauthorized parties.</p>
<p>As documented in our <a href="https://docs.gitlab.com/ee/api/events.html#target-types">Events API documentation</a>, the existing target types for the Events API are:</p>
<ul>
<li>Issue</li>
<li>Milestone</li>
<li>Merge_request</li>
<li>Note</li>
<li>Snippet</li>
<li>Project</li>
<li>User</li>
</ul>
<p>For projects that were marked as public, events belonging to private versions of all these target types were mistakenly returned by the <code>/api/v4/users/:id/events</code> and <code>/api/v4/projects/:id/events</code> API endpoints. This means that the following parts of a public project were exposed:</p>
<ul>
<li>Confidential issues</li>
<li>Private milestones</li>
<li>Private merge requests</li>
<li>Private notes</li>
<li>Private snippets</li>
</ul>
<h2 id="response-and-mitigation">Response and mitigation</h2>
<p>On September 20, 2018, we learned of the issue from HackerOne security researcher <a href="https://hackerone.com/ngalog/">ngalog</a>, who is part of our bounty program, and with whom we have a track record of great engagements. Upon assessing the issue, the GitLab Security Team started working with the Create team to mitigate it. Besides working on the fix, the Create team also produced a hotfix, which the Production team deployed for GitLab.com on September 21, 2018. By September 24, 2018, the Production team confirmed that the hotfix was successfully deployed across all affected GitLab.com infrastructure.</p>
<p>The discovery of this issue aligned with the release of our planned Security Release on October 1, 2018. In order to avoid any mishaps with its implementation, we decided to proceed with the release as originally planned.</p>
<h2 id="who-was-impacted">Who was impacted?</h2>
<p>Given the wide time window during which the issue was present (more than a year), we are unable to determine with accuracy the extent of the impact.
While we don't have any indication that the issue was ever misused, we are also unable to say with any certainty that it hasn't been.</p>
<p>We investigated four months of retained GitLab.com logs, and found no evidence that unauthorized parties accessed any of your private events.</p>
<h2 id="improvements">Improvements</h2>
<p>Since the discovery of the issue, a cross-functional effort has been under way at GitLab to identify and improve on safeguards that could have helped us identify this issue sooner, respond more quickly, and ensure the reliability of our patched systems. As such, we are working on numerous improvements to our internal processes and practices. This includes the following highlights:</p>
<ul>
<li>Our QA process will improve its focus on <a href="https://gitlab.com/gitlab-com/www-gitlab-com/merge_requests/14935/">tests related to confidential data</a>.</li>
<li>Our Engineering team will <a href="https://gitlab.com/gitlab-com/security/issues/211">create a canary system to alarm on unexpected responses and regressions</a> to security issues within GitLab APIs, and our Security team will monitor this canary system in order to triage and mitigate any discovered security issues.</li>
<li>Our Production and Release teams will <a href="https://gitlab.com/gitlab-com/gl-infra/infrastructure/issues/5116">define guardrails around deployment time windows</a>, taking into consideration several factors that might impact our ability to respond promptly to issues that arise during deployments.</li>
<li>Our Production and Release teams will <a href="https://gitlab.com/gitlab-com/gl-infra/gitlab-patcher/issues/13">improve</a> <a href="https://gitlab.com/gitlab-com/gl-infra/gitlab-patcher/issues/14">our</a> <a href="https://gitlab.com/gitlab-com/gl-infra/gitlab-patcher/issues/15">existing</a> <a href="https://gitlab.com/gitlab-com/gl-infra/gitlab-patcher/issues/16">tooling</a> to address issues that were identified while mitigating this event.</li>
<li>Several additional improvements that we cannot publicly disclose at this time in order to retain advantage over possible adversaries.</li>
</ul>
<p>We apologize for the impact this issue has caused our users. GitLab takes your information and your data extremely seriously and has more than quadrupled the size of our internal security team in the last six months, with further plans to grow. We will learn from this incident and use it to improve upon our security posture even further.</p>
<p>In keeping with our company value of transparency, we also believe in communicating about such incidents clearly and promptly. If you have any questions, please contact us via <a href="https://support.gitlab.com/">support.gitlab.com</a>.</p>
<p>Sincerely, GitLab Security Team</p>
<p><em>Updated: 2018-10-11</em>: While generating the list of project owners and maintainers, further analysis showed limited impact to private projects. For private projects, the impact is limited to those with <code>Guest</code> users. Users with only <code>Guest</code> permissions would have potentially been able to view details for the confidential and private items as described.
The owners and maintainers of affected projects were notified, but this note was not included in the email or the original version of this blog post.</p>
GitLab Security Release: 11.2.3, 11.1.6, and 11.0.6 https://about.gitlab.com/releases/2018/08/28/security-release-gitlab-11-dot-2-dot-2-released/ 2018-08-28T00:00:00+00:00 2018-08-28T00:00:00+00:00 James Ritchey
<p>Today we are releasing versions 11.2.3, 11.1.6, and 11.0.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p>
<p>These versions contain a number of important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.</p>
<p>The vulnerability details will be made public on our issue tracker in approximately 30 days.</p>
<p>Please read on for more information regarding this release.</p>
<h2 id="persistent-xss-in-pipeline-tooltip">Persistent XSS in Pipeline Tooltip</h2>
<p>The tooltip of the job inside the CI/CD pipeline was not properly sanitized, which resulted in a persistent XSS. The issue is now resolved in the latest release and will be assigned a CVE shortly.</p>
<p>Thanks to <a href="https://hackerone.com/fransrosen">@fransrosen</a> for responsibly reporting this vulnerability to us.</p>
<h3 id="versions-affected">Versions Affected</h3>
<p>Affects GitLab CE/EE 10.7 and later.</p>
<h3 id="remediation">Remediation</h3>
<p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p>
<h2 id="gitlabcom-gcp-endpoints-exposure">GitLab.com GCP Endpoints Exposure</h2>
<p>Zeroconf endpoints in Google Cloud Platform (GCP) would have been accessible via webhooks post-migration.
The issue is now resolved in the latest release for GitLab.com.</p>
<p>Thanks to <a href="https://hackerone.com/fransrosen">@fransrosen</a> and <a href="https://hackerone.com/avlidienbrunn">@avlidienbrunn</a> for responsibly reporting this vulnerability to us.</p>
<h3 id="versions-affected-1">Versions Affected</h3>
<p>Affects GitLab.com and instances deployed to GCP.</p>
<h3 id="remediation-1">Remediation</h3>
<p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p>
<h2 id="persistent-xss-in-merge-request-changes-view">Persistent XSS in Merge Request Changes View</h2>
<p>The Merge Request <code>Changes</code> view was not properly sanitizing certain hunk locations, which resulted in a persistent XSS. The issue is now resolved in the latest release and will be assigned a CVE shortly.</p>
<p>Thanks to <a href="https://hackerone.com/fransrosen">@fransrosen</a> for responsibly reporting this vulnerability to us.</p>
<h3 id="versions-affected-2">Versions Affected</h3>
<p>Affects GitLab CE/EE 11.1 and 11.2.</p>
<h3 id="remediation-2">Remediation</h3>
<p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p>
<h2 id="sensitive-data-disclosure-in-sidekiq-logs">Sensitive Data Disclosure in Sidekiq Logs</h2>
<p>The project import URL credentials were being written to the Sidekiq logs.
The issue is now resolved in the latest release and will be assigned a CVE shortly.</p>
<p>Thanks to <a href="https://gitlab.com/kevinksd">@kevinksd</a> and <a href="https://gitlab.com/Johlandabee">@Johlandabee</a> for responsibly reporting this vulnerability to us.</p>
<h3 id="versions-affected-3">Versions Affected</h3>
<p>Affects GitLab CE/EE 8.10.0 and later.</p>
<h3 id="remediation-3">Remediation</h3>
<p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p>
<h2 id="missing-csrf-in-system-hooks">Missing CSRF in System Hooks</h2>
<p>There is a CSRF vulnerability which allows an attacker to resend requests to multiple hooks. The "resend request" action is missing its CSRF token. For this reason, an attacker can trick a GitLab user into performing an unwanted action on a System Hook for which the user is currently authenticated.</p>
<p>Thanks to <a href="https://hackerone.com/sql00">Lyubomir Tsirkov</a> for responsibly reporting this vulnerability to us.</p>
<h3 id="versions-affected-4">Versions Affected</h3>
<p>Affects GitLab 2.7.0pre and later.</p>
<h3 id="remediation-4">Remediation</h3>
<p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p>
<h2 id="orphaned-upload-files-exposure">Orphaned Upload Files Exposure</h2>
<p>Through various bugs, it is possible to orphan a project upload file so that it is not tracked by the uploads table. If the project is moved, it is then possible for another user to create a new project with the same path. An export of that project will contain the orphaned file, exposing its data.
The issue is now resolved in the latest release and will be assigned a CVE shortly.</p> <h3 id="versions-affected-5">Versions Affected</h3> <p>Affects GitLab CE/EE 8.10.0 and later.</p> <h3 id="remediation-5">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p> <h2 id="missing-authorization-control-api-repository-storage">Missing Authorization Control API Repository Storage</h2> <p>Regular users were able to change the repository storage value using the API. The issue is now resolved in the latest release and will be assigned a CVE shortly.</p> <h3 id="versions-affected-6">Versions Affected</h3> <p>Affects GitLab EE 8.10 and later.</p> <h3 id="remediation-6">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p> <h2 id="upgrade-barometer">Upgrade barometer</h2> <p>This version does not include any new migrations, and should not require any downtime.</p> <p>Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is.
This behavior can be changed by adding a <a href="http://docs.gitlab.com/omnibus/update/README.html"><code>/etc/gitlab/skip-auto-migrations</code></a> file, which is only used for <a href="https://docs.gitlab.com/omnibus/update/README.html">updates</a>.</p> <h2 id="updating">Updating</h2> <p>To update, check out our <a href="/update/">update page</a>.</p> GitLab Security Release: 11.1.2, 11.0.5, and 10.8.7 https://about.gitlab.com/releases/2018/07/26/security-release-gitlab-11-dot-1-dot-2-released/ 2018-07-26T00:00:00+00:00 2018-07-26T00:00:00+00:00 James Ritchey <p>Today we are releasing versions 11.1.2, 11.0.5, and 10.8.7 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain a number of important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.</p> <p>The vulnerability details will be made public on our issue tracker in approximately 30 days.</p> <p>Please read on for more information regarding this release.</p> <h2 id="markdown-dos">Markdown DoS</h2> <p>An <code>11.1.0</code> regression caused Markdown rendering times to grow exponentially, possibly leading to a denial of service. This issue is now resolved in the latest release and is assigned to <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14601">CVE-2018-14601</a>.</p> <h3 id="versions-affected">Versions Affected</h3> <p>Affects GitLab CE/EE 11.1.0.</p> <h3 id="remediation">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p> <h2 id="information-disclosure-prometheus-metrics">Information Disclosure Prometheus Metrics</h2> <p>GitLab Prometheus metrics were disclosing private project pathnames.
This also affected the Prometheus instances on <code>dashboards.gitlab.com</code>. The issue is now resolved in the latest release and is assigned to <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14602">CVE-2018-14602</a>.</p> <h3 id="versions-affected-1">Versions Affected</h3> <p>Affects GitLab CE/EE 9.0 and later.</p> <h3 id="remediation-1">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p> <h2 id="csrf-in-system-hooks">CSRF in System Hooks</h2> <p>The "Test" feature of the System Hooks component contained a low-severity CSRF vulnerability. The issue is now resolved in the latest release and is assigned to <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14603">CVE-2018-14603</a>.</p> <p>Thanks to <a href="https://hackerone.com/sql00">Lyubomir Tsirkov</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-2">Versions Affected</h3> <p>Affects GitLab CE/EE 2.7.0pre and later.</p> <h3 id="remediation-2">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p> <h2 id="persistent-xss-pipeline-tooltip">Persistent XSS Pipeline Tooltip</h2> <p>The tooltip of a job inside the CI/CD pipeline view was not properly sanitized, resulting in a persistent XSS.
The issue is now resolved in the latest release and is assigned to <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14604">CVE-2018-14604</a>.</p> <p>Thanks to <a href="https://hackerone.com/fransrosen">@fransrosen</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-3">Versions Affected</h3> <p>Affects GitLab CE/EE 10.7 and later.</p> <h3 id="remediation-3">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p> <h2 id="persistent-xss-in-branch-name-via-web-ide">Persistent XSS in Branch Name via Web IDE</h2> <p>The branch name was not properly sanitized when committing a file via the Web IDE, which resulted in a persistent XSS. The issue is now resolved in the latest release and is assigned to <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14605">CVE-2018-14605</a>.</p> <p>Thanks to <a href="https://hackerone.com/fransrosen">@fransrosen</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-4">Versions Affected</h3> <p>Affects GitLab CE/EE 10.7 and later.</p> <h3 id="remediation-4">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p> <h2 id="persistent-xss-milestone-promotion">Persistent XSS Milestone Promotion</h2> <p>When promoting a Milestone, the name of the Milestone was not sanitized properly, so the resulting notification triggered a persistent XSS.
The issue is now resolved in the latest release and is assigned to <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14606">CVE-2018-14606</a>.</p> <p>Thanks to <a href="https://hackerone.com/fransrosen">@fransrosen</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-5">Versions Affected</h3> <p>Affects GitLab CE/EE 10.6 and later.</p> <h3 id="remediation-5">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p> <h2 id="mattermost-updates">Mattermost Updates</h2> <p>Mattermost has been updated to version 5.0.2, which contains a security fix that has also been backported to 4.10.2.</p> <p>For more information, see the <a href="https://about.mattermost.com/security-updates/">Mattermost security updates page</a>.</p> <h2 id="updating">Updating</h2> <p>To update, check out our <a href="/update/">update page</a>.</p> GitLab Critical Security Release: 11.0.4, 10.8.6, and 10.7.7 https://about.gitlab.com/releases/2018/07/17/critical-security-release-gitlab-11-dot-0-dot-4-released/ 2018-07-17T00:00:00+00:00 2018-07-17T00:00:00+00:00 James Ritchey <p>Today we are releasing versions 11.0.4, 10.8.6, and 10.7.7 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain a number of important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.</p> <p>The vulnerability details will be made public on our issue tracker in approximately 30 days.</p> <p>Please read on for more information regarding this release.</p> <h2 id="remote-code-execution-vulnerability-in-gitlab-projects-import">Remote Code Execution Vulnerability in GitLab Projects Import</h2> <p>The GitLab projects import component
contained a vulnerability which allowed an attacker to write files to arbitrary directories on the server, which could result in remote code execution. The vulnerability has now been mitigated and is assigned to <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14364">CVE-2018-14364</a>.</p> <p>Thanks to @nyangawa of Chaitin Tech for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected">Versions Affected</h3> <p>Affects GitLab CE/EE 8.9.0 and later.</p> <h3 id="remediation">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p> <h3 id="additional-workarounds">Additional Workarounds</h3> <ol> <li>Go to <code>/admin/application_settings</code> of your GitLab instance.</li> <li>Under "Import sources", uncheck the "GitLab export" checkbox.</li> <li>Click <code>Save</code>.</li> </ol> <h2 id="updating">Updating</h2> <p>To update, check out our <a href="/update/">update page</a>.</p> GitLab Security Release: 11.0.1, 10.8.5, and 10.7.6 https://about.gitlab.com/releases/2018/06/25/security-release-gitlab-11-dot-0-dot-1-released/ 2018-06-25T00:00:00+00:00 2018-06-25T00:00:00+00:00 James Ritchey <p>Today we are releasing versions 11.0.1, 10.8.5, and 10.7.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain a number of important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.</p> <p>The vulnerability details will be made public on our issue tracker in approximately 30 days.</p> <p>Please read on for more information regarding this release.</p> <h2 id="wiki-xss">Wiki XSS</h2> <p>The wiki contained a persistent XSS issue due to a lack of output encoding affecting a specific markdown
feature. The issue is now resolved in the latest release. It has been assigned to <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12606">CVE-2018-12606</a>.</p> <p>Thanks to <a href="https://hackerone.com/fransrosen">@fransrosen</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected">Versions Affected</h3> <p>Affects GitLab CE/EE 7.11 and later.</p> <h3 id="remediation">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p> <h2 id="sanitize-gem-updates">Sanitize gem updates</h2> <p>The sanitize gem is updated to version 4.6.4, because versions &lt; 4.6.3 are affected by <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3740">CVE-2018-3740</a>.</p> <h3 id="versions-affected-1">Versions Affected</h3> <p>Affects GitLab CE/EE 6.8.0 and later.</p> <h3 id="remediation-1">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p> <h2 id="xss-in-url_forparams">XSS in url_for(params)</h2> <p>The usage of <code>url_for</code> contained an XSS issue because it allowed arbitrary protocols to be passed as a parameter. The issue is now resolved in the latest release. It has been assigned to <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12605">CVE-2018-12605</a>.</p> <h3 id="versions-affected-2">Versions Affected</h3> <p>Affects GitLab CE/EE 10.7 only.
This is already fixed in 10.8 and up.</p> <h3 id="remediation-2">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p> <h2 id="content-injection-via-username">Content injection via username</h2> <p>The username field contained an input validation issue which resulted in HTML content injection on several pages and could lead to phishing attacks. The issue is now resolved in the latest release.</p> <p>Thanks to @talaohu28 for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-3">Versions Affected</h3> <p>Affects GitLab CE/EE 4.1 and later.</p> <h3 id="remediation-3">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p> <h2 id="activity-feed-publicly-displaying-internal-project-names">Activity feed publicly displaying internal project names</h2> <p>The activity feed was disclosing membership and project-level events of internal projects, even to logged-out visitors. The issue is now resolved in the latest release.</p> <p>Thanks to <a href="https://gitlab.com/ppjet6">@ppjet6</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-4">Versions Affected</h3> <p>Affects GitLab CE/EE 10.7 - 11.0.</p> <h3 id="remediation-4">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p> <h2 id="persistent-xss-in-charts">Persistent XSS in charts</h2> <p>The charts feature contained a persistent XSS issue due to a lack of output encoding. The issue is now resolved in the latest release.
It has been assigned to <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12607">CVE-2018-12607</a>.</p> <p>Thanks to <a href="https://hackerone.com/fransrosen">@fransrosen</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-5">Versions Affected</h3> <p>Affects GitLab CE/EE 10.5 and later.</p> <h3 id="remediation-5">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p> <h2 id="updating">Updating</h2> <p>To update, check out our <a href="/update/">update page</a>.</p> GitLab Security Release: 10.8.2, 10.7.5, and 10.6.6 https://about.gitlab.com/releases/2018/05/29/security-release-gitlab-10-dot-8-dot-2-released/ 2018-05-29T00:00:00+00:00 2018-05-29T00:00:00+00:00 James Ritchey <p>Today we are releasing versions 10.8.2, 10.7.5, and 10.6.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain a number of important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.</p> <p>The vulnerability details will be made public on our issue tracker in approximately 30 days.</p> <p>Please read on for more information regarding this release.</p> <h2 id="git-updates">Git updates</h2> <p>We've included the updated Git security versions 2.16.4 and 2.14.4 in this latest release for 10.8.2, 10.7.5, and 10.6.6.</p> <p>For more information, see the <a href="https://public-inbox.org/git/xmqqy3g2flb6.fsf@gitster-ct.c.googlers.com/">Git release notes</a>.</p> <h2 id="removing-public-deploy-keys-regression">Removing public deploy keys regression</h2> <p>The <a href="https://docs.gitlab.com/ee/api/deploy_keys.html#delete-deploy-key">delete deploy key</a> operation contained a security issue which could
allow an attacker to delete shared deploy keys. The issue is now resolved in the latest release.</p> <p>Thanks to Christian Seelheim for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected">Versions Affected</h3> <p>Affects GitLab CE/EE 10.1.6 and up.</p> <h3 id="remediation">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p> <h2 id="users-can-update-their-password-without-entering-current-password">Users can update their password without entering current password</h2> <p>The settings page contained an unverified password change weakness which could have been used to reset a user's password without knowing the user's current password. This only worked if the attacker had either hijacked a victim's session or gained access to a victim's email address to intercept a password reset token.</p> <p>Thanks to <a href="https://twitter.com/jobertabma">Jobert</a> via <a href="https://hackerone.com/jobert">HackerOne</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-1">Versions Affected</h3> <p>Affects GitLab CE/EE 1.0 and up.</p> <h3 id="remediation-1">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p> <h2 id="persistent-xss---selecting-users-as-allowed-merge-request-approvers">Persistent XSS - Selecting users as allowed merge request approvers</h2> <p>The merge request approvers dropdown in GitLab EE contained a persistent XSS issue which is now resolved in the latest release.</p> <p>Thanks to <a href="https://hackerone.com/phillycheeze">phillycheeze</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-2">Versions Affected</h3> <p>Affects GitLab EE 9.1 and up.</p> <h3 id="remediation-2">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p> <h2 id="persistent-xss---multiple-locations-of-user-selection-drop-downs">Persistent XSS - Multiple locations of user selection drop downs</h2> <p>The user selection drop down in GitLab EE contained a persistent XSS issue which is now resolved in the latest release.</p> <p>Thanks to <a href="https://hackerone.com/phillycheeze">phillycheeze</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-3">Versions Affected</h3> <p>Affects GitLab EE 9.1 and up.</p> <h3 id="remediation-3">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p> <h2 id="include-directive-in-gitlab-ciyml-allows-ssrf-requests"><code>include</code> directive in .gitlab-ci.yml allows SSRF requests</h2> <p>Arbitrary GET requests could be performed against internal resources via the <code>include</code> directive in .gitlab-ci.yml. Data exfiltration potential is limited to resources that respond with a YAML file following certain constraints. This issue is now resolved in the latest release.</p> <h3 id="versions-affected-4">Versions Affected</h3> <p>Affects GitLab EE 10.5 and up.</p> <h3 id="remediation-4">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p> <h2 id="permissions-issue-in-merge-requests-create-service">Permissions issue in Merge Requests Create Service</h2> <p>Users who were not project members could create merge requests via a fork for internal projects.
This issue is now resolved in the latest release.</p> <h3 id="versions-affected-5">Versions Affected</h3> <p>Affects GitLab CE/EE 10.6.</p> <h3 id="remediation-5">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p> <h2 id="arbitrary-assignment-of-project-fields-using-import-project">Arbitrary assignment of project fields using "Import project"</h2> <p>Any project model database column could be controlled on import by fields in the <code>project.json</code> of an exported project. This issue is now resolved in the latest release.</p> <p>Thanks to <a href="https://twitter.com/jobertabma">Jobert</a> via <a href="https://hackerone.com/jobert">HackerOne</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-6">Versions Affected</h3> <p>Affects GitLab CE/EE 10.4 and up.</p> <h3 id="remediation-6">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p> <h2 id="updating">Updating</h2> <p>To update, check out our <a href="/update/">update page</a>.</p> Summary of limited download archive unauthorized access of repositories on GitLab.com https://about.gitlab.com/releases/2018/05/02/download-archive-security-vulnerability/ 2018-05-02T00:00:00+00:00 2018-05-02T00:00:00+00:00 Kathy Wang <h2 id="summary">Summary</h2> <p>From April 17, 2018 to April 24, 2018, a limited number of public and private repositories may have been inadvertently downloaded by unauthorized users on GitLab.com. GitLab user Lee Pugh notified us of this issue on April 23, 2018. The affected users represent 0.04 percent of our GitLab.com user base.
While the archive files generated for users would normally be unique to that repository, a recent change to support downloading the latest copy of a repository under a stable filename inadvertently introduced this vulnerability.</p> <p>This vulnerability affected GitLab.com users, and was mitigated as of April 23, 2018. None of our on-prem users are affected by this vulnerability. We have notified the affected users via email, and are implementing a series of security enhancements to prevent such issues from happening again.</p> <h2 id="accidental-unauthorized-access-of-download-archives">Accidental unauthorized access of download archives</h2> <p>From April 17, 2018 to April 24, 2018, a subset of GitLab.com users were potentially affected by a security vulnerability where a limited number of public and private repositories may have been inadvertently downloaded by unauthorized users.</p> <p>Prior to v10.7.0, a unique hash value was always included in the request for the archive file to be processed by Workhorse, the subsystem responsible for performing slower operations on Git repositories. This meant any file generated for the user would generally be unique to that repository. With the release of v10.7.0, the <code>append_sha</code> parameter was made optional. The motivation for the change was to support the use case where the latest copy of the repository could be downloaded under the same filename every time.</p> <p>However, this introduced a problem: a repository download archive request without this parameter returns the ArchivePath value without a unique ID. As a result of this change, an archive request for a second project with the same name would point to the same archive file. This vulnerability was mitigated in production within hours of discovery by disabling the feature flags controlling the caching behavior.
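To make the collision concrete, here is an added illustration (not GitLab's or Workhorse's code) of how an archive path derived only from the project name lets a second project's request be served the first project's cached archive, and how keying the cache on a project-unique value keeps the stable-filename use case without the collision. The Project struct, the archive_* helpers and the in-memory cache are assumptions for the example.

```ruby
require 'digest'

# Constructed stand-in for the archive flow described above; not GitLab's or
# Workhorse's code. Two projects in different namespaces share the name "docs".
Project = Struct.new(:id, :namespace, :name, :head_sha)

PROJECT_A = Project.new(101, 'alice', 'docs', 'a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0')
PROJECT_B = Project.new(202, 'bob',   'docs', 'f0e1d2c3b4a5968778695a4b3c2d1e0f00112233')

# Pre-10.7.0 behaviour as the post describes it: the commit SHA is always part
# of the archive name, so the name is (practically) unique per repository.
def archive_path_with_sha(project, ref: 'master', format: 'tar.gz')
  "#{project.name}-#{ref}-#{project.head_sha}.#{format}"
end

# The regression: with append_sha omitted, the name is built from the
# project name and ref only, so two projects named alike produce one path.
def archive_path_without_sha(project, ref: 'master', format: 'tar.gz')
  "#{project.name}-#{ref}.#{format}"
end

# One assumed remedy (not GitLab's actual fix): keep the user-facing filename
# stable, but key the cache on values unique to the project (numeric id and
# namespace) rather than on the user-chosen display name alone.
def archive_cache_key(project, ref: 'master', format: 'tar.gz', append_sha: false)
  filename = if append_sha
               archive_path_with_sha(project, ref: ref, format: format)
             else
               archive_path_without_sha(project, ref: ref, format: format)
             end
  Digest::SHA256.hexdigest("#{project.id}/#{project.namespace}/#{filename}")
end

# Minimal model of the archive cache: the first request under a key stores
# that project's archive; later requests under the same key get whatever is
# already stored, regardless of who is asking.
class ArchiveCache
  def initialize
    @store = {}
  end

  # Returns the id of the project whose archive the requester actually receives.
  def fetch(key, project)
    @store[key] ||= project.id
  end
end

# Simulate A requesting its archive, then B requesting its own. Returns true
# when B is served A's archive, i.e. the cross-project leak described above.
def collides?(key_fn)
  cache = ArchiveCache.new
  cache.fetch(key_fn.call(PROJECT_A), PROJECT_A)
  served_to_b = cache.fetch(key_fn.call(PROJECT_B), PROJECT_B)
  served_to_b != PROJECT_B.id
end

if __FILE__ == $PROGRAM_NAME
  puts "with sha:      collides=#{collides?(method(:archive_path_with_sha))}"
  puts "without sha:   collides=#{collides?(method(:archive_path_without_sha))}"
  puts "project-keyed: collides=#{collides?(method(:archive_cache_key))}"
end
```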
The vulnerability has been patched in the <a href="/releases/2018/04/30/security-release-gitlab-10-dot-7-dot-2-released/">latest Security Release</a>.</p> <h2 id="impact">Impact</h2> <p>There is no evidence of malicious activity related to the accidental unauthorized access of download archives. However, the detailed audit logs in our log aggregator only cover part of the seven days in question. Potentially affected users have received email notifications accordingly. Although there is no evidence to suggest it happened, in the worst case a private repository could have been accidentally downloaded.</p> <h2 id="mitigations">Mitigations</h2> <p>Since the discovery, we have worked to investigate and mitigate all of these related security issues. We are continually improving our security processes and logging mechanisms to ensure that similar incidents will not occur again. These improvements include:</p> <ul> <li>Increasing logging retention periods</li> <li>Fine-grained access controls for all logging infrastructure</li> <li>Adding unit/integration tests to ensure consistent coding practices</li> </ul> <p>If your project or account is potentially affected by this security issue, you will receive an email notification listing the affected projects.</p> <p>We apologize for the impact this issue has caused our users. GitLab takes your information and your data extremely seriously. We will learn from this incident and use it to improve our security even further.</p> <p>In keeping with our company value of transparency, we also believe in communicating about such incidents clearly and promptly.
If you have any questions, please contact <a href="mailto:security@gitlab.com">security@gitlab.com</a>.</p> GitLab Security Release: 10.7.2, 10.6.5, and 10.5.8 https://about.gitlab.com/releases/2018/04/30/security-release-gitlab-10-dot-7-dot-2-released/ 2018-04-30T00:00:00+00:00 2018-04-30T00:00:00+00:00 James Ritchey <p>Today we are releasing versions 10.7.2, 10.6.5, and 10.5.8 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain a number of important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.</p> <p>The vulnerability details will be made public on our issue tracker in approximately 30 days.</p> <p>Please read on for more information regarding this release.</p> <h2 id="persistent-xss-in-move-issue-using-project-namespace">Persistent XSS in 'Move Issue' using project namespace</h2> <p>The <code>Move Issue</code> feature contained a persistent XSS vulnerability that is now resolved in the latest release.
This issue has been assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10379">CVE-2018-10379</a>.</p> <p>Thanks to <a href="https://hackerone.com/fransrosen">fransrosen</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected">Versions Affected</h3> <p>Affects GitLab CE/EE 9.5 and up.</p> <h3 id="remediation">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p> <h2 id="download-archive-allowing-unauthorized-private-repo-access">Download Archive allowing unauthorized private repo access</h2> <p>The <code>Download Archive</code> feature contained an improper authorization issue which is fixed in this release. Affected users will receive an email notification, and a separate blog post will be published with further details regarding this issue and its impact.</p> <h2 id="mattermost-updates">Mattermost Updates</h2> <p>We've included the respective Mattermost security versions in 10.5 and 10.6.
The omnibus-gitlab package for 10.7.0 already contains the Mattermost security update.</p> <p>For more information, see the <a href="https://about.mattermost.com/security-updates/">Mattermost security updates page</a>.</p> <h2 id="updating">Updating</h2> <p>To update, check out our <a href="/update/">update page</a>.</p> GitLab Security Release: 10.6.3, 10.5.7, and 10.4.7 https://about.gitlab.com/releases/2018/04/04/security-release-gitlab-10-dot-6-dot-3-released/ 2018-04-04T00:00:00+00:00 2018-04-04T00:00:00+00:00 James Ritchey <p>Today we are releasing versions 10.6.3, 10.5.7, and 10.4.7 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain a number of important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.</p> <p>The vulnerability details will be made public on our issue tracker in approximately 30 days.</p> <p>Please read on for more information regarding this release.</p> <h2 id="confidential-issue-comments-in-slack-mattermost-and-webhook-integrations">Confidential issue comments in Slack, Mattermost, and webhook integrations</h2> <p>Comments on confidential issues were previously sent to webhooks and integrations when notifications were configured to send notes or comments.
This applied to custom webhooks, Slack, and Mattermost notifications.</p> <p>We've introduced a new option to control the sending of confidential notes, as well as an option for specifying a different channel for Slack and Mattermost.</p> <h3 id="versions-affected">Versions Affected</h3> <p>Affects GitLab CE/EE 8.6 and up.</p> <h3 id="remediation">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p> <h2 id="persistent-xss-in-milestones-data-milestone-id">Persistent XSS in milestones data-milestone-id</h2> <p>The milestone dropdown feature contained a persistent XSS issue that is now resolved in the latest release. This issue has been assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9244">CVE-2018-9244</a>.</p> <p>Thanks to <a href="https://hackerone.com/fransrosen">fransrosen</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-1">Versions Affected</h3> <p>Affects GitLab CE/EE 9.2 and up.</p> <h3 id="remediation-1">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p> <h2 id="persistent-xss-in-filename-of-merge-request">Persistent XSS in filename of merge request</h2> <p>Filenames in the changes tab contained a persistent XSS issue that is now resolved in the latest release.
This issue has been assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9243">CVE-2018-9243</a>.</p> <p>Thanks to <a href="https://hackerone.com/fransrosen">fransrosen</a> for responsibly reporting this vulnerability to us.</p> <h3 id="versions-affected-2">Versions Affected</h3> <p>Affects GitLab CE/EE 8.4 and up.</p> <h3 id="remediation-2">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p> <h2 id="upgrade-barometer">Upgrade barometer</h2> <p>This release includes one database migration, which can be run without downtime. This migration adds a column to the <code>services</code> table. Another background migration is launched to populate this value.</p> <h2 id="updating">Updating</h2> <p>To update, check out our <a href="/update/">update page</a>.</p> Summary of limited GitLab credentials exposed in an internal logging system https://about.gitlab.com/releases/2018/03/26/summary-of-limited-gitlab-credentials-exposed/ 2018-03-26T00:00:00+00:00 2018-03-26T00:00:00+00:00 Kathy Wang <h2 id="summary">Summary</h2> <p>From February 19, 2018 to March 19, 2018, some GitLab.com personal access tokens and third-party credentials were inadvertently exposed publicly via an unprotected logging dashboard. The affected users represent approximately 0.5 percent of our GitLab.com user base. While the dashboard was originally protected from unauthorized access, a recent configuration change made this internal system publicly accessible.</p> <p>Upon further review, we discovered a limited number of tokens and third-party credentials were incorrectly stored in this system. We’ve already mitigated all issues that led to this exposure.
Our audit logs cover only a portion of the time the dashboard was exposed, but within that window only one login resulted in a deep query that exposed a personal access token. This activity was positively linked to the user who immediately disclosed the issue to us. As such, we have no evidence that any of the affected credentials were used in a malicious manner.</p> <p>We have notified the affected users via email to update their credentials and are implementing a series of security enhancements to prevent such issues from happening again. Note that self-managed GitLab customers are entirely unaffected, as their credentials are stored in their own database and this logging functionality is off by default in self-managed instances.</p> <h2 id="credentials-written-to-logs">Credentials written to logs</h2> <p>On February 28, 2018 we discovered internally that GitLab’s Gitaly service was, in certain circumstances, mishandling the sanitization of private third-party credentials for push-mirrored and imported repositories. These unscrubbed credentials were then sent to our logging system (ELK) and our exception management system (Sentry).</p> <p>During the investigation, we realized that some other credentials were also leaking into our HAProxy load balancer logs. These were personal access tokens used for GitLab API access when passed via query parameters in an HTTP request. Additionally, credentials that allow access to some third-party Git repositories were leaked into the logs. 
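</p>
<p>The two leak channels just described, credentials embedded in repository URLs and tokens passed as query parameters, are exactly what a sink-side log scrubber has to catch. The following is an added example in Ruby, not GitLab's or Gitaly's code; the parameter names, the log line formats and the sample lines are assumptions made for illustration.</p>

```ruby
# Added example, not GitLab's code: scrub credentials from log lines before
# they reach a sink such as ELK, Sentry or the HAProxy access log. It covers
# the two leak channels the post describes: credentials embedded in repository
# URLs (user:secret@host, as in push mirrors and imports) and personal access
# tokens passed as query parameters. Parameter names, log formats and sample
# lines below are assumptions made for illustration.

FILTERED = '[FILTERED]'.freeze
SENSITIVE_PARAMS = %w[private_token access_token token password].freeze

# scheme://user:secret@host/... -> scheme://[FILTERED]@host/...
# The character class stops at "/" so an "@" later in the path is not matched.
USERINFO_RE = %r{([a-z][a-z0-9+.-]*://)[^/@\s]+@}i

# ?private_token=abc or &private_token=abc -> private_token=[FILTERED]
QUERY_RE = /(?<=[?&])(#{SENSITIVE_PARAMS.join('|')})=[^&\s"']*/i

# Redaction is idempotent: running it over an already scrubbed line is a no-op.
def redact(line)
  line.gsub(USERINFO_RE) { "#{Regexp.last_match(1)}#{FILTERED}@" }
      .gsub(QUERY_RE) { "#{Regexp.last_match(1)}=#{FILTERED}" }
end

# A line leaks a credential if redaction would change it. Useful as a guard in
# a log pipeline test or as the predicate for a periodic audit of stored logs.
def leaks?(line)
  redact(line) != line
end

# Constructed sample lines shaped like an HAProxy request log and a mirror
# fetch log; the token and password are fake.
SAMPLE_LINES = [
  'haproxy[123]: 203.0.113.5:51234 [19/Mar/2018:10:00:00.000] "GET /api/v4/projects?private_token=AbCd1234EfGh5678 HTTP/1.1"',
  'gitaly: fetching remote https://deploy:s3cr3tP4ss@git.example.org/team/repo.git for mirror',
  'rails: GET /api/v4/user HTTP/1.1 200 (token sent in PRIVATE-TOKEN header, not logged)'
].freeze

def scrubbed_samples
  SAMPLE_LINES.map { |line| redact(line) }
end

if __FILE__ == $PROGRAM_NAME
  SAMPLE_LINES.zip(scrubbed_samples).each do |before, after|
    puts "#{leaks?(before) ? 'LEAK ' : 'clean'} | #{after}"
  end
end
```

<p>Scrubbing at the sink is a backstop, not the fix: by the time a token appears in a URL it has usually already been written by the client, the proxy and the application. Send tokens in the <code>PRIVATE-TOKEN</code> header rather than the query string, and treat any hit from <code>leaks?</code> over stored logs as a rotation trigger for the credential involved.</p>
<p>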
These have been fixed in the following:</p> <ul> <li><a href="https://gitlab.com/gitlab-org/gitaly/merge_requests/624">Sanitize URLs before logging them</a></li> <li><a href="https://gitlab.com/gitlab-cookbooks/gitlab_fluentd/merge_requests/7">Sanitize private_token field in HA Proxy logs</a></li> <li><a href="https://gitlab.com/gitlab-cookbooks/gitlab-oauth2-proxy/merge_requests/10">Reconfigure OAuth mechanism, removing ‘*’ email domain access</a></li> </ul> <h2 id="exposure-of-logs">Exposure of logs</h2> <p>On March 19, 2018, GitLab user Ryan Hefner discovered an authentication misconfiguration on our internal logging dashboard. A configuration change was made incorrectly on February 19, 2018, which resulted in potential public read-only access to the centralized, internal logging server for GitLab. This misconfiguration was resolved immediately upon notification.</p> <p>GitLab uses an OAuth proxy service to authenticate all access to our internal logging infrastructure. Previously, this proxy service had been correctly configured to only allow access to authorized GitLab engineers. However, in the course of migrating this proxy service to our new cloud infrastructure, we inadvertently introduced a misconfiguration that allowed anyone with a valid Google account read-only access to our internal logging server, instead of the intended behavior of allowing only authorized GitLab engineering accounts.</p> <h2 id="impact">Impact</h2> <p>There is no evidence of user credential abuse. However, the audit logs for the dashboard only cover seven of the 30 days in question. The only audit log activity accessing sensitive information was from the user who immediately reported the issue to GitLab. We found no evidence of abuse against the API itself. Regardless, we are taking every precaution, and strongly recommend that all affected GitLab.com users rotate their personal access tokens. 
Affected users have received further instructions via email notifications, accordingly.</p> <p>Although there is no evidence to suggest it happened, in the worst case an attacker could have gained access and obtained personal access tokens used in API calls between February 19, 2018 and March 19, 2018.</p> <h2 id="mitigations">Mitigations</h2> <p>Since the discovery, we have worked to investigate and mitigate all of these related security issues. We are continually improving our security processes and logging mechanisms to ensure that similar incidents will not occur again. These improvements are:</p> <ul> <li>Increased logging retention periods</li> <li>Fine-grained access controls on all logging infrastructure</li> <li>Regular, periodic audits of all our logs</li> <li>Mandatory review of any security-relevant change by a GitLab Application Security engineer</li> <li>Documentation of this process in our runbooks to ensure repeatability</li> <li>An additional measure we won't disclose because informing adversaries could render it less effective</li> </ul> <p>If your project or account is affected by this security issue, you will receive an email notification listing affected projects with steps to rotate your personal access tokens. To proactively change them, visit this page: <a href="https://gitlab.com/profile/personal_access_tokens">https://gitlab.com/profile/personal_access_tokens</a>.</p> <p>We apologize for the impact this issue has caused our users. GitLab takes your information and your data extremely seriously. We have quadrupled the size of our internal security team in the last six months and have further plans to grow. We will learn from this incident and use it to improve upon our security even further.</p> <p>In keeping with our company value of transparency, we also believe in communicating about such incidents clearly and promptly. 
If you have any questions, please contact <a href="mailto:security@gitlab.com">security@gitlab.com</a>.</p> GitLab Critical Security Release: 10.5.6, 10.4.6, and 10.3.9 https://about.gitlab.com/releases/2018/03/20/critical-security-release-gitlab-10-dot-5-dot-6-released/ 2018-03-20T00:00:00+00:00 2018-03-20T00:00:00+00:00 James Ritchey <p>Today we are releasing versions 10.5.6, 10.4.6, and 10.3.9 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain a number of important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.</p> <p>The vulnerability details will be made public on our issue tracker in approximately 30 days.</p> <p>Please read on for more information regarding this release.</p> <h2 id="ssrf-in-services-and-web-hooks">SSRF in services and web hooks</h2> <p>There were multiple server-side request forgery issues in the Services feature. An attacker could make requests to servers on the same network as the GitLab instance. This could lead to information disclosure, authentication bypass, or potentially code execution. 
This issue has been assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8801">CVE-2018-8801</a>.</p> <p>Thanks to <a href="https://twitter.com/jobertabma">@jobert</a> from <a href="https://hackerone.com/jobert">HackerOne</a> for reporting this.</p> <h3 id="versions-affected">Versions Affected</h3> <ul> <li>Affects GitLab CE/EE 8.3 and up</li> </ul> <h3 id="remediation">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p> <h2 id="gitlab-auth0-integration-issue">GitLab Auth0 integration issue</h2> <p>There was an issue with the GitLab <code>omniauth-auth0</code> configuration which resulted in the Auth0 integration signing in the wrong users.</p> <p>Thanks to <a href="https://gitlab.com/trondhindenes">Trond Hindenes</a> for reporting this issue.</p> <h3 id="versions-affected-1">Versions Affected</h3> <ul> <li>Affects GitLab CE 8.6 and up</li> </ul> <h3 id="remediation-1">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p> <h2 id="updating">Updating</h2> <p>To update, check out our <a href="/update/">update page</a>.</p> <h4 id="update-2018-03-21-700pm-utc">Update (2018-03-21 7:00PM UTC)</h4> <p>In order to address the SSRF issue, we created a new checkbox setting to allow outbound requests to local networks (IPv4 and IPv6 private address ranges). It is unchecked by default.</p> <p>The setting is located in <code>Admin area-&gt;Settings-&gt;Outbound Requests</code>. If you need to allow outbound requests to your local network for hooks and services, please enable this checkbox. 
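</p>
<p>The setting above is a coarse switch: either hooks and services may reach private address ranges or they may not. The following added example in Ruby (not GitLab's code) shows what such a check has to do to hold up: validate every address the hostname resolves to rather than the hostname string, and normalise IPv4-mapped IPv6 literals so that <code>::ffff:10.0.0.1</code> cannot slip past the IPv4 ranges. The blocked range list, the resolver interface and the constructed DNS table are assumptions made for illustration.</p>

```ruby
require 'ipaddr'
require 'resolv'
require 'uri'

# Added example, not GitLab's code: an outbound-request policy for webhooks
# and service integrations in the spirit of the "allow requests to the local
# network" setting described above. Every address the host resolves to is
# checked, not only the hostname string, and IPv4-mapped IPv6 literals are
# normalised so "::ffff:10.0.0.1" cannot bypass the IPv4 ranges. The range
# list and the constructed DNS table are assumptions made for illustration.

BLOCKED_RANGES = %w[
  0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16
  172.16.0.0/12 192.168.0.0/16 ::1/128 fc00::/7 fe80::/10
].map { |cidr| IPAddr.new(cidr) }.freeze

def private_address?(ip)
  addr = ip.is_a?(IPAddr) ? ip : IPAddr.new(ip)
  addr = addr.native if addr.ipv4_mapped? # ::ffff:a.b.c.d -> a.b.c.d
  BLOCKED_RANGES.any? { |range| range.include?(addr) }
end

# Returns [allowed, reason]. +resolver+ maps a hostname to its addresses and
# is injectable so the policy can be exercised without network access; the
# default uses the system resolver.
def outbound_allowed?(url, allow_local_network: false,
                      resolver: ->(host) { Resolv.getaddresses(host) })
  uri = URI.parse(url)
  return [false, 'unsupported scheme'] unless %w[http https].include?(uri.scheme)

  host = uri.hostname # strips the brackets from IPv6 literals
  return [false, 'missing host'] if host.nil? || host.empty?
  return [true, 'local network allowed by admin setting'] if allow_local_network

  addresses =
    begin
      [IPAddr.new(host)] # IP literal: nothing to resolve
    rescue IPAddr::InvalidAddressError
      resolver.call(host).map { |a| IPAddr.new(a) }
    end
  return [false, 'hostname did not resolve'] if addresses.empty?

  blocked = addresses.find { |addr| private_address?(addr) }
  return [false, "resolves to private address #{blocked}"] if blocked

  [true, 'public address']
rescue URI::InvalidURIError => e
  [false, "invalid URL: #{e.message}"]
end

# Constructed DNS table for offline use.
FAKE_DNS = {
  'hooks.example.com' => ['198.51.100.7'],
  'metadata.internal' => ['169.254.169.254'],
  'dual.example.com'  => ['198.51.100.8', '10.0.0.5']
}.freeze
FAKE_RESOLVER = ->(host) { FAKE_DNS.fetch(host, []) }
```

<p>Two caveats a reviewer would raise. First, a hostname that resolves to both a public and a private address (<code>dual.example.com</code> above) is rejected outright, because the client cannot control which answer it connects to. Second, validating before connecting leaves a DNS rebinding window: the address checked and the address actually connected to must be the same one, so the HTTP client should connect to the validated IP and send the hostname in the <code>Host</code> header, and redirects must be re-validated rather than followed blindly.</p>
<p>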
Note that by checking this, your GitLab instance will be vulnerable to the SSRF issue mentioned above.</p> <p>To provide a more flexible and improved solution, we may add a configurable whitelist at a future date.</p> <h4 id="update-2018-03-23-900am-utc">Update (2018-03-23 9:00AM UTC)</h4> <p>If you are currently using Auth0, the configuration will need to be updated slightly.</p> <p>Check the <a href="https://docs.gitlab.com/ee/integration/auth0.html">Auth0 integration documentation</a> for the correct syntax.</p> Announcing March 20, 2018 Critical Security Update https://about.gitlab.com/releases/2018/03/16/gitlab-critical-release-preannouncement/ 2018-03-16T00:00:00+00:00 2018-03-16T00:00:00+00:00 James Ritchey <p>On Tuesday, March 20th, 2018 at 23:59 UTC, we will publish a critical GitLab security update. More details will be forthcoming on <a href="/blog/">our blog</a>, including which versions of GitLab are affected.</p> <p>We recommend that installations running affected versions upgrade immediately. Please forward this alert to the appropriate people at your organization and have them subscribe to <a href="/company/contact/#security-notices">Security Notices</a>.</p> GitLab Security Release: 10.5.3, 10.4.5, 10.3.8 https://about.gitlab.com/releases/2018/03/06/security-10-5-3-plus-10-4-5-plus-10-3-8-1st-blog-post/ 2018-03-06T00:00:00+00:00 2018-03-06T00:00:00+00:00 James Ritchey <p>Today we are releasing versions 10.5.3, 10.4.5, and 10.3.8 for GitLab Community Edition (CE) and Enterprise Edition (EE). 
These versions contain a number of important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.</p> <p>This security release blog post is the first part of two. The second post will be published in approximately 30 days, and it will detail the vulnerability findings.</p> <p>Please read on for more details regarding this release.</p> <h2 id="2fa-weakness">2FA weakness</h2> <p>The two-factor authentication feature contained a security weakness potentially resulting in abuse of recovery codes.</p> <h3 id="versions-affected">Versions affected</h3> <ul> <li>GitLab CE and EE 7.4.0 and up</li> </ul> <h3 id="remediation">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p> <h2 id="geo-failover-weak-file-permissions">Geo: failover weak file permissions</h2> <p>A weak file permissions issue affecting the GitLab Geo feature was discovered which could potentially result in low-privileged users triggering a failover. The PostgreSQL trigger file that promotes a Geo secondary was expected in <code>/tmp</code>, a directory any local user can write to.</p> <h3 id="versions-affected-1">Versions affected</h3> <ul> <li>GitLab EE 8.7.0 and up</li> </ul> <h3 id="remediation-1">Remediation</h3> <p>For existing installations, upgrading is not sufficient on its own: you will need to edit the PostgreSQL <code>recovery.conf</code> file (in Omnibus GitLab it's located at <code>/var/opt/gitlab/postgresql/data/recovery.conf</code>) on all Geo secondary nodes and remove the following line:</p> <div class="highlight"><pre class="highlight"><code>trigger_file = '/tmp/postgresql.trigger' # &lt;- remove this line</code></pre></div> <p>We strongly recommend that all installations running an affected version above be upgraded to the latest version as soon as possible.</p> <h2 id="open-redirect-gitlab-pages">Open redirect GitLab Pages</h2> <p>An open redirect issue was discovered on GitLab Pages which could result in 
phishing campaigns having a more trustworthy appearance.</p> <p>Thanks to <a href="https://hackerone.com/pankajj736">pankajj736</a> on HackerOne for reporting this issue.</p> <h3 id="versions-affected-2">Versions affected</h3> <ul> <li>GitLab CE and EE 10.3 and up</li> </ul> <h3 id="remediation-2">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p> <h2 id="improper-authorization-group-lock">Improper authorization group lock</h2> <p>The group lock feature contained an improper authorization issue which could result in accidental sharing of a project.</p> <h3 id="versions-affected-3">Versions Affected</h3> <ul> <li>GitLab CE and EE 9.5 and up</li> </ul> <h3 id="remediation-3">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p> <h2 id="push-rules-denial-of-service">Push rules denial of service</h2> <p>A missing input validation check was discovered in the push rules feature which could result in a denial of service of the platform.</p> <h3 id="versions-affected-4">Versions affected</h3> <ul> <li>GitLab EE 9.1 and up</li> </ul> <h3 id="remediation-4">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p> <h2 id="upgrade-barometer">Upgrade barometer</h2> <p>Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. 
This behavior can be changed by adding a <a href="http://doc.gitlab.com/omnibus/update/README.html"><code>/etc/gitlab/skip-auto-migrations</code> file</a>.</p> <h2 id="updating">Updating</h2> <p>To update, check out our <a href="/update/">update page</a>.</p> <h3 id="cve-ids">CVE IDs</h3> <p>We are working on obtaining CVE numbers for these vulnerabilities and will update the blog post accordingly when we've obtained that information.</p> GitLab Pages Security Fix Notification https://about.gitlab.com/releases/2018/02/21/pages-security-fix-rollout/ 2018-02-21T00:00:00+00:00 2018-02-21T00:00:00+00:00 James Ritchey <p>On February 5, we disabled the ability to add custom domains in GitLab Pages due to security concerns. Today, we have re-enabled that ability after deploying a feature that requires GitLab.com users to verify ownership of the domains. Users can now once again configure domains and update TLS certificates.</p> <p>To learn more about the original issue please view the <a href="/releases/2018/02/05/gitlab-pages-custom-domain-validation/">previous post</a>.</p> <h1 id="user-impact">User impact</h1> <p>Upon adding a custom domain to their Pages site, users are now <strong>required</strong> to verify domain ownership by adding a DNS TXT record containing a token generated by GitLab. GitLab Pages checks for the existence of that TXT record, and only someone who controls the domain's DNS can publish it. When updating DNS records, the change may take time to fully propagate (sometimes up to 24-48 hours).</p> <p>Once a custom domain has been added and verified, GitLab Pages will periodically need to re-verify these TXT records. 
This is handled automatically and is necessary for validating that the user still owns that domain.</p> <p>Current custom domain users will be <strong>required</strong> to verify ownership of their existing domain within a 30-day grace period.</p> <p>Unverified custom domains cannot be claimed by a repository. A previously claimed domain that cannot be re-verified within 7 days will be relinquished.</p> <h1 id="timeline-of-issues-and-mitigation">Timeline of issues and mitigation</h1> <ul> <li> <p>2017-12-11 - HackerOne Researcher bnchandrapal discloses <a href="https://hackerone.com/reports/296907">first report</a>, we decide not to fix anything at this time.</p> </li> <li> <p>2018-02-01 - GitLab and HackerOne Researcher bnchandrapal agree to publicly disclose the <a href="https://hackerone.com/reports/296907">first report</a>.</p> </li> <li> <p>2018-02-04 - HackerOne Researcher <a href="https://hackerone.com/edoverflow">edoverflow</a> submits <a href="https://hackerone.com/reports/312118">second report</a>.</p> </li> <li> <p>2018-02-05 - GitLab posts <a href="/releases/2018/02/05/gitlab-pages-custom-domain-validation/">blog post</a> to inform customers of the <a href="https://hackerone.com/reports/296907">security issue and current plan</a>.</p> </li> <li> <p>2018-02-08 - GitLab awards HackerOne researcher <a href="https://hackerone.com/edoverflow">edoverflow</a> a high severity bounty for the <a href="https://hackerone.com/reports/312118">second report</a>.</p> </li> <li> <p>2018-02-12 - <a href="https://news.ycombinator.com/item?id=16358544">Hacker News reports</a> on the GitLab blog post.</p> </li> <li> <p>2018-02-12 - GitLab awards HackerOne researcher bnchandrapal a high severity bounty for the <a href="https://hackerone.com/reports/296907">first report</a>.</p> </li> <li> <p>2018-02-20 - Per blog post, GitLab planned to roll out the domain ownership verification mechanism to mitigate the <a 
href="https://hackerone.com/reports/296907">first report</a>; however, the fix requires additional testing/verification.</p> </li> <li> <p>2018-02-21 - GitLab makes <a href="https://hackerone.com/reports/312118">second report</a> by researcher <a href="https://hackerone.com/edoverflow">edoverflow</a> public.</p> </li> <li> <p>2018-02-21 - GitLab begins phased rollout of domain ownership verification mechanism.</p> </li> <li> <p>2018-03-01 - Estimated date of completion for the domain ownership verification mechanism rollout.</p> </li> </ul> GitLab Security Release: 10.4.3, 10.3.7, and 10.2.8 https://about.gitlab.com/releases/2018/02/07/gitlab-security-10-4-3-plus-10-3-7-plus-10-2-8-blog/ 2018-02-07T00:00:00+00:00 2018-02-07T00:00:00+00:00 James Ritchey <p>Today we are releasing versions 10.4.3, 10.3.7, and 10.2.8 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain a number of important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.</p> <p>This security release blog post is the first part of two. The second post will be published in approximately 30 days, and it will detail the vulnerability findings.</p> <p>Please read on for more details regarding this release.</p> <h2 id="snippetfinder-information-disclosure">SnippetFinder information disclosure</h2> <p>The GitLab SnippetFinder component contained an information disclosure which allowed access to snippets restricted to <code>Only team members</code> or configured as <code>disabled</code>. 
The issue is now resolved in the latest version.</p> <h3 id="versions-affected">Versions affected</h3> <ul> <li>GitLab CE and EE 7.4.0 and up</li> </ul> <h3 id="remediation">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p> <h2 id="ldap-api-authorization-issue">LDAP API authorization issue</h2> <p>An LDAP API endpoint contained an authorization vulnerability which unintentionally disclosed bulk LDAP group data. This issue is now fixed in the latest release.</p> <p>Thanks to <a href="https://twitter.com/jobertabma">Jobert Abma</a> of <a href="https://hackerone.com/jobert">HackerOne</a> for responsibly disclosing this issue to us.</p> <h3 id="versions-affected-1">Versions affected</h3> <ul> <li>GitLab CE and EE 6.1.0 and up</li> </ul> <h3 id="remediation-1">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p> <h2 id="persistent-xss-mermaid-markdown">Persistent XSS mermaid markdown</h2> <p>The mermaid markdown feature contained a persistent XSS issue that is now resolved in the latest release.</p> <p>Thanks to <a href="https://twitter.com/totally_unknown">Nils Juenemann</a> for responsibly disclosing this issue to us.</p> <h3 id="versions-affected-2">Versions affected</h3> <ul> <li>GitLab CE and EE 10.3 and up</li> </ul> <h3 id="remediation-2">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p> <h2 id="insecure-direct-object-reference-todo-api">Insecure direct object reference Todo API</h2> <p>The Todo API was vulnerable to an insecure direct object reference issue which resulted in an information disclosure of confidential data.</p> <p>Thanks to <a href="https://twitter.com/jobertabma">Jobert 
Abma</a> of <a href="https://hackerone.com/jobert">HackerOne</a> for responsibly disclosing this issue to us.</p> <h3 id="versions-affected-3">Versions Affected</h3> <ul> <li>GitLab CE and EE 9.5 and up</li> </ul> <h3 id="remediation-3">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p> <h2 id="github-import-access-control-issue">GitHub import access control issue</h2> <p>An improper access control weakness was discovered in the GitHub import feature. The issue allowed an attacker to create projects under other accounts to which they should not have had access. The issue is now resolved in the latest version.</p> <p>Thanks to <a href="https://twitter.com/jobertabma">Jobert Abma</a> of <a href="https://hackerone.com/jobert">HackerOne</a> for responsibly disclosing this issue to us.</p> <h3 id="versions-affected-4">Versions affected</h3> <ul> <li>GitLab CE and EE 9.1 and up</li> </ul> <h3 id="remediation-4">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p> <h2 id="protected-variables-information-disclosure">Protected variables information disclosure</h2> <p>The CI jobs protected tag feature contained a vulnerability which resulted in an information disclosure of protected variables. 
The issue is now resolved in the latest release.</p> <p>Thanks to Wes Cossick of <a href="https://www.sparksuite.com/">Sparksuite</a> for responsibly disclosing this issue to us.</p> <h3 id="versions-affected-5">Versions affected</h3> <ul> <li>GitLab CE and EE 9.1 and up</li> </ul> <h3 id="remediation-5">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p> <h2 id="upgrade-barometer">Upgrade barometer</h2> <p>Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a <a href="http://doc.gitlab.com/omnibus/update/README.html"><code>/etc/gitlab/skip-auto-migrations</code> file</a>.</p> <h2 id="updating">Updating</h2> <p>To update, check out our <a href="/update/">update page</a>.</p> <h3 id="cve-ids">CVE IDs</h3> <p>We are working on obtaining CVE numbers for these vulnerabilities and will update the blog post accordingly when we've obtained that information.</p> <h2 id="enterprise-edition">Enterprise Edition</h2> <p>Interested in GitLab Enterprise Edition? Check out the <a href="/pricing/feature-comparison/">features exclusive to EE</a>.</p> <p>Access to GitLab Enterprise Edition is included with a <a href="/pricing/">subscription</a>. No time to upgrade GitLab yourself? 
Subscribers receive upgrade and installation services.</p> GitLab Pages Security Issue Notification https://about.gitlab.com/releases/2018/02/05/gitlab-pages-custom-domain-validation/ 2018-02-05T00:00:00+00:00 2018-02-05T00:00:00+00:00 James Ritchey <h2 id="issue-summary">Issue Summary</h2> <p>When a user added a <a href="https://docs.gitlab.com/ee/user/project/pages/custom_domains_ssl_tls_certification/index.html#adding-your-custom-domain-to-gitlab-pages">custom domain</a> to their Pages site, no validation was performed to ensure the domain was owned by that user. This issue allows an attacker to discover DNS records already pointing to the GitLab Pages IP address which haven't been claimed and potentially hijack them. This issue impacts all users who have created and then deleted custom domains using GitLab Pages, but still have the DNS records active.</p> <h2 id="customer-remediation-steps">Customer Remediation Steps</h2> <p>Our customers should check if they are using the GitLab Pages service with a custom domain and review their DNS records which point to the GitLab Pages IP <code>52.167.214.135</code>.</p> <p>If you notice any of your DNS records pointing to that IP address and you're no longer using or intending to use the GitLab Pages service, please remove those specific DNS records.</p> <p>If you are intending to use the GitLab Pages service and notice that your custom domain has already been claimed or "hijacked", please contact us at security@gitlab.com.</p> <h2 id="gitlab-remediation-strategy">GitLab Remediation Strategy</h2> <p>We've currently disabled the feature to add custom domains until we've deployed the patch. 
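</p>
<p>Both Pages posts above come down to two checks: the customer-side audit for DNS records still pointing at the Pages IP for domains no longer attached to a site (the precondition for the hijack), and the DNS TXT ownership proof that the February 21 rollout made mandatory. The following added example in Ruby, not GitLab Pages' code, implements both. The TXT record name and value format, the zone export layout and the constructed DNS data are assumptions made for illustration; the Pages documentation describes the real record.</p>

```ruby
require 'resolv'
require 'securerandom'

# Added example, not GitLab Pages' code. It covers both Pages posts above: the
# hijack precondition (DNS records still pointing at the Pages IP for domains
# no longer attached to a site) and the DNS TXT ownership proof now required
# when a custom domain is added. The TXT record name and value format, the
# zone export layout and the constructed DNS data are assumptions made for
# illustration; the Pages documentation describes the real record.

PAGES_IP   = '52.167.214.135'.freeze
TXT_LABEL  = '_gitlab-pages-verification-code'.freeze
TXT_PREFIX = 'gitlab-pages-verification-code='.freeze

# Part 1: audit a zone export for dangling A records. +records+ is an array
# of { name:, type:, value: } hashes; +claimed+ lists domains still attached
# to a verified Pages site. Anything returned can be claimed by a stranger.
def find_dangling_records(records, claimed, pages_ip: PAGES_IP)
  records.select { |r| r[:type] == 'A' && r[:value] == pages_ip && !claimed.include?(r[:name]) }
         .map { |r| r[:name] }
end

# Part 2: ownership verification. The code is generated once per domain,
# stored with it, and reused for periodic re-verification.
def generate_verification_code
  SecureRandom.hex(16)
end

# Record name and value the user must publish for +domain+.
def expected_txt_record(domain, code)
  ["#{TXT_LABEL}.#{domain}", "#{TXT_PREFIX}#{code}"]
end

def dns_txt(name)
  Resolv::DNS.open do |dns|
    dns.getresources(name, Resolv::DNS::Resource::IN::TXT).flat_map(&:strings)
  end
end

# +lookup_txt+ maps a hostname to its TXT strings; injectable so the check
# runs offline. The record is accepted under the dedicated label or on the
# domain itself, and only an exact value match proves ownership.
def verify_domain(domain, code, lookup_txt: method(:dns_txt))
  name, expected = expected_txt_record(domain, code)
  (lookup_txt.call(name) + lookup_txt.call(domain)).include?(expected)
end

# Constructed data for offline use.
SAMPLE_ZONE = [
  { name: 'www.example.com',      type: 'A', value: '52.167.214.135' },
  { name: 'old-docs.example.com', type: 'A', value: '52.167.214.135' },
  { name: 'mail.example.com',     type: 'A', value: '198.51.100.20' }
].freeze
SAMPLE_CODE = 'e2bc0c2b7b2a4f1c9f3f2e4a6d8b0c1d'.freeze
FAKE_TXT = {
  '_gitlab-pages-verification-code.www.example.com' => ["#{TXT_PREFIX}#{SAMPLE_CODE}"]
}.freeze
FAKE_LOOKUP = ->(name) { FAKE_TXT.fetch(name, []) }
```

<p>The audit returns <code>old-docs.example.com</code> for the sample zone: its A record still points at the Pages IP but no site claims it, which is exactly the record the posts ask customers to remove. Periodic re-verification is the same <code>verify_domain</code> call run later with the stored code; if the record disappears, the domain is released, which is what stops a deleted site from leaving a claimable name behind.</p>
<p>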
In the meantime, the GitLab team is working to provide a more complete <a href="https://gitlab.com/gitlab-org/gitlab-ce/issues/29497">validation</a> of custom domains in the GitLab Pages service as soon as possible.</p> <p>Our mitigation strategy will consist of implementing domain verification mechanisms on all new and existing GitLab Pages domains, utilizing checks on customer DNS TXT records. This mechanism will be detailed in GitLab Pages documentation when implemented.</p> <p>There will be a transition plan for current customers once the domain verification mechanisms are active. Stay tuned for further details.</p> <h4 id="update-2018-02-07-1000pm-utc">Update (2018-02-07 10:00PM UTC)</h4> <p>The <a href="https://gitlab.com/gitlab-org/gitlab-ce/issues/29497">issue</a> referenced above is currently confidential and will be made public after the fix is implemented in 10.5.</p> <h4 id="update-2018-02-14-700pm-utc">Update (2018-02-14 7:00PM UTC)</h4> <p>The domain verification mechanism will be deployed by the 20th of February in the 10.4 security release. The feature to add custom domains will be re-enabled, and once again users will be able to configure domains and update TLS certificates.</p> <h4 id="update-2018-02-21-1200am-utc">Update (2018-02-21 12:00AM UTC)</h4> <p>The domain verification mechanism rollout will be phased, starting with GitLab.com, beginning on 2/21. 
We expect that rollout will be completed end of week 2/26, based on current projections.</p> GitLab Security Release: 10.3.4, 10.2.6, and 10.1.6 https://about.gitlab.com/releases/2018/01/16/gitlab-10-dot-3-dot-4-released/ 2018-01-16T00:00:00+00:00 2018-01-16T00:00:00+00:00 James Ritchey <p>Today we are releasing versions 10.3.4, 10.2.6, and 10.1.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain a number of important security fixes, including two that prevent remote code execution, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.</p> <p>This security release blog post is the first part of two. The second post will be published in approximately 30 days, and it will detail the vulnerability findings.</p> <p>Please read on for more details regarding this release.</p> <h2 id="remote-code-execution-vulnerability-in-gitlab-projects-import">Remote Code Execution Vulnerability in GitLab Projects Import</h2> <p>The GitLab projects import component contained a vulnerability which allowed an attacker to write files to arbitrary directories on the server, which could result in remote code execution. 
The vulnerability has now been mitigated and has been assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0915">CVE-2017-0915</a> and <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3710">CVE-2018-3710</a>.</p> <p>Thanks to <a href="https://twitter.com/jobertabma">Jobert Abma</a> of <a href="https://hackerone.com/jobert">HackerOne</a> and <a href="https://twitter.com/b0bby_tables">Brian Neel</a> for responsibly disclosing these issues to us.</p> <h3 id="versions-affected">Versions Affected</h3> <ul> <li>GitLab CE and EE 8.9.0 - 9.5.10</li> <li>GitLab CE and EE 10.0.0 - 10.1.5</li> <li>GitLab CE and EE 10.2.0 - 10.2.5</li> <li>GitLab CE and EE 10.3.0 - 10.3.3</li> </ul> <h3 id="remediation">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p> <h4 id="additional-workarounds">Additional Workarounds</h4> <p>If you cannot upgrade immediately, disable the affected import source:</p> <ol> <li>Go to <code>/admin/application_settings</code> of your GitLab instance.</li> <li>Under "Import sources", uncheck the "GitLab export" checkbox.</li> <li>Click <code>Save</code>.</li> </ol> <h2 id="gitlab-ci-runner-can-read-and-poison-cache-of-all-other-projects">GitLab CI Runner Can Read and Poison Cache of All Other Projects</h2> <p>A path traversal vulnerability was found in the CI runner, which allowed a malicious user to read and poison other projects' caches. 
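</p>
<p>The failure mode here is a cache key, which the job author controls, being joined into a filesystem path without a containment check. The following added example in Ruby (not GitLab Runner's code) shows the unsafe join beside a hardened form that keeps every resolved path inside the project's own cache directory. The cache layout, the key format and the project-id format are assumptions made for illustration.</p>

```ruby
require 'pathname'

# Added example, not GitLab Runner's code: confine a project's cache reads and
# writes to that project's own directory. The cache key is attacker-influenced
# (it comes from the job definition), so a key interpolated into a path must
# not be able to climb out of the project directory. The cache layout, the
# key format and the project-id format are assumptions made for illustration.

CACHE_ROOT = '/var/cache/gitlab-runner'.freeze

class CachePathError < StandardError; end

# The shape that goes wrong: the key is joined into the path with no
# containment check, so "../42/..." addresses project 42's cache.
def unsafe_cache_path(project_id, key, root: CACHE_ROOT)
  File.join(root, project_id.to_s, key)
end

# Hardened form: returns the absolute path for +key+ inside the project's
# cache directory, or raises if the key would escape it. The key is used
# literally; decode it first if it ever arrives URL-encoded.
def cache_path_for(project_id, key, root: CACHE_ROOT)
  raise CachePathError, 'bad project id' unless project_id.to_s.match?(/\A\d+\z/)
  raise CachePathError, 'empty key' if key.nil? || key.empty?
  raise CachePathError, 'absolute key' if key.start_with?('/')
  raise CachePathError, 'NUL byte in key' if key.include?("\0")

  project_dir = Pathname.new(root).join(project_id.to_s).cleanpath
  # Pathname#join and #cleanpath resolve "." and ".." lexically (no symlink
  # following); the prefix check below is what enforces the boundary.
  candidate = project_dir.join(key).cleanpath
  unless candidate.to_s.start_with?("#{project_dir}/")
    raise CachePathError, "key escapes project cache: #{key.inspect}"
  end
  candidate.to_s
end

def cache_key_safe?(project_id, key)
  cache_path_for(project_id, key)
  true
rescue CachePathError
  false
end
```

<p>The check is lexical, so it does not protect against a symlink that already exists inside the project directory, nor against archive entries with <code>../</code> names when a cache archive is extracted; those need the same containment test applied to each entry after extraction paths are resolved. Rejecting the project id when it is anything other than digits closes the same hole from the other side, since an id of <code>7/../42</code> would otherwise relocate the base directory.</p>
<p>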
The issue is now remediated and has been assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0918">CVE-2017-0918</a>.</p> <p>Thanks to <a href="https://twitter.com/jobertabma">Jobert Abma</a> of <a href="https://hackerone.com/jobert">HackerOne</a> for responsibly disclosing this issue to us.</p> <h3 id="versions-affected-1">Versions Affected</h3> <ul> <li>GitLab CE and EE 8.4.0 - 9.5.10</li> <li>GitLab CE and EE 10.0.0 - 10.1.5</li> <li>GitLab CE and EE 10.2.0 - 10.2.5</li> <li>GitLab CE and EE 10.3.0 - 10.3.3</li> </ul> <h3 id="remediation-1">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p> <h2 id="jupyter-notebook-xss">Jupyter Notebook XSS</h2> <p>Projects that have Jupyter Notebooks could execute external JavaScript. This XSS vulnerability was caused by unsanitized output in Jupyter Notebooks. The output is now correctly sanitized before being rendered. This issue has been assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0923">CVE-2017-0923</a>.</p> <h3 id="versions-affected-2">Versions Affected</h3> <ul> <li>GitLab CE and EE 9.1.0 - 9.5.10</li> <li>GitLab CE and EE 10.0.0 - 10.1.5</li> <li>GitLab CE and EE 10.2.0 - 10.2.5</li> <li>GitLab CE and EE 10.3.0 - 10.3.3</li> </ul> <h3 id="remediation-2">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version above be upgraded to the latest version as soon as possible.</p> <h2 id="sensitive-fields-exposed-to-admins--masters-in-the-services-api">Sensitive Fields Exposed to Admins / Masters in the Services API</h2> <p>The <a href="https://docs.gitlab.com/ee/api/services.html">Services API</a> responses were exposing sensitive fields to the Admins and Masters of the service's project. We now filter those sensitive fields out of the Services API responses. 
This issue has been assigned to <a href="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-0925">CVE-2017-0925</a>.</p> <p>Thanks to <a href="https://gitlab.com/WarX">Artur Jan Fijałkowski</a> for responsibly disclosing this issue to us.</p> <h3 id="versions-affected-3">Versions Affected</h3> <ul> <li>GitLab CE and EE 8.0.0 - 9.5.10</li> <li>GitLab CE and EE 10.0.0 - 10.1.5</li> <li>GitLab CE and EE 10.2.0 - 10.2.5</li> <li>GitLab CE and EE 10.3.0 - 10.3.3</li> </ul> <h3 id="remediation-3">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version listed above be upgraded to the latest version as soon as possible.</p> <h2 id="login-with-disabled-oauth-provider-via-post">Login with Disabled OAuth Provider via POST</h2> <p>OAuth providers are configured per instance and can be disabled from the Admin settings page under "Sign-in Restrictions".</p> <p>It was possible to log in with a disabled OAuth provider by bypassing the sign-in form with a crafted request. A check has been added to prevent this. This issue has been assigned to <a href="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-0926">CVE-2017-0926</a>.</p> <p>Thanks to <a href="https://gitlab.com/stevenorman">Steve Norman</a> for responsibly disclosing this issue to us.</p> <h3 id="versions-affected-4">Versions Affected</h3> <ul> <li>GitLab CE and EE 8.8.0 - 9.5.10</li> <li>GitLab CE and EE 10.0.0 - 10.1.5</li> <li>GitLab CE and EE 10.2.0 - 10.2.5</li> <li>GitLab CE and EE 10.3.0 - 10.3.3</li> </ul> <h3 id="remediation-4">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version listed above be upgraded to the latest version as soon as possible.</p> <h2 id="xss-in-label-dropdown">XSS in Label Dropdown</h2> <p>A persistent XSS vulnerability was discovered in the issue/merge request sidebar label dropdown. Label names inside the sidebar label dropdown are now escaped. 
This issue has been assigned to <a href="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-0924">CVE-2017-0924</a>.</p> <p>Thanks to <a href="https://hackerone.com/c05m0ch405">c05m0ch405</a> for responsibly disclosing this issue to us through HackerOne.</p> <h3 id="versions-affected-5">Versions Affected</h3> <ul> <li>GitLab CE and EE 9.0.0 - 9.5.10</li> <li>GitLab CE and EE 10.0.0 - 10.1.5</li> <li>GitLab CE and EE 10.2.0 - 10.2.5</li> <li>GitLab CE and EE 10.3.0 - 10.3.3</li> </ul> <h3 id="remediation-5">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version listed above be upgraded to the latest version as soon as possible.</p> <h2 id="critical-sql-injection-in-milestonefinder">Critical SQL Injection in MilestoneFinder</h2> <p>A SQL injection vulnerability was discovered in the MilestoneFinder component. The affected SQL query has now been mitigated. This issue has been assigned to <a href="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-0914">CVE-2017-0914</a>.</p> <h3 id="versions-affected-6">Versions Affected</h3> <ul> <li>GitLab CE and EE 9.4.0 - 9.5.10</li> <li>GitLab CE and EE 10.0.0 - 10.1.5</li> <li>GitLab CE and EE 10.2.0 - 10.2.5</li> <li>GitLab CE and EE 10.3.0 - 10.3.3</li> </ul> <h3 id="remediation-6">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version listed above be upgraded to the latest version as soon as possible.</p> <h2 id="critical-vulnerability-with-command-injection-via-webhooks">Critical Vulnerability with Command Injection via Webhooks</h2> <p>A newline injection vulnerability was discovered in the Webhook component that allowed an attacker to inject non-HTTP commands into a TCP stream. 
The issue has now been mitigated and assigned to <a href="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-0916">CVE-2017-0916</a>.</p> <h3 id="versions-affected-7">Versions Affected</h3> <ul> <li>GitLab CE and EE 8.8.0 - 10.1.5</li> <li>GitLab CE and EE 10.2.0 - 10.2.5</li> <li>GitLab CE and EE 10.3.0 - 10.3.3</li> </ul> <h3 id="remediation-7">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version listed above be upgraded to the latest version as soon as possible.</p> <h2 id="cross-site-scripting-xss-vulnerability-in-ci-job-output">Cross-site scripting (XSS) vulnerability in CI job output</h2> <p>A persistent XSS vulnerability was discovered in the CI job component; the issue has now been resolved by performing stricter input validation. This issue has been assigned to <a href="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-0917">CVE-2017-0917</a>.</p> <p>Thanks to <a href="https://twitter.com/jobertabma">Jobert Abma</a> of <a href="https://hackerone.com/jobert">HackerOne</a> for responsibly disclosing this issue to us.</p> <h3 id="versions-affected-8">Versions Affected</h3> <ul> <li>GitLab CE and EE 10.1.0 - 10.1.5</li> <li>GitLab CE and EE 10.2.0 - 10.2.5</li> <li>GitLab CE and EE 10.3.0 - 10.3.3</li> </ul> <h3 id="remediation-8">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version listed above be upgraded to the latest version as soon as possible.</p> <h2 id="guest-users-can-give-deploy-keys-in-other-projects-write-access">Guest Users Can Give Deploy Keys in Other Projects Write Access</h2> <p>An improper authorization vulnerability was discovered in the deployment keys component which resulted in unauthorized use of deployment keys by guest users. The issue has now been resolved and is assigned to <a href="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-0927">CVE-2017-0927</a>. 
This change altered the <code>/deploy_keys</code> API endpoint, which no longer returns the <code>can_push</code> attribute. See <a href="https://gitlab.com/gitlab-org/gitlab-ee/blob/v10.3.4-ee/doc/api/deploy_keys.md">our updated documentation</a>.</p> <h3 id="versions-affected-9">Versions Affected</h3> <ul> <li>GitLab CE and EE 8.16.0 - 9.5.10</li> <li>GitLab CE and EE 10.0.0 - 10.1.5</li> <li>GitLab CE and EE 10.2.0 - 10.2.5</li> <li>GitLab CE and EE 10.3.0 - 10.3.3</li> </ul> <h3 id="remediation-9">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version listed above be upgraded to the latest version as soon as possible.</p> <h2 id="milestone-authorization-issue-on-boards">Milestone Authorization Issue on Boards</h2> <p>An authorization bypass vulnerability was discovered in the Boards component which resulted in an information disclosure. The issue has now been resolved and is assigned to <a href="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-0922">CVE-2017-0922</a>.</p> <h3 id="versions-affected-10">Versions Affected</h3> <ul> <li>GitLab EE 9.1.0 - 9.5.10</li> <li>GitLab EE 10.0.0 - 10.1.5</li> <li>GitLab EE 10.2.0 - 10.2.5</li> <li>GitLab EE 10.3.0 - 10.3.3</li> </ul> <h3 id="remediation-10">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version listed above be upgraded to the latest version as soon as possible.</p> <h2 id="authorization-issue-when-creating-merge-requests">Authorization Issue When Creating Merge Requests</h2> <p>An authorization vulnerability in merge request creation allowed users to see the names of private projects, including projects that had already been forked. 
The issue is now mitigated and is assigned to <a href="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-0920">CVE-2017-0920</a>.</p> <h3 id="versions-affected-11">Versions Affected</h3> <ul> <li>GitLab CE and EE 8.8.0 - 10.1.5</li> <li>GitLab CE and EE 10.2.0 - 10.2.5</li> <li>GitLab CE and EE 10.3.0 - 10.3.3</li> </ul> <h3 id="remediation-11">Remediation</h3> <p>We <strong>strongly recommend</strong> that all installations running an affected version listed above be upgraded to the latest version as soon as possible.</p> <h2 id="upgrade-barometer">Upgrade Barometer</h2> <p>These versions include a migration to add a column to the <code>deploy_keys</code> table and a post-deploy migration to populate it. No downtime is required.</p> <p>Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a <a href="http://doc.gitlab.com/omnibus/update/README.html"><code>/etc/gitlab/skip-auto-migrations</code> file</a>.</p> <h2 id="updating">Updating</h2> <p>To update, check out our <a href="/update/">update page</a>.</p> <h2 id="enterprise-edition">Enterprise Edition</h2> <p>Interested in GitLab Enterprise Edition? Check out the <a href="/pricing/feature-comparison/">features exclusive to EE</a>.</p> <p>Access to GitLab Enterprise Edition is included with a <a href="/pricing/">subscription</a>. No time to upgrade GitLab yourself? Subscribers receive upgrade and installation services.</p> Announcing January 16, 2018 Critical Security Update https://about.gitlab.com/releases/2018/01/12/gitlab-critical-release-preannouncement/ 2018-01-12T00:00:00+00:00 2018-01-12T00:00:00+00:00 Stan Hu <p>On Tuesday, January 16th, 2018 at 23:59 UTC, we will publish a critical GitLab security update. 
More details will be forthcoming on <a href="/blog/">our blog</a>, including which versions of GitLab are affected.</p> <p>We recommend that installations running affected versions upgrade immediately. Please forward this alert to the appropriate people at your organization and have them subscribe to <a href="/company/contact/#security-notices">Security Notices</a>.</p> GitLab 9.4.4, 9.3.10, 9.2.10, 9.1.10, 9.0.13, and 8.17.8 Critical Security Release https://about.gitlab.com/releases/2017/08/10/gitlab-9-dot-4-dot-4-released/ 2017-08-10T18:00:00+00:00 2017-08-10T18:00:00+00:00 GitLab <p>Today we are releasing versions 9.4.4, 9.3.10, 9.2.10, 9.1.10, 9.0.13, and 8.17.8 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain two critical security fixes. The first is a security fix for a vulnerability in <code>git</code> that can be exploited through GitLab to execute arbitrary shell commands. The second security fix addresses the use of symlinks inside GitLab Export files, which could be used to copy the contents of arbitrary repositories.</p> <p>We <strong>strongly recommend</strong> that all affected GitLab installations be upgraded to one of these versions <strong>immediately</strong>.</p> <p><em>Note: This is a coordinated release with several other companies and projects, including <code>git</code> itself, which is why it is occurring at 18:00 UTC. 
As those projects release their updates this release post will be updated with more information.</em></p> <h2 id="other-announcements">Other Announcements</h2> <ul> <li>Git: <a href="https://www.mail-archive.com/linux-kernel@vger.kernel.org/msg1466490.html">CVE-2017-1000117</a></li> <li>Apache Subversion: <a href="https://subversion.apache.org/security/CVE-2017-9800-advisory.txt">CVE-2017-9800</a></li> <li>Mercurial: <a href="https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.3_.282017-08-10.29">CVE-2017-1000116</a></li> <li>Recurity Labs: <a href="http://blog.recurity-labs.com/2017-08-10/scm-vulns">SCM Vulnerabilities</a></li> </ul> <p>Please read on for more details.</p> <h2 id="remote-command-execution-in-git-client-cve-2017-12426">Remote Command Execution in <code>git</code> client (CVE-2017-12426)</h2> <p>An external code review performed by Recurity Labs identified a remote command execution vulnerability in <code>git</code> that could be exploited via the "Repo by URL" import option in GitLab. The command line <code>git</code> client was not properly escaping command line arguments in URLs using the SSH protocol before invoking the SSH client. A specially crafted URL could be used to execute arbitrary shell commands on the GitLab server.</p> <p>To fully patch this vulnerability two fixes were needed. The Omnibus versions of GitLab contain a patched <code>git</code> client. For source users who may still be running an older version of <code>git</code>, GitLab now also blocks import URLs containing invalid host and usernames. 
<a href="https://gitlab.com/gitlab-org/gitlab-ce/issues/35212">35212</a></p> <p>This issue has been assigned <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12426">CVE-2017-12426</a>.</p> <p>Thanks to <a href="http://twitter.com/joernchen">Joern Schneeweisz</a> and <a href="http://www.recurity-labs.com/">Recurity Labs</a> for discovering this vulnerability, providing immediate notification, and helping us coordinate a release across several projects.</p> <h3 id="versions-affected">Versions affected</h3> <ul> <li>7.9.0 through 8.17.7</li> <li>9.0.0 through 9.0.12</li> <li>9.1.0 through 9.1.9</li> <li>9.2.0 through 9.2.9</li> <li>9.3.0 through 9.3.9</li> <li>9.4.0 through 9.4.3</li> </ul> <p>We <strong>strongly recommend</strong> that all installations running a version mentioned above be upgraded as soon as possible.</p> <h3 id="workarounds">Workarounds</h3> <p>If you're unable to upgrade right away, you can secure your GitLab installation against this vulnerability using the workaround outlined below until you have time to upgrade.</p> <p>Note: Disabling the "Repo by URL" import option does not fully mitigate this vulnerability, as existing projects will still be able to change their import URLs.</p> <h3 id="removing-support-for-ssh-urls">Removing support for SSH URLs</h3> <p>GitLab CE+EE instances that cannot be patched immediately can disable support for SSH URLs in project imports and mirrors by editing the GitLab source code and removing <code>ssh</code> from the list of valid protocols.</p> <p>For source users, edit: <code>/app/validators/addressable_url_validator.rb</code>.</p> <p>For Omnibus users, edit: <code>/opt/gitlab/embedded/service/gitlab-rails/app/validators/addressable_url_validator.rb</code>.</p> <p>Change:</p> <div class="highlight"><pre class="highlight plaintext"><code>DEFAULT_OPTIONS = { protocols: %w(http https ssh git) }.freeze </code></pre></div> <p>To:</p> <div class="highlight"><pre class="highlight plaintext"><code>DEFAULT_OPTIONS = { protocols: %w(http https git) }.freeze </code></pre></div>
<p>Then restart GitLab.</p> <p>For Omnibus users: <code>gitlab-ctl restart</code>.</p> <h3 id="verifying-the-workaround">Verifying the workaround</h3> <ol> <li>Choose to create a new project.</li> <li>Choose "Import by URL".</li> <li>Specify a URL such as <code>ssh://gitlab.com/foo.git</code>.</li> <li>Verify that GitLab returns an invalid URL error.</li> </ol> <p>Be certain that you do not revert this patch until you have installed an updated version of <code>git</code>.</p> <h2 id="improper-sanitization-of-gitlab-export-files-on-import">Improper sanitization of GitLab export files on import</h2> <p>GitLab versions 8.13.3, 8.12.8, 8.11.10, 8.10.13, and 8.9.12 contained a patch for a <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9086">critical directory traversal vulnerability</a> in the GitLab export feature that could be exploited by including symlinks in the export file and then re-importing it into a GitLab instance. This vulnerability was patched by checking for and removing symlinks in these files on import.</p> <p><a href="http://www.recurity-labs.com/">Recurity Labs</a> also determined that this fix did not properly remove symlinks for hidden files. Though not as dangerous as the original vulnerability, hidden-file symlinks could still be used to steal copies of <code>git</code> repositories belonging to other users if the path to the <code>git</code> repository was known to the attacker. An updated fix has been included in these releases that properly removes all symlinks. 
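</p> <p>Returning to the import-URL fix in the previous section: the release both dropped <code>ssh</code> from the protocol allowlist (the workaround above) and made GitLab reject import URLs with invalid hosts and usernames. The following is an added example, not GitLab's code; it uses Ruby's standard-library <code>URI</code> rather than the Addressable gem the real validator's name suggests, and the module and method names are hypothetical. It reuses the page's <code>DEFAULT_OPTIONS</code> shape so that the verification step above (<code>ssh://gitlab.com/foo.git</code> must be rejected) can be checked directly.</p>

```ruby
require 'uri'

# Added example (not GitLab code): allowlist-style import URL check.
module ImportUrlCheck
  # Same shape as DEFAULT_OPTIONS in the workaround: ssh is not listed.
  DEFAULT_OPTIONS = { protocols: %w(http https git) }.freeze

  # One DNS label: must start and end with an alphanumeric, so a host that
  # begins with '-' (which a command-line client could read as an option)
  # can never pass. IPv6 literals are deliberately not accepted here.
  HOST_LABEL = /\A[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\z/i
  # Username (the part before '@'): conservative set, never a leading '-'.
  USERNAME   = /\A[a-z0-9._][a-z0-9._-]{0,63}\z/i

  # Returns an array of error strings; an empty array means the URL passes.
  def self.errors_for(url, options = DEFAULT_OPTIONS)
    return ['url is blank'] if url.nil? || url.strip.empty?
    # Whitespace and control characters are rejected before parsing at all.
    return ['url contains whitespace or control characters'] if url =~ /[[:space:][:cntrl:]]/

    begin
      uri = URI.parse(url)
    rescue URI::InvalidURIError => e
      return ["url does not parse: #{e.message}"]
    end

    errors = []
    scheme = uri.scheme.to_s.downcase
    errors << "scheme '#{scheme}' is not allowed" unless options[:protocols].include?(scheme)

    host = uri.host.to_s
    if host.empty?
      errors << 'host is missing'
    elsif !host.split('.', -1).all? { |label| label =~ HOST_LABEL }
      errors << "host '#{host}' is not a valid hostname"
    end

    errors << "username '#{uri.user}' is not allowed" if uri.user && uri.user !~ USERNAME
    errors << 'password in url is not allowed' if uri.password
    errors
  end

  def self.valid?(url, options = DEFAULT_OPTIONS)
    errors_for(url, options).empty?
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs; the ssh one is the page's own verification URL.
  %w[https://gitlab.com/gitlab-org/gitlab-ce.git ssh://gitlab.com/foo.git].each do |u|
    puts "#{u}: #{ImportUrlCheck.errors_for(u).inspect}"
  end
end
```
<p>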
<a href="https://gitlab.com/gitlab-org/gitlab-ce/issues/36091">36091</a></p> <p>This import option was not made available to non-admin users until GitLab 8.13.0.</p> <h3 id="versions-affected-1">Versions affected</h3> <ul> <li>8.9.0 through 8.17.7</li> <li>9.0.0 through 9.0.12</li> <li>9.1.0 through 9.1.9</li> <li>9.2.0 through 9.2.9</li> <li>9.3.0 through 9.3.9</li> <li>9.4.0 through 9.4.3</li> </ul> <p>We <strong>strongly recommend</strong> that all installations running a version mentioned above be upgraded as soon as possible.</p> <h3 id="workarounds-1">Workarounds</h3> <p>GitLab instances that cannot be patched immediately can disable the "GitLab export" option for project imports in their admin settings.</p> <h3 id="verifying-the-workaround-1">Verifying the workaround</h3> <ol> <li>Choose to create a new project</li> <li>Verify that the "GitLab export" option is not available.</li> </ol> <h2 id="upgrade-barometer">Upgrade barometer</h2> <p>These versions do not include any migrations and will not require downtime.</p> <p>Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a <a href="http://doc.gitlab.com/omnibus/update/README.html"><code>/etc/gitlab/skip-auto-migrations</code> file</a>.</p> <h2 id="updating">Updating</h2> <p>To update, check out our <a href="/update/">update page</a>.</p> <h2 id="enterprise-edition">Enterprise Edition</h2> <p>Interested in GitLab Enterprise Edition? Check out the <a href="/pricing/feature-comparison/">features exclusive to EE</a>.</p> <p>Access to GitLab Enterprise Edition is included with a <a href="/pricing/">subscription</a>. No time to upgrade GitLab yourself? 
Subscribers receive upgrade and installation services.</p> Announcing August 10, 2017 Critical Security Update https://about.gitlab.com/releases/2017/08/04/gitlab-critical-release-preannouncement/ 2017-08-04T00:00:00+00:00 2017-08-04T00:00:00+00:00 Brian Neel <p>On Thursday, August 10th, 2017 at 18:00 UTC, we will publish a critical GitLab security update. More details will be forthcoming on <a href="/blog/">our blog</a>, including which versions of GitLab are affected.</p> <p>We recommend that installations running affected versions upgrade as soon as the new releases are available. Please forward this alert to the appropriate people at your organization and have them subscribe to <a href="/company/contact/#security-notices">Security Notices</a>.</p> <p>Please note the 18:00 UTC release time. This is different from the 23:59 UTC release time used for previous critical security releases. This change will be explained in the release blog post.</p> 9.3.7 Patch Release Update - Security Addendum https://about.gitlab.com/releases/2017/08/03/recent-bug-could-enable-signups/ 2017-08-03T00:00:00+00:00 2017-08-03T00:00:00+00:00 Brian Neel <p>GitLab 9.3.7 fixed a security problem that was not listed in the <a href="/releases/2017/07/18/gitlab-9-dot-3-dot-7-released/">patch release update</a>. We recommend that users on GitLab 9.3.0 to 9.3.6 upgrade to 9.3.9 or newer.</p> <p>This bug was introduced in GitLab 9.3.0 and can be triggered when an instance loses connectivity to the Redis cluster. In this situation the server may create a new application settings entry in the database using the GitLab defaults. 
In a worst-case scenario, an instance with sign-ups initially disabled may have that setting enabled, allowing users to register.</p> <p>A fix for this bug was included with GitLab CE+EE versions 9.3.7 and 9.4.0. The fix <em>does not</em> restore any settings that have been reset to defaults. All users running GitLab instances at version 9.3.0 or newer should verify that their application settings are still correct. Users running instances with sign-ups disabled should verify that no unauthorized accounts have been created.</p> <p>Users running GitLab CE+EE versions prior to 9.3.0 and users of GitLab.com are not affected.</p> <p>More details can be found in <a href="https://gitlab.com/gitlab-org/gitlab-ce/issues/34728">the issue</a>.</p> <p>Thanks to <a href="https://twitter.com/ramonsmit94">Ramon Smit</a> of <a href="https://twitter.com/DALTCORE">DALTCORE</a> for reporting the full impact of this vulnerability to us.</p> Announcing July 19, 2017 Critical Security Update https://about.gitlab.com/releases/2017/07/14/gitlab-critical-release-preannouncement/ 2017-07-14T00:00:00+00:00 2017-07-14T00:00:00+00:00 Brian Neel <p>On Wednesday, July 19th, 2017 at 23:59 UTC, we will publish a critical GitLab security update. More details will be forthcoming on <a href="/blog/">our blog</a>, including which versions of GitLab are affected.</p> <p>We recommend that installations running affected versions upgrade immediately. 
Please forward this alert to the appropriate people at your organization and have them subscribe to <a href="/company/contact/#security-notices">Security Notices</a>.</p> Announcing March 20, 2017 Critical Security Update https://about.gitlab.com/releases/2017/03/17/gitlab-critical-release-preannouncement/ 2017-03-17T00:00:00+00:00 2017-03-17T00:00:00+00:00 Brian Neel <p>On Monday, March 20th, 2017 at 23:59 UTC, we will publish a critical GitLab security update. More details will be forthcoming on <a href="/blog/">our blog</a>, including which versions of GitLab are affected.</p> <p>We recommend that installations running affected versions upgrade immediately. Please forward this alert to the appropriate people at your organization and have them subscribe to <a href="/company/contact/#security-notices">Security Notices</a>.</p> GitLab Major Security Update for CVE-2016-9469 https://about.gitlab.com/releases/2016/11/30/gitlab-major-security-update-for-cve-2016-9469/ 2016-11-30T00:00:00+00:00 2016-11-30T00:00:00+00:00 Brian Neel <p>On Monday, December 5th, 2016 at 3:59pm PST (23:59 UTC), we will publish a major GitLab security update to address CVE-2016-9469, a denial-of-service and data corruption vulnerability. More details will be forthcoming on <a href="/blog/">our blog</a>, including which versions of GitLab are affected.</p> <p>We recommend that installations running affected versions upgrade immediately. 
Please forward this alert to the appropriate people at your organization and have them subscribe to <a href="/company/contact/#security-notices">Security Notices</a>.</p> GitLab 8.13.3, 8.12.8, 8.11.10, and 8.10.13 Released https://about.gitlab.com/releases/2016/11/02/cve-2016-9086-patches/ 2016-11-02T23:50:00+00:00 2016-11-02T23:50:00+00:00 GitLab <p>Today we are releasing versions 8.13.3, 8.12.8, 8.11.10, and 8.10.13 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> <p>These versions contain an important security fix for a critical directory traversal vulnerability, and we <strong>strongly recommend</strong> that all GitLab installations be upgraded to one of these versions <strong>immediately</strong>.</p> <p>Please read on for more details.</p> <h2 id="directory-traversal-via-importexport-feature-cve-2016-9086">Directory traversal via "import/export" feature: <code>CVE-2016-9086</code></h2> <p><a href="https://twitter.com/jobertabma">Jobert Abma</a> from <a href="https://hackerone.com/jobert">HackerOne</a> disclosed a critical security flaw in the "import/export project" feature of GitLab. Added in GitLab 8.9, this feature allows a user to export and then re-import their projects as tape archive files (tar). All GitLab versions prior to 8.13.0 restricted this feature to administrators only. Starting with version 8.13.0 this feature was made available to all users.</p> <p>This feature did not properly check for symbolic links in user-provided archives and therefore it was possible for an authenticated user to retrieve the contents of any file accessible to the GitLab service account. This included sensitive files such as those that contain secret tokens used by the GitLab service to authenticate users. 
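</p> <p>The fix described here (strip symlinks from the extracted archive before importing it) and the gap found later in the 2017-08-10 release above (the first fix missed symlinks whose names start with a dot) can both be seen in one place. The following is an added example, not GitLab's code: it builds a constructed "extracted export" directory in a temporary location with one visible and one hidden symlink, shows that a naive <code>Dir.glob</code> finds only the visible one, and then removes every symlink with a dotfile-aware walk. Module and method names are hypothetical; it assumes a Unix-like system where symlinks can be created.</p>

```ruby
require 'tmpdir'
require 'fileutils'

# Added example (not GitLab code): finding and removing symlinks in an
# extracted export tree, with and without dotfile awareness.
module ExportSymlinkScan
  # Naive scan: Dir.glob('**/*') does not match names that start with '.',
  # so a symlink named '.hidden' is never seen. This is the gap the page
  # describes for hidden files.
  def self.symlinks_naive(root)
    Dir.glob(File.join(root, '**', '*')).select { |p| File.symlink?(p) }.sort
  end

  # Complete scan: FNM_DOTMATCH makes '*' match dotfiles as well. The '.'
  # and '..' entries some Ruby versions return are filtered by basename.
  # File.symlink? uses lstat, so a dangling or out-of-tree link is still
  # detected rather than followed.
  def self.symlinks_all(root)
    Dir.glob(File.join(root, '**', '*'), File::FNM_DOTMATCH)
       .reject { |p| %w[. ..].include?(File.basename(p)) }
       .select { |p| File.symlink?(p) }
       .sort
  end

  # Remove every symlink found (the remediation); returns the paths removed.
  # File.unlink removes the link itself, never its target.
  def self.strip_symlinks!(root)
    links = symlinks_all(root)
    links.each { |p| File.unlink(p) }
    links
  end

  # Constructed sample tree: one regular file plus a visible and a hidden
  # symlink, both pointing outside the export (the target need not exist).
  def self.build_sample(root)
    uploads = File.join(root, 'project', 'uploads')
    FileUtils.mkdir_p(uploads)
    File.write(File.join(root, 'project', 'project.json'), '{}')
    File.symlink('/etc/hostname', File.join(uploads, 'visible'))
    File.symlink('/etc/hostname', File.join(uploads, '.hidden'))
    root
  end

  # Runs the comparison in a throwaway directory and returns the findings
  # as relative paths so callers (and tests) can inspect them.
  def self.demo
    Dir.mktmpdir('export-') do |dir|
      build_sample(dir)
      rel = ->(p) { p.sub("#{dir}/", '') }
      naive   = symlinks_naive(dir).map(&rel)
      all     = symlinks_all(dir).map(&rel)
      removed = strip_symlinks!(dir).map(&rel)
      { naive: naive, all: all, removed: removed, remaining: symlinks_all(dir).size }
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  r = ExportSymlinkScan.demo
  puts "naive scan found:    #{r[:naive].inspect}"
  puts "complete scan found: #{r[:all].inspect}"
  puts "removed #{r[:removed].size}, remaining #{r[:remaining]}"
end
```
<p>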
Please see <a href="https://gitlab.com/gitlab-org/gitlab-ce/issues/23822">the issue</a> for more details.</p> <p>This issue has been assigned <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9086">CVE-2016-9086</a>.</p> <h3 id="versions-affected">Versions affected</h3> <ul> <li>8.13.0 through 8.13.2</li> <li>8.12.0 through 8.12.7</li> <li>8.11.0 through 8.11.9</li> <li>8.10.0 through 8.10.12</li> <li>8.9.0 through 8.9.11</li> </ul> <p>We <strong>strongly recommend</strong> that all installations running a version mentioned above be upgraded as soon as possible. Please note that no patch is being provided for GitLab versions 8.9.x. Those running versions 8.9.0 through 8.9.11 who cannot upgrade to a newer version should use the workaround listed below.</p> <h3 id="workarounds">Workarounds</h3> <p>If you're unable to upgrade right away, you can secure your GitLab installation against this vulnerability using the workaround outlined below until you have time to upgrade.</p> <h4 id="disable-project-importexport-via-tape-archive">Disable Project Import/Export via Tape Archive</h4> <p>Log in to your GitLab installation using an administrator account and perform the following:</p> <ol> <li>Choose "Admin Area"</li> <li>Click "Settings"</li> <li>Under "Import Sources" disable the "GitLab export" option.</li> <li>Click Save</li> </ol> <h3 id="verifying-the-workaround">Verifying the workaround</h3> <ol> <li>In a browser window, log in as any user</li> <li>Click "Projects"</li> <li>Click "New Project"</li> <li>Enter a project name</li> <li>Verify that "GitLab export" does not appear as an import option</li> </ol> <h2 id="upgrade-barometer">Upgrade barometer</h2> <p>These versions do not include any new migrations, and should not require any downtime.</p> <p>Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. 
This behavior can be changed by adding a <a href="http://doc.gitlab.com/omnibus/update/README.html"><code>/etc/gitlab/skip-auto-migrations</code> file</a>.</p> <h2 id="updating">Updating</h2> <p>To update, check out our <a href="/update/">update page</a>.</p> <h2 id="enterprise-edition">Enterprise Edition</h2> <p>Interested in GitLab Enterprise Edition? Check out the <a href="/pricing/feature-comparison/">features exclusive to EE</a>.</p> <p>Access to GitLab Enterprise Edition is included with a <a href="/pricing/">subscription</a>. No time to upgrade GitLab yourself? Subscribers receive upgrade and installation services.</p> GitLab Major Security Update for CVE-2016-9086 https://about.gitlab.com/releases/2016/10/31/gitlab-major-security-update-for-cve-2016-9086/ 2016-10-31T00:00:00+00:00 2016-10-31T00:00:00+00:00 Brian Neel <p>On Wednesday November 2, 2016 at 4:59pm PDT (23:59 GMT), we will publish a major GitLab security update to address CVE-2016-9086. More details will be forthcoming on <a href="/blog/">our blog</a>, including which versions of GitLab are affected.</p> <p>We recommend that installations running affected versions upgrade immediately. Please forward this alert to the appropriate people at your organization and have them subscribe to <a href="/company/contact/#security-notices">Security Notices</a>.</p> GitLab Major Security Update for CVE-2016-4340 https://about.gitlab.com/releases/2016/04/28/gitlab-major-security-update-for-cve-2016-4340/ 2016-04-28T00:00:00+00:00 2016-04-28T00:00:00+00:00 Stan Hu <p>On Monday May 2, 2016 at 4:59pm PDT (23:59 GMT), we will publish a major GitLab security update to address CVE-2016-4340. 
More details will be forthcoming on <a href="/blog/">our blog</a>, including which versions of GitLab are affected.</p> <p>We recommend that installations running affected versions upgrade immediately. Please forward this alert to the appropriate people at your organization and have them subscribe to <a href="/company/contact/">Security Notices</a>.</p>