ArchLinux: 202105-4: gitlab: multiple issues
Summary
- CVE-2021-22206 (information disclosure)
An issue has been discovered in GitLab affecting all versions prior to
11.6. Pull mirror credentials were exposed and could allow other
maintainers to view the credentials in plain-text. The issue is fixed
in GitLab versions 13.11.2, 13.10.4 and 13.9.7.
- CVE-2021-22208 (access restriction bypass)
An issue has been discovered in GitLab affecting versions prior to
13.5. An improper permission check could allow the creation or update
timestamp of an issue to be changed. The issue is fixed in GitLab
versions 13.11.2, 13.10.4 and 13.9.7.
- CVE-2021-22209 (insufficient validation)
An issue has been discovered in GitLab CE/EE affecting all versions
starting from 13.8. GitLab was not properly validating authorisation
tokens, which resulted in GraphQL mutations being executed. The issue is
fixed in GitLab versions 13.11.2, 13.10.4 and 13.9.7.
- CVE-2021-22210 (denial of service)
An issue has been discovered in GitLab CE/EE affecting all versions
starting from 13.2. When querying the repository branches through the
API, GitLab was ignoring a query parameter and returning a considerable
number of results. The issue is fixed in GitLab versions 13.11.2,
13.10.4 and 13.9.7.
- CVE-2021-22211 (access restriction bypass)
An issue has been discovered in GitLab CE/EE affecting all versions
starting from 13.7. The GitLab Dependency Proxy could, under certain
circumstances, impersonate a user, possibly resulting in incorrect
access handling. The issue is fixed in GitLab versions 13.11.2, 13.10.4
and 13.9.7.
Resolution
Upgrade to 13.10.4-1.
# pacman -Syu "gitlab>=13.10.4-1"
The problems have been fixed upstream in version 13.10.4.
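The three fixed releases named above (13.11.2, 13.10.4 and 13.9.7) are backports to separate release branches, so a plain "newer is safer" comparison gets it wrong: 13.10.3 is newer than 13.9.7 yet still affected. The following script is an added example, not part of the Arch Linux advisory or of GitLab's own tooling; it parses an installed version (including the Arch package form `13.10.4-1` printed by `pacman -Q gitlab`) and reports whether that version carries the fixes for all five CVEs. The fixed release numbers come from the advisory; the sample version strings in the main block are constructed for illustration.

```python
"""Check whether an installed GitLab version is covered by the fixes in
Arch advisory 202105-4 (fixed releases 13.11.2, 13.10.4 and 13.9.7).

Added example, not part of the advisory. Fixed release numbers are taken
from the advisory text; sample inputs below are constructed.
"""
import re

# One fixed release per supported branch, as listed in the advisory. The fix
# was backported, so a version is only safe if it is at or above the fixed
# patch level of its own major.minor branch.
FIXED_RELEASES = ("13.11.2", "13.10.4", "13.9.7")


def parse_version(text):
    """Turn '13.10.4' or the Arch package version '13.10.4-1' into a
    (major, minor, patch) tuple of ints. The '-N' pkgrel suffix, if any,
    is dropped (assumption: a plain integer pkgrel, as in this advisory)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-\d+)?", text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    return tuple(int(x) for x in m.groups())


def version_from_pacman_query(line):
    """Extract the version from a 'pacman -Q gitlab' output line such as
    'gitlab 13.10.4-1' (pacman prints '<name> <version>')."""
    name, _, ver = line.strip().partition(" ")
    if name != "gitlab" or not ver:
        raise ValueError(f"not a 'pacman -Q gitlab' line: {line!r}")
    return ver


def is_fixed(version_text, fixed_releases=FIXED_RELEASES):
    """Return True if the version contains the fix for every CVE in this
    advisory.

    Rule: if the version sits on a branch that received a backport, it is
    fixed only when its patch level is at least the fixed one. A branch newer
    than the newest fixed release was cut after the fix landed and is treated
    as fixed. A branch older than the oldest fixed release received no
    backport and is treated as affected.
    """
    major, minor, patch = parse_version(version_text)
    fixed = sorted(parse_version(v) for v in fixed_releases)
    for f_major, f_minor, f_patch in fixed:
        if (major, minor) == (f_major, f_minor):
            return patch >= f_patch
    newest_branch = fixed[-1][:2]
    return (major, minor) > newest_branch


def audit(versions):
    """Map each version string to 'fixed' or 'affected'."""
    return {v: ("fixed" if is_fixed(v) else "affected") for v in versions}


if __name__ == "__main__":
    # Constructed sample inputs; the first is the package version from the
    # Resolution section, given in the form 'pacman -Q gitlab' prints it.
    installed = version_from_pacman_query("gitlab 13.10.4-1")
    samples = [installed, "13.10.3", "13.11.2", "13.11.1",
               "13.9.7", "13.9.6", "13.8.9", "13.12.0"]
    for v, status in audit(samples).items():
        print(f"{v:>10}: {status}")
```

The branch-aware rule is the part worth keeping: an asset inventory that only compares against the highest fixed version (13.11.2) would mark 13.10.3 and 13.9.6 as affected correctly but would also mark the patched 13.10.4 and 13.9.7 as affected, and one that only checks "newer than 13.9.7" would wrongly clear 13.10.3.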
References
https://about.gitlab.com/releases/2021/04/28/security-release-gitlab-13-11-2-released/#pull-mirror-credentials-were-exposed
https://hackerone.com/users/sign_in
https://about.gitlab.com/releases/2021/04/28/security-release-gitlab-13-11-2-released/#non-owners-can-set-system_note_timestamp-when-creating--updating-issues
https://about.gitlab.com/releases/2021/04/28/security-release-gitlab-13-11-2-released/#read-api-scoped-tokens-can-execute-mutations
https://about.gitlab.com/releases/2021/04/28/security-release-gitlab-13-11-2-released/#denial-of-service-when-querying-repository-branches-api
https://about.gitlab.com/releases/2021/04/28/security-release-gitlab-13-11-2-released/#deploytoken-will-impersonate-a-user-with-the-same-id-when-using-dependency-proxy
https://security.archlinux.org/CVE-2021-22206
https://security.archlinux.org/CVE-2021-22208
https://security.archlinux.org/CVE-2021-22209
https://security.archlinux.org/CVE-2021-22210
https://security.archlinux.org/CVE-2021-22211
Workaround
None.