Arch Linux Security Advisory ASA-202105-4
========================================
Severity: High
Date    : 2021-05-19
CVE-ID  : CVE-2021-22206 CVE-2021-22208 CVE-2021-22209 CVE-2021-22210
          CVE-2021-22211
Package : gitlab
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-1888

Summary
======
The package gitlab before version 13.10.4-1 is vulnerable to multiple
issues including insufficient validation, access restriction bypass,
denial of service and information disclosure.

Resolution
=========
Upgrade to 13.10.4-1.

# pacman -Syu "gitlab>=13.10.4-1"

The problems have been fixed upstream in version 13.10.4.

Workaround
=========
None.

Description
==========
- CVE-2021-22206 (information disclosure)

An issue has been discovered in GitLab affecting all versions prior to
11.6. Pull mirror credentials were exposed and could allow other
maintainers to view the credentials in plain-text. The issue is fixed
in GitLab versions 13.11.2, 13.10.4 and 13.9.7.

- CVE-2021-22208 (access restriction bypass)

An issue has been discovered in GitLab affecting versions prior to
13.5. Improper permission check could allow the change of timestamp for
issue creation or update. The issue is fixed in GitLab versions
13.11.2, 13.10.4 and 13.9.7.

- CVE-2021-22209 (insufficient validation)

An issue has been discovered in GitLab CE/EE affecting all versions
starting from 13.8. GitLab was not properly validating authorisation
tokens which resulted in GraphQL mutation being executed. The issue is
fixed in GitLab versions 13.11.2, 13.10.4 and 13.9.7.

- CVE-2021-22210 (denial of service)

An issue has been discovered in GitLab CE/EE affecting all versions
starting from 13.2. When querying the repository branches through API,
GitLab was ignoring a query parameter and returning a considerable
amount of results. The issue is fixed in GitLab versions 13.11.2,
13.10.4 and 13.9.7.

- CVE-2021-22211 (access restriction bypass)

An issue has been discovered in GitLab CE/EE affecting all versions
starting from 13.7. GitLab Dependency Proxy, under certain
circumstances, can impersonate a user resulting in possibly incorrect
access handling. The issue is fixed in GitLab versions 13.11.2, 13.10.4
and 13.9.7.

Impact
=====
A remote attacker could obtain sensitive pull mirror credentials,
manipulate issue creation timestamps, execute GraphQL mutations, cause
denial of service by generating large API query responses, or
impersonate other users.

References
=========
https://about.gitlab.com/releases/2021/04/28/security-release-gitlab-13-11-2-released/#pull-mirror-credentials-were-exposed
https://hackerone.com/users/sign_in
https://about.gitlab.com/releases/2021/04/28/security-release-gitlab-13-11-2-released/#non-owners-can-set-system_note_timestamp-when-creating--updating-issues
https://about.gitlab.com/releases/2021/04/28/security-release-gitlab-13-11-2-released/#read-api-scoped-tokens-can-execute-mutations
https://about.gitlab.com/releases/2021/04/28/security-release-gitlab-13-11-2-released/#denial-of-service-when-querying-repository-branches-api
https://about.gitlab.com/releases/2021/04/28/security-release-gitlab-13-11-2-released/#deploytoken-will-impersonate-a-user-with-the-same-id-when-using-dependency-proxy
https://security.archlinux.org/CVE-2021-22206
https://security.archlinux.org/CVE-2021-22208
https://security.archlinux.org/CVE-2021-22209
https://security.archlinux.org/CVE-2021-22210
https://security.archlinux.org/CVE-2021-22211

ArchLinux: 202105-4: gitlab: multiple issues

May 20, 2021

Summary

- CVE-2021-22206 (information disclosure) An issue has been discovered in GitLab affecting all versions prior to 11.6. Pull mirror credentials were exposed and could allow other maintainers to view the credentials in plain-text. The issue is fixed in GitLab versions 13.11.2, 13.10.4 and 13.9.7.
- CVE-2021-22208 (access restriction bypass)
An issue has been discovered in GitLab affecting versions prior to 13.5. Improper permission check could allow the change of timestamp for issue creation or update. The issue is fixed in GitLab versions 13.11.2, 13.10.4 and 13.9.7.
- CVE-2021-22209 (insufficient validation)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.8. GitLab was not properly validating authorisation tokens which resulted in GraphQL mutation being executed. The issue is fixed in GitLab versions 13.11.2, 13.10.4 and 13.9.7.
- CVE-2021-22210 (denial of service)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.2. When querying the repository branches through API, GitLab was ignoring a query parameter and returning a considerable amount of results. The issue is fixed in GitLab versions 13.11.2, 13.10.4 and 13.9.7.
- CVE-2021-22211 (access restriction bypass)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.7. GitLab Dependency Proxy, under certain circumstances, can impersonate a user resulting in possibly incorrect access handling. The issue is fixed in GitLab versions 13.11.2, 13.10.4 and 13.9.7.

Resolution

Upgrade to 13.10.4-1. # pacman -Syu "gitlab>=13.10.4-1"
The problems have been fixed upstream in version 13.10.4.

References

https://about.gitlab.com/releases/2021/04/28/security-release-gitlab-13-11-2-released/#pull-mirror-credentials-were-exposed https://hackerone.com/users/sign_in https://about.gitlab.com/releases/2021/04/28/security-release-gitlab-13-11-2-released/#non-owners-can-set-system_note_timestamp-when-creating--updating-issues https://about.gitlab.com/releases/2021/04/28/security-release-gitlab-13-11-2-released/#read-api-scoped-tokens-can-execute-mutations https://about.gitlab.com/releases/2021/04/28/security-release-gitlab-13-11-2-released/#denial-of-service-when-querying-repository-branches-api https://about.gitlab.com/releases/2021/04/28/security-release-gitlab-13-11-2-released/#deploytoken-will-impersonate-a-user-with-the-same-id-when-using-dependency-proxy https://security.archlinux.org/CVE-2021-22206 https://security.archlinux.org/CVE-2021-22208 https://security.archlinux.org/CVE-2021-22209 https://security.archlinux.org/CVE-2021-22210 https://security.archlinux.org/CVE-2021-22211

Severity
CVE-2021-22211
Package : gitlab
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-1888

Workaround

None.

Related News

24.Key Code Esm H320
2 - 3 min read
The Akira ransomware group has extorted approximately $42 million from over 250 victims since January 1, 2024. The group initially focused on
5.ShakingHands Esm H320
2 - 3 min read
At The Linux Foundation's Open Source Summit North America , Linus Torvalds, the creator of Linux, discussed various topics related to Linux
30.Lock Globe Motherboard Esm H320
1 - 2 min read
The SPDX 3.0 release marks a significant milestone in software management, particularly for Linux admins, infosec professionals, internet security
11.Locks IsometricPattern Esm H320
2 - 3 min read
Open Source maintainers and developers have been warned about the continued wave of attacks aimed at project maintainers similar to those recently
28.Lock Globe Esm H320
1 - 2 min read
A resurgence of cyberattacks targeting Linux systems in Asian campaigns through the utilization of the Pupy Remote Access Trojan (RAT) has been
27.Tablet Connections Blocks Lock Esm H320
2 - 4 min read
Canonical has recently announced the Beta release of Ubuntu Linux 24.04 LTS , codenamed "Noble Numbat." This release aims to continue Ubuntu's
21.Globe RadiatingCode Esm H320
2 - 3 min read
The open-source movement has come a long way, from its origins in the 1960s and 1970s to becoming an integral part of organizations worldwide.
13.Lock StylizedMotherboard Esm H320
2 - 3 min read
The Rust-based Edera project demonstrates a unique approach to container security that addresses cloud-native computing challenges. Let's examine
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved