Arch Linux Security Advisory ASA-202106-21
==========================================

Severity: High
Date    : 2021-06-09
CVE-ID  : CVE-2021-22181 CVE-2021-22213 CVE-2021-22214 CVE-2021-22216
          CVE-2021-22217 CVE-2021-22218 CVE-2021-22219 CVE-2021-22220
          CVE-2021-22221
Package : gitlab
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-2023

Summary
=======

The package gitlab before version 13.12.2-1 is vulnerable to multiple
issues including denial of service, information disclosure, access
restriction bypass, authentication bypass, cross-site scripting and
content spoofing.

Resolution
==========

Upgrade to 13.12.2-1.

# pacman -Syu "gitlab>=13.12.2-1"

The problems have been fixed upstream in version 13.12.2.

Workaround
==========

None.

Description
===========

- CVE-2021-22181 (denial of service)

A denial of service vulnerability in GitLab CE/EE affecting all
versions since 11.8 before 13.12.2 allows an attacker to create a
recursive pipeline relationship and exhaust resources.

- CVE-2021-22213 (information disclosure)

A cross-site leak vulnerability in the OAuth flow of all versions of
GitLab CE/EE since 7.10 before 13.12.2 allowed an attacker to leak an
OAuth access token by getting the victim to visit a malicious page with
Safari.

- CVE-2021-22214 (access restriction bypass)

When requests to the internal network for webhooks are enabled, a
server-side request forgery vulnerability in GitLab CE/EE affecting all
versions starting from 10.5 before 13.12.2 was possible to exploit for
an unauthenticated attacker even on a GitLab instance where
registration is limited.

- CVE-2021-22216 (denial of service)

A denial of service vulnerability in all versions of GitLab CE/EE
before 13.12.2 allows an attacker to cause uncontrolled resource
consumption with a very long issue or merge request description.

- CVE-2021-22217 (denial of service)

A denial of service vulnerability in all versions of GitLab CE/EE
before 13.12.2 allows an attacker to cause uncontrolled resource
consumption with a specially crafted issue or merge request.

- CVE-2021-22218 (content spoofing)

All versions of GitLab CE/EE starting with 12.8 before 13.12.2 were
affected by an issue in the handling of x509 certificates that could be
used to spoof author of signed commits.

- CVE-2021-22219 (information disclosure)

GitLab CE/EE since version 9.5 before 13.12.2 allows a high privilege
user to obtain sensitive information from log files because the
sensitive information was not correctly registered for log masking.

- CVE-2021-22220 (cross-site scripting)

An issue has been discovered in GitLab affecting all versions starting
with 13.10 before 13.12.2. GitLab was vulnerable to a stored cross-site
scripting (XSS) attack in the blob viewer of notebooks.

- CVE-2021-22221 (authentication bypass)

An issue has been discovered in GitLab affecting all versions starting
from 12.9.0 before 13.12.2. Insufficient expired password validation in
various operations allowed users to maintain limited access after their
password expired.

Impact
======

A remote attacker could disclose sensitive information, bypass
authentication, execute JavaScript code using cross-site scripting,
spoof content or crash the GitLab server.

References
==========

https://about.gitlab.com/releases/2021/06/01/security-release-gitlab-13-12-2-released/
https://gitlab.com/gitlab-org/gitlab/-/issues/300308
https://hackerone.com/reports/1089277
https://gitlab.com/gitlab-org/gitlab/-/issues/322926
https://hackerone.com/reports/1110131
https://gitlab.com/gitlab-org/gitlab/-/issues/329890
https://gitlab.com/gitlab-org/gitlab/-/issues/300709
https://hackerone.com/reports/1090049
https://gitlab.com/gitlab-org/gitlab/-/issues/297665
https://hackerone.com/reports/1077019
https://gitlab.com/gitlab-org/gitlab/-/issues/296995
https://gitlab.com/gitlab-org/gitlab/-/issues/294128
https://hackerone.com/reports/1060114
https://gitlab.com/gitlab-org/gitlab/-/issues/292006
https://security.archlinux.org/CVE-2021-22181
https://security.archlinux.org/CVE-2021-22213
https://security.archlinux.org/CVE-2021-22214
https://security.archlinux.org/CVE-2021-22216
https://security.archlinux.org/CVE-2021-22217
https://security.archlinux.org/CVE-2021-22218
https://security.archlinux.org/CVE-2021-22219
https://security.archlinux.org/CVE-2021-22220
https://security.archlinux.org/CVE-2021-22221