Arch Linux Security Advisory ASA-202107-18
=========================================
Severity: High
Date    : 2021-07-06
CVE-ID  : CVE-2021-22223 CVE-2021-22224 CVE-2021-22225 CVE-2021-22226
          CVE-2021-22227 CVE-2021-22228 CVE-2021-22229 CVE-2021-22230
          CVE-2021-22231 CVE-2021-22232 CVE-2021-31799
Package : gitlab
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-2125

Summary
======
The package gitlab before version 14.0.3-1 is vulnerable to multiple
issues including cross-site request forgery, access restriction bypass,
arbitrary code execution, arbitrary command execution, cross-site
scripting, information disclosure, content spoofing and denial of
service.

Resolution
=========
Upgrade to 14.0.3-1.

# pacman -Syu "gitlab>=14.0.3-1"

The problems have been fixed upstream in version 14.0.3.

Workaround
=========
None.

Description
==========
- CVE-2021-22223 (cross-site scripting)

Client-side code injection through a feature flag name in GitLab CE/EE
starting with 11.9 and before version 14.0.2 allows an attacker to use a
specially crafted feature flag name to issue PUT requests on behalf of
other users who click on a link.

- CVE-2021-22224 (cross-site request forgery)

A cross-site request forgery vulnerability in the GraphQL API in GitLab
since version 13.12 and before version 14.0.2 allowed an attacker to
call mutations as the victim.
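
As an added example, not GitLab's implementation (the advisory does not
show how the endpoint was fixed), the following Ruby models the check
that keeps a GraphQL mutation endpoint safe against this class of attack:
a request authenticated only by an ambient credential (the session
cookie the browser attaches automatically) may run a mutation only if it
also carries a CSRF token bound to that session, while a request that
authenticates with an explicit private token needs no CSRF token. The
Request struct, SITE_ORIGIN, the session table and every token value are
constructed for this example.

```ruby
require "securerandom"

# Only the fields the CSRF decision needs; constructed for this example.
Request = Struct.new(:origin, :session_cookie, :csrf_token,
                     :private_token, :query, keyword_init: true)

SITE_ORIGIN = "https://gitlab.example"   # assumed origin of the instance
MUTATION = /\A\s*mutation\b/

# Returns :allow or :deny.
#   sessions   - session cookie value => CSRF token bound to that session
#   api_tokens - valid private tokens (explicit credentials)
def authorize_graphql(request, sessions:, api_tokens:)
  # Explicit credential: the caller had to know the token, so a third-party
  # page cannot make the browser send it. No CSRF token required.
  if request.private_token
    return api_tokens.include?(request.private_token) ? :allow : :deny
  end

  expected = sessions[request.session_cookie]
  return :deny unless expected                    # no valid session at all
  return :allow unless request.query.match?(MUTATION)   # read-only query

  # Ambient credential plus a state change: require proof the request was
  # built by our own pages, not by attacker.example.
  return :deny if request.origin && request.origin != SITE_ORIGIN
  return :deny unless request.csrf_token && secure_compare(expected, request.csrf_token)
  :allow
end

# Constant-time comparison so the token cannot be guessed byte by byte.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Four constructed requests against one victim session.
def demo
  session_id = SecureRandom.hex(16)
  csrf = SecureRandom.hex(32)
  sessions = { session_id => csrf }
  api_tokens = ["example-private-token"]          # constructed value
  mutation = 'mutation { updateUser(input: {name: "x"}) { errors } }'

  forged = Request.new(origin: "https://attacker.example",
                       session_cookie: session_id, query: mutation)
  wrong_token = Request.new(origin: SITE_ORIGIN, session_cookie: session_id,
                            csrf_token: "0" * 64, query: mutation)
  legit = Request.new(origin: SITE_ORIGIN, session_cookie: session_id,
                      csrf_token: csrf, query: mutation)
  api = Request.new(private_token: "example-private-token", query: mutation)

  {
    forged: authorize_graphql(forged, sessions: sessions, api_tokens: api_tokens),
    wrong_token: authorize_graphql(wrong_token, sessions: sessions, api_tokens: api_tokens),
    legit: authorize_graphql(legit, sessions: sessions, api_tokens: api_tokens),
    api: authorize_graphql(api, sessions: sessions, api_tokens: api_tokens),
  }
end

p demo if __FILE__ == $0
```

The forged request is exactly what a victim's browser sends when it
loads an attacker's page: the cookie goes along, the CSRF token does not,
so the mutation must be refused. Checking the Origin header is defence in
depth; the token check is what the endpoint cannot do without.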

- CVE-2021-22225 (cross-site scripting)

Insufficient input sanitization in markdown in GitLab starting with
version 13.11 and before version 14.0.2 allows an attacker to exploit a
stored cross-site scripting vulnerability via specially crafted
markdown.

- CVE-2021-22226 (access restriction bypass)

Under certain conditions, some users were able to push to protected
branches that were restricted to deploy keys in GitLab CE/EE since
version 13.9 and before version 14.0.2.

- CVE-2021-22227 (cross-site scripting)

A reflected cross-site scripting vulnerability in GitLab before version
14.0.2 allowed an attacker to send a malicious link to a victim and
trigger actions on their behalf if they clicked it.

- CVE-2021-22228 (information disclosure)

An issue has been discovered in GitLab affecting all versions before
14.0.2. Improper access control allows unauthorised users to access
project details through the GraphQL API.

- CVE-2021-22229 (information disclosure)

An issue has been discovered in GitLab CE/EE affecting all versions
starting with 12.8 and before 14.0.2. Under a special condition it was
possible to access data of an internal repository through a project
fork done by a project member.

- CVE-2021-22230 (arbitrary code execution)

Improper rendering of code in merge requests could be exploited to
submit malicious code. This vulnerability affects GitLab CE/EE 9.3 and
later, before 14.0.2.

- CVE-2021-22231 (denial of service)

A denial of service on the user's profile page exists in GitLab CE/EE
starting with 8.0 and before 14.0.2: by choosing a specially crafted
username, an attacker can make their own profile page inaccessible.

- CVE-2021-22232 (content spoofing)

HTML injection was possible via the full name field before version
14.0.2 in GitLab CE.

- CVE-2021-31799 (arbitrary command execution)

RDoc before version 6.3.1, as bundled with Ruby before versions 2.7.4
and 2.6.8 as well as GitLab before version 14.0.2, called Kernel#open
to open a local file. Kernel#open treats a name beginning with "|" as a
command to run, so if a Ruby project contains a file whose name starts
with "|" and ends with "tags", the command following the pipe character
is executed. A malicious Ruby project could exploit this to achieve
arbitrary command execution against a user who runs the rdoc command on
it.
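
As an added illustration, not code from RDoc, Ruby or GitLab, the
following Ruby reproduces the pattern behind this issue: a filter that
opens every file whose name ends in "tags" to check whether it carries a
ctags/etags header. The vulnerable variant uses Kernel#open, which
spawns a process when the name starts with "|"; the fixed variant uses
File.open, which only ever opens a file. The function names, the
temporary project directory and the file name "|touch marker #tags" are
constructed for this example; the command hidden in the name merely
creates a marker file so the script can tell whether it ran.

```ruby
require "tmpdir"
require "fileutils"

# Header that identifies a real ctags/etags file (first 100 bytes).
TAGS_HEADER = /\A(\f\n[^,]+,\d+$|!_TAG_)/

# Vulnerable pattern: Kernel#open("|cmd") runs cmd and returns its stdout.
# Whoever controls file names in a checked-out project controls cmd.
def tags_files_vulnerable(files)
  files.select do |file|
    file =~ /tags$/i &&
      open(file, "rb") { |io| io.read(100).to_s.match?(TAGS_HEADER) }
  end
end

# Fixed pattern: File.open never spawns a process; a name starting with
# "|" is just an odd file name.
def tags_files_fixed(files)
  files.select do |file|
    file =~ /tags$/i &&
      File.open(file, "rb") { |io| io.read(100).to_s.match?(TAGS_HEADER) }
  end
end

# Builds a throwaway project containing a maliciously named file
# (constructed for this example), runs both filters and reports whether
# the embedded command executed.
def demo
  Dir.mktmpdir("rdoc-demo") do |dir|
    Dir.chdir(dir) do
      evil = "|touch marker #tags"               # "tags" suffix passes the filter
      File.write(evil, "not a tags file\n")      # the file genuinely exists
      File.write("real_tags", "!_TAG_FILE_FORMAT\t2\n")
      files = [evil, "real_tags", "lib/foo.rb"]

      tags_files_vulnerable(files)
      vulnerable_ran = File.exist?("marker")     # "touch marker" was executed
      FileUtils.rm_f("marker")

      fixed_matches = tags_files_fixed(files)
      fixed_ran = File.exist?("marker")          # stays false

      { vulnerable_ran_command: vulnerable_ran,
        fixed_ran_command: fixed_ran,
        fixed_matches: fixed_matches }
    end
  end
end

p demo if __FILE__ == $0
```

The same trap applies to any Ruby code that passes an untrusted string
to Kernel#open, open-uri's URI.open or IO.read: use File.open or
File.read when a path is meant, and the "|" prefix loses its meaning.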

Impact
=====
A remote attacker could execute arbitrary code or commands, run script
in other users' browsers, perform actions as the victim, disclose
sensitive information, bypass access restrictions, spoof content or
render a profile page inaccessible.

References
=========
https://about.gitlab.com/releases/2021/07/01/security-release-gitlab-14-0-2-released/
https://gitlab.com/gitlab-org/gitlab/-/issues/293946
https://hackerone.com/users/sign_in
https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22223.json
https://gitlab.com/gitlab-org/gitlab/-/issues/324397
https://hackerone.com/reports/1122408
https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22224.json
https://gitlab.com/gitlab-org/gitlab/-/issues/331051
https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22225.json
https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22226.json
https://gitlab.com/gitlab-org/gitlab/-/issues/212887
https://hackerone.com/users/sign_in
https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22227.json
https://gitlab.com/gitlab-org/gitlab/-/issues/332605
https://hackerone.com/reports/1192460
https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22228.json
https://gitlab.com/gitlab-org/gitlab/-/issues/332609
https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22229.json
https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22230.json
https://gitlab.com/gitlab-org/gitlab/-/issues/26295
https://hackerone.com/reports/475098
https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22231.json
https://gitlab.com/gitlab-org/gitlab/-/issues/300713
https://hackerone.com/users/sign_in
https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22232.json
https://www.ruby-lang.org/en/news/2021/05/02/os-command-injection-in-rdoc/
https://github.com/ruby/rdoc/commit/a7f5d6ab88632b3b482fe10611382ff73d14eed7
https://github.com/ruby/ruby/commit/483f303d02e768b69e476e0b9be4ab2f26389522
https://github.com/ruby/ruby/commit/fe3c49c9baeeab58304ede915b7edd18ecf360fc
https://security.archlinux.org/CVE-2021-22223
https://security.archlinux.org/CVE-2021-22224
https://security.archlinux.org/CVE-2021-22225
https://security.archlinux.org/CVE-2021-22226
https://security.archlinux.org/CVE-2021-22227
https://security.archlinux.org/CVE-2021-22228
https://security.archlinux.org/CVE-2021-22229
https://security.archlinux.org/CVE-2021-22230
https://security.archlinux.org/CVE-2021-22231
https://security.archlinux.org/CVE-2021-22232
https://security.archlinux.org/CVE-2021-31799
