ArchLinux: 202112-10: gitlab: multiple issues

Advisories

Arch Linux Security Advisory ASA-202112-10
==========================================

Severity: High
Date    : 2021-12-11
CVE-ID  : CVE-2021-39910 CVE-2021-39915 CVE-2021-39917 CVE-2021-39919
          CVE-2021-39931 CVE-2021-39932 CVE-2021-39933 CVE-2021-39934
          CVE-2021-39935 CVE-2021-39936 CVE-2021-39937 CVE-2021-39938
          CVE-2021-39940 CVE-2021-39941 CVE-2021-39944 CVE-2021-39945
Package : gitlab
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-2603

Summary
=======

The package gitlab before version 14.5.2-1 is vulnerable to multiple
issues including privilege escalation, access restriction bypass,
denial of service, information disclosure and content spoofing.

Resolution
==========

Upgrade to 14.5.2-1.

# pacman -Syu "gitlab>=14.5.2-1"

The problems have been fixed upstream in version 14.5.2.

Workaround
==========

None.

Description
===========

- CVE-2021-39910 (content spoofing)

An issue has been discovered in GitLab before version 14.5.2. GitLab
was vulnerable to HTML Injection through the Swagger UI feature.

- CVE-2021-39915 (information disclosure)

Improper access control in the GraphQL API in GitLab before version
14.5.2 allows an attacker to see the names of project access tokens on
arbitrary projects.

- CVE-2021-39917 (denial of service)

An issue has been discovered in GitLab before version 14.5.2. A regular
expression related to quick actions features was susceptible to
catastrophic backtracking that could cause a denial of service attack.

- CVE-2021-39919 (information disclosure)

In all versions of GitLab before version 14.5.2, the reset password
token and new user email token are accidentally logged which may lead
to information disclosure.

- CVE-2021-39931 (access restriction bypass)

An issue has been discovered in GitLab before version 14.5.2. Under
specific condition an unauthorised project member was allowed to delete
a protected branches due to a business logic error.

- CVE-2021-39932 (denial of service)

An issue has been discovered in GitLab before version 14.5.2. Using
large payloads, the diff feature could be used to trigger high load
time for users reviewing code changes.

- CVE-2021-39933 (denial of service)

An issue has been discovered in GitLab before version 14.5.2. A regular
expression used for handling user input (notes, comments, etc) was
susceptible to catastrophic backtracking that could cause a denial of
service attack.

- CVE-2021-39934 (information disclosure)

Improper access control allows any project member to retrieve the
service desk email address in GitLab before version 14.5.2.

- CVE-2021-39935 (access restriction bypass)

An issue has been discovered in GitLab before version 14.5.2.
Unauthorized external users could perform Server Side Requests via the
CI Lint API.

- CVE-2021-39936 (access restriction bypass)

Improper access control in GitLab before version 14.5.2 allows an
attacker in possession of a deploy token to access a project's disabled
wiki.

- CVE-2021-39937 (privilege escalation)

A collision in access memoization logic in all versions of GitLab
before version 14.5.2 leads to potential elevated privileges in groups
and projects under rare circumstances.

- CVE-2021-39938 (denial of service)

A vulnerable regular expression pattern in GitLab before version 14.5.2
allows an attacker to cause uncontrolled resource consumption leading
to Denial of Service via specially crafted deploy Slash commands.

- CVE-2021-39940 (denial of service)

An issue has been discovered in GitLab before version 14.5.2. GitLab
Maven Package registry is vulnerable to a regular expression denial of
service when a specifically crafted string is sent.

- CVE-2021-39941 (information disclosure)

An information disclosure vulnerability in GitLab before version 14.5.2
allowed non-project members to see the default branch name for projects
that restrict access to the repository to project members.

- CVE-2021-39944 (privilege escalation)

An issue has been discovered in GitLab before version 14.5.2. A
permissions validation flaw allowed group members with a developer role
to elevate their privilege to a maintainer on projects they import.

- CVE-2021-39945 (access restriction bypass)

Improper access control in the GitLab API affecting all versions before
version 14.5.2 allows an author of a Merge Request to approve the Merge
Request even after having their project access revoked.

Impact
======

A remote attacker could elevate their privileges, bypass access
restrictions, disclose sensitive information, spoof content or cause
high resource consumption leading to denial of service.

References
==========

https://about.gitlab.com/releases/2021/12/06/security-release-gitlab-14-5-2-released/
https://security.archlinux.org/CVE-2021-39910
https://security.archlinux.org/CVE-2021-39915
https://security.archlinux.org/CVE-2021-39917
https://security.archlinux.org/CVE-2021-39919
https://security.archlinux.org/CVE-2021-39931
https://security.archlinux.org/CVE-2021-39932
https://security.archlinux.org/CVE-2021-39933
https://security.archlinux.org/CVE-2021-39934
https://security.archlinux.org/CVE-2021-39935
https://security.archlinux.org/CVE-2021-39936
https://security.archlinux.org/CVE-2021-39937
https://security.archlinux.org/CVE-2021-39938
https://security.archlinux.org/CVE-2021-39940
https://security.archlinux.org/CVE-2021-39941
https://security.archlinux.org/CVE-2021-39944
https://security.archlinux.org/CVE-2021-39945

ArchLinux: 202112-10: gitlab: multiple issues

December 12, 2021
The package gitlab before version 14.5.2-1 is vulnerable to multiple issues including privilege escalation, access restriction bypass, denial of service, information disclosure and...

Summary

- CVE-2021-39910 (content spoofing)
An issue has been discovered in GitLab before version 14.5.2. GitLab was vulnerable to HTML Injection through the Swagger UI feature.
- CVE-2021-39915 (information disclosure)
Improper access control in the GraphQL API in GitLab before version 14.5.2 allows an attacker to see the names of project access tokens on arbitrary projects.
- CVE-2021-39917 (denial of service)
An issue has been discovered in GitLab before version 14.5.2. A regular expression related to quick actions features was susceptible to catastrophic backtracking that could cause a denial of service attack.
- CVE-2021-39919 (information disclosure)
In all versions of GitLab before version 14.5.2, the reset password token and new user email token are accidentally logged which may lead to information disclosure.
- CVE-2021-39931 (access restriction bypass)
An issue has been discovered in GitLab before version 14.5.2. Under specific condition an unauthorised project member was allowed to delete a protected branches due to a business logic error.
- CVE-2021-39932 (denial of service)
An issue has been discovered in GitLab before version 14.5.2. Using large payloads, the diff feature could be used to trigger high load time for users reviewing code changes.
- CVE-2021-39933 (denial of service)
An issue has been discovered in GitLab before version 14.5.2. A regular expression used for handling user input (notes, comments, etc) was susceptible to catastrophic backtracking that could cause a denial of service attack.
- CVE-2021-39934 (information disclosure)
Improper access control allows any project member to retrieve the service desk email address in GitLab before version 14.5.2.
- CVE-2021-39935 (access restriction bypass)
An issue has been discovered in GitLab before version 14.5.2. Unauthorized external users could perform Server Side Requests via the CI Lint API.
- CVE-2021-39936 (access restriction bypass)
Improper access control in GitLab before version 14.5.2 allows an attacker in possession of a deploy token to access a project's disabled wiki.
- CVE-2021-39937 (privilege escalation)
A collision in access memoization logic in all versions of GitLab before version 14.5.2 leads to potential elevated privileges in groups and projects under rare circumstances.
- CVE-2021-39938 (denial of service)
A vulnerable regular expression pattern in GitLab before version 14.5.2 allows an attacker to cause uncontrolled resource consumption leading to Denial of Service via specially crafted deploy Slash commands.
- CVE-2021-39940 (denial of service)
An issue has been discovered in GitLab before version 14.5.2. GitLab Maven Package registry is vulnerable to a regular expression denial of service when a specifically crafted string is sent.
- CVE-2021-39941 (information disclosure)
An information disclosure vulnerability in GitLab before version 14.5.2 allowed non-project members to see the default branch name for projects that restrict access to the repository to project members.
- CVE-2021-39944 (privilege escalation)
An issue has been discovered in GitLab before version 14.5.2. A permissions validation flaw allowed group members with a developer role to elevate their privilege to a maintainer on projects they import.
- CVE-2021-39945 (access restriction bypass)
Improper access control in the GitLab API affecting all versions before version 14.5.2 allows an author of a Merge Request to approve the Merge Request even after having their project access revoked.

Resolution

Upgrade to 14.5.2-1.
# pacman -Syu "gitlab>=14.5.2-1"
The problems have been fixed upstream in version 14.5.2.

References

https://about.gitlab.com/releases/2021/12/06/security-release-gitlab-14-5-2-released/ https://security.archlinux.org/CVE-2021-39910 https://security.archlinux.org/CVE-2021-39915 https://security.archlinux.org/CVE-2021-39917 https://security.archlinux.org/CVE-2021-39919 https://security.archlinux.org/CVE-2021-39931 https://security.archlinux.org/CVE-2021-39932 https://security.archlinux.org/CVE-2021-39933 https://security.archlinux.org/CVE-2021-39934 https://security.archlinux.org/CVE-2021-39935 https://security.archlinux.org/CVE-2021-39936 https://security.archlinux.org/CVE-2021-39937 https://security.archlinux.org/CVE-2021-39938 https://security.archlinux.org/CVE-2021-39940 https://security.archlinux.org/CVE-2021-39941 https://security.archlinux.org/CVE-2021-39944 https://security.archlinux.org/CVE-2021-39945

Severity
CVE-ID : CVE-2021-39910 CVE-2021-39915 CVE-2021-39917 CVE-2021-39919
CVE-2021-39931 CVE-2021-39932 CVE-2021-39933 CVE-2021-39934
CVE-2021-39935 CVE-2021-39936 CVE-2021-39937 CVE-2021-39938
CVE-2021-39940 CVE-2021-39941 CVE-2021-39944 CVE-2021-39945
Package : gitlab
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-2603

Impact

A remote attacker could elevate their privileges, bypass access restrictions, disclose sensitive information, spoof content or cause high resource consumption leading to denial of service.

Workaround

None.

Related News

© 2022 Guardian Digital, Inc All Rights Reserved

We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.