Multiple Vulnerabilities in GitLab

Release Date: 17-01-2022 15:42:00

Multiple Vulnerabilities in GitLab

History:

17/01/2022 --- v1.0 -- Initial publication

Summary

On January 11th, GitLab released significant security updates to address multiple vulnerabilities, including an arbitrary file read issue rated as ‘critical’ and two high-impact vulnerabilities, among others. The update tackles a vulnerability involving cross-site scripting (XSS) in Notes, along with a high-impact authentication-related flaw involving a lack of state parameter on GitHub import project OAuth.

Gitlab strongly encourages users to upgrade to 14.6.2, 14.5.3, or 14.4.5 for GitLab Community Edition (CE) and Enterprise Edition (EE), in order to safeguard their environments [1].

Technical Details

Critical Vulnerability

Arbitrary file read via group import feature (CVE ID has not been assigned yet).

An issue has been discovered in GitLab CE/EE affecting all versions starting with 14.5. Arbitrary file read was possible by importing a group due to incorrect file handling [2].

High Severity Vulnerabilities

CVE-2021-39946

Stored Cross-Site Scripting (XSS) in Notes. Improper neutralisation of user input in GitLab CE/EE versions 14.3 to 14.3.6, 14.4 to 14.4.4, and 14.5 to 14.5.2 allowed an attacker to exploit XSS by abusing the generation of the HTML code related to emojis [2].

CVE-2022-0154

Lack of state parameter on GitHub import project OAuth. An issue has been discovered in GitLab affecting all versions starting from 7.7 before 14.4.5, all versions starting from 14.5.0 before 14.5.3, and all versions starting from 14.6.0 before 14.6.2. GitLab was vulnerable to a Cross-Site Request Forgery attack that allows a malicious user to have their GitHub project imported on another GitLab user account [2].

Other Vulnerabilities

Additionally to the critical and high severity vulnerabilities mentioned above, Gitlab announced several others, most notably: