{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2022-004.pdf"
    },
    "title": "Multiple Vulnerabilities in GitLab",
    "serial_number": "2022-004",
    "publish_date": "17-01-2022 15:42:00",
    "description": "On January 11th, GitLab released significant security updates to address multiple vulnerabilities, including an arbitrary file read issue rated as \u2018critical\u2019 and two high-impact vulnerabilities, among others. The update tackles a vulnerability involving cross-site scripting (XSS) in Notes, along with a high-impact authentication-related flaw involving a lack of state parameter on GitHub import project OAuth.<br>GitLab strongly encourages users to upgrade to 14.6.2, 14.5.3, or 14.4.5 for GitLab Community Edition (CE) and Enterprise Edition (EE), in order to safeguard their environments.",
    "url_title": "2022-004",
    "content_markdown": "---\ntitle: 'Multiple Vulnerabilities in\u00a0GitLab'\nversion: '1.0'\nnumber: '2022-004'\ndate: 'January 17, 2022'\n---\n\n_History:_\n\n* _17/01/2022 --- v1.0 -- Initial publication_\n\n# Summary\n\nOn January 11th, GitLab released significant security updates to address multiple vulnerabilities, including an arbitrary file read issue rated as \u2018critical\u2019 and two high-impact vulnerabilities, among others. The update\u00a0tackles a vulnerability involving cross-site scripting (XSS) in Notes, along with a high-impact authentication-related flaw involving a lack of state parameter on GitHub import project OAuth.\n\nGitLab strongly encourages users to upgrade to 14.6.2, 14.5.3, or 14.4.5 for GitLab Community Edition (CE) and Enterprise Edition (EE), in order to safeguard their environments [1].\n\n# Technical Details\n\n**Critical Vulnerability**\n\n- Arbitrary file read via group import feature (no CVE ID had been assigned at the time of publication).\n\nAn issue has been discovered in GitLab CE/EE affecting all versions starting with 14.5. Arbitrary file read was possible by importing a group due to incorrect file handling [2].\n\n**High Severity Vulnerabilities**\n\n- **CVE-2021-39946**\n\nStored Cross-Site Scripting (XSS) in Notes. Improper neutralisation of user input in GitLab CE/EE versions 14.3 to 14.3.6, 14.4 to 14.4.4, and 14.5 to 14.5.2 allowed an attacker to exploit XSS by abusing the generation of the HTML code related to emojis [2].\n\n- **CVE-2022-0154**\n\nLack of state parameter on GitHub import project OAuth. An issue has been discovered in GitLab affecting all versions starting from 7.7 before 14.4.5, all versions starting from 14.5.0 before 14.5.3, and all versions starting from 14.6.0 before 14.6.2. GitLab was vulnerable to a Cross-Site Request Forgery attack that allowed a malicious user to have their GitHub project imported into another GitLab user's account [2].\n\n**Other Vulnerabilities**\n\nIn addition to the critical and high severity vulnerabilities mentioned above, GitLab announced several others, most notably:\n\n* CVE-2022-0152\n* CVE-2022-0151\n* CVE-2022-0172\n* CVE-2022-0090\n* CVE-2022-0125\n* CVE-2022-0124\n* CVE-2021-39942\n* CVE-2022-0093\n* CVE-2021-39927\n\n# Affected Products\n\n* GitLab Community Edition (CE) versions prior to 14.6.2, 14.5.3, and 14.4.5\n* GitLab Enterprise Edition (EE) versions prior to 14.6.2, 14.5.3, and 14.4.5\n\n# Recommendations\n\nCERT-EU recommends updating to the latest versions of GitLab Community Edition (CE) and Enterprise Edition (EE) **as soon as possible** [3, 4].\n\n# References\n\n[1] <https://portswigger.net/daily-swig/gitlab-shifts-left-to-patch-high-impact-vulnerabilities>\n\n[2] <https://about.gitlab.com/releases/2022/01/11/security-release-gitlab-14-6-2-released/>\n\n[3] <https://about.gitlab.com/update/>\n\n[4] <https://docs.gitlab.com/runner/install/linux-repository.html#updating-the-runner>\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>17/01/2022 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>On January 11th, GitLab released significant security updates to address multiple vulnerabilities, including an arbitrary file read issue rated as \u2018critical\u2019 and two high-impact vulnerabilities, among others. The update\u00a0tackles a vulnerability involving cross-site scripting (XSS) in Notes, along with a high-impact authentication-related flaw involving a lack of state parameter on GitHub import project OAuth.</p><p>GitLab strongly encourages users to upgrade to 14.6.2, 14.5.3, or 14.4.5 for GitLab Community Edition (CE) and Enterprise Edition (EE), in order to safeguard their environments [1].</p><h2 id=\"technical-details\">Technical Details</h2><p><strong>Critical Vulnerability</strong></p><ul><li>Arbitrary file read via group import feature (no CVE ID had been assigned at the time of publication).</li></ul><p>An issue has been discovered in GitLab CE/EE affecting all versions starting with 14.5. Arbitrary file read was possible by importing a group due to incorrect file handling [2].</p><p><strong>High Severity Vulnerabilities</strong></p><ul><li><strong>CVE-2021-39946</strong></li></ul><p>Stored Cross-Site Scripting (XSS) in Notes. Improper neutralisation of user input in GitLab CE/EE versions 14.3 to 14.3.6, 14.4 to 14.4.4, and 14.5 to 14.5.2 allowed an attacker to exploit XSS by abusing the generation of the HTML code related to emojis [2].</p><ul><li><strong>CVE-2022-0154</strong></li></ul><p>Lack of state parameter on GitHub import project OAuth. An issue has been discovered in GitLab affecting all versions starting from 7.7 before 14.4.5, all versions starting from 14.5.0 before 14.5.3, and all versions starting from 14.6.0 before 14.6.2. GitLab was vulnerable to a Cross-Site Request Forgery attack that allowed a malicious user to have their GitHub project imported into another GitLab user's account [2].</p><p><strong>Other Vulnerabilities</strong></p><p>In addition to the critical and high severity vulnerabilities mentioned above, GitLab announced several others, most notably:</p><ul><li>CVE-2022-0152</li><li>CVE-2022-0151</li><li>CVE-2022-0172</li><li>CVE-2022-0090</li><li>CVE-2022-0125</li><li>CVE-2022-0124</li><li>CVE-2021-39942</li><li>CVE-2022-0093</li><li>CVE-2021-39927</li></ul><h2 id=\"affected-products\">Affected Products</h2><ul><li>GitLab Community Edition (CE) versions prior to 14.6.2, 14.5.3, and 14.4.5</li><li>GitLab Enterprise Edition (EE) versions prior to 14.6.2, 14.5.3, and 14.4.5</li></ul><h2 id=\"recommendations\">Recommendations</h2><p>CERT-EU recommends updating to the latest versions of GitLab Community Edition (CE) and Enterprise Edition (EE) <strong>as soon as possible</strong> [3, 4].</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://portswigger.net/daily-swig/gitlab-shifts-left-to-patch-high-impact-vulnerabilities\">https://portswigger.net/daily-swig/gitlab-shifts-left-to-patch-high-impact-vulnerabilities</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://about.gitlab.com/releases/2022/01/11/security-release-gitlab-14-6-2-released/\">https://about.gitlab.com/releases/2022/01/11/security-release-gitlab-14-6-2-released/</a></p><p>[3] <a rel=\"noopener\" target=\"_blank\" href=\"https://about.gitlab.com/update/\">https://about.gitlab.com/update/</a></p><p>[4] <a rel=\"noopener\" target=\"_blank\" href=\"https://docs.gitlab.com/runner/install/linux-repository.html#updating-the-runner\">https://docs.gitlab.com/runner/install/linux-repository.html#updating-the-runner</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}
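The advisory's Technical Details describe CVE-2022-0154 as a cross-site request forgery caused by a missing OAuth `state` parameter on the GitHub import flow. The following is an added example, not GitLab's or CERT-EU's code: it models a generic OAuth 2.0 "link your GitHub account" flow against an in-memory stand-in for GitHub and writes the client callback two ways, once without `state` (the flaw class the advisory names) and once with a `state` value bound to the browser session. `FakeGitHub`, `Session`, the placeholder host and every function name are assumptions made for the illustration; the attack it simulates is the generic one (attacker obtains a code for their own account and has the victim's browser deliver it), not a reconstruction of the specific GitLab exploit.

```python
"""Why a missing OAuth ``state`` parameter turns a login-linking flow into CSRF.

Added example; not GitLab or CERT-EU code. FakeGitHub, Session, the
placeholder authorize URL and all function names are assumptions.
"""
import hmac
import secrets
from urllib.parse import parse_qs, urlparse

AUTHORIZE_URL = "https://github.example/login/oauth/authorize"  # placeholder host


class FakeGitHub:
    """Stand-in authorization server: issues one-time codes bound to the
    GitHub account that authorized them (client credential and redirect_uri
    checks are omitted; they do not help against this CSRF)."""

    def __init__(self):
        self._codes = {}

    def authorize(self, github_user):
        code = secrets.token_urlsafe(16)
        self._codes[code] = github_user
        return code

    def exchange(self, code):
        return self._codes.pop(code)


class Session(dict):
    """Server-side session for one browser (a cookie would key it)."""


# --- vulnerable client: no state -------------------------------------------

def vulnerable_start(session):
    # Nothing here ties the eventual callback to this particular session.
    return f"{AUTHORIZE_URL}?client_id=gitlab"


def vulnerable_callback(session, provider, params):
    """Flawed: any ``code`` delivered to the callback is exchanged and linked."""
    session["linked_github"] = provider.exchange(params["code"])
    return True


# --- hardened client: session-bound, single-use state ----------------------

def hardened_start(session):
    state = secrets.token_urlsafe(32)          # unguessable, one per flow
    session["oauth_state"] = state             # kept server-side only
    return f"{AUTHORIZE_URL}?client_id=gitlab&state={state}"


def hardened_callback(session, provider, params):
    """Exchange the code only if ``state`` matches what this session issued."""
    expected = session.pop("oauth_state", None)  # pop: single use
    supplied = params.get("state", "")
    if expected is None or not hmac.compare_digest(expected, supplied):
        return False                             # forged or replayed: reject
    session["linked_github"] = provider.exchange(params["code"])
    return True


def _state_from(url):
    values = parse_qs(urlparse(url).query).get("state")
    return values[0] if values else None


def run_csrf(start, callback):
    """Attacker authorizes *their* GitHub account, then gets the victim's
    browser to deliver the resulting code to the callback (hidden image,
    redirect, ...). Returns the GitHub identity that ends up linked in the
    victim's session, or None if the callback refused it."""
    provider = FakeGitHub()
    attacker, victim = Session(), Session()
    start(victim)                                # victim may have a flow open
    attacker_url = start(attacker)
    forged = {"code": provider.authorize("attacker-gh")}
    if _state_from(attacker_url):                # attacker only knows *their* state
        forged["state"] = _state_from(attacker_url)
    return victim.get("linked_github") if callback(victim, provider, forged) else None


def run_legit(start, callback):
    """Control case: the same user starts and finishes the flow."""
    provider = FakeGitHub()
    user = Session()
    url = start(user)
    params = {"code": provider.authorize("victim-gh")}
    if _state_from(url):
        params["state"] = _state_from(url)
    return user.get("linked_github") if callback(user, provider, params) else None


if __name__ == "__main__":
    print("no state   :", run_csrf(vulnerable_start, vulnerable_callback))
    print("with state :", run_csrf(hardened_start, hardened_callback))
```

With the vulnerable callback the victim's session ends up linked to `attacker-gh`, which is exactly the condition the advisory describes (the attacker's GitHub project lands in another user's account); with the session-bound `state` the forged callback is rejected while the legitimate flow still completes. Two details matter in the hardened version: the value is compared with `hmac.compare_digest` rather than `==`, and it is removed from the session on first use so a captured callback URL cannot be replayed.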
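The Affected Products and Recommendations sections give the fix as "versions prior to 14.6.2, 14.5.3, and 14.4.5", while the per-issue ranges in Technical Details differ (the file read starts at 14.5, the XSS ends at 14.5.2, the OAuth issue reaches back to 7.7). The script below is an added example, not CERT-EU or GitLab tooling: it transcribes those ranges and reports, for a given version string, which of the advisory's named items apply and the smallest patched build on that minor line. Two readings are assumptions and marked as such in the code: "14.3 to 14.3.6" is taken as inclusive of both ends, and the arbitrary file read is assumed to be fixed in the same 14.5.3 and 14.6.2 builds as the rest of the release. The optional `fetch_version` helper uses the real GitLab `GET /api/v4/version` endpoint with a `PRIVATE-TOKEN` header but is never called at import time, so the example runs offline on constructed sample versions.

```python
"""Triage a GitLab version against the ranges stated in CERT-EU SA 2022-004.

Added example; not CERT-EU or GitLab code. Ranges are transcribed from the
advisory text; the two interpretations flagged below are assumptions.
"""
import json
import urllib.request

# Half-open ranges [lower, upper): a version is affected if lower <= v < upper.
ISSUES = {
    "arbitrary file read via group import (no CVE at publication)": [
        ((14, 5, 0), (14, 5, 3)),
        ((14, 6, 0), (14, 6, 2)),     # assumption: fixed in 14.5.3 / 14.6.2
    ],
    "CVE-2021-39946 stored XSS in Notes": [
        ((14, 3, 0), (14, 3, 7)),     # assumption: "14.3 to 14.3.6" inclusive
        ((14, 4, 0), (14, 4, 5)),
        ((14, 5, 0), (14, 5, 3)),
    ],
    "CVE-2022-0154 missing OAuth state on GitHub import": [
        ((7, 7, 0), (14, 4, 5)),
        ((14, 5, 0), (14, 5, 3)),
        ((14, 6, 0), (14, 6, 2)),
    ],
}

# Patched builds named in the advisory, one per maintained minor line.
PATCHED = [(14, 4, 5), (14, 5, 3), (14, 6, 2)]


def parse_version(text):
    """'14.6.1-ee' / '14.6.1' -> (14, 6, 1); missing components count as 0."""
    core = text.strip().split("-")[0].split("+")[0]
    parts = [int(p) for p in core.split(".")]
    return tuple((parts + [0, 0, 0])[:3])


def affected_issues(version):
    """Names of advisory items whose stated ranges contain ``version``."""
    return [name for name, ranges in ISSUES.items()
            if any(lo <= version < hi for lo, hi in ranges)]


def minimum_patched_build(version):
    """Patched build on the same minor line, or the oldest patched build when
    the instance runs an older line. None when the version is at or past the
    fix (the advisory says nothing about later releases)."""
    for fixed in PATCHED:
        if fixed[:2] == version[:2]:
            return fixed if version < fixed else None
    return PATCHED[0] if version < PATCHED[0] else None


def triage(version_text):
    """One-shot report for a version string as GitLab reports it."""
    version = parse_version(version_text)
    target = minimum_patched_build(version)
    return {
        "version": ".".join(map(str, version)),
        "affected": affected_issues(version),
        "upgrade_to": ".".join(map(str, target)) if target else None,
    }


def fetch_version(base_url, private_token):
    """Read the running version from a real instance: GET /api/v4/version with
    a PRIVATE-TOKEN header. Not called at import time, so the example is offline."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/api/v4/version",
        headers={"PRIVATE-TOKEN": private_token},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["version"]


if __name__ == "__main__":
    # Constructed sample versions, not output from a real instance.
    for sample in ("14.6.1-ee", "14.5.2", "14.4.4", "13.12.15", "14.6.2"):
        print(json.dumps(triage(sample)))
```

The "upgrade_to" value is the minimum build that closes the advisory's items on that line; CERT-EU's recommendation is to move to the latest release, so treat the output as a floor rather than a target. For instances older than 14.4 the script reports 14.4.5, the oldest patched build the advisory names, since CVE-2022-0154 reaches back to 7.7.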