[ASA-201810-16] gitlab: multiple issues
Arch Linux Security Advisory ASA-201810-16
==========================================

Severity: Critical
Date    : 2018-10-31
CVE-ID  : CVE-2018-18640 CVE-2018-18641 CVE-2018-18643 CVE-2018-18645
          CVE-2018-18646 CVE-2018-18648 CVE-2018-18649
Package : gitlab
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-794

Summary
=======

The package gitlab before version 11.4.3-1 is vulnerable to multiple issues including arbitrary code execution, cross-site request forgery, cross-site scripting and information disclosure.

Resolution
==========

Upgrade to 11.4.3-1.

# pacman -Syu "gitlab>=11.4.3-1"

The problems have been fixed upstream in version 11.4.3.

Workaround
==========

None.

Description
===========

- CVE-2018-18640 (information disclosure)

A security issue has been found in gitlab versions prior to 11.4.3, where private project pages had inadequate cache control, which resulted in unauthorized users being able to view them in the browser.

- CVE-2018-18641 (information disclosure)

A security issue has been found in gitlab versions prior to 11.4.3, where personal access tokens were stored unencrypted as plain text in the database, which could result in attackers reading them via SQL injection or other database leaks.

- CVE-2018-18643 (cross-site scripting)

A security issue has been found in gitlab versions prior to 11.4.3, where the fragment identifier (hash) of several pages lacked input validation and output encoding, which resulted in a persistent XSS.

- CVE-2018-18645 (information disclosure)

A security issue has been found in gitlab versions prior to 11.4.3, where, when replying to an issue through email with the GitLab email footer included, a user's unsubscribe link would be included in the issue. This information is considered sensitive.

- CVE-2018-18646 (cross-site request forgery)

A security issue has been found in gitlab versions prior to 11.4.3, where the Hipchat integration was vulnerable to a SSRF issue which allowed an attacker to make requests to any local network resource accessible from the GitLab server.

- CVE-2018-18648 (information disclosure)

A security issue has been found in gitlab versions prior to 11.4.3, where a JSON endpoint was disclosing Gem version information, which could result in an attacker discovering vulnerable Gems available on a specific GitLab instance.

- CVE-2018-18649 (arbitrary code execution)

A security issue has been found in gitlab versions prior to 11.4.3, where the wiki API contained an input validation issue which resulted in remote code execution.

Impact
======

A remote attacker is able to execute arbitrary code, disclose information, perform cross-site request forgery or cross-site scripting.

References
==========

https://about.gitlab.com/2018/10/29/security-release-gitlab-11-dot-4-dot-3-r...
https://gitlab.com/gitlab-org/gitlab-ce/commit/5e125b0f84ad768d7ff19905d0382...
https://gitlab.com/gitlab-org/gitlab-ce/commit/daed01a5ca348e7d267b50e325bf5...
https://gitlab.com/gitlab-org/gitlab-ce/commit/5342df04045e1c8a98fdb9fe8203a...
https://gitlab.com/gitlab-org/gitlab-ce/commit/82c12bd8bf9e0ea9e8df3bbcad91c...
https://gitlab.com/gitlab-org/gitlab-ce/commit/f17e36feab266a62b316bfe88d7d5...
https://gitlab.com/gitlab-org/gitlab-ce/commit/b9b68fe7d30778338625fb606457e...
https://gitlab.com/gitlab-org/gitlab-ce/commit/e05636e2794d975876958c3781b66...
https://security.archlinux.org/CVE-2018-18640
https://security.archlinux.org/CVE-2018-18641
https://security.archlinux.org/CVE-2018-18643
https://security.archlinux.org/CVE-2018-18645
https://security.archlinux.org/CVE-2018-18646
https://security.archlinux.org/CVE-2018-18648
https://security.archlinux.org/CVE-2018-18649
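The storage weakness described under CVE-2018-18641 (personal access tokens kept as plain text in the database) is easiest to understand next to its usual mitigation: persisting only a one-way digest of the token. The following Ruby example is added here for illustration and is not GitLab's code; the two store classes and the in-memory "rows" hash standing in for a database table are constructed for the example.

```ruby
require 'digest'
require 'securerandom'

# Vulnerable pattern (the situation the advisory describes): the raw token is
# the value held in the database row. Any read of that table, e.g. through
# SQL injection or a leaked backup, yields tokens that authenticate as-is.
class PlaintextTokenStore
  def initialize
    @rows = {}                      # constructed stand-in for a table: token => user
  end

  def issue(user)
    token = SecureRandom.hex(20)    # 160 bits of entropy, 40 hex characters
    @rows[token] = user
    token
  end

  def authenticate(token)
    @rows[token]                    # the secret itself is the lookup key
  end

  def leak
    @rows.keys                      # what an attacker reading the table obtains
  end
end

# Hardened pattern: persist only SHA-256(token). The token is returned to the
# user once; afterwards the server verifies it by recomputing the digest and
# looking that up. A leaked table yields digests that do not authenticate and,
# because the token carries ~160 bits of entropy, cannot be brute-forced back
# to the original token. No per-token salt is needed for that reason, and
# keeping the digest deterministic is what makes an indexed lookup possible.
class HashedTokenStore
  def initialize
    @rows = {}                      # constructed stand-in for a table: token_digest => user
  end

  def issue(user)
    token = SecureRandom.hex(20)
    @rows[digest_of(token)] = user  # only the digest is persisted
    token                           # shown to the caller, never stored
  end

  def authenticate(token)
    # A real implementation queries WHERE token_digest = ?. The equality test
    # runs on the non-secret digest, so timing of that comparison reveals
    # nothing useful about the token itself.
    @rows[digest_of(token)]
  end

  def leak
    @rows.keys                      # digests only: useless without the tokens
  end

  private

  def digest_of(token)
    Digest::SHA256.hexdigest(token)
  end
end

if __FILE__ == $PROGRAM_NAME
  plain  = PlaintextTokenStore.new
  hashed = HashedTokenStore.new
  plain.issue('alice')
  hashed.issue('alice')
  puts "plaintext store, leaked row authenticates: #{!plain.authenticate(plain.leak.first).nil?}"
  puts "hashed store, leaked row authenticates:    #{!hashed.authenticate(hashed.leak.first).nil?}"
end
```

Running the file prints `true` for the plaintext store and `false` for the hashed one: the same database leak hands out working credentials in the first case and inert digests in the second, which is the property a fix for this class of issue has to deliver.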
Participants (1): Jelle van der Waa