[ASA-202101-10] gitlab: multiple issues
Arch Linux Security Advisory ASA-202101-10 ========================================== Severity: High Date : 2021-01-12 CVE-ID : CVE-2020-26414 CVE-2021-22166 CVE-2021-22167 CVE-2021-22168 CVE-2021-22171 Package : gitlab Type : multiple issues Remote : Yes Link : https://security.archlinux.org/AVG-1416 Summary ======= The package gitlab before version 13.7.2-1 is vulnerable to multiple issues including authentication bypass, denial of service and information disclosure. Resolution ========== Upgrade to 13.7.2-1. # pacman -Syu "gitlab>=13.7.2-1" The problems have been fixed upstream in version 13.7.2. Workaround ========== None. Description =========== - CVE-2020-26414 (denial of service) An issue has been discovered in GitLab affecting all versions starting from 12.4. The regex used for package names is written in a way that makes execution time have quadratic growth based on the length of the malicious input string. The issue is mitigated in GitLab version 13.7.2, 13.6.4, and 13.5.6. - CVE-2021-22166 (denial of service) An attacker could cause a Prometheus denial of service in GitLab 13.7+ by sending an HTTP request with a malformed method. The issue is mitigated in GitLab version 13.7.2. - CVE-2021-22167 (information disclosure) An issue has been discovered in GitLab affecting all versions starting from 12.1. Incorrect headers within a specific project page allow attackers to have temporary read access to a public repository with project features restricted only to members. The issue is mitigated in GitLab version 13.7.2, 13.6.4, and 13.5.6. - CVE-2021-22168 (denial of service) A regular expression denial of service issue has been discovered in the NuGet API affecting all versions of GitLab starting from version 12.8. The issue is mitigated in GitLab version 13.7.2, 13.6.4, and 13.5.6. - CVE-2021-22171 (authentication bypass) Insufficient validation of authentication parameters in GitLab Pages for GitLab 11.5+ would allow stealing a user's API access token. The issue is mitigated in GitLab version 13.7.2, 13.6.4, and 13.5.6. Note: A way to bypass the fix released in GitLab version 13.7.2, 13.6.4, and 13.5.6 has been found and was subsequently fixed in version 13.7.4, 13.6.5, and 13.5.7. Impact ====== A malicious authenticated user might crash the application through a malformed HTTP request or project name, bypass authentication or disclose private information. References ========== https://about.gitlab.com/releases/2021/01/07/security-release-gitlab-13-7-2-... https://about.gitlab.com/releases/2021/01/07/security-release-gitlab-13-7-2-... https://about.gitlab.com/releases/2021/01/07/security-release-gitlab-13-7-2-... https://about.gitlab.com/releases/2021/01/07/security-release-gitlab-13-7-2-... https://about.gitlab.com/releases/2021/01/07/security-release-gitlab-13-7-2-... https://about.gitlab.com/releases/2021/01/07/security-release-gitlab-13-7-2-... https://gitlab.com/gitlab-org/gitlab-foss/-/commit/fa70ce1068babe592d348497c... https://gitlab.com/gitlab-org/gitlab-foss/-/commit/e861919633e0aac16509c0415... https://security.archlinux.org/CVE-2020-26414 https://security.archlinux.org/CVE-2021-22166 https://security.archlinux.org/CVE-2021-22167 https://security.archlinux.org/CVE-2021-22168 https://security.archlinux.org/CVE-2021-22171
participants (1)
-
Morten Linderud