[ASA-202112-10] gitlab: multiple issues

Jonas Witschel diabonas at archlinux.org
Sun Dec 12 21:11:39 UTC 2021


Arch Linux Security Advisory ASA-202112-10
==========================================

Severity: High
Date    : 2021-12-11
CVE-ID  : CVE-2021-39910 CVE-2021-39915 CVE-2021-39917 CVE-2021-39919
          CVE-2021-39931 CVE-2021-39932 CVE-2021-39933 CVE-2021-39934
          CVE-2021-39935 CVE-2021-39936 CVE-2021-39937 CVE-2021-39938
          CVE-2021-39940 CVE-2021-39941 CVE-2021-39944 CVE-2021-39945
Package : gitlab
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-2603

Summary
=======

The package gitlab before version 14.5.2-1 is vulnerable to multiple
issues including privilege escalation, access restriction bypass,
denial of service, information disclosure and content spoofing.

Resolution
==========

Upgrade to 14.5.2-1.

# pacman -Syu "gitlab>=14.5.2-1"

The problems have been fixed upstream in version 14.5.2.

Workaround
==========

None.

Description
===========

- CVE-2021-39910 (content spoofing)

An issue has been discovered in GitLab before version 14.5.2. GitLab
was vulnerable to HTML Injection through the Swagger UI feature.

- CVE-2021-39915 (information disclosure)

Improper access control in the GraphQL API in GitLab before version
14.5.2 allows an attacker to see the names of project access tokens on
arbitrary projects.

- CVE-2021-39917 (denial of service)

An issue has been discovered in GitLab before version 14.5.2. A regular
expression related to quick actions features was susceptible to
catastrophic backtracking that could cause a denial of service attack.

- CVE-2021-39919 (information disclosure)

In all versions of GitLab before version 14.5.2, the reset password
token and new user email token are accidentally logged which may lead
to information disclosure.

- CVE-2021-39931 (access restriction bypass)

An issue has been discovered in GitLab before version 14.5.2. Under
specific condition an unauthorised project member was allowed to delete
a protected branches due to a business logic error.

- CVE-2021-39932 (denial of service)

An issue has been discovered in GitLab before version 14.5.2. Using
large payloads, the diff feature could be used to trigger high load
time for users reviewing code changes.

- CVE-2021-39933 (denial of service)

An issue has been discovered in GitLab before version 14.5.2. A regular
expression used for handling user input (notes, comments, etc) was
susceptible to catastrophic backtracking that could cause a denial of
service attack.

- CVE-2021-39934 (information disclosure)

Improper access control allows any project member to retrieve the
service desk email address in GitLab before version 14.5.2.

- CVE-2021-39935 (access restriction bypass)

An issue has been discovered in GitLab before version 14.5.2.
Unauthorized external users could perform Server Side Requests via the
CI Lint API.

- CVE-2021-39936 (access restriction bypass)

Improper access control in GitLab before version 14.5.2 allows an
attacker in possession of a deploy token to access a project's disabled
wiki.

- CVE-2021-39937 (privilege escalation)

A collision in access memoization logic in all versions of GitLab
before version 14.5.2 leads to potential elevated privileges in groups
and projects under rare circumstances.

- CVE-2021-39938 (denial of service)

A vulnerable regular expression pattern in GitLab before version 14.5.2
allows an attacker to cause uncontrolled resource consumption leading
to Denial of Service via specially crafted deploy Slash commands.

- CVE-2021-39940 (denial of service)

An issue has been discovered in GitLab before version 14.5.2. GitLab
Maven Package registry is vulnerable to a regular expression denial of
service when a specifically crafted string is sent.

- CVE-2021-39941 (information disclosure)

An information disclosure vulnerability in GitLab before version 14.5.2
allowed non-project members to see the default branch name for projects
that restrict access to the repository to project members.

- CVE-2021-39944 (privilege escalation)

An issue has been discovered in GitLab before version 14.5.2. A
permissions validation flaw allowed group members with a developer role
to elevate their privilege to a maintainer on projects they import.

- CVE-2021-39945 (access restriction bypass)

Improper access control in the GitLab API affecting all versions before
version 14.5.2 allows an author of a Merge Request to approve the Merge
Request even after having their project access revoked.

Impact
======

A remote attacker could elevate their privileges, bypass access
restrictions, disclose sensitive information, spoof content or cause
high resource consumption leading to denial of service.

References
==========

https://about.gitlab.com/releases/2021/12/06/security-release-gitlab-14-5-2-released/
https://security.archlinux.org/CVE-2021-39910
https://security.archlinux.org/CVE-2021-39915
https://security.archlinux.org/CVE-2021-39917
https://security.archlinux.org/CVE-2021-39919
https://security.archlinux.org/CVE-2021-39931
https://security.archlinux.org/CVE-2021-39932
https://security.archlinux.org/CVE-2021-39933
https://security.archlinux.org/CVE-2021-39934
https://security.archlinux.org/CVE-2021-39935
https://security.archlinux.org/CVE-2021-39936
https://security.archlinux.org/CVE-2021-39937
https://security.archlinux.org/CVE-2021-39938
https://security.archlinux.org/CVE-2021-39940
https://security.archlinux.org/CVE-2021-39941
https://security.archlinux.org/CVE-2021-39944
https://security.archlinux.org/CVE-2021-39945
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20211212/417f01e0/attachment.sig>


More information about the arch-security mailing list