[ASA-202102-11] gitlab: information disclosure

Remi Gacogne rgacogne at archlinux.org
Fri Feb 12 07:05:43 UTC 2021


Arch Linux Security Advisory ASA-202102-11
==========================================

Severity: Medium
Date    : 2021-02-06
CVE-ID  : CVE-2021-22172
Package : gitlab
Type    : information disclosure
Remote  : Yes
Link    : https://security.archlinux.org/AVG-1521

Summary
=======

The package gitlab before version 13.8.2-1 is vulnerable to information
disclosure.

Resolution
==========

Upgrade to 13.8.2-1.

# pacman -Syu "gitlab>=13.8.2-1"

The problem has been fixed upstream in version 13.8.2.

Workaround
==========

None.

Description
===========

Improper authorization in GitLab 12.8+ allows a guest user in a private
project to view tag data that should be inaccessible on the releases
page. The issue is fixed in versions 13.8.2, 13.7.6 and 13.6.6.

Impact
======

A guest user can view tag data that should be inaccessible on the
releases page of a private project.

References
==========

https://about.gitlab.com/blog/2021/02/01/security-release-gitlab-13-8-2-released/
https://about.gitlab.com/blog/2021/02/01/security-release-gitlab-13-8-2-released/#guest-user-can-see-tag-names-in-private-projects
https://gitlab.com/gitlab-org/gitlab-foss/-/commit/41b1c0469dba622a1c2c67c17f1f5e491573accf
https://security.archlinux.org/CVE-2021-22172

-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 840 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20210212/f6d9cd30/attachment.sig>


More information about the arch-security mailing list