[ASA-202101-10] gitlab: multiple issues

Morten Linderud foxboron at archlinux.org
Fri Jan 15 21:08:17 UTC 2021


Arch Linux Security Advisory ASA-202101-10
==========================================

Severity: High
Date    : 2021-01-12
CVE-ID  : CVE-2020-26414 CVE-2021-22166 CVE-2021-22167 CVE-2021-22168
          CVE-2021-22171
Package : gitlab
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-1416

Summary
=======

The package gitlab before version 13.7.2-1 is vulnerable to multiple
issues including authentication bypass, denial of service and
information disclosure.

Resolution
==========

Upgrade to 13.7.2-1.

# pacman -Syu "gitlab>=13.7.2-1"

The problems have been fixed upstream in version 13.7.2.

Workaround
==========

None.

Description
===========

- CVE-2020-26414 (denial of service)

An issue has been discovered in GitLab affecting all versions starting
from 12.4. The regex used for package names is written in a way that
makes execution time have quadratic growth based on the length of the
malicious input string. The issue is mitigated in GitLab version
13.7.2, 13.6.4, and 13.5.6.

- CVE-2021-22166 (denial of service)

An attacker could cause a Prometheus denial of service in GitLab 13.7+
by sending an HTTP request with a malformed method. The issue is
mitigated in GitLab version 13.7.2.

- CVE-2021-22167 (information disclosure)

An issue has been discovered in GitLab affecting all versions starting
from 12.1. Incorrect headers on a specific project page allow attackers
temporary read access to a public repository whose project features are
restricted to members only. The issue is mitigated in GitLab version
13.7.2, 13.6.4, and 13.5.6.

- CVE-2021-22168 (denial of service)

A regular expression denial of service issue has been discovered in the
NuGet API affecting all versions of GitLab starting from version 12.8.
The issue is mitigated in GitLab version 13.7.2, 13.6.4, and 13.5.6.
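The two regular-expression denial-of-service entries above (CVE-2020-26414 and CVE-2021-22168) share one mechanism: a package name is attacker-controlled, and a regex with two adjacent quantifiers that can both consume the same characters forces the engine to retry every split point when the match finally fails, so run time grows quadratically with the name's length. The following Python example is added here to illustrate that mechanism; it is not GitLab code, and the two patterns in it are hypothetical stand-ins for the affected GitLab regexes, which this advisory does not reproduce. It measures how a worst-case name scales against an ambiguous pattern and against a rewrite that accepts exactly the same names but backtracks linearly.

```python
"""Added example (not GitLab code): quadratic backtracking on a
hypothetical package-name regex, and the non-overlapping rewrite."""
import re
import time

# Hypothetical rule: word characters, dots and dashes, and the name must
# end in a word character.  `[\w.-]*` and `\w+` both accept a run of word
# characters, so when the end-of-string check fails the engine retries
# every way of splitting that run between the two quantifiers: O(n^2).
AMBIGUOUS_NAME = re.compile(r"[\w.-]*\w+")

# Same language, no overlap: the trailing requirement is a single `\w`,
# so each backtracking step of the `*` costs O(1): O(n) overall.
LINEAR_NAME = re.compile(r"[\w.-]*\w")


def is_valid_name(name: str, pattern: re.Pattern = LINEAR_NAME) -> bool:
    """Anchored (full-string) validation of a package name."""
    return pattern.fullmatch(name) is not None


def malicious_name(n: int) -> str:
    """Constructed worst case: n word characters followed by one byte that
    neither quantifier accepts, so the match fails as late as possible."""
    return "a" * n + "!"


def time_match(pattern: re.Pattern, name: str) -> float:
    """Seconds spent deciding whether `name` fully matches `pattern`."""
    start = time.perf_counter()
    pattern.fullmatch(name)
    return time.perf_counter() - start


def growth_ratio(pattern: re.Pattern, n: int) -> float:
    """Run time at 2n divided by run time at n.
    Roughly 4 indicates quadratic growth, roughly 2 indicates linear."""
    t1 = time_match(pattern, malicious_name(n))
    t2 = time_match(pattern, malicious_name(2 * n))
    return t2 / t1 if t1 > 0 else float("inf")


def patterns_agree(samples) -> bool:
    """The rewrite is only a valid fix if it accepts and rejects exactly
    the same names as the original; check that on a sample set."""
    return all(
        is_valid_name(s, AMBIGUOUS_NAME) == is_valid_name(s, LINEAR_NAME)
        for s in samples
    )


if __name__ == "__main__":
    samples = ["foo", "foo.bar", "foo-bar1", "foo.", "-", "", "foo bar",
               ".hidden", malicious_name(50)]
    print("patterns agree on samples:", patterns_agree(samples))
    for label, pattern in (("ambiguous", AMBIGUOUS_NAME), ("linear", LINEAR_NAME)):
        print(f"{label:10s} 2n/n time ratio at n=4000: "
              f"{growth_ratio(pattern, 4000):.1f}")
```

Running the script shows the ambiguous pattern's time ratio near 4 when the input length doubles, while the rewrite stays near 2 (or below, when the timing is dominated by overhead). The same rewrite discipline applies to any regex run over request-controlled input: remove quantifiers that can overlap, and, as defence in depth, cap the input length before the regex ever sees it.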

- CVE-2021-22171 (authentication bypass)

Insufficient validation of authentication parameters in GitLab Pages
for GitLab 11.5+ would allow stealing a user's API access token. The
issue is mitigated in GitLab version 13.7.2, 13.6.4, and 13.5.6.

Note: A way to bypass the fix released in GitLab version 13.7.2,
13.6.4, and 13.5.6 has been found and was subsequently fixed in version
13.7.4, 13.6.5, and 13.5.7.

Impact
======

A malicious user might cause a denial of service through a malformed
HTTP request or a crafted package name, steal another user's API access
token through GitLab Pages, or gain read access to project information
that is restricted to members.

References
==========

https://about.gitlab.com/releases/2021/01/07/security-release-gitlab-13-7-2-released/
https://about.gitlab.com/releases/2021/01/07/security-release-gitlab-13-7-2-released/#regular-expression-denial-of-service-in-package-uploads
https://about.gitlab.com/releases/2021/01/07/security-release-gitlab-13-7-2-released/#prometheus-denial-of-service-via-http-request-with-custom-method
https://about.gitlab.com/releases/2021/01/07/security-release-gitlab-13-7-2-released/#unauthorized-user-is-able-to-access-private-repository-information-under-specific-conditions
https://about.gitlab.com/releases/2021/01/07/security-release-gitlab-13-7-2-released/#regular-expression-denial-of-service-in-nuget-api
https://about.gitlab.com/releases/2021/01/07/security-release-gitlab-13-7-2-released/#ability-to-steal-a-users-api-access-token-through-gitlab-pages
https://gitlab.com/gitlab-org/gitlab-foss/-/commit/fa70ce1068babe592d348497c772f1b5160cbb6e
https://gitlab.com/gitlab-org/gitlab-foss/-/commit/e861919633e0aac16509c0415f71eda69902bff9
https://security.archlinux.org/CVE-2020-26414
https://security.archlinux.org/CVE-2021-22166
https://security.archlinux.org/CVE-2021-22167
https://security.archlinux.org/CVE-2021-22168
https://security.archlinux.org/CVE-2021-22171