[ASA-202107-18] gitlab: multiple issues
diabonas at archlinux.org
Fri Jul 9 14:16:44 UTC 2021
Arch Linux Security Advisory ASA-202107-18
Date : 2021-07-06
CVE-ID : CVE-2021-22223 CVE-2021-22224 CVE-2021-22225 CVE-2021-22226
CVE-2021-22227 CVE-2021-22228 CVE-2021-22229 CVE-2021-22230
CVE-2021-22231 CVE-2021-22232 CVE-2021-31799
Package : gitlab
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-2125
The package gitlab before version 14.0.3-1 is vulnerable to multiple
issues including cross-site request forgery, access restriction bypass,
arbitrary code execution, arbitrary command execution, cross-site
scripting, information disclosure, content spoofing and denial of
Upgrade to 14.0.3-1.
# pacman -Syu "gitlab>=14.0.3-1"
The problems have been fixed upstream in version 14.0.3.
- CVE-2021-22223 (cross-site scripting)
Client-Side code injection through a Feature Flag name in GitLab CE/EE
starting with 11.9 and before version 14.0.2 allows a specially crafted
feature flag name to PUT requests on behalf of other users via clicking
on a link.
- CVE-2021-22224 (cross-site request forgery)
A cross-site request forgery vulnerability in the GraphQL API in GitLab
since version 13.12 and before version 14.0.2 allowed an attacker to
call mutations as the victim.
- CVE-2021-22225 (cross-site scripting)
Insufficient input sanitization in markdown in GitLab version 13.11 and
up before version 14.0.2 allows an attacker to exploit a stored cross-
site scripting vulnerability via specially-crafted markdown.
- CVE-2021-22226 (access restriction bypass)
Under certain conditions, some users were able to push to protected
branches that were restricted to deploy keys in GitLab CE/EE since
version 13.9 and before version 14.0.2.
- CVE-2021-22227 (cross-site scripting)
A reflected cross-site script vulnerability in GitLab before version
14.0.2 allowed an attacker to send a malicious link to a victim and
trigger actions on their behalf if they clicked it.
- CVE-2021-22228 (information disclosure)
An issue has been discovered in GitLab affecting all versions before
14.0.2. Improper access control allows unauthorised users to access
project details using Graphql.
- CVE-2021-22229 (information disclosure)
An issue has been discovered in GitLab CE/EE affecting all versions
starting with 12.8 and before 14.0.2. Under a special condition it was
possible to access data of an internal repository through a project
fork done by a project member.
- CVE-2021-22230 (arbitrary code execution)
Improper code rendering while rendering merge requests could be
exploited to submit malicious code. This vulnerability affects GitLab
CE/EE 9.3 and later up to 14.0.2.
- CVE-2021-22231 (denial of service)
A denial of service on the user's profile page is found starting with
GitLab CE/EE 8.0 and before 14.0.2 that allows an attacker to reject
access to their profile page by using a specially crafted username.
- CVE-2021-22232 (content spoofing)
HTML injection was possible via the full name field before version
14.0.2 in GitLab CE.
- CVE-2021-31799 (arbitrary command execution)
RDoc before version 6.3.1, as bundled with Ruby before version 2.7.4
and 2.6.8 as well as GitLab before version 14.0.2, used to call
Kernel#open to open a local file. If a Ruby project has a file whose
name starts with "|" and ends with "tags", the command following the
pipe character is executed. A malicious Ruby project could exploit it
to run an arbitrary command execution against a user who attempts to
run the rdoc command.
A remote attacker could execute arbitrary code, disclose sensitive
information, bypass access restrictions, or spoof content.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 833 bytes
Desc: not available
More information about the arch-security