[manjaro-security] [ASA-201810-16] gitlab: multiple issues

Jelle van der Waa jelle at archlinux.org
Wed Oct 31 11:04:31 CET 2018


Arch Linux Security Advisory ASA-201810-16
==========================================

Severity: Critical
Date    : 2018-10-31
CVE-ID  : CVE-2018-18640 CVE-2018-18641 CVE-2018-18643 CVE-2018-18645
          CVE-2018-18646 CVE-2018-18648 CVE-2018-18649
Package : gitlab
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-794

Summary
=======

The package gitlab before version 11.4.3-1 is vulnerable to multiple
issues including arbitrary code execution, cross-site request forgery,
cross-site scripting and information disclosure.

Resolution
==========

Upgrade to 11.4.3-1.

# pacman -Syu "gitlab>=11.4.3-1"

The problems have been fixed upstream in version 11.4.3.

Workaround
==========

None.

Description
===========

- CVE-2018-18640 (information disclosure)

A security issue has been found in gitlab versions prior to 11.4.3,
where private project pages had inadequate cache control, which
resulted in unauthorized users being able to view them in the browser.
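The cache-control weakness above is the kind of defect a response-header check can catch in a test suite. The following added example (not code from the advisory or from GitLab) parses a Cache-Control header and reports why a response carrying private content could be served from a browser or proxy cache; the header sets are constructed for illustration and are assumptions, not GitLab's actual headers.

```python
"""Flag HTTP responses for private content that a browser or shared cache may retain."""
from typing import Dict, List


def parse_cache_control(value: str) -> Dict[str, str]:
    """Parse a Cache-Control value into {directive: argument}; argument is '' when absent."""
    directives: Dict[str, str] = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"')
    return directives


def cache_disclosure_findings(headers: Dict[str, str]) -> List[str]:
    """Return findings for a response that carries authenticated (private) content.

    An empty list means the response is neither persisted by the browser cache
    (no-store) nor retained by shared caches, so a later, unauthenticated user
    of the same browser or proxy cannot view it.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(lower.get("cache-control", ""))
    findings: List[str] = []
    if "no-store" not in cc:
        findings.append("missing no-store: page may be written to the browser cache")
        if "private" not in cc:
            findings.append("missing private: shared caches/proxies may retain the page")
    if "public" in cc:
        findings.append("public: explicitly allows shared caching")
    if cc.get("max-age", "0") != "0":
        findings.append(f"max-age={cc['max-age']}: page stays fresh in cache")
    return findings


# Constructed sample headers (assumptions for this example, not real GitLab responses).
WEAK_HEADERS = {"Cache-Control": "max-age=0, private, must-revalidate",
                "Content-Type": "text/html"}
HARDENED_HEADERS = {"Cache-Control": "no-store, no-cache, max-age=0, private, must-revalidate",
                    "Content-Type": "text/html"}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, cache_disclosure_findings(hdrs) or ["ok"])
```

Run it against real responses for a private page while authenticated; any non-empty result means the page can outlive the session in a cache.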

- CVE-2018-18641 (information disclosure)

A security issue has been found in gitlab versions prior to 11.4.3,
where personal access tokens were stored unencrypted as plain text in
the database, which could allow an attacker to read them via SQL
injection or another database leak.

- CVE-2018-18643 (cross-site scripting)

A security issue has been found in gitlab versions prior to 11.4.3,
where the fragment identifier (hash) of several pages lacked input
validation and output encoding, which resulted in a persistent XSS.

- CVE-2018-18645 (information disclosure)

A security issue has been found in gitlab versions prior to 11.4.3,
where replying to an issue through email with the GitLab email footer
included caused the user's unsubscribe link to be included in the
issue. This information is considered sensitive.

- CVE-2018-18646 (cross-site request forgery)

A security issue has been found in gitlab versions prior to 11.4.3,
where the Hipchat integration was vulnerable to an SSRF issue which
allowed an attacker to make requests to any local network resource
accessible from the GitLab server.

- CVE-2018-18648 (information disclosure)

A security issue has been found in gitlab versions prior to 11.4.3,
where a JSON endpoint was disclosing Gem version information which
could result in an attacker discovering vulnerable Gems available on a
specific GitLab instance.

- CVE-2018-18649 (arbitrary code execution)

A security issue has been found in gitlab versions prior to 11.4.3,
where the wiki API contained an input validation issue which resulted
in remote code execution.

Impact
======

A remote attacker is able to execute arbitrary code, disclose
information, perform cross-site request forgery or cross-site
scripting.

References
==========

https://about.gitlab.com/2018/10/29/security-release-gitlab-11-dot-4-dot-3-released/
https://gitlab.com/gitlab-org/gitlab-ce/commit/5e125b0f84ad768d7ff19905d03820f561c21f98
https://gitlab.com/gitlab-org/gitlab-ce/commit/daed01a5ca348e7d267b50e325bf58185617a0ad
https://gitlab.com/gitlab-org/gitlab-ce/commit/5342df04045e1c8a98fdb9fe8203a816bf240ac8
https://gitlab.com/gitlab-org/gitlab-ce/commit/82c12bd8bf9e0ea9e8df3bbcad91c27fccc709e8
https://gitlab.com/gitlab-org/gitlab-ce/commit/f17e36feab266a62b316bfe88d7d558c2debaf9b
https://gitlab.com/gitlab-org/gitlab-ce/commit/b9b68fe7d30778338625fb606457eb1886a17f08
https://gitlab.com/gitlab-org/gitlab-ce/commit/e05636e2794d975876958c3781b66de2991d89d2
https://security.archlinux.org/CVE-2018-18640
https://security.archlinux.org/CVE-2018-18641
https://security.archlinux.org/CVE-2018-18643
https://security.archlinux.org/CVE-2018-18645
https://security.archlinux.org/CVE-2018-18646
https://security.archlinux.org/CVE-2018-18648
https://security.archlinux.org/CVE-2018-18649