Arch Linux Security Advisory ASA-201810-16
==========================================

Severity: Critical
Date    : 2018-10-31
CVE-ID  : CVE-2018-18640 CVE-2018-18641 CVE-2018-18643 CVE-2018-18645
          CVE-2018-18646 CVE-2018-18648 CVE-2018-18649
Package : gitlab
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-794

Summary
=======

The package gitlab before version 11.4.3-1 is vulnerable to multiple
issues including arbitrary code execution, server-side request forgery,
cross-site scripting and information disclosure.

Resolution
==========

Upgrade to 11.4.3-1.

# pacman -Syu "gitlab>=11.4.3-1"

The problems have been fixed upstream in version 11.4.3.

Workaround
==========

None.

Description
===========

- CVE-2018-18640 (information disclosure)

A security issue has been found in gitlab versions prior to 11.4.3, where
private project pages were served with inadequate cache-control headers,
so their content could remain in the browser cache and be viewed there by
unauthorized users.

- CVE-2018-18641 (information disclosure)

A security issue has been found in gitlab versions prior to 11.4.3, where
personal access tokens were stored in plain text in the database. An
attacker who obtained read access to the database, for example through
SQL injection or a leaked database dump, could recover the tokens and use
them directly.

- CVE-2018-18643 (cross-site scripting)

A security issue has been found in gitlab versions prior to 11.4.3, where
several pages used the URL fragment identifier (hash) without input
validation or output encoding, resulting in a persistent cross-site
scripting vulnerability.

- CVE-2018-18645 (information disclosure)

A security issue has been found in gitlab versions prior to 11.4.3, where
a user replying to an issue by email with the GitLab email footer left in
the reply would have their personal unsubscribe link included in the
issue. This link is considered sensitive information.

- CVE-2018-18646 (server-side request forgery)

A security issue has been found in gitlab versions prior to 11.4.3, where
the Hipchat integration was vulnerable to server-side request forgery
(SSRF), allowing an attacker to make the GitLab server issue requests to
any network resource it could reach, including resources on the local
network that are not exposed to the attacker directly.

- CVE-2018-18648 (information disclosure)

A security issue has been found in gitlab versions prior to 11.4.3, where
a JSON endpoint disclosed the versions of the installed Ruby gems,
allowing an attacker to identify gems with known vulnerabilities on a
specific GitLab instance.

- CVE-2018-18649 (arbitrary code execution)

A security issue has been found in gitlab versions prior to 11.4.3, where
the wiki API contained an input validation issue that resulted in remote
code execution.

Impact
======

A remote attacker is able to execute arbitrary code, disclose
information, perform server-side request forgery or cross-site scripting.

References
==========

https://about.gitlab.com/2018/10/29/security-release-gitlab-11-dot-4-dot-3-released/
https://gitlab.com/gitlab-org/gitlab-ce/commit/5e125b0f84ad768d7ff19905d03820f561c21f98
https://gitlab.com/gitlab-org/gitlab-ce/commit/daed01a5ca348e7d267b50e325bf58185617a0ad
https://gitlab.com/gitlab-org/gitlab-ce/commit/5342df04045e1c8a98fdb9fe8203a816bf240ac8
https://gitlab.com/gitlab-org/gitlab-ce/commit/82c12bd8bf9e0ea9e8df3bbcad91c27fccc709e8
https://gitlab.com/gitlab-org/gitlab-ce/commit/f17e36feab266a62b316bfe88d7d558c2debaf9b
https://gitlab.com/gitlab-org/gitlab-ce/commit/b9b68fe7d30778338625fb606457eb1886a17f08
https://gitlab.com/gitlab-org/gitlab-ce/commit/e05636e2794d975876958c3781b66de2991d89d2
https://security.archlinux.org/CVE-2018-18640
https://security.archlinux.org/CVE-2018-18641
https://security.archlinux.org/CVE-2018-18643
https://security.archlinux.org/CVE-2018-18645
https://security.archlinux.org/CVE-2018-18646
https://security.archlinux.org/CVE-2018-18648
https://security.archlinux.org/CVE-2018-18649
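The cache-control weakness behind CVE-2018-18640 is easy to check for from the outside: fetch a private page with a valid session and inspect the response headers. The Ruby below is an added example written for this advisory, not GitLab's own code or its upstream fix. It parses a Cache-Control header, lists the directives a private page is missing, and shows the header set a private response should carry. The header hashes are constructed sample input; the function names are this example's own.

```ruby
# Added example (not GitLab code): is a response carrying private content
# marked so that browsers and shared caches will not keep a copy of it?
require 'time'

# Cache-Control is a comma-separated list of directives, optionally with
# a quoted or bare argument. Directive names are case-insensitive.
def parse_cache_control(value)
  return {} if value.nil?
  value.split(',').each_with_object({}) do |directive, out|
    name, arg = directive.strip.split('=', 2)
    next if name.nil? || name.empty?
    out[name.downcase] = arg&.delete('"')
  end
end

def future_date?(http_date)
  Time.httpdate(http_date) > Time.now
rescue ArgumentError
  false
end

# Returns the list of problems found; an empty list means the response is
# safe to serve for a private page. Header names may be in any case.
def private_response_problems(headers)
  h = headers.transform_keys { |k| k.to_s.downcase }
  cc = parse_cache_control(h['cache-control'])
  problems = []
  unless cc.key?('no-store')
    problems << 'missing no-store: browser history/disk cache may keep a copy'
  end
  unless cc.key?('private') || cc.key?('no-store')
    problems << 'missing private: shared caches may store the response'
  end
  problems << 'public directive on private content' if cc.key?('public')
  if %w[max-age s-maxage].any? { |d| cc[d].to_i > 0 }
    problems << 'positive max-age/s-maxage on private content'
  end
  if h['expires'] && future_date?(h['expires']) && !cc.key?('no-store')
    problems << 'Expires in the future without no-store'
  end
  problems
end

# The headers a private page should send, merged over the existing ones.
# Pragma and Expires cover HTTP/1.0 caches that ignore Cache-Control.
def harden_private_headers(headers)
  headers.merge(
    'Cache-Control' => 'private, no-store, max-age=0',
    'Pragma' => 'no-cache',
    'Expires' => 'Thu, 01 Jan 1970 00:00:00 GMT'
  )
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample response headers, not captured from GitLab.
  leaky = { 'Content-Type' => 'text/html', 'Cache-Control' => 'max-age=600, public' }
  puts private_response_problems(leaky)
  puts private_response_problems(harden_private_headers(leaky)).inspect
end
```

Run the check against a page of a private project while logged in; any non-empty result means a later, unauthenticated user of the same browser profile (or a shared proxy) may be able to read the page from cache, which is the effect the advisory describes.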
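CVE-2018-18641 is a storage-design issue rather than a parsing bug: a token that is stored verbatim is a credential for anyone who can read the table. The Ruby below is an added example written for this advisory, not GitLab's code or its upstream fix. It places the plain-text pattern beside a hashed one and replays the attack the advisory describes, reading the leaked rows and presenting each stored value as a token. Both stores are in-memory stand-ins for a database table, and the class and method names are this example's own.

```ruby
# Added example (not GitLab code): plain-text token storage beside a hashed
# store, plus a replay of "read the table, use the values as tokens".
require 'securerandom'
require 'digest'

# Constant-time comparison so the digest check does not leak via timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Vulnerable pattern: the token itself is the stored column.
class PlaintextTokenStore
  def initialize
    @rows = []
  end

  def issue(user_id)
    token = SecureRandom.hex(20)            # 160 bits of entropy, 40 hex chars
    @rows << { user_id: user_id, token: token }
    token
  end

  def authenticate(presented)
    row = @rows.find { |r| r[:token] == presented }
    row && row[:user_id]
  end

  def dump                                  # what a SQL dump or injection exposes
    @rows.map(&:dup)
  end
end

# Hardened pattern: only a SHA-256 digest reaches the database. The token is a
# high-entropy random value, so there is nothing for a dictionary attack to
# guess and an unsalted fast hash is appropriate here (unlike for passwords);
# it also lets the row be located by digest.
class HashedTokenStore
  TOKEN_LENGTH = 40

  def initialize
    @rows = []
  end

  def self.digest(token)
    Digest::SHA256.hexdigest(token)
  end

  def issue(user_id)
    token = SecureRandom.hex(20)
    @rows << { user_id: user_id, token_digest: self.class.digest(token) }
    token                                   # shown to the user once, never stored
  end

  def authenticate(presented)
    return nil unless presented.is_a?(String) && presented.length == TOKEN_LENGTH
    wanted = self.class.digest(presented)
    row = @rows.find { |r| secure_compare(r[:token_digest], wanted) }
    row && row[:user_id]
  end

  def dump
    @rows.map(&:dup)
  end
end

# Replays the attack: take every string column from the leaked table and try
# it as a token. Returns true if any leaked value authenticates.
def leaked_tokens_usable?(store)
  store.dump.any? do |row|
    row.values.grep(String).any? { |value| store.authenticate(value) }
  end
end

if __FILE__ == $PROGRAM_NAME
  plain = PlaintextTokenStore.new
  plain.issue(42)
  hashed = HashedTokenStore.new
  hashed.issue(42)
  puts "plaintext store, leaked rows usable as credentials: #{leaked_tokens_usable?(plain)}"
  puts "hashed store,    leaked rows usable as credentials: #{leaked_tokens_usable?(hashed)}"
end
```

The advisory describes the flaw in terms of encryption. Hashing is the stricter choice when the server only ever needs to verify a presented token and never needs to show it again, because a leaked table then contains nothing reversible; encryption at rest keeps the token recoverable by anyone who also obtains the key.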
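The SSRF in the Hipchat integration (CVE-2018-18646) is the general problem of letting a user supply a URL that the server itself will fetch. The Ruby below is an added example for this advisory, not GitLab's code or its upstream fix: an outbound-URL policy that rejects non-HTTP schemes, embedded credentials, and any destination that is a literal or resolves to a loopback, link-local, private or carrier-grade-NAT address, with IPv4-mapped IPv6 addresses unwrapped first. Name resolution is injected so the check runs offline here and so a caller can connect to exactly the address it validated. The class name, the stub resolver table and the hostnames are constructed for the example.

```ruby
# Added example (not GitLab code): validate an outbound integration/webhook URL
# before the server fetches it. Resolution is injected; use the returned
# addresses for the actual connection so a second lookup cannot differ.
require 'uri'
require 'ipaddr'

class OutboundUrlPolicy
  class Blocked < StandardError; end

  ALLOWED_SCHEMES = %w[http https].freeze

  # Ranges a server must never be tricked into reaching on a user's behalf.
  BLOCKED_RANGES = %w[
    0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16
    172.16.0.0/12 192.168.0.0/16 ::1/128 fc00::/7 fe80::/10
  ].map { |cidr| IPAddr.new(cidr) }.freeze

  # resolver: callable taking a hostname and returning an Array of IP strings.
  # extra_blocked: deployment-specific CIDRs (e.g. the instance's own subnet).
  def initialize(resolver:, extra_blocked: [])
    @resolver = resolver
    @extra_blocked = extra_blocked.map { |cidr| IPAddr.new(cidr) }
  end

  # Returns [hostname, [IPAddr, ...]] for an acceptable URL; raises Blocked
  # otherwise. Every rejection names its reason for logging.
  def validate!(url)
    uri = URI.parse(url.to_s)
    unless ALLOWED_SCHEMES.include?(uri.scheme)
      raise Blocked, "scheme not allowed: #{uri.scheme.inspect}"
    end
    host = uri.hostname                     # strips the [] around IPv6 literals
    raise Blocked, 'missing host' if host.nil? || host.empty?
    raise Blocked, 'credentials embedded in URL' unless uri.userinfo.nil?

    addrs = if ip_literal?(host)
              [IPAddr.new(host)]
            else
              @resolver.call(host).map { |a| IPAddr.new(a) }
            end
    raise Blocked, "#{host} did not resolve" if addrs.empty?

    # ::ffff:10.0.0.1 is 10.0.0.1; compare the IPv4 form against IPv4 ranges.
    addrs = addrs.map { |a| a.ipv4_mapped? ? a.native : a }
    addrs.each do |addr|
      hit = (BLOCKED_RANGES + @extra_blocked).find { |range| range.include?(addr) }
      raise Blocked, "#{host} resolves to #{addr} in blocked range #{hit}" if hit
    end
    [host, addrs]
  rescue URI::InvalidURIError, IPAddr::InvalidAddressError => e
    raise Blocked, "unparseable URL or address: #{e.message}"
  end

  private

  def ip_literal?(host)
    IPAddr.new(host)
    true
  rescue IPAddr::InvalidAddressError
    false
  end
end

# Constructed stub resolver standing in for DNS; the names are fictional.
STUB_DNS = {
  'chat.example'   => ['203.0.113.10'],
  'evil.example'   => ['203.0.113.20', '10.0.0.5'],      # one public, one internal
  'mapped.example' => ['::ffff:169.254.169.254']         # metadata service via IPv6
}.freeze
STUB_RESOLVER = ->(host) { STUB_DNS.fetch(host, []) }

if __FILE__ == $PROGRAM_NAME
  policy = OutboundUrlPolicy.new(resolver: STUB_RESOLVER)
  %w[https://chat.example/v2/room/1/notification http://169.254.169.254/ http://evil.example/].each do |u|
    begin
      host, addrs = policy.validate!(u)
      puts "allow #{u} -> #{host} #{addrs.map(&:to_s).join(',')}"
    rescue OutboundUrlPolicy::Blocked => e
      puts "block #{u}: #{e.message}"
    end
  end
end
```

Two caveats a fix like this needs in practice: the HTTP client must connect to one of the returned addresses rather than resolving the hostname again (otherwise a fast-changing DNS record can pass the check and then point at an internal host), and redirects must be re-validated through the same policy, because a permitted external host can answer with a 302 to an internal one.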