Arch Linux Security Advisory ASA-202106-21
==========================================

Severity: High
Date    : 2021-06-09
CVE-ID  : CVE-2021-22181 CVE-2021-22213 CVE-2021-22214 CVE-2021-22216
          CVE-2021-22217 CVE-2021-22218 CVE-2021-22219 CVE-2021-22220
          CVE-2021-22221
Package : gitlab
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-2023

Summary
=======

The package gitlab before version 13.12.2-1 is vulnerable to multiple
issues including denial of service, information disclosure, access
restriction bypass, authentication bypass, cross-site scripting and
content spoofing.

Resolution
==========

Upgrade to 13.12.2-1.

# pacman -Syu "gitlab>=13.12.2-1"

The problems have been fixed upstream in version 13.12.2.

Workaround
==========

None.

Description
===========

- CVE-2021-22181 (denial of service)

A denial of service vulnerability in GitLab CE/EE affecting all versions
since 11.8 before 13.12.2 allows an attacker to create a recursive
pipeline relationship and exhaust resources.

- CVE-2021-22213 (information disclosure)

A cross-site leak vulnerability in the OAuth flow of all versions of
GitLab CE/EE since 7.10 before 13.12.2 allowed an attacker to leak an
OAuth access token by getting the victim to visit a malicious page with
Safari.

- CVE-2021-22214 (access restriction bypass)

When requests to the internal network for webhooks are enabled, a
server-side request forgery vulnerability in GitLab CE/EE affecting all
versions starting from 10.5 before 13.12.2 could be exploited by an
unauthenticated attacker, even on a GitLab instance where registration
is limited.

- CVE-2021-22216 (denial of service)

A denial of service vulnerability in all versions of GitLab CE/EE before
13.12.2 allows an attacker to cause uncontrolled resource consumption
with a very long issue or merge request description.
- CVE-2021-22217 (denial of service)

A denial of service vulnerability in all versions of GitLab CE/EE before
13.12.2 allows an attacker to cause uncontrolled resource consumption
with a specially crafted issue or merge request.

- CVE-2021-22218 (content spoofing)

All versions of GitLab CE/EE starting with 12.8 before 13.12.2 were
affected by an issue in the handling of x509 certificates that could be
used to spoof the author of signed commits.

- CVE-2021-22219 (information disclosure)

GitLab CE/EE since version 9.5 before 13.12.2 allows a high-privilege
user to obtain sensitive information from log files because the
sensitive information was not correctly registered for log masking.

- CVE-2021-22220 (cross-site scripting)

An issue has been discovered in GitLab affecting all versions starting
with 13.10 before 13.12.2. GitLab was vulnerable to a stored cross-site
scripting (XSS) attack in the blob viewer of notebooks.

- CVE-2021-22221 (authentication bypass)

An issue has been discovered in GitLab affecting all versions starting
from 12.9.0 before 13.12.2. Insufficient expired-password validation in
various operations allowed users to maintain limited access after their
password had expired.

Impact
======

A remote attacker could disclose sensitive information, bypass
authentication, execute JavaScript code using cross-site scripting,
spoof content or crash the GitLab server.
References
==========

https://about.gitlab.com/releases/2021/06/01/security-release-gitlab-13-12-2-released/
https://gitlab.com/gitlab-org/gitlab/-/issues/300308
https://hackerone.com/reports/1089277
https://gitlab.com/gitlab-org/gitlab/-/issues/322926
https://hackerone.com/reports/1110131
https://gitlab.com/gitlab-org/gitlab/-/issues/329890
https://gitlab.com/gitlab-org/gitlab/-/issues/300709
https://hackerone.com/reports/1090049
https://gitlab.com/gitlab-org/gitlab/-/issues/297665
https://hackerone.com/reports/1077019
https://gitlab.com/gitlab-org/gitlab/-/issues/296995
https://gitlab.com/gitlab-org/gitlab/-/issues/294128
https://hackerone.com/reports/1060114
https://gitlab.com/gitlab-org/gitlab/-/issues/292006
https://security.archlinux.org/CVE-2021-22181
https://security.archlinux.org/CVE-2021-22213
https://security.archlinux.org/CVE-2021-22214
https://security.archlinux.org/CVE-2021-22216
https://security.archlinux.org/CVE-2021-22217
https://security.archlinux.org/CVE-2021-22218
https://security.archlinux.org/CVE-2021-22219
https://security.archlinux.org/CVE-2021-22220
https://security.archlinux.org/CVE-2021-22221