Arch Linux Security Advisory ASA-202108-7 ========================================= Severity: High Date : 2021-08-10 CVE-ID : CVE-2021-22236 CVE-2021-22237 CVE-2021-22239 CVE-2021-22241 Package : gitlab Type : multiple issues Remote : Yes Link : https://security.archlinux.org/AVG-2251 Summary ======= The package gitlab before version 14.1.2-1 is vulnerable to multiple issues including cross-site scripting, access restriction bypass and incorrect calculation. Resolution ========== Upgrade to 14.1.2-1. # pacman -Syu "gitlab>=14.1.2-1" The problems have been fixed upstream in version 14.1.2. Workaround ========== None. Description =========== - CVE-2021-22236 (incorrect calculation) Due to improper handling of OAuth client IDs, new subscriptions generated OAuth tokens on an incorrect OAuth client application. This vulnerability is present in GitLab CE/EE since version 14.1 before version 14.1.2. - CVE-2021-22237 (access restriction bypass) Under specialized conditions, GitLab may allow a user with an impersonation token to perform Git actions even if impersonation is disabled. This vulnerability is present in GitLab versions before 14.1.2. - CVE-2021-22239 (access restriction bypass) An unauthorized user was able to insert metadata when creating a new issue on GitLab 14.0 and later before version 14.1.2. - CVE-2021-22241 (cross-site scripting) An issue has been discovered in GitLab affecting all versions starting from 13.4 and before 14.1.2. It was possible to exploit a stored cross- site-scripting via a specifically crafted default branch name. Impact ====== A remote attacker could execute arbitrary JavaScript code through a crafted branch name, or bypass access restrictions to perform various actions they are not authorised for. References ========== https://about.gitlab.com/releases/2021/08/03/security-release-gitlab-14-1-2-released/ https://about.gitlab.com/releases/2021/08/03/security-release-gitlab-14-1-2-released/#new-subscriptions-generate-oauth-tokens-on-an-incorrect-oauth-client-application https://about.gitlab.com/releases/2021/08/03/security-release-gitlab-14-1-2-released/#perform-git-actions-with-an-impersonation-token-even-if-impersonation-is-disabled https://about.gitlab.com/releases/2021/08/03/security-release-gitlab-14-1-2-released/#unauthorised-user-was-able-to-add-meta-data-upon-issue-creation https://about.gitlab.com/releases/2021/08/03/security-release-gitlab-14-1-2-released/#stored-xss-in-default-branch-name https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22241.json https://gitlab.com/gitlab-org/gitlab/-/issues/336460 https://hackerone.com/reports/1256777 https://security.archlinux.org/CVE-2021-22236 https://security.archlinux.org/CVE-2021-22237 https://security.archlinux.org/CVE-2021-22239 https://security.archlinux.org/CVE-2021-22241