Subject: [ASA-202112-10] gitlab: multiple issues

Arch Linux Security Advisory ASA-202112-10
==========================================

Severity: High
Date    : 2021-12-11
CVE-ID  : CVE-2021-39910 CVE-2021-39915 CVE-2021-39917 CVE-2021-39919
          CVE-2021-39931 CVE-2021-39932 CVE-2021-39933 CVE-2021-39934
          CVE-2021-39935 CVE-2021-39936 CVE-2021-39937 CVE-2021-39938
          CVE-2021-39940 CVE-2021-39941 CVE-2021-39944 CVE-2021-39945
Package : gitlab
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-2603

Summary
=======

The package gitlab before version 14.5.2-1 is vulnerable to multiple
issues including privilege escalation, access restriction bypass, denial
of service, information disclosure and content spoofing.

Resolution
==========

Upgrade to 14.5.2-1.

# pacman -Syu "gitlab>=14.5.2-1"

The problems have been fixed upstream in version 14.5.2.

Workaround
==========

None.

Description
===========

- CVE-2021-39910 (content spoofing)

An issue has been discovered in GitLab before version 14.5.2. GitLab was
vulnerable to HTML injection through the Swagger UI feature.

- CVE-2021-39915 (information disclosure)

Improper access control in the GraphQL API in GitLab before version
14.5.2 allows an attacker to see the names of project access tokens on
arbitrary projects.

- CVE-2021-39917 (denial of service)

An issue has been discovered in GitLab before version 14.5.2. A regular
expression related to the quick actions feature was susceptible to
catastrophic backtracking that could cause a denial of service.

- CVE-2021-39919 (information disclosure)

In all versions of GitLab before version 14.5.2, the reset password token
and the new user email token are accidentally logged, which may lead to
information disclosure.

- CVE-2021-39931 (access restriction bypass)

An issue has been discovered in GitLab before version 14.5.2. Under
specific conditions an unauthorised project member was allowed to delete
protected branches due to a business logic error.
- CVE-2021-39932 (denial of service)

An issue has been discovered in GitLab before version 14.5.2. Using large
payloads, the diff feature could be used to trigger high load times for
users reviewing code changes.

- CVE-2021-39933 (denial of service)

An issue has been discovered in GitLab before version 14.5.2. A regular
expression used for handling user input (notes, comments, etc.) was
susceptible to catastrophic backtracking that could cause a denial of
service.

- CVE-2021-39934 (information disclosure)

Improper access control allows any project member to retrieve the service
desk email address in GitLab before version 14.5.2.

- CVE-2021-39935 (access restriction bypass)

An issue has been discovered in GitLab before version 14.5.2.
Unauthorized external users could perform server-side requests via the CI
Lint API.

- CVE-2021-39936 (access restriction bypass)

Improper access control in GitLab before version 14.5.2 allows an
attacker in possession of a deploy token to access a project's disabled
wiki.

- CVE-2021-39937 (privilege escalation)

A collision in access memoization logic in all versions of GitLab before
version 14.5.2 leads to potentially elevated privileges in groups and
projects under rare circumstances.

- CVE-2021-39938 (denial of service)

A vulnerable regular expression pattern in GitLab before version 14.5.2
allows an attacker to cause uncontrolled resource consumption leading to
denial of service via specially crafted deploy slash commands.

- CVE-2021-39940 (denial of service)

An issue has been discovered in GitLab before version 14.5.2. The GitLab
Maven package registry is vulnerable to a regular expression denial of
service when a specifically crafted string is sent.

- CVE-2021-39941 (information disclosure)

An information disclosure vulnerability in GitLab before version 14.5.2
allowed non-project members to see the default branch name for projects
that restrict access to the repository to project members.
- CVE-2021-39944 (privilege escalation)

An issue has been discovered in GitLab before version 14.5.2. A
permissions validation flaw allowed group members with a developer role
to elevate their privilege to maintainer on projects they import.

- CVE-2021-39945 (access restriction bypass)

Improper access control in the GitLab API affecting all versions before
version 14.5.2 allows the author of a merge request to approve the merge
request even after having their project access revoked.

Impact
======

A remote attacker could elevate their privileges, bypass access
restrictions, disclose sensitive information, spoof content or cause high
resource consumption leading to denial of service.

References
==========

https://about.gitlab.com/releases/2021/12/06/security-release-gitlab-14-5-2-released/
https://security.archlinux.org/CVE-2021-39910
https://security.archlinux.org/CVE-2021-39915
https://security.archlinux.org/CVE-2021-39917
https://security.archlinux.org/CVE-2021-39919
https://security.archlinux.org/CVE-2021-39931
https://security.archlinux.org/CVE-2021-39932
https://security.archlinux.org/CVE-2021-39933
https://security.archlinux.org/CVE-2021-39934
https://security.archlinux.org/CVE-2021-39935
https://security.archlinux.org/CVE-2021-39936
https://security.archlinux.org/CVE-2021-39937
https://security.archlinux.org/CVE-2021-39938
https://security.archlinux.org/CVE-2021-39940
https://security.archlinux.org/CVE-2021-39941
https://security.archlinux.org/CVE-2021-39944
https://security.archlinux.org/CVE-2021-39945
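The Resolution section above gives the fixed package version, 14.5.2-1, and the pacman command to reach it. The script below is an added example, not part of the Arch advisory or of the gitlab package, for confirming on a host whether the installed package is still below that version. It assumes `pacman -Q gitlab` prints `gitlab <pkgver>-<pkgrel>` (pacman's normal output) and that GNU coreutils `sort -V` is available for the version comparison; the function names and the `--check` flag are this example's own.

```shell
#!/bin/sh
# Added example: decide whether an installed gitlab package version is
# older than the version fixed in ASA-202112-10. Not Arch or GitLab code.

FIXED="14.5.2-1"   # pkgver-pkgrel that carries the upstream 14.5.2 fix

# version_lt A B: succeed if version A sorts strictly before version B.
# Uses GNU `sort -V`, which compares numeric segments numerically, so
# 14.5.2-1 < 14.5.10-1 and 14.5.2-1 < 14.5.2-2 come out right.
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# vulnerable VERSION: succeed if VERSION is below the fixed version.
vulnerable() {
    version_lt "$1" "$FIXED"
}

# check_host: read the installed version from pacman and report.
# Exit status: 0 fixed, 1 affected, 2 gitlab not installed / no pacman.
check_host() {
    command -v pacman >/dev/null 2>&1 || { echo "pacman not found"; return 2; }
    ver=$(pacman -Q gitlab 2>/dev/null | awk '{print $2}')
    [ -n "$ver" ] || { echo "gitlab is not installed"; return 2; }
    if vulnerable "$ver"; then
        echo "gitlab $ver is affected by ASA-202112-10"
        echo "upgrade with: pacman -Syu \"gitlab>=$FIXED\""
        return 1
    fi
    echo "gitlab $ver is at or above $FIXED"
    return 0
}

# Run the host check only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--check" ]; then
    check_host
fi
```

Run it as `sh check-gitlab.sh --check` on the Arch host; a non-zero exit means the upgrade from the Resolution section is still outstanding. Note that a package at 14.5.2-1 or newer only means the Arch package carries the upstream fix; a GitLab instance still running from an older, not yet restarted service would need the usual service restart after the upgrade.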