2019-03-04-security-release-gitlab-11-dot-8-dot-1-released.html.md
---
title: "GitLab Security Release: 11.8.1, 11.7.6, and 11.6.10"
categories: releases
author: James Ritchey
author_gitlab: jritchey
tags: security
---

Today we are releasing versions 11.8.1, 11.7.6, and 11.6.10 for GitLab Community Edition (CE) and Enterprise Edition (EE).

These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.

<!-- more -->

The vulnerability details will be made public on our issue tracker in approximately 30 days.

Please read on for more information regarding this release.

## Arbitrary file read via MergeRequestDiff

A lack of input validation was discovered for MergeRequestDiff objects, which resulted in an arbitrary local file read. The issue is now mitigated in the latest release and is assigned [CVE-2019-9221](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9221).

Thanks to [@nyangawa](https://hackerone.com/nyangawa) of Chaitin Tech for responsibly reporting this vulnerability to us.

### Versions Affected

Affects GitLab CE/EE 8.0 and later.

### Remediation

We **strongly recommend** that all installations running an affected version above be upgraded to the latest version as soon as possible.

## IDOR add `public`/`internal` groups as members to project

An IDOR was discovered which could allow project owners to add `public`/`internal` groups, of which they are not a member, to their project. The issue is now mitigated in the latest release and is assigned [CVE-2019-9756](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9756).

Thanks to [@vijay_kumar1110](https://hackerone.com/vijay_kumar1110) for responsibly reporting this vulnerability to us.

### Versions Affected

Affects GitLab CE/EE 10.8.0 and earlier.

### Remediation

We **strongly recommend** that all installations running an affected version above be upgraded to the latest version as soon as possible.

## CSRF add Kubernetes cluster integration

The Kubernetes integration feature was vulnerable to CSRF which could result in overwriting an existing Kubernetes integration with the attacker's cluster. The issue is now mitigated in the latest release and is assigned [CVE-2019-9176](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9176).

Thanks to [@cache-money](https://hackerone.com/cache-money) for responsibly reporting this vulnerability to us.

### Versions Affected

Affects GitLab CE/EE 10.1 and later.

### Remediation

We **strongly recommend** that all installations running an affected version above be upgraded to the latest version as soon as possible.

## Blind SSRF in Prometheus integration

The Prometheus integration feature was vulnerable to SSRF, which could result in access to internal services. The issue is now mitigated in the latest release and is assigned [CVE-2019-9174](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9174).

Thanks to [@ngalog](https://hackerone.com/ngalog) for responsibly reporting this vulnerability to us.

### Versions Affected

Affects GitLab CE/EE 9.0 and later.

### Remediation

We **strongly recommend** that all installations running an affected version above be upgraded to the latest version as soon as possible.

## Merge request information disclosure

Projects configured with MRs accessible only by project members were subject to information disclosure to non-members via a specific API endpoint. The issue is now mitigated in the latest release and is assigned [CVE-2019-9172](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9172).

Thanks to [@ngalog](https://hackerone.com/ngalog) for responsibly reporting this vulnerability to us.

### Versions Affected

Affects GitLab CE/EE 10.7 and later.

### Remediation

We **strongly recommend** that all installations running an affected version above be upgraded to the latest version as soon as possible.

## IDOR milestone name information disclosure

The milestone picker was vulnerable to an IDOR which resulted in disclosure of milestone names. The issue is now mitigated in the latest release and is assigned [CVE-2019-9170](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9170).

Thanks to [@ashish_r_padelkar](https://hackerone.com/ashish_r_padelkar) for responsibly reporting this vulnerability to us.

### Versions Affected

Affects GitLab CE/EE 2.9.0 and later.

### Remediation

We **strongly recommend** that all installations running an affected version above be upgraded to the latest version as soon as possible.

## Burndown chart information disclosure

The burndown chart feature was inadvertently leaking confidential issue attribute information. The issue is now mitigated in the latest release and is assigned [CVE-2019-9175](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9175).

Thanks to [@ngalog](https://hackerone.com/ngalog) for responsibly reporting this vulnerability to us.

### Versions Affected

Affects GitLab CE/EE 7.9 and later.

### Remediation

We **strongly recommend** that all installations running an affected version above be upgraded to the latest version as soon as possible.

## Private merge request titles in public project information disclosure

The milestones tab was inadvertently leaking private merge request titles to the public. The issue is now mitigated in the latest release and is assigned [CVE-2019-9178](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9178).

Thanks to [@ngalog](https://hackerone.com/ngalog) for responsibly reporting this vulnerability to us.

### Versions Affected

Affects GitLab CE/EE 8.12 and later.

### Remediation

We **strongly recommend** that all installations running an affected version above be upgraded to the latest version as soon as possible.

## Private namespace disclosure in email notification when issue is moved

When an issue is moved to a private namespace, the email notification was inadvertently disclosing the path of the project it was moved to. The issue is now mitigated in the latest release and is assigned [CVE-2019-9179](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9179).

Thanks to [@ashish_r_padelkar](https://hackerone.com/ashish_r_padelkar) for responsibly reporting this vulnerability to us.

### Versions Affected

Affects GitLab CE/EE 8.7 and later.

### Remediation

We **strongly recommend** that all installations running an affected version above be upgraded to the latest version as soon as possible.

## Users with restricted repo access can access and create discussions on commits

A permissions issue was discovered for access to discussions/notes on commits. The issue is now mitigated in the latest release and is assigned [CVE-2019-9890](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9890).

Thanks to [@xanbanx](https://hackerone.com/xanbanx) for responsibly reporting this vulnerability to us.

### Versions Affected

Affects GitLab CE/EE 10.8.0 and later.

### Remediation

We **strongly recommend** that all installations running an affected version above be upgraded to the latest version as soon as possible.

## Milestone name disclosure

When a project is public and issues are set to `Only Project Members`, milestone names could be disclosed via the milestone autocomplete and board endpoints. These issues are now mitigated in the latest release and are assigned [CVE-2019-9171](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9171) and [CVE-2019-9224](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9224).

Thanks to [@ashish_r_padelkar](https://hackerone.com/ashish_r_padelkar) for responsibly reporting this vulnerability to us.

### Versions Affected

Affects GitLab CE/EE 8.16 and later.

### Remediation

We **strongly recommend** that all installations running an affected version above be upgraded to the latest version as soon as possible.

## Issue board name disclosure

When a project is public and issues are set to `Only Project Members`, issue board names could be disclosed via the boards and boards list API endpoints. These issues are now mitigated in the latest release and are assigned [CVE-2019-9225](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9225) and [CVE-2019-9219](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9219).

Thanks to [@ashish_r_padelkar](https://hackerone.com/ashish_r_padelkar) and [@vijay_kumar1110](https://hackerone.com/vijay_kumar1110) for responsibly reporting this vulnerability to us.

### Versions Affected

Affects GitLab CE/EE 8.16 and later.

### Remediation

We **strongly recommend** that all installations running an affected version above be upgraded to the latest version as soon as possible.

## NPM automatic package referencer

The automatic package referencer contained an issue where victims could be tricked into installing and executing a malicious package from the npm registry. The issue is now mitigated in the latest release and is assigned [CVE-2019-9217](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9217).

Thanks to [@edoverflow](https://hackerone.com/edoverflow) for responsibly reporting this vulnerability to us.

### Versions Affected

Affects GitLab CE/EE 8.16 and later.

### Remediation

We **strongly recommend** that all installations running an affected version above be upgraded to the latest version as soon as possible.

## Path traversal snippet mover

The logic to move snippets contained a path traversal vulnerability which currently results in a denial of service but could result in data exposure. The issue is now mitigated in the latest release and is assigned [CVE-2019-9222](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9222).

Thanks to [@pindakaas](https://hackerone.com/pindakaas) for responsibly reporting this vulnerability to us.

### Versions Affected

Affects GitLab CE/EE 9.3 and later.

### Remediation

We **strongly recommend** that all installations running an affected version above be upgraded to the latest version as soon as possible.

## Information disclosure repo existence

An information disclosure was discovered which could allow an attacker to determine the existence of a private repo by attempting to clone it. The issue is now mitigated in the latest release and is assigned [CVE-2019-9223](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9223).

Thanks to [Tim Wanders](https://gitlab.com/tim241) for responsibly reporting this vulnerability to us.

### Versions Affected

Affects GitLab CE/EE 8.15 and later.

### Remediation

We **strongly recommend** that all installations running an affected version above be upgraded to the latest version as soon as possible.

## Issue DoS via Mermaid

An input validation issue was discovered in the issue page markdown field which could result in a DoS on the affected issue. The issue is now mitigated in the latest release and is assigned [CVE-2019-9220](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9220).

Thanks to [@8ayac](https://hackerone.com/8ayac) for responsibly reporting this vulnerability to us.

### Versions Affected

Affects GitLab CE/EE 10.2 and later.

### Remediation

We **strongly recommend** that all installations running an affected version above be upgraded to the latest version as soon as possible.

## Privilege escalation impersonate user

The impersonate user feature contained a vulnerability which could allow for the user being impersonated to escalate privileges. The issue is now mitigated in the latest release and is assigned [CVE-2019-9485](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9485).

Thanks to [@skavans](https://hackerone.com/skavans) for responsibly reporting this vulnerability to us.

### Versions Affected

Affects GitLab CE/EE 10.8 and later.

### Remediation

We **strongly recommend** that all installations running an affected version above be upgraded to the latest version as soon as possible.

## Validate InResponseTo when linking GitLab.com Group SAML

GitLab.com now validates that the `InResponseTo` field in the SAML response matches the unique ID we generated for the initial request, in order to prevent account hijacking. Note that GitLab.com issues cannot be assigned CVE IDs.
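As an added illustration of this check (example code, not GitLab's own implementation), the validator below issues a request ID when a user is sent to the IdP and only accepts a SAML `Response` whose `InResponseTo` echoes an outstanding ID issued for the same group; the class name, the in-memory store and the sample XML are assumptions for this example, and signature verification is assumed to happen separately.

```ruby
require "rexml/document"
require "securerandom"

# Added example (not GitLab's code): track issued AuthnRequest IDs and require
# that the IdP's Response answers one of them via InResponseTo.
class SamlInResponseToValidator
  SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

  def initialize
    @pending = {} # request id => group the request was issued for (session-backed in a real app)
  end

  # Called when the user is redirected to the IdP; the id is kept server-side.
  def issue_request(group)
    id = "_#{SecureRandom.hex(16)}"
    @pending[id] = group
    id
  end

  # Returns the group when the response answers an outstanding request for that
  # group, nil otherwise. A matched id is consumed so the response cannot be replayed.
  def validate(response_xml, group)
    root = REXML::Document.new(response_xml).root
    return nil unless root && root.name == "Response" && root.namespace == SAMLP_NS

    in_response_to = root.attributes["InResponseTo"]
    # A missing InResponseTo is an unsolicited (IdP-initiated) response: it cannot be
    # tied to a request this server made, so it is rejected under this policy.
    return nil if in_response_to.nil? || in_response_to.empty?
    return nil unless @pending[in_response_to] == group

    @pending.delete(in_response_to)
    group
  end
end

# Constructed sample Response for illustration; nil omits the InResponseTo attribute.
def sample_response(in_response_to)
  attr = in_response_to ? %( InResponseTo="#{in_response_to}") : ""
  <<~XML
    <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_r1"#{attr}>
      <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
    </samlp:Response>
  XML
end
```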

### Versions Affected

Affects GitLab.com Only.

### Remediation

The patch has already been applied to GitLab.com.

## Permissions issue GitLab.com Group SAML

Disabling the Group SAML option, after previously enabling it, could still allow users to join via SAML SSO. Note that GitLab.com issues cannot be assigned CVE IDs.

Thanks to [@ngalog](https://hackerone.com/ngalog) for responsibly reporting this vulnerability to us.

### Versions Affected

Affects GitLab.com Only.

### Remediation

The patch has already been applied to GitLab.com.

## Omnibus updates

Non-security updates for the `gitlab-ctl restart unicorn` `restart_command` have been applied. Please see https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests/3062 for more details regarding this update.

## Updating

To update, check out our [update page](/update).