Vulnerabilities detected in Omnibus packages v16.1.0
Summary
Customer has used Ermetic to scan for vulnerabilities at the EC2 level. They've ensured that the Amazon Linux VM is fully up to date with `yum update`. The instance is based on ami-0453cb7b5f2b7fca2 (amzn2-ami-hvm-2.0.20210721.2-x86_64-gp2).
Ermetic has reported the following vulnerabilities:
| Vulnerability | CVSS Severity | Has Exploit | Package | Installed Versions | Fixed Versions |
|---|---|---|---|---|---|
| CVE-2019-19919 | Critical | No | handlebars | 1.0.0 | 4.3.0 |
| CVE-2021-23369 | Critical | No | handlebars | 1.0.0 | 4.7.7 |
| CVE-2021-23383 | Critical | No | handlebars | 1.0.0 | 4.7.7 |
| CVE-2021-44906 | Critical | No | minimist | 1.2.5 | 0.2.4, 1.2.6 |
| CVE-2022-40083 | Critical | No | github.com/labstack/echo/v4 | 4.1.11 | 4.9.0 |
| CVE-2022-41912 | Critical | No | github.com/crewjam/saml | v0.4.6-0.20201227203850-bca570abb2ce | 0.4.9 |
Their GitLab version is v16.1.0.
More details, including a more detailed vulnerability report, can be found in the ZenDesk ticket (internal).
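The scanner output above pairs each installed version with one or more fixed versions, and the minimist row lists two fix branches (0.2.4 for the 0.x line, 1.2.6 for the 1.x line). The following triage script is an added example, not part of this issue or of GitLab's tooling: it parses a CSV export in the shape shown above (the six rows are embedded as constructed sample input) and decides per finding whether the installed version is still below the fix on its own release line. The branch-matching rule (compare against fixes with the same major version, otherwise against the newest fix) is an assumed heuristic, and Go pseudo-versions such as the crewjam/saml one are reduced to their numeric prefix.

```python
import csv
import io
import re
from typing import List, Tuple

# Constructed sample input: the scanner rows quoted in this issue, with the
# minimist "Fixed Versions" cell holding two fix branches in one quoted field.
SAMPLE_REPORT = """Vulnerability,CVSS Severity,Has Exploit,Package,Installed Versions,Fixed Versions
CVE-2019-19919,Critical,No,handlebars,1.0.0,4.3.0
CVE-2021-23369,Critical,No,handlebars,1.0.0,4.7.7
CVE-2021-23383,Critical,No,handlebars,1.0.0,4.7.7
CVE-2021-44906,Critical,No,minimist,1.2.5,"0.2.4, 1.2.6"
CVE-2022-40083,Critical,No,github.com/labstack/echo/v4,4.1.11,4.9.0
CVE-2022-41912,Critical,No,github.com/crewjam/saml,v0.4.6-0.20201227203850-bca570abb2ce,0.4.9
"""


def parse_version(text: str) -> Tuple[int, int, int]:
    """Reduce a version string to a comparable (major, minor, patch) tuple.

    Strips a leading 'v' and drops pre-release / build suffixes, so a Go
    pseudo-version like v0.4.6-0.20201227203850-bca570abb2ce becomes (0, 4, 6).
    """
    core = text.strip().lstrip("v").split("-", 1)[0].split("+", 1)[0]
    parts: List[int] = []
    for piece in core.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def split_fixed(cell: str) -> List[str]:
    """Split a 'Fixed Versions' cell that may list several fix branches."""
    return [v for v in re.split(r"[,\s;]+", cell.strip()) if v]


def is_still_vulnerable(installed: str, fixed: List[str]) -> bool:
    """Assumed heuristic: an install is resolved once it reaches the fix on
    its own major line; with no fix on that line it is open only while it is
    older than the newest fix listed (1.0.0 vs 4.3.0 is open, 5.0.0 is not)."""
    inst = parse_version(installed)
    fixes = [parse_version(f) for f in fixed]
    same_major = [f for f in fixes if f[0] == inst[0]]
    if same_major:
        return inst < min(same_major)
    return inst < max(fixes)


def triage(report_csv: str) -> List[dict]:
    """Parse the scanner CSV and mark each finding as open or resolved."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        fixed = split_fixed(row["Fixed Versions"])
        findings.append({
            "cve": row["Vulnerability"],
            "package": row["Package"],
            "installed": row["Installed Versions"],
            "fixed": fixed,
            "open": is_still_vulnerable(row["Installed Versions"], fixed),
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        state = "OPEN" if f["open"] else "resolved"
        print(f"{f['cve']:<15} {f['package']:<30} {f['installed']} -> "
              f"{', '.join(f['fixed'])}: {state}")
```

All six findings come out as open with this rule, which matches the report; the value of the script is in the minimist case, where 1.2.5 is judged against 1.2.6 rather than against the unrelated 0.2.4 branch, and in making the same comparison repeatable after the omnibus package is upgraded.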
Steps to reproduce
Example Project
Relevant logs and/or screenshots
Output of checks
Results of GitLab environment info
(For installations with omnibus-gitlab package run and paste the output of: `sudo gitlab-rake gitlab:env:info`) (For installations from source run and paste the output of: `sudo -u git -H bundle exec rake gitlab:env:info RAILS_ENV=production`)
Results of GitLab application Check
(For installations with omnibus-gitlab package run and paste the output of: `sudo gitlab-rake gitlab:check SANITIZE=true`) (For installations from source run and paste the output of: `sudo -u git -H bundle exec rake gitlab:check RAILS_ENV=production SANITIZE=true`) (we will only investigate if the tests are passing)