Updated version control packages close vulnerabilities in GitLab CE and EE. One of the vulnerabilities receives the risk classification “critical”.
The developers of the version control software GitLab have released updated packages that fix multiple vulnerabilities, eight in total. One of them is even classified as critical. Both the Community Edition and the Enterprise Edition are available in a new version.
The vulnerability classified as critical could allow attackers to take over accounts. However, this requires a few preconditions: GitLab supports single sign-on (SSO) procedures to authenticate users. The Premium Plus subscription tier includes a “Group SAML SSO” feature. The abbreviation SAML stands for “Security Assertion Markup Language”, an XML format for exchanging authorization information. GitLab allows SSO authentication to be enabled for groups.
Critical leak in GitLab premium feature
Owners of a premium group could invite any user by username and e-mail address. That e-mail address could then be changed, via the “System for Cross-domain Identity Management” (SCIM) used to exchange identity information, to an address controlled by malicious actors. In the absence of two-factor authentication, they could then have taken over these accounts, the GitLab developers write in their release notes (CVE-2022-1680, CVSS 9.9, risk “critical”).
Due to missing input checks in so-called “Quick Actions”, people with malicious intent could have exploited a cross-site scripting (XSS) vulnerability to inject HTML into contact details. The developers classify this as a high-severity vulnerability (CVE-2022-1948, CVSS 8.7, high). In the Jira integration of GitLab EE, attackers could also have manipulated Jira issue entries to inject arbitrary JavaScript code that would have run with the victim’s privileges (CVE-2022-1940, CVSS 7.7, high).
The new versions also close four medium-severity vulnerabilities. Two of them made it possible to bypass the “IP allowlist”, which restricts access to permitted IP addresses (CVE-2022-1935 and CVE-2022-1936, CVSS 6.5, medium). Another concerns insufficient authorization in the Interactive Web Terminal (CVE-2022-1944, CVSS 5.4, medium). The fourth vulnerability allowed members of subgroups to list the members of the parent group (CVE-2022-1821, CVSS 4.3, medium).
As low risk, the programmers classified a vulnerability that would have allowed malicious group managers to add group members even though the membership list had been closed by the group owner (CVE-2022-1783, CVSS 2.7, low).
New versions of the version control system
The bugs affect GitLab CE and EE before the new versions 15.0.1, 14.10.4 and 14.9.5. Builds for various platforms are available on the GitLab project’s update page, such as the “Omnibus” package for Linux, but also for Kubernetes or Docker. Updates are also available for GitLab Runner.
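To triage installations against the fixed releases named above, here is an added example (not code from GitLab or from the original article) that classifies a version string, in the form GitLab reports it through `GET /api/v4/version`, by whether it predates the patched release of its branch; the version strings used below are constructed for illustration.

```python
"""Classify GitLab CE/EE versions against the fixed releases 15.0.1,
14.10.4 and 14.9.5 (the releases named in the article)."""
import re

# Patched release per minor branch, keyed by (major, minor).
FIXED = {
    (15, 0): (15, 0, 1),
    (14, 10): (14, 10, 4),
    (14, 9): (14, 9, 5),
}


def parse_version(text):
    """Turn 'X.Y.Z' or 'X.Y.Z-ee' (the suffix GitLab EE reports) into a tuple."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-\w+)?", text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    return tuple(int(part) for part in m.groups())


def is_affected(version):
    """True if the version predates the patched release for its branch.

    Branches newer than 15.0 already contain the fix. Branches older than
    14.9 received no patched release here, so they are treated as affected
    (conservative: such installations must move to a fixed branch).
    """
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch in FIXED:
        return (major, minor, patch) < FIXED[branch]
    return branch <= max(FIXED)


def triage(versions):
    """Map each version string to 'affected' or 'fixed' for a quick inventory."""
    return {v: ("affected" if is_affected(v) else "fixed") for v in versions}


if __name__ == "__main__":
    # Constructed sample inventory, e.g. collected from /api/v4/version.
    for version, state in triage(["14.10.3-ee", "14.9.5", "15.0.0", "14.8.6"]).items():
        print(f"{version:12} {state}")
```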
Due to the severity of some of the closed vulnerabilities, administrators should schedule a maintenance period for installing the updates as soon as possible.