Arch Linux Security Advisory ASA-202112-10
=========================================
Severity: High
Date    : 2021-12-11
CVE-ID  : CVE-2021-39910 CVE-2021-39915 CVE-2021-39917 CVE-2021-39919
          CVE-2021-39931 CVE-2021-39932 CVE-2021-39933 CVE-2021-39934
          CVE-2021-39935 CVE-2021-39936 CVE-2021-39937 CVE-2021-39938
          CVE-2021-39940 CVE-2021-39941 CVE-2021-39944 CVE-2021-39945
Package : gitlab
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-2603

Summary
======
The package gitlab before version 14.5.2-1 is vulnerable to multiple
issues including privilege escalation, access restriction bypass,
denial of service, information disclosure and content spoofing.

Resolution
=========
Upgrade to 14.5.2-1.

# pacman -Syu "gitlab>=14.5.2-1"

The problems have been fixed upstream in version 14.5.2.

Workaround
=========
None.

Description
==========
- CVE-2021-39910 (content spoofing)

An issue has been discovered in GitLab before version 14.5.2. GitLab
was vulnerable to HTML Injection through the Swagger UI feature.

- CVE-2021-39915 (information disclosure)

Improper access control in the GraphQL API in GitLab before version
14.5.2 allows an attacker to see the names of project access tokens on
arbitrary projects.

- CVE-2021-39917 (denial of service)

An issue has been discovered in GitLab before version 14.5.2. A regular
expression related to quick actions features was susceptible to
catastrophic backtracking that could cause a denial of service attack.

- CVE-2021-39919 (information disclosure)

In all versions of GitLab before version 14.5.2, the reset password
token and new user email token are accidentally logged which may lead
to information disclosure.

- CVE-2021-39931 (access restriction bypass)

An issue has been discovered in GitLab before version 14.5.2. Under
specific conditions an unauthorised project member was allowed to delete
a protected branch due to a business logic error.

- CVE-2021-39932 (denial of service)

An issue has been discovered in GitLab before version 14.5.2. Using
large payloads, the diff feature could be used to trigger high load
time for users reviewing code changes.

- CVE-2021-39933 (denial of service)

An issue has been discovered in GitLab before version 14.5.2. A regular
expression used for handling user input (notes, comments, etc.) was
susceptible to catastrophic backtracking that could cause a denial of
service attack.

- CVE-2021-39934 (information disclosure)

Improper access control allows any project member to retrieve the
service desk email address in GitLab before version 14.5.2.

- CVE-2021-39935 (access restriction bypass)

An issue has been discovered in GitLab before version 14.5.2.
Unauthorized external users could perform Server Side Requests via the
CI Lint API.

- CVE-2021-39936 (access restriction bypass)

Improper access control in GitLab before version 14.5.2 allows an
attacker in possession of a deploy token to access a project's disabled
wiki.

- CVE-2021-39937 (privilege escalation)

A collision in access memoization logic in all versions of GitLab
before version 14.5.2 leads to potential elevated privileges in groups
and projects under rare circumstances.

- CVE-2021-39938 (denial of service)

A vulnerable regular expression pattern in GitLab before version 14.5.2
allows an attacker to cause uncontrolled resource consumption leading
to Denial of Service via specially crafted deploy Slash commands.

- CVE-2021-39940 (denial of service)

An issue has been discovered in GitLab before version 14.5.2. GitLab
Maven Package registry is vulnerable to a regular expression denial of
service when a specifically crafted string is sent.

- CVE-2021-39941 (information disclosure)

An information disclosure vulnerability in GitLab before version 14.5.2
allowed non-project members to see the default branch name for projects
that restrict access to the repository to project members.

- CVE-2021-39944 (privilege escalation)

An issue has been discovered in GitLab before version 14.5.2. A
permissions validation flaw allowed group members with a developer role
to elevate their privilege to a maintainer on projects they import.

- CVE-2021-39945 (access restriction bypass)

Improper access control in the GitLab API affecting all versions before
version 14.5.2 allows an author of a Merge Request to approve the Merge
Request even after having their project access revoked.

Impact
=====
A remote attacker could elevate their privileges, bypass access
restrictions, disclose sensitive information, spoof content or cause
high resource consumption leading to denial of service.

References
=========
https://about.gitlab.com/releases/2021/12/06/security-release-gitlab-14-5-2-released/
https://security.archlinux.org/CVE-2021-39910
https://security.archlinux.org/CVE-2021-39915
https://security.archlinux.org/CVE-2021-39917
https://security.archlinux.org/CVE-2021-39919
https://security.archlinux.org/CVE-2021-39931
https://security.archlinux.org/CVE-2021-39932
https://security.archlinux.org/CVE-2021-39933
https://security.archlinux.org/CVE-2021-39934
https://security.archlinux.org/CVE-2021-39935
https://security.archlinux.org/CVE-2021-39936
https://security.archlinux.org/CVE-2021-39937
https://security.archlinux.org/CVE-2021-39938
https://security.archlinux.org/CVE-2021-39940
https://security.archlinux.org/CVE-2021-39941
https://security.archlinux.org/CVE-2021-39944
https://security.archlinux.org/CVE-2021-39945
