UPDATED GitLab has pushed out a significant security release that addresses multiple flaws including an arbitrary file read issue rated as ‘critical’ and two high-impact vulnerabilities.
An update to the popular version control platform released this week tackles a vulnerability involving cross-site scripting (XSS) in Notes, along with a high-impact authentication-related flaw involving a lack of state parameter on GitHub import project OAuth.
Users of the DevOps platform are strongly urged to upgrade to 14.6.2, 14.5.3, or 14.4.5 for GitLab Community Edition (CE) and Enterprise Edition (EE) in order to safeguard their environments.
The release also offers relief from seven moderate severity and two lower risk security bugs.
Coordinated disclosure
All three of the higher severity flaws were reported to GitLab by ethical hackers through a bug bounty program operated by HackerOne.
The Daily Swig reached out to all three security researchers for more information but we’re yet to hear anything back.
GitLab has published a security notification that summarizes the content of its security updates, but without going into great detail.
According to GitLab’s summary, the arbitrary file read vulnerability stemmed from incorrect file handling and involved the group import feature.
One of the high severity issues (tracked as CVE-2021-39946) meant it was possible to abuse the generation of HTML code related to emojis to uncover a stored XSS vulnerability in the notes feature of GitLab. “Improper neutralization of user input” was to blame for the issue, according to GitLab.
The other high severity vulnerability left GitLab instances vulnerable to a cross-site request forgery (CSRF) attack that “allows a malicious user to have their GitHub project imported on another GitLab user account”.
The root cause of the problem (CVE-2022-0154) was a lack of state parameter on GitHub import project OAuth.
In response to queries from The Daily Swig,GitLab commented on how it works with ethical hackers to identify security problems.
The GitLab Bug Bounty Program, and the talented bug bounty reporters from across the globe help us strengthen our product through the identification of security vulnerabilities. In February of 2021, GitLab moved to a managed bug bounty program with HackerOne. This enables us to scale our report triage process, filter out the noise, attract the best bounty hunters from around the world and ultimately present the most important reports to our security and development teams faster.
GitLab’s security update this week its the latest edition of its monthly, scheduled security releases. These normally follow a week or so after updates that introduce new features.
This story was updated to add comment from GitLab
Source: https://portswigger.net/daily-swig/gitlab-shifts-left-to-patch-high-impact-vulnerabilities