Multiple high-rated Cross-Site Scripting (XSS) vulnerabilities that allow arbitrary JavaScript execution are among the many vulnerabilities patched according to GitLab’s latest security advisory.
Most are resolved by upgrading to versions 14.1.7, 14.2.5, or 14.3.1.
Background
Approximately 30 vulnerabilities impacting the Git repository manager and DevOps platform GitLab have been disclosed over the last 24 hours. The majority appear to be the public disclosure of the vulnerabilities fixed in this official patch advisory from the 30th of September.
It should be noted for those considering upgrading to 14.3.1 that a 14.3.2 upgrade was released the following day that “resolves a number of regressions and bugs in the 14.3 release”, indicating that 14.3.1 itself may have issues. Administrators on the 14.3 branch should go straight to 14.3.2, which carries the same security fixes.
Vulnerabilities summary
Below is a brief summary of the four “high” rated vulnerabilities recorded on the National Vulnerability Database (NVD). The first three are mentioned in the advisory; the fourth appears to have also been patched recently.
CVE-2021-39877 – An attacker can cause uncontrolled resource consumption (denial of service) with a malicious file.
CVE-2021-39885 – Stored XSS vulnerability allowing arbitrary JavaScript execution via malicious approval names (may only impact Enterprise Edition, according to the NVD entry).
CVE-2021-39887 – Stored XSS vulnerability in GitLab Flavored Markdown allowing arbitrary JavaScript execution.
CVE-2021-22261 – Stored XSS vulnerability in the Jira Integration for GitLab that can result in arbitrary JavaScript execution.
Mitigations
Though the impacted versions and mitigations vary by CVE, most CVEs are resolved by upgrading to 14.1.7, 14.2.5 or 14.3.1, i.e. the fixed release of whichever 14.x branch you are running.
Please consult the GitLab advisory and specific CVEs for more details, including impacted versions.
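The following is an added example (not part of the GitLab advisory or of GitLab’s own tooling) for checking whether an instance’s version string, as reported by `gitlab-rake gitlab:env:info` or the `/api/v4/version` endpoint, is at or above the fixed release for its branch. It assumes that releases older than 14.1 have no fixed release and that releases newer than 14.3 carry the fixes; both are assumptions, not statements from the advisory. The sample version strings in the loop are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the GitLab advisory: classify a GitLab version
# against the fixed releases named in the advisory (14.1.7, 14.2.5, 14.3.1).
#
# Exit status of gitlab_patched:
#   0 = at or above the fixed release for its branch
#   1 = older than the fixed release (upgrade needed)
#   2 = version string could not be parsed
#
# Assumptions (not stated on the page): 14.0 and earlier are treated as
# unpatched, and releases newer than 14.3 are treated as carrying the fixes.
gitlab_patched() {
    # Strip an edition suffix such as "-ee" or "-ce"
    # (gitlab-rake gitlab:env:info reports e.g. "14.3.1-ee").
    ver="${1%%-*}"

    # Accept only digits and dots.
    case "$ver" in
        ""|*[!0-9.]*) return 2 ;;
    esac

    major=$(printf '%s' "$ver" | cut -d. -f1)
    minor=$(printf '%s' "$ver" | cut -d. -f2)
    patch=$(printf '%s' "$ver" | cut -d. -f3)
    if [ -z "$major" ] || [ -z "$minor" ] || [ -z "$patch" ]; then
        return 2          # need all three of major.minor.patch
    fi

    if [ "$major" -lt 14 ]; then
        return 1          # 13.x and earlier: no fixed release on these branches
    elif [ "$major" -gt 14 ]; then
        return 0          # assumption: later majors include the fixes
    fi

    case "$minor" in
        1) fix=7 ;;       # 14.1.7
        2) fix=5 ;;       # 14.2.5
        3) fix=1 ;;       # 14.3.1 (14.3.2 is preferred, see above)
        0) return 1 ;;    # 14.0.x: no fixed release on this branch
        *) return 0 ;;    # 14.4+: assumption, released after the advisory
    esac

    if [ "$patch" -ge "$fix" ]; then
        return 0
    fi
    return 1
}

# Constructed sample versions (not taken from the page) to show the verdicts.
for v in 14.0.9 14.1.6 14.1.7 14.2.5-ee 14.3.0 14.3.2-ce 13.12.9 v14.3.1; do
    rc=0
    gitlab_patched "$v" || rc=$?
    case "$rc" in
        0) echo "$v: at or above the fixed release for its branch" ;;
        1) echo "$v: upgrade to 14.1.7 / 14.2.5 / 14.3.1 or later" ;;
        *) echo "$v: could not parse version string" ;;
    esac
done
```

The check only compares against the three fixed releases named here; it does not tell you which individual CVEs apply to a given version, so consult the advisory for per-CVE affected ranges.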
Resources
Security Advisory: GitLab Security Release: 14.3.1, 14.2.5, and 14.1.7
GitLab Release: 14.3.2 (suggests there may be regressions/issues with 14.3.1)