By security practitioners, for security practitioners | novacoast

GitLab Security Updates Patch Dozens of Newly Disclosed Vulnerabilities

Multiple high-rated Cross-Site Scripting (XSS) vulnerabilities that allow arbitrary JavaScript execution are among the many vulnerabilities patched according to GitLab’s latest advisory.

Most are resolved by upgrading to versions 14.1.7, 14.2.5, or 14.3.1.

Background

Approximately 30 vulnerabilities impacting the Git repository manager and DevOps platform GitLab have been disclosed over the last 24 hours. The majority appear to be responsible disclosures of the vulnerabilities recently discussed in this official patch advisory from the 31st of September.

Those considering an upgrade to 14.3.1 should note that a 14.3.2 release followed the next day and “resolves a number of regressions and bugs in the 14.3 release”, indicating there may be issues with the 14.3.1 version.

Vulnerabilities summary

Below is a brief summary of the 4 “high”-rated vulnerabilities recorded in the National Vulnerability Database (NVD). The first 3 are mentioned in the advisory; the 4th appears to have also been patched recently.

CVE-2021-39877 – An attacker can cause uncontrolled resource consumption with a malicious file.

CVE-2021-39885 – Stored XSS vulnerability allowing arbitrary JavaScript execution via malicious approval names (may only impact Enterprise Edition, according to the NVD entry).

CVE-2021-39887 – Stored XSS vulnerability in GitLab Flavored Markdown allowing arbitrary JavaScript execution.

CVE-2021-22261 – Stored XSS vulnerability in the Jira integration for GitLab that can result in arbitrary JavaScript execution.
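
Three of the four CVEs above are stored XSS: user-controlled text (an approval rule name, Markdown, data pulled from Jira) is persisted and later rendered into a page without sufficient output encoding or sanitization. The example below is added here to illustrate the defensive pattern; it is not GitLab's own sanitizer and says nothing about how these specific bugs arose. It implements a small allowlist sanitizer on Python's standard-library HTMLParser: every text node is entity-escaped, tags outside a constructed allowlist are dropped, event-handler attributes are never copied through, and link targets are checked for a script-capable scheme. The allowlists and sample inputs are constructed for this illustration.

```python
"""Allowlist HTML sanitizer for rendering untrusted, user-supplied text.

Added example, not GitLab code. The tag/attribute allowlists are constructed
for illustration; a real deployment would tune them to the features rendered.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

ALLOWED_TAGS = {"p", "a", "strong", "em", "code", "pre", "ul", "ol", "li", "br"}
ALLOWED_ATTRS = {"a": {"href", "title"}}        # no on* handlers, no style
SAFE_SCHEMES = {"", "http", "https", "mailto"}  # "" covers relative URLs
VOID_TAGS = {"br"}
RAW_TEXT_TAGS = {"script", "style"}            # tag and text content dropped


def safe_href(value: str) -> bool:
    """True unless the URL scheme could execute script (javascript:, data:, ...)."""
    # Browsers ignore embedded tab/newline characters when parsing URLs, so strip
    # them before inspecting the scheme; otherwise "java\tscript:" slips past.
    cleaned = "".join(ch for ch in value if ch not in "\t\r\n").strip()
    return urlsplit(cleaned).scheme.lower() in SAFE_SCHEMES


class AllowlistSanitizer(HTMLParser):
    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out = []
        self._raw_depth = 0  # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in RAW_TEXT_TAGS:
            self._raw_depth += 1
            return
        if self._raw_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag dropped; its text content is still kept
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops onclick/onerror/style/etc.
            if name == "href" and not safe_href(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in RAW_TEXT_TAGS:
            self._raw_depth = max(0, self._raw_depth - 1)
            return
        if self._raw_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._raw_depth:
            self.out.append(escape(data))  # text nodes are always entity-escaped

    # Comments, declarations and processing instructions fall through to the
    # base class, which emits nothing for them.


def sanitize(untrusted_html: str) -> str:
    """Return a fragment in which only allowlisted tags and attributes survive."""
    parser = AllowlistSanitizer()
    parser.feed(untrusted_html)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed sample: an "approval rule name" that carries markup.
    for sample in (
        '<p>Hello <strong>team</strong></p><script>alert(1)</script>',
        '<a href="javascript:alert(1)" onclick="steal()">link</a>',
        '<img src=x onerror=alert(1)>',
        '5 &lt; 6 &amp; <b>x</b>',
    ):
        print(repr(sample), "->", repr(sanitize(sample)))
```

The point to take from this is the shape of the defence, not the particular lists: encode on output, allow rather than deny, and treat URL attributes as their own class of input. Sanitizers built this way are still a moving target (the parser must see the same tree the browser does, and unbalanced tags are passed through as-is here), which is why upgrading to a fixed release remains the primary remediation.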

Mitigations

Though the impacted versions and mitigations vary by CVE, most CVEs are resolved by upgrading to 14.1.7, 14.2.5 or 14.3.1.

Please consult the GitLab advisory and specific CVEs for more details, including impacted versions.
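
For an administrator with more than one instance to check, the first question is simply whether each instance is on or above the fixed version for its release branch. The script below is an added example (not a GitLab tool) that encodes only the three fixed versions named in this post, 14.1.7, 14.2.5 and 14.3.1, and classifies a version string against them. Versions on branches the post does not mention are reported as "not covered" rather than guessed at, since impacted versions vary by CVE. The `version` field it parses matches the shape of the JSON returned by GitLab's authenticated `GET /api/v4/version` endpoint; the sample response strings here are constructed, and the "-ee"/"-ce" suffix handling is an assumption about that format.

```python
"""Classify a GitLab version string against the fixed versions in this post.

Added example, not GitLab code. FIXED_VERSIONS holds exactly the three fixed
releases named in the advisory summary; nothing else is assumed about the
affected ranges of individual CVEs.
"""
import json
from typing import Tuple

# Minimum fixed version per 14.x release branch, as stated in the post.
FIXED_VERSIONS = {
    (14, 1): (14, 1, 7),
    (14, 2): (14, 2, 5),
    (14, 3): (14, 3, 1),
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '14.3.1-ee' (or '14.3.1') into (14, 3, 1).

    Assumption: the edition suffix, when present, follows a single hyphen.
    """
    core = text.strip().split("-", 1)[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def patch_status(version_text: str) -> str:
    """Return 'patched', an upgrade instruction, or a 'not covered' note."""
    version = parse_version(version_text)
    branch = version[:2]
    if branch in FIXED_VERSIONS:
        fixed = FIXED_VERSIONS[branch]
        if version >= fixed:
            return "patched"
        return "upgrade to " + ".".join(str(n) for n in fixed) + " or later"
    if branch > max(FIXED_VERSIONS):
        # Newer than any branch the advisory names; fixes are assumed to carry
        # forward, but confirm against that release's own notes.
        return "newer than advisory branches; verify against release notes"
    return "branch not covered by this advisory; upgrade to a fixed branch"


def status_from_api_response(body: str) -> Tuple[str, str]:
    """Parse a /api/v4/version JSON body and classify the reported version."""
    data = json.loads(body)
    return data["version"], patch_status(data["version"])


if __name__ == "__main__":
    # Constructed responses standing in for several instances' API replies.
    for body in (
        '{"version": "14.3.0-ee", "revision": "placeholder"}',
        '{"version": "14.2.5-ce", "revision": "placeholder"}',
        '{"version": "14.0.9-ee", "revision": "placeholder"}',
    ):
        print(status_from_api_response(body))
```

Run it against each instance's `/api/v4/version` reply (a personal access token is required for that endpoint) and act on anything other than "patched". The 14.3.2 note above still applies: an instance reporting 14.3.1 is classified as patched for these CVEs, which is a separate question from whether the 14.3.2 regression fixes are wanted.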

Resources

Security Advisory: GitLab Security Release: 14.3.1, 14.2.5, and 14.1.7

Gitlab Release: 14.3.2 (suggests there may be regressions/issues with 14.3.1)

CVE-2021-39877

CVE-2021-39885

CVE-2021-39887

CVE-2021-22261
