FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

GitLab -- multiple vulnerabilities

Affected packages
1.0.0 <= gitlab <= 9.3.10
9.4.0 <= gitlab <= 9.4.5
9.5.0 <= gitlab <= 9.5.3

Details

VuXML ID 6a177c87-9933-11e7-93f7-d43d7e971a1b
Discovery 2017-09-07
Entry 2017-09-14

GitLab reports:

Cross-Site Scripting (XSS) vulnerability in profile names

An external security audit performed by Madison Gurkha disclosed a Cross-Site Scripting (XSS) vulnerability in user names that could be exploited in several locations.

Open Redirect in go-get middleware

Tim Goddard via HackerOne reported that GitLab was vulnerable to an open redirect vulnerability caused when a specific flag is passed to the go-get middleware. This vulnerability could also possibly be used to conduct Cross-Site Scripting attacks.

Race condition in project uploads

Jobert Abma from HackerOne reported that GitLab was vulnerable to a race condition in project uploads. While very difficult to exploit, this race condition could potentially allow an attacker to overwrite a victim's uploaded project if the attacker can guess the name of the uploaded file before it is extracted.

Cross-Site Request Forgery (CSRF) token leakage

naure via HackerOne reported that GitLab was vulnerable to CSRF token leakage via improper filtering of external URLs in relative URL creation. A specially crafted link configured in a project's environments settings could be used to steal a visiting user's CSRF token.

Potential project disclosure via project deletion bug

An internal code review discovered that removed projects were not always being deleted from the file system. This could allow an attacker who knew the full path to a previously deleted project to steal a copy of the repository. These releases prevent the leftover repository from being accessed when creating a new project. The project deletion bug will be fixed in a later release.

White-listed style attribute for table contents in MD enables UI redressing

An external security audit performed by Recurity-Labs discovered a UI redressing vulnerability in the GitLab markdown sanitization library.

DOM clobbering in sanitized MD causes errors

An external security audit performed by Recurity-Labs discovered a DOM clobbering vulnerability in the GitLab markdown sanitization library that could be used to render project pages unreadable.

Nokogiri vendored libxslt library vulnerable to potential integer overflow (CVE-2017-5029 and CVE-2016-4738)

The bundled Nokogiri library has been updated to patch an integer overflow vulnerability. Details are available in the Nokogiri issue.

Security risk in recommended Geo configuration could give all users access to all repositories

An internal code review discovered that GitLab Geo instances could be vulnerable to an attack that would allow any user on the primary Geo instance to clone any repository on a secondary Geo instance.

GitLab Pages private certificate disclosure via symlinks

An external security review conducted by Recurity-Labs discovered a vulnerability in GitLab Pages that could be used to disclose the contents of private SSL keys.

References

CVE Name CVE-2016-4738
CVE Name CVE-2017-5029
URL https://about.gitlab.com/2017/09/07/gitlab-9-dot-5-dot-4-security-release/