FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

GitLab -- Various security issues

Affected packages
8.0.0 <= gitlab <= 8.17.6
9.0.0 <= gitlab <= 9.0.10
9.1.0 <= gitlab <= 9.1.7
9.2.0 <= gitlab <= 9.2.7
9.3.0 <= gitlab <= 9.3.7


VuXML ID 92f4191a-6d25-11e7-93f7-d43d7e971a1b
Discovery 2017-07-20
Entry 2017-07-20
Modified 2017-08-15

GitLab reports:

Projects in subgroups authorization bypass with SQL wildcards (CVE-2017-11438)

An internal code review disclosed that, by choosing a namespace with underscores, an authenticated user could take advantage of a badly written SQL query to add themselves to any project inside a subgroup with permissions of their choice.
This vulnerability was caused by a SQL query that automatically adjusts project permissions but does not escape wildcards. This vulnerability was coincidentally patched when the affected code was rewritten for 9.3. Therefore, versions 9.3 and above are not vulnerable.

This issue has been assigned CVE-2017-11438.

Note: GitLab-CE+EE 8.17 is not vulnerable to this issue, however patches have been included to improve the security of the SQL queries in 8.17.7.
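The following is an added example, not GitLab's own code or schema: it reconstructs the class of flaw described above (a membership-propagation query that builds a SQL LIKE pattern from a namespace path without escaping the LIKE metacharacters `_` and `%`) on a hypothetical two-table schema with constructed data, using Python's sqlite3 instead of GitLab's Rails/PostgreSQL stack. The table names, column names and access levels are assumptions for illustration; the fixed variant shows the usual repair, escaping the path and declaring an ESCAPE character.

```python
# Added example (not GitLab's code). Hypothetical schema and query that
# reproduce the class of flaw in CVE-2017-11438: a membership-propagation
# query builds a LIKE pattern from a namespace path without escaping the
# LIKE wildcards '_' and '%'. Sample data is constructed; runs on sqlite3.
import sqlite3

# Constructed data: a group "acme" with subgroup "acme/infra" (private
# projects 1 and 2), plus an unrelated namespace "acme_infra" that the
# attacker is free to create and owns.
PROJECTS = [
    (1, "acme/infra/deploy"),
    (2, "acme/infra/secrets"),
    (3, "acme_infra/scratch"),
]


def setup():
    """Fresh in-memory database holding the constructed projects."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE projects (id INTEGER PRIMARY KEY, path TEXT)")
    db.execute(
        "CREATE TABLE project_members "
        "(project_id INTEGER, username TEXT, access INTEGER)"
    )
    db.executemany("INSERT INTO projects VALUES (?, ?)", PROJECTS)
    return db


def like_escape(s, esc="\\"):
    """Escape LIKE metacharacters so they match literally under ESCAPE esc."""
    return (s.replace(esc, esc + esc)
             .replace("%", esc + "%")
             .replace("_", esc + "_"))


def members_of(db, username):
    """Sorted (project_id, access) rows held by username."""
    rows = db.execute(
        "SELECT project_id, access FROM project_members "
        "WHERE username = ? ORDER BY project_id",
        (username,),
    ).fetchall()
    return [tuple(r) for r in rows]


def propagate_vulnerable(db, namespace_path, username, access):
    """Flawed version: the namespace path goes into the LIKE pattern unescaped.
    The '_' in 'acme_infra' is a one-character wildcard, so 'acme_infra/%'
    also matches every project under 'acme/infra/'."""
    db.execute(
        "INSERT INTO project_members (project_id, username, access) "
        "SELECT id, ?, ? FROM projects WHERE path LIKE ?",
        (username, access, namespace_path + "/%"),
    )
    return members_of(db, username)


def propagate_fixed(db, namespace_path, username, access):
    """Fixed version: wildcards in the path are escaped and ESCAPE is declared,
    so only projects under the literal namespace path are affected."""
    db.execute(
        "INSERT INTO project_members (project_id, username, access) "
        "SELECT id, ?, ? FROM projects WHERE path LIKE ? ESCAPE '\\'",
        (username, access, like_escape(namespace_path) + "/%"),
    )
    return members_of(db, username)


if __name__ == "__main__":
    OWNER = 50  # hypothetical access level chosen by the attacker
    print("vulnerable:", propagate_vulnerable(setup(), "acme_infra", "mallory", OWNER))
    print("fixed:     ", propagate_fixed(setup(), "acme_infra", "mallory", OWNER))
```

With the flawed query, owning the namespace `acme_infra` grants "mallory" the chosen access level on projects 1 and 2 under `acme/infra` as well as on her own project 3; with escaping in place only project 3 is touched. The same hazard applies to any LIKE pattern assembled from user-controlled names, whether or not the query is otherwise parameterised: binding the value prevents injection, but does not neutralise the pattern metacharacters.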

Symlink cleanup from a previous security release

The 9.2.5 security release contained a fix for a data corruption vulnerability involving file uploads. This fix utilized symlinks to migrate file uploads to a new directory. Due to a typo in the included migration a symlink was accidentally left behind after the migration finished. This symlink can cause problems with instance backups. A fix is included with these releases to remove the problematic symlink.

Accidental or malicious use of reserved names in group names could cause deletion of all snippet uploads

The 9.2.5 security release contained a fix for a data corruption vulnerability involving file uploads. After the release of 9.2.5 an internal code review determined that the recently introduced snippet file uploads feature was also vulnerable to file deletion. Snippet uploads have now been moved into the protected system namespace.

Project name leak on todos page

An internal code review discovered that forceful browsing could be utilized to disclose the names of private projects.

Denial of Service via regular expressions in CI process

Lukas Svoboda reported that regular expressions (regex) included with CI scripts could be utilized to perform a denial-of-service attack on GitLab instances. GitLab now uses the re2 Regex library to limit regex execution time.

Issue title leakage when external issue tracker is enabled

An internal code review determined that, when an external issue tracker is configured, it was possible to discover the titles of all issues in a given GitLab instance, including issues in private projects and confidential issues.


CVE Name CVE-2017-11438