Several vulnerabilities have recently been found in GitLab CE/EE. Depending on the flaw, an attacker can cause a denial of service (DoS), bypass access controls, read data they are not authorised to see, or, through stored cross-site scripting (XSS), inject script that executes in other users' browsers. The following table lists the defects GitLab has identified and patched:
| Affected versions | CVE | Vulnerability description | Row |
|---|---|---|---|
| GitLab EE/CE 8.5 and later | – | Arbitrary File Read when Moving an Issue | 1 |
| GitLab EE 11.7 and later | CVE-2020-10953 | Path Traversal in NPM Package Registry | 2 |
| ? | CVE-2020-10956 | SSRF on Project Import | 3 |
| ? | – | External Users Can Create Personal Snippet | 4 |
| GitLab EE/CE 9.0 and later | – | Trigger Description Can Be Updated by Other Maintainers in Project | 5 |
| GitLab EE/CE 8.11 and later | – | Information Disclosure on Confidential Issues Moved to Private Projects | 6 |
| ? | CVE-2020-10954 | Potential DoS in Repository Archive Download | 7 |
| GitLab EE/CE 8.11 and later | CVE-2020-10952 | Blocked Users Can Still Pull/Push Docker Images | 8 |
| ? | – | Repository Mirroring Not Disabled When Feature Not Activated | 9 |
| GitLab EE/CE 10.8 and later | – | Vulnerability Feedback Page Was Leaking Information on Vulnerabilities | 10 |
| ? | – | Stored XSS Vulnerability in Admin Feature | 11 |
| GitLab EE/CE 11.1 and later | CVE-2020-10955 | Upload Feature Allowed a User to Read Unauthorized Exported Files | 12 |
| GitLab EE/CE 11.10 and later | – | Unauthorized Users Are Able to See CI Metrics | 13 |
| GitLab EE/CE 8.17 and later | – | Last Pipeline Status of a Merge Request Leaked | 14 |
| GitLab EE/CE 8.0 and later | – | Blind SSRF on FogBugz | 15 |
| All prior versions of GitLab CE/EE | CVE-2020-9795 | Update Nokogiri dependency | Updates |
| All prior versions of GitLab CE/EE | CVE-2019-20454 | Update Pcre2 dependency | Updates |
Vulnerability IDs marked with – have not yet been published.
Affected versions marked with ? have not yet been announced.
Solution:
GitLab has released versions 12.9.1, 12.8.8 and 12.7.8 of
- GitLab Community Edition (CE)
- GitLab Enterprise Edition (EE)
and advises all users of self-managed instances to upgrade to the latest patched version on their release branch as soon as possible.
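Because the fix shipped on three release branches at once, "am I patched?" is not a single version comparison: 12.8.7 needs 12.8.8, 12.7.7 needs 12.7.8, and anything on a branch older than 12.7 received no fix at all and must move to a supported branch. The following is an added example, not code from GitLab or from this advisory, that encodes that branch logic. It assumes the version string has the `MAJOR.MINOR.PATCH[-ee|-ce]` form that GitLab reports, e.g. `12.8.7-ee`; how you obtain it (GitLab's authenticated `GET /api/v4/version` endpoint, the admin page, or `gitlab-rake gitlab:env:info`) is outside the block, which takes the string directly so it runs offline.

```python
"""Classify a GitLab CE/EE version against the fixed releases 12.9.1,
12.8.8 and 12.7.8 named in this advisory.

Added example for this advisory; not GitLab's own code.
"""

import re
from typing import Dict, Tuple

Version = Tuple[int, int, int]

# First patched release on each supported branch (from the advisory).
FIXED_RELEASES: Dict[Tuple[int, int], Version] = {
    (12, 9): (12, 9, 1),
    (12, 8): (12, 8, 8),
    (12, 7): (12, 7, 8),
}


def parse_version(version: str) -> Version:
    """Parse 'MAJOR.MINOR.PATCH' with an optional '-ee' / '-ce' suffix,
    the form GitLab reports (e.g. '12.8.7-ee'). Rejects anything else
    rather than guessing, so a pre-release or garbage string fails loudly."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-(?:ee|ce))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def assess(version: str) -> str:
    """Return one of:
    'patched'     - on a supported branch, at or above that branch's fix
    'upgrade'     - on a supported branch, below that branch's fix
    'unsupported' - on a branch older than 12.7: no fix exists on that
                    branch, so a move to a supported branch is required
    'newer'       - newer than every release in the advisory, hence
                    already carries the fixes
    """
    v = parse_version(version)
    fixed = FIXED_RELEASES.get(v[:2])
    if fixed is not None:
        return "patched" if v >= fixed else "upgrade"
    if v > max(FIXED_RELEASES.values()):
        return "newer"
    return "unsupported"


if __name__ == "__main__":
    # Constructed sample inputs covering each outcome.
    for sample in ("12.9.1-ee", "12.8.7-ee", "12.7.8", "12.6.6", "12.10.0"):
        print(f"{sample:12s} -> {assess(sample)}")
```

Note that the comparison is done on integer tuples, not on the version string: a string comparison would rank `12.10.0` below `12.9.1` and wrongly flag an up-to-date instance.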
Source:
Reported by: Maher Center