GitLab has recently addressed numerous security vulnerabilities in its latest software releases. Although the flaws fall into different categories, GitLab rated all of them as important severity bugs, and it urges users to apply the updates as soon as possible.
Multiple GitLab Vulnerabilities Addressed
GitLab has just addressed 17 different security vulnerabilities. Some of these vulnerabilities came to GitLab's attention through its HackerOne bug bounty program, while the others were found by its own team.
The most noteworthy of these vulnerabilities is an arbitrary file read flaw (pending CVE assignment). Reported by bug hunter William Bowling, the flaw allowed arbitrary local file read when moving issues between projects. This vulnerability affected GitLab Enterprise Edition (EE) / Community Edition (CE) version 8.5.
The same researcher also found an SSRF vulnerability in the project import feature (CVE-2020-10956). GitLab hasn't disclosed the versions affected by this flaw.
For his discoveries, Bowling has also received a $20,000 bounty.
Another important finding came from a bug bounty hunter known as xyd (saltyyolk) of Chaitin Tech, who reported a path traversal vulnerability (CVE-2020-10953) affecting the NPM package registry. This flaw affected GitLab EE 11.7 and later versions.
Likewise, a flaw in repository archive downloads could lead to denial of service (CVE-2020-10954). Details regarding the versions affected by this flaw have yet to surface online.
Details regarding other security fixes are available in GitLab’s advisory.
Patches Rolled Out
For now, GitLab hasn't revealed explicit details about the security vulnerabilities it addressed. Nonetheless, it developed and released patches for these vulnerabilities before disclosing the details.
Consequently, it has rolled out versions 12.9.1, 12.8.8, and 12.7.8 for GitLab Community Edition (CE) and Enterprise Edition (EE), and urges all users to upgrade to one of these patched versions immediately to stay protected. Complete disclosure of the bugs will be made public after 30 days.
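A practical follow-up to the upgrade advice is checking which instances in a fleet are still below the fixed release for their branch. The script below is an added example, not GitLab's own tooling; it assumes version strings in GitLab's usual `MAJOR.MINOR.PATCH[-ee|-ce]` form and uses a constructed inventory. Branches outside the three the advisory names are flagged for manual review rather than guessed at.

```python
from __future__ import annotations
import re

# Fixed releases named in the advisory, keyed by release branch
# (major, minor) -> first patch level that contains the fixes.
FIXED_RELEASES = {
    (12, 9): 1,
    (12, 8): 8,
    (12, 7): 8,
}

_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)(?:-(ee|ce))?\b")

def parse_version(version: str) -> tuple[int, int, int, str]:
    """Parse strings such as '12.9.0-ee' or '12.8.8' into (major, minor, patch, edition)."""
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {version!r}")
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    return major, minor, patch, m.group(4) or "unknown"

def is_patched(version: str) -> bool | None:
    """True if on a fixed release, False if on an affected branch below the fix
    (or on an older branch that received no patch), None if the branch is newer
    than those the advisory lists and needs a manual check."""
    major, minor, patch, _ = parse_version(version)
    needed = FIXED_RELEASES.get((major, minor))
    if needed is not None:
        return patch >= needed
    if (major, minor) > (12, 9):
        return None  # assumption: later branches must be verified separately
    return False     # 12.6 and earlier: no patched release named for them

# Constructed sample inventory (hostname, reported version); not real hosts.
SAMPLE_INVENTORY = [
    ("git-prod-01", "12.9.0-ee"),
    ("git-prod-02", "12.9.1-ee"),
    ("git-staging", "12.8.8-ce"),
    ("git-legacy", "12.6.4-ce"),
    ("git-lab", "12.10.0-ee"),
]

def triage(inventory: list[tuple[str, str]]) -> dict[str, list[str]]:
    """Group hosts into patched / unpatched / review buckets."""
    buckets: dict[str, list[str]] = {"patched": [], "unpatched": [], "review": []}
    for host, version in inventory:
        status = is_patched(version)
        key = "review" if status is None else ("patched" if status else "unpatched")
        buckets[key].append(host)
    return buckets

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```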