GitLab Addressed Multiple Important Vulnerabilities With The Latest Releases


GitLab has recently addressed numerous security vulnerabilities in its latest software releases. Although the flaws fall into different categories, GitLab rated all of them as important severity, and urges users to apply the updates as soon as possible.

Multiple GitLab Vulnerabilities Addressed

GitLab has addressed 17 different security vulnerabilities. Some of these were reported through GitLab's HackerOne bug bounty program, while others were found by GitLab's own team.

The most noteworthy of these vulnerabilities is an arbitrary file read flaw (pending CVE assignment). Reported by bug hunter William Bowling, the flaw allowed arbitrary local file read when moving issues between projects. This vulnerability affected GitLab Enterprise Edition (EE)/Community Edition (CE) version 8.5.

The same researcher also found an SSRF vulnerability in the project import feature (CVE-2020-10956). GitLab hasn't disclosed the versions affected by this flaw.

For his discovery, Bowling has won a $20,000 bounty as well.

Another important finding came from a bug bounty hacker with the alias xyd (saltyyolk) of Chaitin Tech. He reported a path traversal vulnerability (CVE-2020-10953) affecting the NPM package registry. This flaw affected GitLab EE 11.7 and later versions.

Likewise, there was a flaw in repository archive download that may lead to denial of service (CVE-2020-10954). Details regarding the versions affected by this flaw have yet to surface online.

Details regarding other security fixes are available in GitLab’s advisory.

Patches Rolled Out

For now, GitLab hasn't revealed explicit details regarding the security vulnerabilities it addressed. Nonetheless, it developed and released patches for these vulnerabilities ahead of disclosing the details.

Consequently, GitLab has rolled out versions 12.9.1, 12.8.8, and 12.7.8 for GitLab Community Edition (CE) and Enterprise Edition (EE). It has urged all users to upgrade to one of these patched versions immediately to stay protected. Full disclosure of the bugs will be made public after 30 days.
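For administrators running self-managed instances, the practical question is whether each instance is on a fixed release line. The following script is an added example (not GitLab's own code or tooling): it compares a reported version string against the three fixed releases named above and flags anything older on the same release line. The inventory of hostnames and versions is constructed for illustration; the rule that release lines older than 12.7 are unpatched is an assumption based on the advisory listing no fixes for them.

```python
"""Flag self-managed GitLab instances that are not on a fixed release.

Added example for the advisory above; the fixed versions come from the
article, everything else (inventory, helper names) is constructed.
"""
import re
from typing import Dict, Tuple

# Fixed releases named in GitLab's advisory, keyed by release line
# (major, minor) -> minimum patch level carrying the fixes.
FIXED_RELEASES: Dict[Tuple[int, int], int] = {
    (12, 9): 1,   # 12.9.1
    (12, 8): 8,   # 12.8.8
    (12, 7): 8,   # 12.7.8
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse 'major.minor.patch' and ignore an edition suffix such as '-ee'.

    GitLab reports versions like '12.9.1-ee' from its version endpoint;
    only the numeric triple matters for the comparison.
    """
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised GitLab version string: {version!r}")
    major, minor, patch = (int(part) for part in match.groups())
    return major, minor, patch


def is_patched(version: str) -> bool:
    """Return True if `version` is at or above the fix for its release line.

    Rules (assumptions stated in the lead-in):
      - on a fixed line (12.7, 12.8, 12.9): patch level must reach the fix;
      - any line newer than 12.9 is treated as carrying the fixes;
      - any line older than 12.7 received no backport and is unpatched.
    """
    major, minor, patch = parse_version(version)
    line = (major, minor)
    if line in FIXED_RELEASES:
        return patch >= FIXED_RELEASES[line]
    newest_fixed_line = max(FIXED_RELEASES)
    return line > newest_fixed_line


def audit_inventory(inventory: Dict[str, str]) -> Dict[str, bool]:
    """Map each hostname in `inventory` to whether its version is patched."""
    return {host: is_patched(ver) for host, ver in inventory.items()}


def unpatched_hosts(inventory: Dict[str, str]):
    """Return the sorted list of hostnames that still need the upgrade."""
    return sorted(host for host, ok in audit_inventory(inventory).items() if not ok)


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are illustrative.
    SAMPLE_INVENTORY = {
        "git-prod.example.test": "12.9.1-ee",
        "git-staging.example.test": "12.8.7-ce",
        "git-legacy.example.test": "12.6.4-ce",
        "git-dev.example.test": "12.10.0-ee",
    }
    for host, ok in audit_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:28s} {SAMPLE_INVENTORY[host]:12s} {'patched' if ok else 'UPGRADE REQUIRED'}")
```

The version strings can be fed in from the `GET /api/v4/version` endpoint of each instance (it requires an authenticated token) or from the admin area; the script deliberately takes them as plain input so it runs offline against any inventory you already maintain.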

Let us know your thoughts in the comments.

Abeerah Hashim

Abeerah has been a passionate blogger for several years with a particular interest towards science and technology. She is crazy to know everything about the latest tech developments. Knowing and writing about cybersecurity, hacking, and spying has always enchanted her. When she is not writing, what else can be a better pastime than web surfing and staying updated about the tech world! Reach out to me at: [email protected]