Jun 30, 2022 - Nikhil George  

GitLab Critical Security Release: 15.1.1, 15.0.4, and 14.10.5

Learn more about GitLab Critical Security Release: 15.1.1, 15.0.4, and 14.10.5 for GitLab Community Edition (CE) and Enterprise Edition (EE).

Today we are releasing versions 15.1.1, 15.0.4, and 14.10.5 for GitLab Community Edition (CE) and Enterprise Edition (EE). Please note, this critical release will also serve as our monthly security release for June.

These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.

GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our security FAQ. You can see all of our regular and security release blog posts here. In addition, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.

We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.

We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.

When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.

Table of Fixes

Title Severity
Remote Command Execution via Project Imports critical
XSS in ZenTao integration affecting self hosted instances without strict CSP high
XSS in project settings page high
Unallowed users can read unprotected CI variables high
IP allow-list bypass to access Container Registries medium
2FA status is disclosed to unauthenticated users medium
IDOR in sentry issues medium
Reporters can manage issues in error tracking medium
CI variables provided to runners outside of a group's restricted IP range medium
Regular Expression Denial of Service via malicious web server responses medium
Unauthorized read for conan repository low
Open redirect vulnerability low
Group labels are editable through subproject low
Release titles visible for any users if group milestones are associated with any project releases low
Restrict membership by email domain bypass low
Job information is leaked to users who previously were maintainers via the Runner Jobs API endpoint low

Remote Command Execution via Project Imports

A critical issue has been discovered in GitLab affecting all versions starting from 14.0 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1 where an authenticated user authorized to import projects could import a maliciously crafted project leading to remote code execution. This is a critical severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H, 9.9). It is now mitigated in the latest release and is assigned CVE-2022-2185.

Thanks vakzz for reporting this vulnerability through our HackerOne bug bounty program.

XSS in ZenTao integration affecting self hosted instances without strict CSP

Insufficient sanitization in GitLab EE's external issue tracker affecting all versions from 14.5 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1 allows an attacker to perform cross-site scripting when a victim clicks on a maliciously crafted ZenTao link. This is a high severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N, 8.7). It is now mitigated in the latest release and is assigned CVE-2022-2235.

Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program.

XSS in project settings page

A Stored Cross-Site Scripting vulnerability in the project settings page in GitLab CE/EE affecting all versions from 14.4 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1, allows an attacker to execute arbitrary JavaScript code in GitLab on a victim's behalf. This is a high severity issue (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N, 8.1). It is now mitigated in the latest release and is assigned CVE-2022-2230.

Thanks yvvdwf for reporting this vulnerability through our HackerOne bug bounty program.

Unallowed users can read unprotected CI variables

An improper authorization issue in GitLab CE/EE affecting all versions from 13.7 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1 allows an attacker to extract the value of an unprotected variable they know the name of in public projects or private projects they're a member of. This is a high severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, 7.5). It is now mitigated in the latest release and is assigned CVE-2022-2229.

Thanks shell3c for reporting this vulnerability through our HackerOne bug bounty program.

IP allow-list bypass to access Container Registries

Incorrect authorization in GitLab EE affecting all versions from 10.7 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1, allowed an attacker already in possession of a valid Deploy Key or a Deploy Token to misuse it from any location to access Container Registries even when IP address restrictions were configured. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N, 6.5). It is now mitigated in the latest release and is assigned CVE-2022-1983.

This issue was found internally by a member of the GitLab team.

2FA status is disclosed to unauthenticated users

An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.4 before 14.10.5, all versions starting from 15.0 before 15.0.4, all versions starting from 15.1 before 15.1.1. GitLab reveals if a user has enabled two-factor authentication on their account in the HTML source, to unauthenticated users. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, 5.3). It is now mitigated in the latest release and is assigned CVE-2022-1963.

Thanks albatraoz for reporting this vulnerability through our HackerOne bug bounty program.

CI variables provided to runners outside of a group's restricted IP range

Information exposure in GitLab EE affecting all versions from 12.0 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1 allows an attacker with the appropriate access tokens to obtain CI variables in a group with using IP-based access restrictions even if the GitLab Runner is calling from outside the allowed IP range. This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N, 5.3). It is now mitigated in the latest release and is assigned CVE-2022-2228.

This vulnerability has been discovered internally by the GitLab team

IDOR in sentry issues

An access control vulnerability in GitLab EE/CE affecting all versions from 14.8 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1, allows authenticated users to enumerate issues in non-linked sentry projects. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N, 5.0). It is now mitigated in the latest release and is assigned CVE-2022-2243.

Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program.

Reporters can manage issues in error tracking

An improper authorization vulnerability in GitLab EE/CE affecting all versions from 14.8 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1, allows project memebers with reporter role to manage issues in project's error tracking feature. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N, 4.3). It is now mitigated in the latest release and is assigned CVE-2022-2244.

Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program.

Regular Expression Denial of Service via malicious web server responses

A Regular Expression Denial of Service vulnerability in GitLab CE/EE affecting all versions from 1.0.2 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1 allows an attacker to make a GitLab instance inaccessible via specially crafted web server response headers. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L, 4.3). It is now mitigated in the latest release and is assigned CVE-2022-1954.

Thanks afewgoats for reporting this vulnerability through our HackerOne bug bounty program.

Unauthorized read for conan repository

An issue has been discovered in GitLab affecting all versions starting from 12.4 before 14.10.5, all versions starting from 15.0 before 15.0.4, all versions starting from 15.1 before 15.1.1. GitLab was leaking Conan packages names due to incorrect permissions verification. This is a low severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N, 3.5). It is now mitigated in the latest release and is assigned CVE-2022-2270.

Thanks fushbey for reporting this vulnerability through our HackerOne bug bounty program.

Open redirect vulnerability

An open redirect vulnerability in GitLab EE/CE affecting all versions from 11.1 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1, allows redirect users to a malicious location. This is a low severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N, 4.7). It is now mitigated in the latest release and is assigned CVE-2022-2250.

Thanks stealthy for reporting this vulnerability through our HackerOne bug bounty program.

Group labels are editable through subproject

An issue has been discovered in GitLab CE/EE affecting all versions from 8.13 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1. Under certain conditions, using the REST API an unprivileged user was able to change labels description. This is a low severity issue (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N, 3.1). It is now mitigated in the latest release and is assigned CVE-2022-1999.

This vulnerability has been discovered internally by the GitLab team.

Release titles visible for any users if group milestones are associated with any project releases

An information disclosure vulnerability in GitLab EE affecting all versions from 12.5 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1, allows disclosure of release titles if group milestones are associated with any project releases. This is a low severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N, 2.6). It is now mitigated in the latest release and is assigned CVE-2022-2281.

Thanks ashish_r_padelkar for reporting this vulnerability through our HackerOne bug bounty program.

Restrict membership by email domain bypass

An issue has been discovered in GitLab EE affecting all versions starting from 12.2 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1. In GitLab, if a group enables the setting to restrict access to users belonging to specific domains, that allow-list may be bypassed if a Maintainer uses the 'Invite a group' feature to invite a group that has members that don't comply with domain allow-list. This is a low severity issue (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N, 2.7). It is now mitigated in the latest release and is assigned CVE-2022-1981.

Thanks muthu_prakash for reporting this vulnerability through our HackerOne bug bounty program.

Job information is leaked to users who previously were maintainers via the Runner Jobs API endpoint

Improper access control in the runner jobs API in GitLab CE/EE affecting all versions prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1 allows a previous maintainer of a project with a specific runner to access job and project meta data under certain conditions. This is a low severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N, 3.1). It is now mitigated in the latest release and is assigned CVE-2022-2227.

Thanks vaib25vicky for reporting this vulnerability through our HackerOne bug bounty program.

Update rack

The version of rack has been updated to 2.2.3.1 in order to mitigate security concerns.

Versions affected

Affects all versions of GitLab CE/EE

Updating

To update GitLab, see the update page. To update Gitlab Runner, see the Updating the Runner page.

Receive Security Release Notifications

To receive security release blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our security release RSS feed or our RSS feed for all releases.

We want to hear from you

Enjoyed reading this blog post or have questions or feedback? Share your thoughts by creating a new topic in the GitLab community forum.

Share your feedback

Take GitLab for a spin

See what your team could do with The DevSecOps Platform.

Get free trial

Have a question? We're here to help.

Talk to an expert
Edit this page View source