GitLab urges users to upgrade after disclosing 13 security flaws

GitLab advises users to upgrade immediately after admitting to a series of vulnerabilities

GitLab has released three new versions, namely 11.9.12, 11.10.5, and 11.11.1, for GitLab Enterprise Edition (EE) and Community Edition (CE), to fix 13 security flaws. GitLab has advised users to upgrade as soon as possible.

The details about those vulnerabilities will be revealed in an issue tracker in about 30 days, according to GitLab.

The first flaw in the list, assigned CVE-2019-12430, is a remote command execution flaw existing in GitLab's repository download feature. It affects GitLab CE/EE version 11.11 and could allow a malicious user to run commands remotely using the repository download feature.

Computing's Cloud Excellence Awards return on the 19th September 2019, recognising the very best of cloud computing in the UK across end users, suppliers and products. Who is the Cloud Architect of the Year? What is the Best Cloud Development Platform? And who is the Cloud Entrepreneur of the Year. Entry is FREE - the deadline is Friday 28th June.

The second vulnerability, affecting GitLab CE/EE 8.13 and later, is indexed as CVE-2019-12432. GitLab says this vulnerability could allow non-member users subscribed to issue notifications to access the title of confidential issues through the unsubscription page.

The third flaw, assigned CVE-2019-12431, was found to impact GitLab CE/EE 8.13 and later and could enable restricted users to access the metadata of private milestones through the search API.

The next vulnerability, named CVE-2019-12434, affects GitLab CE/EE 10.6 and later. It could enable attackers to predict the URL slug of private projects.

The fifth vulnerability could disclose metadata of confidential issues (such as labels and status) to restricted users. This flaw impacts CE/EE 11.9 and later and is assigned CVE-2019-12429.

Next up in the list is a vulnerability that allows users to circumvent the compulsory external authentication provider sign-in restrictions. The issue affects CE/EE 6.8 and later and is assigned CVE-2019-12428.

Another flaw, indexed as CVE-2019-12433, affects CE/EE 11.7 and later. It could lead to multiple permission issues by allowing creation of internal projects in private groups.

Other vulnerabilities fixed in GitLab's latest versions are:

• Server-Side Request Forgery Through DNS Rebinding (CVE-2019-12443)
• Stored Cross-Site Scripting on Wiki Pages (CVE-2019-12444)
• Stored Cross-Site Scripting on Notes (CVE-2019-12445)
• Repository Password Disclosed on Import Error Page (CVE-2019-12446)
• Protected Branches Restriction Rules Bypass (CVE-2019-12441)
• Stored Cross-Site Scripting Vulnerability on Child Epics (CVE-2019-12442)

GitLab said that it has also upgraded Knative to version 0.5 for the GitLab 11.11, 11.10 and 11.9 packages. The new release contains several security fixes.

Computing and CRN have united to present the Women in Tech Festival UK 2019, on 17 September in London.

The event will celebrate successful women in the IT industry, enabling attendes to hear about, and to share, personal experiences of professional journeys and challenges.

Whether you're the ‘Next Generation', an ‘Inspirational Leader', or an ‘Innovator of Tech' this event will offer inspiration on not only how to improve yourself, but how to help others too. The event is FREE for qualifying IT pros, but places will go fast