John Leyden 13 January 2022 at 16:41 UTC
HackerOne bug bounty reports triaged
GitLab has pushed out a significant security release that addresses multiple flaws including an arbitrary file read issue rated as ‘critical’ and two high-impact vulnerabilities.
An update to the popular version control platform released this week also tackles a stored cross-site scripting (XSS) vulnerability in Notes, along with a high-impact cross-site request forgery (CSRF) flaw caused by a missing state parameter in the OAuth flow used to import GitHub projects.
Users of the DevOps platform are strongly urged to upgrade to 14.6.2, 14.5.3, or 14.4.5 for GitLab Community Edition (CE) and Enterprise Edition (EE) in order to safeguard their environments.
The release also offers relief from seven moderate severity and two lower risk security bugs.
All three of the higher severity flaws were reported to GitLab by ethical hackers through a bug bounty program operated by HackerOne.
The Daily Swig reached out to all three security researchers for more information but we’re yet to hear anything back.
GitLab has published a security notification that summarizes the content of its security updates, but without going into great detail.
According to GitLab’s summary, the arbitrary file read vulnerability stemmed from incorrect file handling and involved the group import feature.
One of the high severity issues (tracked as CVE-2021-39946) meant it was possible to abuse the HTML generated for emojis to trigger a stored XSS vulnerability in the Notes feature of GitLab. “Improper neutralization of user input” was to blame for the issue, according to GitLab.
The other high severity vulnerability left GitLab instances vulnerable to a cross-site request forgery (CSRF) attack that “allows a malicious user to have their GitHub project imported on another GitLab user account”.
The root cause of the problem (CVE-2022-0154) was a lack of state parameter on GitHub import project OAuth. In an OAuth authorization-code flow the state parameter is an unguessable value the client mints and stores in the user's session before redirecting to the provider; when the provider sends the browser back to the callback, the client rejects any response whose state does not match. Without it, the callback has no way to tell a response the user initiated from one an attacker crafted and tricked them into loading.
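The CSRF described above, as an added example that is not GitLab's own code: a constructed Ruby model of the client side of an OAuth authorization-code flow, with a callback handler that accepts any authorization code beside one that binds the response to the session with a state parameter. The function names (start_import, callback_vulnerable, callback_hardened, import_for), the redirect URI and the session layout are assumptions made for illustration.

```ruby
require 'securerandom'

# Constructed model of the client side of an OAuth 2.0 authorization-code flow.
# `session` stands in for a cookie-backed per-browser session; the provider and
# the actual import are stubbed. All names here are hypothetical, not GitLab's.

# Start of the flow: build the redirect parameters for the provider.
# The hardened variant mints a random state and stores it in the session so the
# callback can later be tied back to this browser.
def start_import(session, with_state: true)
  params = {
    'client_id'    => 'example-client',
    'redirect_uri' => 'https://gitlab.example/import/github/callback' # assumed
  }
  if with_state
    state = SecureRandom.hex(32)
    session[:oauth_state] = state
    params['state'] = state
  end
  params
end

# Stub of the import step: which GitLab user the import runs as, and which
# provider-side authorization code (i.e. which GitHub account) it uses.
def import_for(user, code)
  { user: user, github_code: code }
end

# Vulnerable callback: trusts any authorization code that arrives.
# An attacker obtains a code for THEIR provider account, then gets the victim's
# browser to load the callback URL with it (a link, an <img> tag). The import
# then runs in the victim's session using the attacker's provider identity.
def callback_vulnerable(session, query)
  return :rejected unless query['code']
  import_for(session[:user], query['code'])
end

# Constant-time string comparison so the check does not leak the state
# byte-by-byte through timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Hardened callback: the state in the query must equal the one minted in this
# session, and is consumed on use so a captured callback URL cannot be replayed.
def callback_hardened(session, query)
  expected = session.delete(:oauth_state)
  given = query['state']
  return :rejected if expected.nil? || given.nil?
  return :rejected unless secure_equal?(expected, given)
  return :rejected unless query['code']
  import_for(session[:user], query['code'])
end

# Constructed attack scenario: the victim is logged in (and may have started an
# import of their own); the attacker forges a callback carrying a code for the
# attacker's provider account and no valid state.
def forged_callback_outcome(handler)
  victim_session = { user: 'victim' }
  start_import(victim_session)
  attacker_query = { 'code' => 'attacker-code', 'state' => 'guess' }
  handler.call(victim_session, attacker_query)
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable: #{forged_callback_outcome(method(:callback_vulnerable)).inspect}"
  puts "hardened:   #{forged_callback_outcome(method(:callback_hardened)).inspect}"
end
```

Run as a script, the vulnerable handler completes the import for `victim` with the attacker's code, while the hardened handler returns `:rejected`; a legitimate round trip (state minted by `start_import`, echoed back unchanged) still succeeds exactly once.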
The Daily Swig invited GitLab to comment on how ethical hackers had helped to identify these problems but we’re yet to hear back. We’ll update this story as and when new information comes to hand.