Details withheld on security release to offer software developers an update window
UPDATED GitLab installations need to be updated following the discovery of a set of security vulnerabilities that includes a critical access token theft issue.
First up, insufficient validation of authentication parameters in GitLab Page for GitLab versions 11.5 onwards gives potential attackers the ability to steal a user’s API access token through GitLab Pages.
The ‘high severity’ issue was reported by security researcher Ron Chan through GitLab’s HackerOne bug bounty program.
Catch up with the latest news on secure software development
The patch update last Thursday also deals with four lesser ‘medium severity’ issues.
Firstly, there’s a vulnerability (CVE-2021-22166) that means an attacker could cause a Prometheus denial of service in GitLab 13.7 onwards by sending an HTTP request with a malformed method.
A second flaw – affecting all versions of GitLab from 12.1 onwards – means that incorrect headers within a specific project page allows an attacker to have temporary read access to a public repository even if it is restricted to members only.
The issue was discovered by security researcher Anshraj Srivastava and reported through HackerOne.
Also on the patch list is a denial-of-service issue in the NuGet API that was discovered internally by the GitLab team.
Next up is a further denial-of-service issue, this time involving package uploads. “The regex used for package names is written in a way that makes execution time have quadratic growth based on the length of the malicious input string,” GitLab explained.
Patch details
Updates released last week include stability and performance enhancements, some of which address issues involving earlier patches.
The patches come together in a big tent under 13.7.2, 13.6.4, and 13.5.6 for GitLab Community Edition (CE) and Enterprise Edition (EE), as explained in an advisory from GitLab.
The Daily Swig reached out to Chan for comment on the vulnerability he discovered. We’ll update this story as and when more info comes to hand.
Leom Burke, a senior web developer at PortSwigger Web Security (note: The Daily Swig’s parent company) and longstanding DevSecOps practitioner, commented: “The biggest change looks to be an issue in specific Oauth implementations which may cause some minor inconvenience to some users.
“In general, for most applications these sort of security patch releases don’t have too many issues for users unless the user is exploiting the ‘bug’ for other purposes,” he added.
This article has been updated to fix incorrect statements regarding GitLab’s monthly patch cycle. Thanks to Twitter user @dee__see for setting us straight.
RELATED GitHub offers tighter integration of security to development workflows
