GitLab Patches Critical Vulnerabilities

GitLab has pushed out a significant update that addresses multiple flaws including an arbitrary file read issue rated as ‘critical’ and two high-impact  vulnerabilities.

An update to the popular version control platform tackles a vulnerability involving XSS in Notes, along with a high-impact authentication-related flaw involving a lack of state parameter on GitHub import project OAuth.

Users of the DevOps platform are strongly urged to upgrade to 14.6.2, 14.5.3, or 14.4.5 for GitLab Community Edition (CE) and Enterprise Edition (EE) in order to safeguard their environments.

All three of the higher severity flaws were reported to GitLab by ethical hackers through a bug bounty  program. GitLab has published a security notification that summarizes the content of its security updates, but without going into great detail.

One of the high severity issues tracked as  CVE-2021-39946 meant it was possible to abuse the generation of HTML code related to emojis to uncover a stored XSS vulnerability in the notes feature of GitLab. “Improper neutralization of user input” was to blame for the issue.

The other high severity vulnerability left GitLab instances vulnerable to a cross-site request forgery attack that allows a malicious user to have their GitHub project imported on another GitLab user account.

The root cause of the problem CVE-2022-0154 was a lack of state parameter on GitHub import project OAuth. GitLab’s security update its the latest edition of its monthly, scheduled security releases. These normally follow a week or so after updates that introduce new features.