12 January 2021 at 12:17 UTC
Updated: 12 January 2021 at 12:41 UTC
Details withheld on security release to offer software developers an update window
GitLab installations need to be updated following the discovery of a set of security vulnerabilities, including a critical access token theft issue.
The Git-repository manager normally issues patches for its technology on the 22nd day of the month, but broke its normal update cycle to release patches late last week.
Ad-hoc security releases for critical vulnerabilities from GitLab are part of an established process. The open source platform publishes details of vulnerabilities through its issue tracker 30 days after the software is patched, so for now we only have a bare-bones description of the content of GitLab’s January 7 update.
First up, insufficient validation of authentication parameters in GitLab Pages for GitLab versions 11.5 onwards gives potential attackers the ability to steal a user’s API access token through GitLab Pages.
The patch update last Thursday also deals with four lesser ‘medium-severity’ issues.
Firstly, there’s a vulnerability (CVE-2021-22166) that means an attacker could cause a Prometheus denial of service in GitLab 13.7 onwards by sending an HTTP request with a malformed method.
A second flaw – affecting all versions of GitLab from 12.1 onwards – means that incorrect headers within a specific project page allow an attacker temporary read access to a public repository even if it is restricted to members only.
The issue was discovered by security researcher Anshraj Srivastava and reported through HackerOne.
Also on the patch list is a denial-of-service issue in the NuGet API that was discovered internally by the GitLab team.
Next up is a further denial-of-service issue, this time involving package uploads. “The regex used for package names is written in a way that makes execution time have quadratic growth based on the length of the malicious input string,” GitLab explained.
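The package-upload issue is a regular-expression denial of service (ReDoS): when two adjacent quantifiers can both consume the same characters, a non-matching input forces the engine to try every split between them, so work grows with the square of the input length. The following is an added illustration, not GitLab's own validator (the article does not quote the real regex): the ambiguous pattern, the equivalent unambiguous one, and a length cap applied before any regex runs. The pattern strings, the `MAX_NAME_LENGTH` value and the function names are assumptions made for this example.

```python
import re
import time

# Hypothetical 'before' pattern. '[\w-]' is a subset of '[\w.-]', so on an input
# that cannot match, every boundary between the two quantifiers is tried: O(n^2).
AMBIGUOUS_NAME_RE = re.compile(r"[\w-]+[\w.-]*")

# Hardened pattern: dots are separators and never part of a segment, so each
# character can be matched in exactly one way and a mismatch costs O(n).
# It is also stricter: no leading, trailing or doubled dots.
STRICT_NAME_RE = re.compile(r"[\w-]+(?:\.[\w-]+)*")

# Second line of defence: bound the input before the regex engine sees it, so
# even a pattern that later turns out to be polynomial has a bounded worst case.
MAX_NAME_LENGTH = 200  # assumed limit for this example


def is_valid_package_name_ambiguous(name: str) -> bool:
    """The vulnerable shape: no length check, ambiguous regex."""
    return AMBIGUOUS_NAME_RE.fullmatch(name) is not None


def is_valid_package_name(name: str) -> bool:
    """The hardened shape: length cap first, then an unambiguous regex."""
    if len(name) > MAX_NAME_LENGTH:
        return False
    return STRICT_NAME_RE.fullmatch(name) is not None


def worst_case_input(n: int) -> str:
    """Constructed input: n valid characters followed by one that can never match."""
    return "a" * n + "!"


def match_seconds(pattern: re.Pattern, n: int) -> float:
    """Wall-clock time for one full-match attempt on worst_case_input(n)."""
    text = worst_case_input(n)
    start = time.perf_counter()
    pattern.fullmatch(text)
    return time.perf_counter() - start


def growth_ratio(pattern: re.Pattern, n: int) -> float:
    """t(2n) / t(n): roughly 4 for quadratic backtracking, roughly 2 for linear."""
    return match_seconds(pattern, 2 * n) / max(match_seconds(pattern, n), 1e-9)


if __name__ == "__main__":
    for label, pattern in (("ambiguous", AMBIGUOUS_NAME_RE), ("strict", STRICT_NAME_RE)):
        for n in (500, 1000, 2000):
            print(f"{label:9s} n={n:5d} t={match_seconds(pattern, n):.4f}s")
        print(f"{label:9s} doubling ratio at n=2000: {growth_ratio(pattern, 2000):.1f}")
```

Running the script prints timings that roughly quadruple per doubling for the ambiguous pattern and roughly double for the strict one; the exact numbers depend on the machine and on the regex engine (Ruby 3.2+ and some other engines memoize, which hides this particular case, so the length cap is the portable control).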
Updates released last week include stability and performance enhancements, some of which address issues involving earlier patches.
The patches are bundled in versions 13.7.2, 13.6.4, and 13.5.6 for GitLab Community Edition (CE) and Enterprise Edition (EE), as explained in an advisory from GitLab.
The Daily Swig reached out to Chan for comment on the vulnerability he discovered. We’ll update this story as and when more info comes to hand.
Leom Burke, a senior web developer at PortSwigger Web Security (note: The Daily Swig’s parent company) and longstanding DevSecOps practitioner, commented: “The biggest change looks to be an issue in specific OAuth implementations which may cause some minor inconvenience to some users.
“In general, for most applications these sorts of security patch releases don’t have too many issues for users unless the user is exploiting the ‘bug’ for other purposes,” he added.