Details withheld on security release to supply software developers an update window
UPDATED GitLab installations got to be updated following the invention of a group of security vulnerabilities, including a critical access token theft issue.
First up, insufficient validation of authentication parameters in GitLab Page for GitLab versions 11.5 onwards gives potential attackers the power to steal a user’s API access token through GitLab Pages.
The ‘high severity’ issue was reported by security researcher Ron Chan through GitLab’s HackerOne bug bounty program.
The patch update last Thursday also deals with four lesser ‘medium severity’ issues.
Firstly, there’s a vulnerability (CVE-2021-22166) that means an attacker could cause a Prometheus denial of service in GitLab 13.7 onwards by sending an HTTP request with a malformed method.
A second flaw – affecting all versions of GitLab from 12.1 onwards – means incorrect headers within a selected project page allows an attacker to possess temporary read access to a public repository albeit it’s restricted to members only.
The issue was discovered by security researcher Anshraj Srivastava and reported through HackerOne.
Also on the patch list may be a denial-of-service issue within the NuGet API that was discovered internally by the GitLab team.
Next up may be a further denial-of-service issue, this point involving package uploads. “The regex used for package names is written during a way that creates execution time have quadratic growth supporting the length of the malicious input string,” GitLab explained.
Patch details
Updates released last week include stability and performance enhancements, a number of which address issues involving earlier patches.
The patches close during a big tent under 13.7.2, 13.6.4, and 13.5.6 for GitLab Community Edition (CE) and Enterprise Edition (EE), as explained in an advisory from GitLab.
The Daily Swig reached bent Chan for discuss the vulnerability he discovered. We’ll update this story as and when more info involves hand.
Leom Burke, a senior web developer at PortSwigger Web Security (note: The Daily Swig’s parent company) and longstanding DevSecOps practitioner, commented: “The biggest change looks to be an issue in specific Oauth implementations which can cause some minor inconvenience to some users.
“In general, for many applications these kind of security patch releases don’t have too many issues for users unless the user is exploiting the ‘bug’ for other purposes,” he added.
