A gitlab security update has been released for Arch Linux.

ASA-202106-21: gitlab: multiple issues

Arch Linux Security Advisory ASA-202106-21
==========================================

Severity: High
Date : 2021-06-09
CVE-ID : CVE-2021-22181 CVE-2021-22213 CVE-2021-22214 CVE-2021-22216
CVE-2021-22217 CVE-2021-22218 CVE-2021-22219 CVE-2021-22220
CVE-2021-22221
Package : gitlab
Type : multiple issues
Remote : Yes
Link :   https://security.archlinux.org/AVG-2023

Summary
=======

The package gitlab before version 13.12.2-1 is vulnerable to multiple
issues including denial of service, information disclosure, access
restriction bypass, authentication bypass, cross-site scripting and
content spoofing.

Resolution
==========

Upgrade to 13.12.2-1.

# pacman -Syu "gitlab>=13.12.2-1"

The problems have been fixed upstream in version 13.12.2.

Workaround
==========

None.

Description
===========

- CVE-2021-22181 (denial of service)

A denial of service vulnerability in GitLab CE/EE affecting all
versions since 11.8 before 13.12.2 allows an attacker to create a
recursive pipeline relationship and exhaust resources.

- CVE-2021-22213 (information disclosure)

A cross-site leak vulnerability in the OAuth flow of all versions of
GitLab CE/EE since 7.10 before 13.12.2 allowed an attacker to leak an
OAuth access token by getting the victim to visit a malicious page with
Safari.

- CVE-2021-22214 (access restriction bypass)

When requests to the internal network for webhooks are enabled, a
server-side request forgery vulnerability in GitLab CE/EE affecting all
versions starting from 10.5 before 13.12.2 was possible to exploit for
an unauthenticated attacker even on a GitLab instance where
registration is limited.

- CVE-2021-22216 (denial of service)

A denial of service vulnerability in all versions of GitLab CE/EE
before 13.12.2 allows an attacker to cause uncontrolled resource
consumption with a very long issue or merge request description.

- CVE-2021-22217 (denial of service)

A denial of service vulnerability in all versions of GitLab CE/EE
before 13.12.2 allows an attacker to cause uncontrolled resource
consumption with a specially crafted issue or merge request.

- CVE-2021-22218 (content spoofing)

All versions of GitLab CE/EE starting with 12.8 before 13.12.2 were
affected by an issue in the handling of x509 certificates that could be
used to spoof author of signed commits.

- CVE-2021-22219 (information disclosure)

GitLab CE/EE since version 9.5 before 13.12.2 allows a high privilege
user to obtain sensitive information from log files because the
sensitive information was not correctly registered for log masking.

- CVE-2021-22220 (cross-site scripting)

An issue has been discovered in GitLab affecting all versions starting
with 13.10 before 13.12.2. GitLab was vulnerable to a stored cross-site
scripting (XSS) attack in the blob viewer of notebooks.

- CVE-2021-22221 (authentication bypass)

An issue has been discovered in GitLab affecting all versions starting
from 12.9.0 before 13.12.2. Insufficient expired password validation in
various operations allowed users to maintain limited access after their
password expired.

Impact
======

A remote attacker could disclose sensitive information, bypass
authentication, execute JavaScript code using cross-site scripting,
spoof content or crash the GitLab server.

References
==========

  https://about.gitlab.com/releases/2021/06/01/security-release-gitlab-13-12-2-released/
  https://gitlab.com/gitlab-org/gitlab/-/issues/300308
  https://hackerone.com/reports/1089277
  https://gitlab.com/gitlab-org/gitlab/-/issues/322926
  https://hackerone.com/reports/1110131
  https://gitlab.com/gitlab-org/gitlab/-/issues/329890
  https://gitlab.com/gitlab-org/gitlab/-/issues/300709
  https://hackerone.com/reports/1090049
  https://gitlab.com/gitlab-org/gitlab/-/issues/297665
  https://hackerone.com/reports/1077019
  https://gitlab.com/gitlab-org/gitlab/-/issues/296995
  https://gitlab.com/gitlab-org/gitlab/-/issues/294128
  https://hackerone.com/reports/1060114
  https://gitlab.com/gitlab-org/gitlab/-/issues/292006
  https://security.archlinux.org/CVE-2021-22181
  https://security.archlinux.org/CVE-2021-22213
  https://security.archlinux.org/CVE-2021-22214
  https://security.archlinux.org/CVE-2021-22216
  https://security.archlinux.org/CVE-2021-22217
  https://security.archlinux.org/CVE-2021-22218
  https://security.archlinux.org/CVE-2021-22219
  https://security.archlinux.org/CVE-2021-22220
  https://security.archlinux.org/CVE-2021-22221