Gitlab vulnerability


GitLab Critical Security Release: 14.0.4, 13.12.8, and 13.11.7

Today we are releasing versions 14.0.4, 13.12.8, and 13.11.7 for GitLab Community Edition (CE) and Enterprise Edition (EE).

These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.

GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our security FAQ. You can see all of our regular and security release blog posts here. In addition, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.

We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.

Table of Fixes

Arbitrary file read via design feature

An issue has been discovered in GitLab CE/EE affecting all versions starting with 13.11, 13.12 and 14.0. A specially crafted design allowed attackers to read arbitrary files on the server. This is a critical severity issue (CVSS 9.6). It is now mitigated in the latest release and is assigned CVE-2021-22234.

Thanks vakzz for reporting this vulnerability through our HackerOne bug bounty program.

Remediation

We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.

Updating

To update GitLab, see the Update page. To update GitLab Runner, see the Updating the Runner page.

Receive Security Release Notifications

To receive security release blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our security release RSS feed or our RSS feed for all releases.

Source: https://about.gitlab.com/releases/2021/07/07/critical-security-release-gitlab-14-0-4-released/

Gitlab : Security Vulnerabilities

Columns: CVE ID (CWE ID, vulnerability type), publish date, update date; score; gained access level; access; complexity; authentication; impact on confidentiality (C), integrity (I) and availability (A). The "# of Exploits" column is empty for every entry; "???" appears as given in the listing.

1. CVE-2021-39900 (CWE-668), published 2021-10-04, updated 2021-10-13. Score 4.0; gained access level None; Remote access; Low complexity; authentication ???; C: Partial, I: None, A: None.
   Information disclosure from SendEntry in GitLab starting with 10.8 allowed exposure of full URL of artifacts stored in object-storage with a temporary availability via Rails logs.

2. CVE-2021-39899 (CWE-640), published 2021-10-04, updated 2021-10-12. Score 1.9; gained access level None; Local access; Medium complexity; authentication Not required; C: Partial, I: None, A: None.
   In all versions of GitLab CE/EE, an attacker with physical access to a user's machine may brute force the user's password via the change password function. There is a rate limit in place, but the attack may still be conducted by stealing the session id from the physical compromise of the account and splitting the attack over several IP addresses and passing in the compromised session value from these various locations.

3. CVE-2021-39896, published 2021-10-04, updated 2021-10-12. Score 5.5; gained access level None; Remote access; Low complexity; authentication ???; C: Partial, I: Partial, A: None.
   In all versions of GitLab CE/EE since version 8.0, when an admin uses the impersonate feature twice and stops impersonating, the admin may be logged in as the second user they impersonated, which may lead to repudiation issues.

4. CVE-2021-39894 (CWE-918), published 2021-10-05, updated 2021-10-12. Score 5.5; gained access level None; Remote access; Low complexity; authentication ???; C: Partial, I: Partial, A: None.
   In all versions of GitLab CE/EE since version 8.0, a DNS rebinding vulnerability exists in Fogbugz importer which may be used by attackers to exploit Server Side Request Forgery attacks.

5. CVE-2021-39893 (CWE-862), published 2021-10-05, updated 2021-10-09. Score 5.0; gained access level None; Remote access; Low complexity; authentication Not required; C: None, I: None, A: Partial.
   A potential DOS vulnerability was discovered in GitLab starting with version 9.1 that allowed parsing files without authorisation.

6. CVE-2021-39891 (CWE-863), published 2021-10-05, updated 2021-10-09. Score 4.0; gained access level None; Remote access; Low complexity; authentication ???; C: Partial, I: None, A: None.
   In all versions of GitLab CE/EE since version 8.0, access tokens created as part of admin's impersonation of a user are not cleared at the end of impersonation which may lead to unnecessary sensitive info disclosure.

7. CVE-2021-39889 (CWE-732), published 2021-10-05, updated 2021-10-09. Score 4.0; gained access level None; Remote access; Low complexity; authentication ???; C: Partial, I: None, A: None.
   In all versions of GitLab EE since version 14.1, due to an insecure direct object reference vulnerability, an endpoint may reveal the protected branch name to a malicious user who makes a crafted API call with the ID of the protected branch.

8. CVE-2021-39888 (CWE-200, +Info), published 2021-10-05, updated 2021-10-12. Score 4.0; gained access level None; Remote access; Low complexity; authentication ???; C: Partial, I: None, A: None.
   In all versions of GitLab EE since version 13.10, a specific API endpoint may reveal details about a private group and other sensitive info inside issue and merge request templates.

9. CVE-2021-39887 (CWE-79, Exec Code XSS), published 2021-10-05, updated 2021-10-08. Score 3.5; gained access level None; Remote access; Medium complexity; authentication ???; C: None, I: Partial, A: None.
   A stored Cross-Site Scripting vulnerability in the GitLab Flavored Markdown in GitLab CE/EE version 8.4 and above allowed an attacker to execute arbitrary JavaScript code on the victim's behalf.

10. CVE-2021-39886 (CWE-276), published 2021-10-05, updated 2021-10-09. Score 4.0; gained access level None; Remote access; Low complexity; authentication ???; C: Partial, I: None, A: None.
   Permissions rules were not applied while issues were moved between projects of the same group in GitLab versions starting with 10.6 and up to 14.1.7 allowing users to read confidential Epic references.

11. CVE-2021-39885 (CWE-79, Exec Code XSS), published 2021-10-04, updated 2021-10-12. Score 3.5; gained access level None; Remote access; Medium complexity; authentication ???; C: None, I: Partial, A: None.
   A Stored XSS in merge request creation page in Gitlab EE version 13.5 and above allows an attacker to execute arbitrary JavaScript code on the victim's behalf via malicious approval rule names.

12. CVE-2021-39884 (CWE-668), published 2021-10-05, updated 2021-10-12. Score 4.0; gained access level None; Remote access; Low complexity; authentication ???; C: Partial, I: None, A: None.
   In all versions of GitLab EE since version 8.13, an endpoint discloses names of private groups that have access to a project to low privileged users that are part of that project.

13. CVE-2021-39883 (CWE-863), published 2021-10-04, updated 2021-10-12. Score 4.0; gained access level None; Remote access; Low complexity; authentication ???; C: Partial, I: None, A: None.
   Improper authorization checks in GitLab EE > 13.11 allows subgroup members to see epics from all parent subgroups.

14. CVE-2021-39882 (CWE-319), published 2021-10-05, updated 2021-10-12. Score 5.0; gained access level None; Remote access; Low complexity; authentication Not required; C: Partial, I: None, A: None.
   In all versions of GitLab CE/EE, provided a user ID, anonymous users can use a few endpoints to retrieve information about any GitLab user.

15. CVE-2021-39881, published 2021-10-05, updated 2021-10-09. Score 3.5; gained access level None; Remote access; Medium complexity; authentication ???; C: None, I: Partial, A: None.
   In all versions of GitLab CE/EE since version 7.7, the application may let a malicious user create an OAuth client application with arbitrary scope names which may allow the malicious user to trick unsuspecting users to authorize the malicious client application using the spoofed scope name and description.

16. CVE-2021-39880 (DoS), published 2021-10-05, updated 2021-10-09. Score 4.0; gained access level None; Remote access; Low complexity; authentication ???; C: None, I: None, A: Partial.
   A Denial Of Service vulnerability in the apollo_upload_server Ruby gem in GitLab CE/EE version 11.11 and above allows an attacker to deny access to all users via specially crafted requests to the apollo_upload_server middleware.

17. CVE-2021-39879 (CWE-306), published 2021-10-04, updated 2021-10-12. Score 4.0; gained access level None; Remote access; Low complexity; authentication ???; C: None, I: Partial, A: None.
   Missing authentication in all versions of GitLab CE/EE since version 7.11.0 allows an attacker with access to a victim's session to disable two-factor authentication.

18. CVE-2021-39878 (CWE-79, Exec Code XSS), published 2021-10-05, updated 2021-10-12. Score 3.5; gained access level None; Remote access; Medium complexity; authentication ???; C: None, I: Partial, A: None.
   A stored Reflected Cross-Site Scripting vulnerability in the Jira integration in GitLab version 13.0 up to 14.3.1 allowed an attacker to execute arbitrary javascript code.

19. CVE-2021-39877 (CWE-400), published 2021-10-04, updated 2021-10-12. Score 4.3; gained access level None; Remote access; Medium complexity; authentication Not required; C: None, I: None, A: Partial.
   A vulnerability was discovered in GitLab starting with version 12.2 that allows an attacker to cause uncontrolled resource consumption with a specially crafted file.

20. CVE-2021-39875 (CWE-200, +Info), published 2021-10-05, updated 2021-10-12. Score 5.0; gained access level None; Remote access; Low complexity; authentication Not required; C: Partial, I: None, A: None.
   In all versions of GitLab CE/EE since version 13.6, it is possible to see pending invitations of any public group or public project by visiting an API endpoint.

21. CVE-2021-39874, published 2021-10-04, updated 2021-10-12. Score 4.0; gained access level None; Remote access; Low complexity; authentication ???; C: None, I: Partial, A: None.
   In all versions of GitLab CE/EE since version 11.0, the requirement to enforce 2FA is not honored when using git commands.

22. CVE-2021-39873, published 2021-10-04, updated 2021-10-12. Score 4.3; gained access level None; Remote access; Medium complexity; authentication Not required; C: None, I: Partial, A: None.
   In all versions of GitLab CE/EE, there exists a content spoofing vulnerability which may be leveraged by attackers to trick users into visiting a malicious website by spoofing the content in an error response.

23. CVE-2021-39872 (CWE-287), published 2021-10-05, updated 2021-10-12. Score 4.0; gained access level None; Remote access; Low complexity; authentication ???; C: Partial, I: None, A: None.
   In all versions of GitLab CE/EE since version 14.1, an improper access control vulnerability allows users with expired password to still access GitLab through git and API through access tokens acquired before password expiration.

24. CVE-2021-39871 (Bypass), published 2021-10-04, updated 2021-10-12. Score 4.0; gained access level None; Remote access; Low complexity; authentication ???; C: None, I: Partial, A: None.
   In all versions of GitLab CE/EE since version 13.0, an instance that has the setting to disable Bitbucket Server import enabled is bypassed by an attacker making a crafted API call.

25. CVE-2021-39870 (Bypass), published 2021-10-05, updated 2021-10-09. Score 4.0; gained access level None; Remote access; Low complexity; authentication ???; C: None, I: Partial, A: None.
   In all versions of GitLab CE/EE since version 11.11, an instance that has the setting to disable Repo by URL import enabled is bypassed by an attacker making a crafted API call.

26. CVE-2021-39869 (CWE-200, +Info), published 2021-10-05, updated 2021-10-12. Score 4.3; gained access level None; Remote access; Medium complexity; authentication Not required; C: Partial, I: None, A: None.
   In all versions of GitLab CE/EE since version 8.9, project exports may expose trigger tokens configured on that project.

27. CVE-2021-39868 (CWE-732), published 2021-10-04, updated 2021-10-12. Score 4.0; gained access level None; Remote access; Low complexity; authentication ???; C: None, I: Partial, A: None.
   In all versions of GitLab CE/EE since version 8.12, an authenticated low-privileged malicious user may create a project with unlimited repository size by modifying values in a project export.

28. CVE-2021-39867 (CWE-918), published 2021-10-05, updated 2021-10-12. Score 5.5; gained access level None; Remote access; Low complexity; authentication ???; C: Partial, I: Partial, A: None.
   In all versions of GitLab CE/EE since version 8.15, a DNS rebinding vulnerability in Gitea Importer may be exploited by an attacker to trigger Server Side Request Forgery (SSRF) attacks.

29. CVE-2021-39866 (CWE-668), published 2021-10-05, updated 2021-10-12. Score 5.5; gained access level None; Remote access; Low complexity; authentication ???; C: Partial, I: Partial, A: None.
   A business logic error in the project deletion process in GitLab 13.6 and later allows persistent access via project access tokens.

30. CVE-2021-32823 (CWE-400), published 2021-06-24, updated 2021-06-30. Score 4.3; gained access level None; Remote access; Medium complexity; authentication Not required; C: None, I: None, A: Partial.
   In the bindata RubyGem before version 2.4.10 there is a potential denial-of-service vulnerability. In affected versions it is very slow for certain classes in BinData to be created. For example BinData::Bit100000, BinData::Bit100001, BinData::Bit100002, BinData::Bit<N>. In combination with <user_input>.constantize there is a potential for a CPU-based DoS. In version 2.4.10 bindata improved the creation time of Bits and Integers.

31. CVE-2021-22264, published 2021-10-05, updated 2021-10-09. Score 4.3; gained access level None; Remote access; Medium complexity; authentication Not required; C: Partial, I: None, A: None.
   An issue has been discovered in GitLab affecting all versions starting from 13.8 before 14.0.9, all versions starting from 14.1 before 14.1.4, all versions starting from 14.2 before 14.2.2. Under specialized conditions, an invited group member may continue to have access to a project even after the invited group, which the member was part of, is deleted.

32. CVE-2021-22262 (CWE-863), published 2021-10-05, updated 2021-10-09. Score 5.0; gained access level None; Remote access; Low complexity; authentication Not required; C: None, I: Partial, A: None.
   Missing access control in GitLab version 13.10 and above with Jira Cloud integration enabled allows Jira users without administrative privileges to add and remove Jira Connect Namespaces via the GitLab.com for Jira Cloud application configuration page.

33. CVE-2021-22261 (CWE-79, Exec Code XSS), published 2021-10-05, updated 2021-10-08. Score 3.5; gained access level None; Remote access; Medium complexity; authentication ???; C: None, I: Partial, A: None.
   A stored Cross-Site Scripting vulnerability in the Jira integration in GitLab version 13.7 and above allows an attacker to execute arbitrary JavaScript code on the victim's behalf via malicious Jira API responses.

34. CVE-2021-22259, published 2021-10-04, updated 2021-10-08. Score 4.0; gained access level None; Remote access; Low complexity; authentication ???; C: None, I: None, A: Partial.
   A potential DOS vulnerability was discovered in GitLab EE starting with version 12.6 due to lack of pagination in dependencies API.

35. CVE-2021-22258, published 2021-10-05, updated 2021-10-09. Score 4.0; gained access level None; Remote access; Low complexity; authentication ???; C: Partial, I: None, A: None.
   The project import/export feature in GitLab 8.9 and greater could be used to obtain otherwise private email addresses.

36. CVE-2021-22257, published 2021-10-05, updated 2021-10-09. Score 5.0; gained access level None; Remote access; Low complexity; authentication Not required; C: Partial, I: None, A: None.
   An issue has been discovered in GitLab affecting all versions starting from 14.0 before 14.0.9, all versions starting from 14.1 before 14.1.4, all versions starting from 14.2 before 14.2.2. The route for /user.keys is not restricted on instances with public visibility disabled. This allows user enumeration on such instances.

37. CVE-2021-22256 (CWE-863), published 2021-08-25, updated 2021-08-31. Score 5.5; gained access level None; Remote access; Low complexity; authentication ???; C: Partial, I: Partial, A: None.
   Improper authorization in GitLab CE/EE affecting all versions since 12.6 allowed guest users to create issues for Sentry errors and track their status.

38. CVE-2021-22254 (CWE-116), published 2021-08-20, updated 2021-08-26. Score 3.5; gained access level None; Remote access; Medium complexity; authentication ???; C: Partial, I: None, A: None.
   Under very specific conditions a user could be impersonated using Gitlab shell. This vulnerability affects GitLab CE/EE 13.1 and later through 14.1.2, 14.0.7 and 13.12.9.

39. CVE-2021-22253 (CWE-863), published 2021-08-23, updated 2021-08-30. Score 4.9; gained access level None; Remote access; Medium complexity; authentication ???; C: None, I: Partial, A: Partial.
   Improper authorization in GitLab EE affecting all versions since 13.4 allowed a user who previously had the necessary access to trigger deployments to protected environments under specific conditions after the access has been removed.

40. CVE-2021-22252 (CWE-668), published 2021-08-23, updated 2021-08-30. Score 4.0; gained access level None; Remote access; Low complexity; authentication ???; C: Partial, I: None, A: None.
   A confusion between tag and branch names in GitLab CE/EE affecting all versions since 13.7 allowed a Developer to access protected CI variables which should only be accessible to Maintainers.

41. CVE-2021-22251 (CWE-863), published 2021-08-23, updated 2021-08-28. Score 4.0; gained access level None; Remote access; Low complexity; authentication ???; C: None, I: Partial, A: None.
   Improper validation of invited users' email address in GitLab EE affecting all versions since 12.2 allowed projects to add members with email address domain that should be blocked by group settings.

42. CVE-2021-22250 (CWE-863), published 2021-08-25, updated 2021-08-31. Score 5.5; gained access level None; Remote access; Low complexity; authentication ???; C: Partial, I: Partial, A: None.
   Improper authorization in GitLab CE/EE affecting all versions since 13.3 allowed users to view and delete impersonation tokens that administrators created for their account.

43. CVE-2021-22249 (CWE-209), published 2021-08-23, updated 2021-08-28. Score 4.0; gained access level None; Remote access; Low complexity; authentication ???; C: Partial, I: None, A: None.
   A verbose error message in GitLab EE affecting all versions since 12.2 could disclose the private email address of a user invited to a group.

44. CVE-2021-22248 (CWE-863), published 2021-08-23, updated 2021-08-28. Score 5.0; gained access level None; Remote access; Low complexity; authentication Not required; C: Partial, I: None, A: None.
   Improper authorization on the pipelines page in GitLab CE/EE affecting all versions since 13.12 allowed unauthorized users to view some pipeline information for public projects that have access to pipelines restricted to members only.

45. CVE-2021-22247 (CWE-863), published 2021-08-25, updated 2021-08-31. Score 4.0; gained access level None; Remote access; Low complexity; authentication ???; C: Partial, I: None, A: None.
   Improper authorization in GitLab CE/EE affecting all versions since 13.0 allows guests in private projects to view CI/CD analytics.

46. CVE-2021-22246 (CWE-770, DoS), published 2021-08-20, updated 2021-08-26. Score 4.0; gained access level None; Remote access; Low complexity; authentication ???; C: None, I: None, A: Partial.
   A vulnerability was discovered in GitLab versions before 14.0.2, 13.12.6, 13.11.6. GitLab Webhook feature could be abused to perform denial of service attacks.

47. CVE-2021-22245 (CWE-20), published 2021-08-25, updated 2021-08-31. Score 4.0; gained access level None; Remote access; Low complexity; authentication ???; C: None, I: None, A: Partial.
   Improper validation of commit author in GitLab CE/EE affecting all versions allowed an attacker to make several pages in a project impossible to view.

48. CVE-2021-22244 (CWE-863), published 2021-08-25, updated 2021-08-31. Score 4.0; gained access level None; Remote access; Low complexity; authentication ???; C: Partial, I: None, A: None.
   Improper authorization in the vulnerability report feature in GitLab EE affecting all versions since 13.1 allowed a reporter to access vulnerability data.

49. CVE-2021-22243 (CWE-863), published 2021-08-25, updated 2021-08-31. Score 4.0; gained access level None; Remote access; Low complexity; authentication ???; C: Partial, I: None, A: None.
   Under specialized conditions, GitLab CE/EE versions starting 7.10 may allow existing GitLab users to use an invite URL meant for another email address to gain access into a group.

50. CVE-2021-22242 (CWE-79, XSS), published 2021-08-25, updated 2021-08-31. Score 3.5; gained access level None; Remote access; Medium complexity; authentication ???; C: None, I: Partial, A: None.
   Insufficient input sanitization in Mermaid markdown in GitLab CE/EE version 11.4 and up allows an attacker to exploit a stored cross-site scripting vulnerability via a specially-crafted markdown.

Source: https://www.cvedetails.com/vulnerability-list/vendor_id-13074/Gitlab.html

GitLab Security Release: 14.1.2, 14.0.7, and 13.12.9

Today we are releasing versions 14.1.2, 14.0.7, and 13.12.9 for GitLab Community Edition (CE) and Enterprise Edition (EE).

These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.

GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our security FAQ. You can see all of our regular and security release blog posts here. In addition, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.

We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.

Recommended Action

We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.

Table of Fixes

Stored XSS in Mermaid when viewing Markdown files

Insufficient input sanitization in Mermaid markdown in GitLab CE/EE version 11.4 and up allows an attacker to exploit a stored cross-site scripting vulnerability via a specially-crafted markdown. This is a high severity issue (CVSS 8.7). It is now mitigated in the latest release and is assigned CVE-2021-22242.

Thanks @saleemrashid for reporting this vulnerability through our HackerOne bug bounty program.

Note

Users will no longer be able to configure settings in Mermaid charts.

Stored XSS in default branch name

An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.4. It was possible to exploit a stored cross-site-scripting via a specifically crafted default branch name. This is a high severity issue (CVSS 8.7). It is now mitigated in the latest release and is assigned CVE-2021-22241.

Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program.

Perform Git actions with an impersonation token even if impersonation is disabled

Under specialized conditions, GitLab may allow a user with an impersonation token to perform Git actions even if impersonation is disabled. This vulnerability is present in GitLab CE/EE versions before 13.12.9, 14.0.7, 14.1.2. This is a medium severity issue (CVSS 6.6). It is now mitigated in the latest release and is assigned CVE-2021-22237.

GitLab would like to thank a customer who reported this issue.

Tag and branch name confusion allows Developer to access protected CI variables

A confusion between tag and branch names in GitLab CE/EE affecting all versions since 13.7 allowed a Developer to access protected CI variables which should only be accessible to Maintainers. This is a medium severity issue (CVSS 6.5). It is now mitigated in the latest release and is assigned CVE-2021-22252.

Thanks @rodrigopetter for reporting this vulnerability through our HackerOne bug bounty program.

New subscriptions generate OAuth tokens on an incorrect OAuth client application

Due to improper handling of OAuth client IDs, new subscriptions generated OAuth tokens on an incorrect OAuth client application. This vulnerability is present in GitLab CE/EE since version 14.1. This is a medium severity issue (CVSS 5.5). It is now mitigated in the latest release and is assigned CVE-2021-22236.

This vulnerability was found internally by the GitLab team.

Ability to list and delete impersonation tokens for your own user

Improper authorization in GitLab CE/EE affecting all versions since 13.3 allowed users to view and delete impersonation tokens that administrators created for their account. This is a medium severity issue (CVSS 5.4). It is now mitigated in the latest release and is assigned CVE-2021-22250.

Thanks @jimeno for reporting this vulnerability through our HackerOne bug bounty program.

Pipelines page is partially visible for users that have no right to see CI/CD

Improper authorization on the pipelines page in GitLab CE/EE affecting all versions since 13.12 allowed unauthorized users to view some pipeline information for public projects that have access to pipelines restricted to members only. This is a medium severity issue (CVSS 5.3). It is now mitigated in the latest release and is assigned CVE-2021-22248.

This vulnerability has been discovered internally by the GitLab team.

Improper email validation on an invite URL

Under specialized conditions, GitLab CE/EE versions starting 7.10 may allow existing GitLab users to use an invite URL meant for another email address to gain access into a group. This is a medium severity issue (CVSS 5.0). It is now mitigated in the latest release and is assigned CVE-2021-22243.

This vulnerability was found internally by the GitLab team.

Unauthorised user was able to add meta data upon issue creation

An unauthorized user was able to insert metadata when creating a new issue on GitLab CE/EE 14.0 and later. This is a medium severity issue (CVSS 5.0). It is now mitigated in the latest release and is assigned CVE-2021-22239.

This vulnerability has been discovered internally by the GitLab team.

Unauthorized user can trigger deployment to a protected environment

Improper authorization in GitLab EE affecting all versions since 13.4 allowed a user who previously had the necessary access to trigger deployments to protected environments under specific conditions after the access has been removed. This is a medium severity issue (CVSS 4.9). It is now mitigated in the latest release and is assigned CVE-2021-22253.

Thanks @vaib25vicky for reporting this vulnerability through our HackerOne bug bounty program.

Guest in private project can see CI/CD Analytics

Improper authorization in GitLab CE/EE affecting all versions since 13.0 allows guests in private projects to view CI/CD analytics. This is a medium severity issue (CVSS 4.3). It is now mitigated in the latest release and is assigned CVE-2021-22247.

Thanks @ashish_r_padelkar for reporting this vulnerability through our HackerOne bug bounty program.

Guest users can create issues for Sentry errors and track their status

Improper authorization in GitLab CE/EE affecting all versions since 12.6 allowed guest users to create issues for Sentry errors and track their status. This is a medium severity issue (CVSS 4.3). It is now mitigated in the latest release and is assigned CVE-2021-22256.

Thanks @maruthi12 for reporting this vulnerability through our HackerOne bug bounty program.

Private user email disclosure via group invitation

A verbose error message in GitLab EE affecting all versions since 12.2 could disclose the private email address of a user invited to a group. This is a medium severity issue (CVSS 4.3). It is now mitigated in the latest release and is assigned CVE-2021-22249.

Thanks @jimeno for reporting this vulnerability through our HackerOne bug bounty program.

Projects are allowed to add members with email address domain that should be blocked by group settings

Improper validation of invited users' email address in GitLab EE affecting all versions since 12.2 allowed projects to add members with email address domain that should be blocked by group settings. This is a medium severity issue (CVSS 4.3). It is now mitigated in the latest release and is assigned CVE-2021-22251.

Thanks @ashish_r_padelkar for reporting this vulnerability through our HackerOne bug bounty program.

Misleading username could lead to impersonation in using SSH Certificates

Under very specific conditions a user could be impersonated using GitLab Shell. This vulnerability affects GitLab CE/EE 13.1 and later through 14.1.2, 14.0.7 and 13.12.9. This is a low severity issue (CVSS 3.1). It is now mitigated in the latest release and is assigned CVE-2021-22254.

Thanks ledz1996 for reporting this vulnerability through our HackerOne bug bounty program.

Unauthorized user is able to access and view project vulnerability reports

Improper authorization in the vulnerability report feature in GitLab EE affecting all versions since 13.1 allowed a reporter to access vulnerability data. This is a low severity issue (CVSS 3.1). It is now mitigated in the latest release and is assigned CVE-2021-22244.

Thanks @vaib25vicky for reporting this vulnerability through our HackerOne bug bounty program.

Denial of service in repository caused by malformed commit author

Improper validation of commit author in GitLab CE/EE affecting all versions allowed an attacker to make several pages in a project impossible to view. This is a low severity issue (CVSS 2.7). It is now mitigated in the latest release and is assigned CVE-2021-22245.

Thanks @stanlyoncm for reporting this vulnerability through our HackerOne bug bounty program.

Update Mattermost

Mattermost has been upgraded to 5.35.4 in order to mitigate security concerns.

Versions affected

Affects GitLab Omnibus versions 13.10 and later

Update oauth ruby gem

The oauth ruby gem has been upgraded to 0.5.6 in order to mitigate security concerns.

Versions affected

Affects versions 10.6 and later

Update libgcrypt

libgcrypt has been upgraded to 1.9.3 in order to mitigate security concerns.

Versions affected

Affects all previous versions of GitLab Omnibus

Updating

To update GitLab, see the Update page. To update GitLab Runner, see the Updating the Runner page.

Receive Security Release Notifications

To receive security release blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our security release RSS feed or our RSS feed for all releases.

Source: https://about.gitlab.com/releases/2021/08/03/security-release-gitlab-14-1-2-released/

GitLab Security Release: 14.3.1, 14.2.5, and 14.1.7

Today we are releasing versions 14.3.1, 14.2.5, and 14.1.7 for GitLab Community Edition (CE) and Enterprise Edition (EE).

These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.

GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our security FAQ. You can see all of our regular and security release blog posts here. In addition, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.

We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.

Recommended Action

We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.

Table of Fixes

Stored XSS in merge request creation page

A Stored XSS in merge request creation page in GitLab EE version 13.5 and above allows an attacker to execute arbitrary JavaScript code on the victim's behalf via malicious approval rule names. This is a high severity issue (CVSS 8.7). It is now mitigated in the latest release and is assigned CVE-2021-39885.

Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program.

Denial-of-service attack in Markdown parser

A vulnerability was discovered in GitLab starting with version 12.2 that allows an attacker to cause uncontrolled resource consumption with a specially crafted file. This is a high severity issue (CVSS 7.7). It is now mitigated in the latest release and is assigned CVE-2021-39877.

Thanks phill for reporting this vulnerability through our HackerOne bug bounty program.

Stored Cross-Site Scripting vulnerability in the GitLab Flavored Markdown

A stored Cross-Site Scripting vulnerability in the GitLab Flavored Markdown in GitLab CE/EE version 8.4 and above allowed an attacker to execute arbitrary JavaScript code on the victim's behalf. This is a high severity issue (CVSS 7.3). It is now mitigated in the latest release and is assigned CVE-2021-39887.

Thanks saleemrashid for reporting this vulnerability through our HackerOne bug bounty program.

DNS Rebinding vulnerability in Gitea importer

In all versions of GitLab CE/EE since version 8.15, a DNS rebinding vulnerability in Gitea Importer may be exploited by an attacker to trigger Server Side Request Forgery (SSRF) attacks. This is a medium severity issue (CVSS 6.5). It is now mitigated in the latest release and is assigned CVE-2021-39867.

This issue was found internally by a member of the GitLab team.

Exposure of trigger tokens on project exports

In all versions of GitLab CE/EE since version 8.9, project exports may expose trigger tokens configured on that project. This is a medium severity issue (CVSS 6.5). It is now mitigated in the latest release and is assigned CVE-2021-39869.

Thanks @mishre for reporting this vulnerability through our HackerOne bug bounty program.

Improper access control for users with expired password

In all versions of GitLab CE/EE since version 14.1, an improper access control vulnerability allows users with expired password to still access GitLab through git and API through access tokens acquired before password expiration. This is a medium severity issue (CVSS 6.5). It is now mitigated in the latest release and is assigned CVE-2021-39872.

Thanks @joaxcar for reporting this vulnerability through our HackerOne bug bounty program.

Access tokens are not cleared after impersonation

In all versions of GitLab CE/EE since version 8.0, access tokens created as part of admin's impersonation of a user are not cleared at the end of impersonation which may lead to unnecessary sensitive info disclosure. This is a medium severity issue (CVSS 5.9). It is now mitigated in the latest release and is assigned CVE-2021-39891.

This vulnerability was found internally by a member of the GitLab team.

Reflected Cross-Site Scripting in Jira Integration

A stored Reflected Cross-Site Scripting vulnerability in the Jira integration in GitLab version 13.0 up to 14.3.1 allowed an attacker to execute arbitrary JavaScript code. This is a medium severity issue (CVSS 5.8). It is now mitigated in the latest release and is assigned CVE-2021-39878.

Thanks ooooooo_q for reporting this vulnerability through our HackerOne bug bounty program.

DNS Rebinding vulnerability in Fogbugz importer

In all versions of GitLab CE/EE since version 8.0, a DNS rebinding vulnerability exists in the Fogbugz importer which may be used by attackers to carry out Server Side Request Forgery (SSRF) attacks. This is a medium severity issue (, 5.4). It is now mitigated in the latest release and is assigned CVE-2021-39894.

This vulnerability was discovered internally by the GitLab team.
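The two importer findings above (Gitea, CVE-2021-39867, and Fogbugz, CVE-2021-39894) share one root cause: an importer that validates a user-supplied URL by resolving its hostname and then lets the HTTP client resolve the name a second time when it connects, so a hostile DNS server can answer with a public address for the check and an internal address for the request. The Ruby below is an added illustration of the standard mitigation (resolve once, reject any non-public answer, and connect to the pinned address); it is not GitLab's own code and does not show GitLab's actual fix. The blocked range list, the names pin_url, url_blocked?, ip_literal? and fetch_pinned, and the injectable resolver are assumptions made for this example.

```ruby
require 'ipaddr'
require 'resolv'
require 'uri'
require 'net/http'

# Illustrative helper, not GitLab's code. Ranges an importer should never be
# allowed to reach: loopback, RFC 1918, link-local (cloud metadata lives in
# 169.254.0.0/16), CGNAT and their IPv6 equivalents. The list is an assumption.
BLOCKED_RANGES = %w[
  0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16
  172.16.0.0/12 192.168.0.0/16 ::/128 ::1/128 fc00::/7 fe80::/10
].map { |cidr| IPAddr.new(cidr) }.freeze

class BlockedUrlError < StandardError; end

# True when the address is not public. IPv4-mapped IPv6 addresses such as
# ::ffff:127.0.0.1 are unwrapped first so they cannot hide from the IPv4 ranges.
def blocked_ip?(ip)
  addr = IPAddr.new(ip)
  addr = addr.native if addr.ipv6? && addr.ipv4_mapped?
  BLOCKED_RANGES.any? { |range| range.include?(addr) }
end

def ip_literal?(host)
  IPAddr.new(host)
  true
rescue IPAddr::InvalidAddressError
  false
end

# Resolve the host exactly once and return the address every later connection
# must use. Because the client connects to this pinned IP rather than to the
# hostname, a DNS answer that changes between validation and fetch has no effect.
def pin_url(url, resolver: ->(host) { Resolv.getaddresses(host) })
  uri = URI.parse(url)
  raise BlockedUrlError, 'only http(s) URLs are allowed' unless %w[http https].include?(uri.scheme)
  raise BlockedUrlError, 'URL has no host' if uri.hostname.nil? || uri.hostname.empty?

  addresses = ip_literal?(uri.hostname) ? [uri.hostname] : resolver.call(uri.hostname)
  raise BlockedUrlError, 'host does not resolve' if addresses.empty?
  # Every answer must be public: a mix of public and private answers is
  # rejected outright instead of picking the public one.
  addresses.each do |ip|
    raise BlockedUrlError, "#{uri.hostname} resolves to a blocked address (#{ip})" if blocked_ip?(ip)
  end

  { uri: uri, hostname: uri.hostname, ip: addresses.first }
end

# Convenience predicate for callers that only need an allow/deny decision.
def url_blocked?(url, resolver:)
  pin_url(url, resolver: resolver)
  false
rescue BlockedUrlError
  true
end

# Perform the request against the pinned IP while keeping the hostname for the
# Host header and TLS SNI/certificate verification (Net::HTTP#ipaddr= does this).
def fetch_pinned(pinned)
  uri = pinned[:uri]
  http = Net::HTTP.new(pinned[:hostname], uri.port)
  http.ipaddr = pinned[:ip]
  http.use_ssl = (uri.scheme == 'https')
  http.open_timeout = 5
  http.read_timeout = 10
  http.get(uri.request_uri)
end
```

fetch_pinned needs network access and is shown for completeness; pin_url and url_blocked? can be exercised offline with a stub resolver. Rejecting a hostname when any answer is private, rather than selecting the public one, matters because an HTTP client that resolves on its own may pick a different answer than the validator did; pinning removes that second resolution entirely.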

Access tokens persist after project deletion

A business logic error in the project deletion process in GitLab 13.6 and later allows persistent access via project access tokens. This is a medium severity issue (, 5.4). It is now mitigated in the latest release and is assigned CVE-2021-39866.

Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program.

User enumeration vulnerability

In all versions of GitLab CE/EE, provided a user ID, anonymous users can use a few endpoints to retrieve information about any GitLab user. This is a medium severity issue (, 5.3). It is now mitigated in the latest release and is assigned CVE-2021-39882.

This issue was found internally by a member of the GitLab team.

Potential DoS via API requests

A potential DoS vulnerability was discovered in GitLab starting with version 9.1 that allowed parsing files without authorisation. This is a medium severity issue (, 5.3). It is now mitigated in the latest release and is assigned CVE-2021-39893.

This vulnerability has been discovered internally by the GitLab team.

Pending invitations of public groups and public projects are visible to any user

In all versions of GitLab CE/EE since version 13.6, it is possible to see pending invitations of any public group or public project by visiting an API endpoint. This is a medium severity issue (, 5.3). It is now mitigated in the latest release and is assigned CVE-2021-39875.

Thanks @ashish_r_padelkar for reporting this vulnerability through our HackerOne bug bounty program.

Bypass Disabled Repo by URL Project Creation

In all versions of GitLab CE/EE since version 11.11, on an instance where the Repo by URL import source has been disabled, an attacker can bypass that setting by making a crafted API call. This is a medium severity issue (, 4.3). It is now mitigated in the latest release and is assigned CVE-2021-39870.

Thanks @ngalog for reporting this vulnerability through our HackerOne bug bounty program.

Low privileged users can see names of the private groups shared in projects

In all versions of GitLab EE since version 8.13, an endpoint discloses names of private groups that have access to a project to low privileged users that are part of that project. This is a medium severity issue (, 4.3). It is now mitigated in the latest release and is assigned CVE-2021-39884.

Thanks @ashish_r_padelkar for reporting this vulnerability through our HackerOne bug bounty program.

API discloses sensitive info to low privileged users

In all versions of GitLab EE since version 13.10, a specific API endpoint may reveal details about a private group and other sensitive info inside issue and merge request templates. This is a medium severity issue (, 4.3). It is now mitigated in the latest release and is assigned CVE-2021-39888. Thanks @0xn3va for reporting this vulnerability through our HackerOne bug bounty program.

Epic listing does not honour group memberships

Improper authorization checks in GitLab EE > 13.11 allow subgroup members to see epics from all parent subgroups. This is a medium severity issue (, 4.3). It is now mitigated in the latest release and is assigned CVE-2021-39883.

This vulnerability has been discovered internally by the GitLab team.

Insecure Direct Object Reference vulnerability may lead to protected branch names getting disclosed

In all versions of GitLab EE since version 14.1, due to an insecure direct object reference vulnerability, an endpoint may reveal the protected branch name to a malicious user who makes a crafted API call with the ID of the protected branch. This is a medium severity issue (, 4.3). It is now mitigated in the latest release and is assigned CVE-2021-39889.

Thanks @ashish_r_padelkar for reporting this vulnerability through our HackerOne bug bounty program.

Low privileged users can import users from projects that they are not a maintainer on

In all versions of GitLab CE/EE since version 12.0, a lower privileged user can import users from projects on which they do not have the maintainer role and thereby disclose the email addresses of those users. This is a medium severity issue (, 4.3). It is now mitigated in the latest release and is assigned CVE-2021-39892.

Thanks @ashish_r_padelkar for reporting this vulnerability through our HackerOne bug bounty program.

Potential DoS via dependencies API

A potential DoS vulnerability was discovered in GitLab EE starting with version 12.6 due to a lack of pagination in the dependencies API. This is a medium severity issue (, 4.3). It is now mitigated in the latest release and is assigned CVE-2021-22259.

This vulnerability has been discovered internally by the GitLab team.

Create a project with unlimited repository size through malicious Project Import

In all versions of GitLab CE/EE since version 8.12, an authenticated low-privileged malicious user may create a project with unlimited repository size by modifying values in a project export. This is a medium severity issue (, 4.3). It is now mitigated in the latest release and is assigned CVE-2021-39868.

Thanks @ngalog for reporting this vulnerability through our HackerOne bug bounty program.

Bypass disabled Bitbucket Server import source project creation

In all versions of GitLab CE/EE since version 13.0, on an instance where the Bitbucket Server import source has been disabled, an attacker can bypass that setting by making a crafted API call. This is a medium severity issue (, 4.3). It is now mitigated in the latest release and is assigned CVE-2021-39871.

This issue was discovered internally by a member of the GitLab team.

Requirement to enforce 2FA is not honored when using git commands

In all versions of GitLab CE/EE since version 11.0, the requirement to enforce 2FA is not honored when using git commands. This is a medium severity issue (, 4.3). It is now mitigated in the latest release and is assigned CVE-2021-39874.

Thanks @melar_dev for reporting this vulnerability through our HackerOne bug bounty program.

Content spoofing vulnerability

In all versions of GitLab CE/EE, there exists a content spoofing vulnerability which may be leveraged by attackers to trick users into visiting a malicious website by spoofing the content in an error response. This is a medium severity issue (, 4.3). It is now mitigated in the latest release and is assigned CVE-2021-39873.

Thanks @w00t1 for reporting this vulnerability through our HackerOne bug bounty program.

Improper session management in impersonation feature

In all versions of GitLab CE/EE since version 8.0, when an admin uses the impersonate feature twice and stops impersonating, the admin may be logged in as the second user they impersonated, which may lead to repudiation issues. This is a low severity issue (, 3.8). It is now mitigated in the latest release and is assigned CVE-2021-39896.

This vulnerability was reported to GitLab by a customer.

Create OAuth application with arbitrary scopes through content spoofing

In all versions of GitLab CE/EE since version 7.7, the application may let a malicious user create an OAuth client application with arbitrary scope names which may allow the malicious user to trick unsuspecting users to authorize the malicious client application using the spoofed scope name and description. This is a low severity issue (, 3.5). It is now mitigated in the latest release and is assigned CVE-2021-39881.

Thanks @executor for reporting this vulnerability through our HackerOne bug bounty program.

LDAP users can bypass 2FA and load certain pages with HTTP Basic Auth

It was possible to bypass 2FA for LDAP users and access some specific pages with Basic Authentication in GitLab 14.1.1 and above. This is a low severity issue (, 3.1). It is now mitigated in the latest release and is assigned CVE-2021-39890.

This vulnerability has been discovered internally by the GitLab team.

Lack of account lockout on change password functionality

In all versions of GitLab CE/EE, an attacker with access to a user’s session may brute force the user’s password via the change password function. There is a rate limit in place, but the attack may still be conducted by splitting the attack over several IP addresses. This is a low severity issue (, 2.9). It is now mitigated in the latest release and is assigned CVE-2021-39899.

This vulnerability was discovered internally by the GitLab team.
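The note above describes the gap a per-IP rate limit leaves: every source address gets its own budget, so guesses against one account keep flowing as long as they are spread over enough addresses. The Ruby below is an added illustration (not GitLab's code; the class name AttemptLimiter, the limits, the window and the constructed addresses are assumptions) of the control the fix implies, a budget keyed by the account rather than by the client address. compare_keying replays the scenario from the note once against an IP-keyed limiter and once against an account-keyed one and counts how many guesses each lets through for identical traffic.

```ruby
# Hypothetical sliding-window limiter, not GitLab's code. It counts failed
# attempts per key and refuses further attempts once the budget is spent.
class AttemptLimiter
  def initialize(max_attempts:, window_seconds:)
    @max_attempts = max_attempts
    @window_seconds = window_seconds
    @failures = Hash.new { |h, k| h[k] = [] } # key => timestamps of recent failures
  end

  # Returns true if the attempt may proceed (recording it as a failure, since
  # this example models wrong-password submissions), false if the key is locked.
  def attempt(key, now)
    @failures[key].reject! { |t| t < now - @window_seconds }
    return false if @failures[key].size >= @max_attempts

    @failures[key] << now
    true
  end
end

# Replays the scenario from the advisory: one account, wrong guesses spread
# across many source addresses. Compares an IP-keyed budget with an
# account-keyed one and returns how many guesses each accepted.
def compare_keying(ips:, attempts_per_ip:, limit:, window_seconds: 600)
  per_ip = AttemptLimiter.new(max_attempts: limit, window_seconds: window_seconds)
  per_account = AttemptLimiter.new(max_attempts: limit, window_seconds: window_seconds)
  accepted = { per_ip: 0, per_account: 0 }
  account = 'user:42' # constructed account id
  clock = 0
  ips.times do |i|
    source = "203.0.113.#{i}" # constructed TEST-NET-3 source addresses
    attempts_per_ip.times do
      clock += 1
      accepted[:per_ip] += 1 if per_ip.attempt(source, clock)
      accepted[:per_account] += 1 if per_account.attempt(account, clock)
    end
  end
  accepted
end
```

With ten addresses and five guesses each, the IP-keyed limiter never locks (every address stays under its budget) while the account-keyed limiter stops after the first five, which is the account-lockout behaviour the fix adds. In a real deployment both limiters run side by side: the per-IP one still protects against noisy clients, and the per-account one closes the distribution gap.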

Epic reference was not updated while moved between groups

Permission rules were not applied while issues were moved between projects of the same group in GitLab versions starting with 10.6 and up to 14.1.7, allowing users to read confidential Epic references. This is a low severity issue (, 2.6). It is now mitigated in the latest release and is assigned CVE-2021-39886.

This vulnerability was discovered internally by the GitLab team.

Missing authentication allows disabling of two-factor authentication

Missing authentication in all versions of GitLab CE/EE since version 7.11.0 allows an attacker with access to a victim's session to disable two-factor authentication. This is a low severity issue (, 2.2). It is now mitigated in the latest release and is assigned CVE-2021-39879.

This vulnerability has been discovered internally by the GitLab team.

Information disclosure in SendEntry

Information disclosure from SendEntry in GitLab starting with 10.8 exposed, via Rails logs, the full URL of artifacts stored in object storage with temporary availability. This is a low severity issue (, 2.0). It is now mitigated in the latest release and is assigned CVE-2021-39900.

This vulnerability has been discovered internally by the GitLab team.

Updating

To update GitLab, see the Update page. To update GitLab Runner, see the Updating the Runner page.

Receive Security Release Notifications

To receive security release blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our security release RSS feed or our RSS feed for all releases.

Source: https://about.gitlab.com/releases/2021/09/30/security-release-gitlab-14-3-1-released/


GitLab Critical Security Release: 13.9.4, 13.8.6, and 13.7.9

Today we are releasing versions 13.9.4, 13.8.6, and 13.7.9 for GitLab Community Edition (CE) and Enterprise Edition (EE).

These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.

GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our security FAQ. You can see all of our regular and security release blog posts here. In addition, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.

We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.

Table of Fixes

Remote code execution via unsafe user-controlled markdown rendering options

An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.2 allowing unauthorised authenticated users to execute arbitrary code on the server. This is a critical severity issue (, 9.9). It is now mitigated in the latest release and is assigned CVE-2021-22192.

Thanks @vakzz for reporting this vulnerability through our HackerOne bug bounty program.

Remediation

We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.

Updating

To update GitLab, see the Update page. To update GitLab Runner, see the Updating the Runner page.

Receive Security Release Notifications

To receive security release blog notifications delivered to your inbox, visit our contact us page. To receive security release blog notifications via RSS, subscribe to our RSS feed.

Source: https://about.gitlab.com/releases/2021/03/17/security-release-gitlab-13-9-4-released/

Vulnerability Management Overview

Johnathan Hunt, Julia Lake

Vulnerability Management is the recurring process of identifying, classifying, prioritizing, mitigating, and remediating vulnerabilities. This overview will focus on infrastructure vulnerabilities and the operational vulnerability management process. This process is designed to provide insight into our environments, leverage GitLab for vulnerability workflows, promote healthy patch management among other preventative best-practices, and remediate risk; all with the end goal to better secure our environments.

To achieve these goals, we’ve partnered with Tenable and have deployed their software-as-a-service (SaaS) solution, Tenable.io, as our vulnerability scanner. Tenable.io allows us to focus on what is important: scanning for vulnerabilities, analyzing the results, and ingesting vulnerability data into GitLab as the starting point for our vulnerability management process.

The Vulnerability Management process

Arguably the most important step for a successful vulnerability management process is defining the scope that the process will cover. Security and Infrastructure partnered to come up with a scope that would make sure all of our critical environments and systems were covered during deployment. The following environments are currently in scope for GitLab.com production:

Environment   | Project/Account      | Production | Deployed
GCP           | gitlab-production    | yes        | yes
GCP           | gitlab-ops           | yes        | yes
GCP           | gs-production        | yes        | yes
GCP           | env-zero             | yes        | yes
GCP           | gemnasium-production | yes        | yes
GCP           | service-prod         | yes        | yes
GCP           | gitlab-ci            | limited    | yes
AWS           | gitlab-com           | yes        | yes
Azure         | GitLab               | yes        | no
Digital Ocean | gitlab b.v.          | yes        | no

Note: If you believe a system you are responsible for should be included in the vulnerability management process, please contact the Security Incident Response Team.

With these environments scoped out and Tenable scanners deployed, we can begin the vulnerability management process. Keep in mind that vulnerability management is a feedback loop - vulnerability scanners provide the vulnerability data which is analyzed and ingested to mitigate and remediate found vulnerabilities. Feedback from this process feeds into preventative initiatives that further secure our environments.

Currently, we break down vulnerability management into the following steps:

1. Vulnerability Scanning

This step is where we scan resources in our environments to identify vulnerabilities. Once set up, scans run on regular cadences that meet or exceed our compliance framework requirements.

2. Reporting/Analysis

Vulnerability scan data is exported and analyzed to provide consolidated vulnerability data we can ingest into GitLab.com for vulnerability remediation tracking. This is currently a manual process where we export vulnerability data into a spreadsheet and pull out pertinent information.

Tenable also provides reporting functionality that is used by our Compliance team to run reports for audits.

Currently, we export vulnerabilities as CSV files. These exports are filtered to be specific to the project/account (for example, gitlab-production in GCP gets its own report). Once exported, we analyze and consolidate the data into different , including: unique vulnerabilities, vulnerability count, vulnerability count by asset, and vulnerability by severity. Once completed, we open a vulnerability remediation issue in the Vulnerability Management issue tracker. These issues are where all discussion and documentation for the vulnerability will occur. We also open a linked issue in Infrastructure issue tracker which is where additional remediation issues for the vulnerabilities get opened and scheduled for review and remediation.
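The consolidation step described above, as an added Ruby example (not the handbook's or Tenable's code): the column names Plugin ID, Risk, Host and Name are an assumption about the export layout, the rows are constructed, and the function names are made up for this illustration. load_findings drops informational rows, summarize produces the four views the process names (unique vulnerabilities, vulnerability count, count by asset, count by severity), and issue_body renders them as Markdown that could be pasted into the monthly remediation issue.

```ruby
require 'csv'

# Constructed sample in the shape of a per-project Tenable CSV export.
# Column names are an assumption for this example, not a real export.
SAMPLE_EXPORT = <<~EXPORT
  Plugin ID,Risk,Host,Name
  12345,Critical,10.0.1.10,Example kernel update missing
  12345,Critical,10.0.1.11,Example kernel update missing
  67890,High,10.0.1.10,Example OpenSSL update missing
  24680,Medium,10.0.1.12,Example weak TLS cipher enabled
  13579,None,10.0.1.12,Informational: service banner
  67890,High,10.0.1.13,Example OpenSSL update missing
EXPORT

SEVERITY_ORDER = %w[Critical High Medium Low].freeze

# Parse the export and drop informational rows (Risk "None"), which are not
# vulnerabilities and would otherwise inflate every count below.
def load_findings(csv_text)
  CSV.parse(csv_text, headers: true).map(&:to_h).reject { |row| row['Risk'] == 'None' }
end

def severity_rank(risk)
  SEVERITY_ORDER.index(risk) || SEVERITY_ORDER.size
end

# One finding row is one (plugin, host) pair; a unique vulnerability is one
# plugin regardless of how many hosts it was seen on.
def summarize(findings)
  unique = findings.map { |f| { plugin_id: f['Plugin ID'], name: f['Name'], risk: f['Risk'] } }.uniq
  unique.sort_by! { |v| [severity_rank(v[:risk]), v[:plugin_id]] }
  {
    unique_vulnerabilities: unique,
    vulnerability_count: findings.size,
    count_by_asset: findings.group_by { |f| f['Host'] }.transform_values(&:size),
    count_by_severity: findings.group_by { |f| f['Risk'] }.transform_values(&:size)
  }
end

# Markdown body for the remediation issue; assets are listed busiest first so
# the hosts carrying the most findings are visible at the top.
def issue_body(summary)
  lines = ['## Vulnerability summary', '',
           "Total findings: #{summary[:vulnerability_count]}",
           "Unique vulnerabilities: #{summary[:unique_vulnerabilities].size}",
           '', '### By severity']
  summary[:count_by_severity].sort_by { |risk, _| severity_rank(risk) }
         .each { |risk, n| lines << "- #{risk}: #{n}" }
  lines << '' << '### By asset'
  summary[:count_by_asset].sort_by { |host, n| [-n, host] }.each { |host, n| lines << "- #{host}: #{n}" }
  lines << '' << '### Unique vulnerabilities'
  summary[:unique_vulnerabilities].each { |v| lines << "- [#{v[:risk]}] #{v[:plugin_id]} #{v[:name]}" }
  lines.join("\n")
end
```

Running summarize on a real export only requires mapping the column names; the grouping logic is the same whatever the scanner. Keeping the informational filter explicit also makes it easy to audit why the issue's totals differ from the raw row count in the export.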

3. Ingestion

Once the data is prepared in a format from which we can pull out the most important information, we can ingest it into GitLab.com. Issues are opened in the Vulnerability Management tracker to track the remediation process of the vulnerability. Another issue is opened in the Infrastructure issue tracker linking to the vulnerability management tracker issue; these are so that the work can properly get prioritized and scheduled according to the Infrastructure team’s workflow.

Currently, we group vulnerabilities into a single remediation issue on a monthly basis to consolidate the work required to remediate. From here, the SIRT team can work with Infra to prioritize and open additional remediation issues which are linked to the monthly remediation issue.

Vulnerability remediation issues should be tagged with the type label. These leverage GitLab's scoped label capability. The following labels exist to track the vulnerability remediation workflow:

  • : This label identifies that the vulnerability has been opened, but not validated and is considered impactful to our environments per the assigned priority label. With this label a vulnerability issue should not be closed.

  • : This label identifies that the vulnerability has been validated as legitimate and is scheduled for mitigation or remediation. With this label a vulnerability issue should not be closed.

  • : This label identifies that the vulnerability has been validated as a false positive and is no longer impactful to our environments. With this label a vulnerability issue can be closed.

  • : This label identifies that the vulnerability has been validated as legitimate and has an approved exception issue to account for a business need. In extreme circumstances, a vulnerability issue can be closed with an exception.

  • : This label identifies that the vulnerability has been validated and triaged. The impact has been reduced through compensating controls, but not remediated (it is still actively identified on vulnerability scans). With this label a vulnerability issue should not be closed.

  • : This label identifies that the vulnerability has been remediated and the remediation has been validated. With this label a vulnerability issue can be closed.

We also add the label to all Vulnerability issues to scope the issues in the Vulnerability Management issue board.

4. Validation

Validation is an important part of vulnerability management. This is where we investigate to ensure that the vulnerability being reported has properly been identified.

Vulnerabilities can sometimes be identified during a scan but not actually be present on the system. This can happen for a number of reasons, but most commonly it is the result of misflagged ports or services. These are classified as false positives and go through the process to be closed as a false positive.

5. Remediation

Remediation is the part of the process in which a validated vulnerability is fixed. The remediation process is tracked in the corresponding vulnerability issue in the Vulnerability Management issue tracker. SLAs are in place to help prioritize vulnerabilities based on severity. Once a vulnerability is remediated, we run follow-up scans on the impacted systems to validate that the vulnerability is indeed remediated.

We've implemented an escalation path for remediation issues in the Infrastructure issue tracker that automatically tags the VM DRI and backup when remediation issues are approaching or past their SLAs.

For improved tracking of remediation issues, we are using GitLab Epics. The remediation epic includes monthly subepics that track remediation progress for that month. If remediation SLAs do not require a vulnerability to be remediated in a month, it will be rolled over into the following subepic until remediated or its due date passes.

Vulnerability Issue Workflows

There are several ways a vulnerability issue can be closed - below are some common vulnerability workflows using the labels as reference:

Closed as Remediated

The most common workflow is to close a vulnerability issue as . This means that a vulnerability has been validated and remediation has taken place. Below is the workflow:

graph TB
  SubGraph1 --> Node2
  subgraph "Vulnerability Issue Status: Closed"
    Node2(Vulnerability:Remediated)
  end
  subgraph "Vulnerability Issue Status: Open"
    Node1[Vulnerability:Vulnerable] --> SubGraph1[Vulnerability:Validated]
  end

Closed as False Positive

A vulnerability must always be validated - but sometimes the validation can prove that a vulnerability is a false positive. Below is the workflow:

graph TB
  SubGraph1 --> Node2
  subgraph "Vulnerability Issue Status: Closed"
    Node2(Vulnerability:FalsePositive)
  end
  subgraph "Vulnerability Issue Status: Open"
    Node1[Vulnerability:Vulnerable] --> SubGraph1[Vulnerability:Validated]
  end

Closed as Exception

Sometimes issues arise that would otherwise prevent a vulnerability from being remediated or mitigated. While commonly, these would result in an open vulnerability issue status, there are unique cases where an issue can be closed as an exception. Below is the workflow:

graph TB
  SubGraph1 --> Node2
  subgraph "Vulnerability Issue Status: Closed"
    Node2(Vulnerability:Exception)
  end
  subgraph "Vulnerability Issue Status: Open"
    Node1[Vulnerability:Vulnerable] --> SubGraph1[Vulnerability:Validated]
  end

Open as Exception

Issues closed via this process are very rare. Generally, an exception is a non-permanent way to assume risk on a vulnerability due to extenuating circumstances in which remediation cannot take place within the required SLAs. Below is the workflow:

graph TB
  SubGraph1 --> Node3
  subgraph "Vulnerability Issue Status: Closed"
    Node3(Vulnerability:Remediated)
  end
  subgraph "Vulnerability Issue Status: Open"
    Node1[Vulnerability:Vulnerable] --> Node2(Vulnerability:Validated) --> SubGraph1[Vulnerability:Exception]
  end

Open as Mitigated

Another common workflow is when a vulnerability is validated and a fix is scheduled for some time in the future (within the SLA). If we are able to, we put a mitigation in place in the interim to reduce the risk from the vulnerability. Below is the workflow:

graph TB
  SubGraph1 --> Node3
  subgraph "Vulnerability Issue Status: Closed"
    Node3(Vulnerability:Remediated)
  end
  subgraph "Vulnerability Issue Status: Open"
    Node1[Vulnerability:Vulnerable] --> Node2(Vulnerability:Validated) --> SubGraph1[Vulnerability:Mitigated]
  end

6. Feedback

The last step is for the Security Incident Response Team and Infrastructure to determine what we can learn from each vulnerability remediated. This may be an improvement on the vulnerability management process itself or establishing preventive mechanisms for a repetitive vulnerability type. This feedback will be documented in the vulnerability issue and could result in additional issues being opened.

As stated above, this process is a cyclical loop. Vulnerability scans are recurring, providing new vulnerability data that feeds new vulnerability remediation and exception issues, which in turn help update or escalate open issues and processes.

Remediation SLAs

Security and Infrastructure have come up with remediation SLAs based on a multitude of factors, such as severity, scope, impact, etc. All of these factors are considered when mapping the priority to GitLab’s priority labels. The SLAs are as follows:

Priority                | Severity Mapping | Time to mitigate | Time to remediate
severity::1/priority::1 | Zero-day         | Within 24 hours  | Within 72 hours (when technically feasible)
severity::2/priority::2 | Critical         | N/A              | Within 30 days
severity::3/priority::3 | High             | N/A              | Within 60 days
severity::4/priority::4 | Medium           | N/A              | Within 90 days
severity::4/priority::4 | Low              | N/A              | Best effort.

severity::1/priority::1 vulnerabilities discovered in scans would be worked on immediately through the incident management process and adhere to any timelines determined as such. This includes a 15-minute engagement, 24-hour mitigation, and 72-hour remediation SLA (from time of reporting).

Note: Mitigation SLAs only apply to severity::1/priority::1 vulnerabilities. These often coincide with broad, industry-impacting zero-day vulnerabilities, and in such events the 72-hour target would be impossible to meet. These exceptions will be documented and noted as they occur.

Exception process

We understand that it is not always technologically feasible to keep all packages up to date due to application conflicts, or that a business decision may be made not to remediate a vulnerability because remediation would impact performance too greatly. Low-risk vulnerabilities that may not get prioritized within the remediation SLAs should have an exception approved for them, documenting the low likelihood of exploitation due to layered security, other compensating controls, means of exploitation, etc.

With this in mind, we have a vulnerability exception process: if you've identified a vulnerability that is a candidate for an exception, please open a vulnerability exception issue in the vulnerability management issue tracker.

Please fill out all the pertinent information requested in the template. For reference, the information required is as follows:

  • Vulnerability title
  • Tenable plugin-ID
  • Priority/Severity of Vulnerability
  • Original remediation issue due date
  • Length of requested exception
  • List of applicable hosts

You will also need to describe the business need for the exception, document any existing/implemented compensating controls, and link any ongoing remediation efforts.

Exception length restrictions

We currently allow exception lengths based on priority/severity as follows:

P/S                     | 30-days | 60-days | 90-days | 365-days
priority::1/severity::1 |         |         |         |
priority::2/severity::2 |         |         |         |
priority::3/severity::3 |         |         |         |
priority::4/severity::4 |         |         |         |

Exception approval matrix

After the issue is opened, the requestor should set the due date to match that of the associated remediation issue and assign the issue to the proper approver. The severity and priority of the vulnerability dictate the approval process, which is documented below:

P/S                     | Approver
priority::1/severity::1 | VP of Security or Infrastructure
priority::2/severity::2 | Director of Security Operations
priority::3/severity::3 | Security Manager, Security Incident Response Team
priority::4/severity::4 | Security Engineer, Security Incident Response Team

Host Validation

To ensure we are scanning all possible hosts in the scoped environments, we leverage Tenable connectors. These connectors run as a service account in our environment projects/accounts and pull metadata regarding all compute assets, thus populating an up-to-date view of all the assets in our environment. These imports run on a 24-hour schedule, meaning we always have a daily view of our assets across the environments.

We set up our traditional scans using subnets that encompass all of our assets. When new subnets are set up in our environments (for example, VPC networks in GCP or AWS), part of the process of setting up that network is making sure that (if in scope) authenticated vulnerability scans are set up. If a connector import ever finds an asset outside of the subnets we are currently scanning, an investigation is launched to determine the validity of that host. These hosts show up as validated but unassessed. If it is a legitimate host, we add the subnet that the asset is in to our scanning schedule. While we prefer to set up the scans before new networks are created, this feedback loop ensures we never miss assets when scanning.

Vulnerability Scanning Schedule

Vulnerability scans occur on a weekly basis in our scoped environments. The schedule can be seen below:

The start times are always consistent; however, scan durations may fluctuate based on a multitude of factors. Generally, the production scans complete in under 2 hours. We’ve segmented the scans to reduce impact to the environment. We’ve also enabled load throttling, so if increased load is detected on the systems/networks being scanned, Tenable reduces its footprint to further reduce impact.

The target groups used in these scans are set up using GCP VPC network ranges to ensure any newly provisioned resources are scanned without manually entering each resource's IP into the scan. We will leverage similar functionality during our AWS and Azure deployments.

Note: for more information, please visit the channel on Slack where there are links to documentation breaking down what hosts are in what scan group.

Contact

If you have any questions or concerns related to vulnerability management, please contact the Security Incident Response Team in the channel on Slack, by tagging in Slack or in a GitLab issue, or by opening an issue in the Security Incident Response Team issue tracker. All work being done to improve this process is also tracked in that issue tracker.

Any questions regarding ownership around vulnerability management can be answered in GitLab’s tech stack documentation.

Source: https://about.gitlab.com/handbook/engineering/security/vulnerability_management/
