GitLab News

GitLab Critical Security Release: 10.5.6, 10.4.6, and 10.3.9


Today we are releasing versions 10.5.6, 10.4.6, and 10.3.9 for GitLab Community Edition (CE) and Enterprise Edition (EE).

These versions contain a number of important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.

The vulnerability details will be made public on our issue tracker in approximately 30 days.

Please read on for more information regarding this release.

SSRF in services and web hooks

There were multiple server-side request forgery (SSRF) issues in the Services feature. An attacker could cause the GitLab instance to make requests to servers on the same network as the instance. This could lead to information disclosure, authentication bypass, or potentially code execution. This issue has been assigned CVE-2018-8801.

Thanks to @jobert from HackerOne for reporting this.

Versions Affected

  • Affects GitLab CE/EE 8.3 and up

Remediation

We strongly recommend that all installations running an affected version listed above be upgraded to the latest version as soon as possible.
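One mitigation for this bug class, shown here as an added example that is not GitLab's own code: validate the destination of a webhook or service URL before the server issues the request, rejecting loopback, private and link-local targets after DNS resolution. The resolver stub, hostnames and addresses in the usage are constructed for illustration.

```ruby
require 'ipaddr'
require 'resolv'
require 'uri'

# Address ranges an instance should never reach on behalf of a user:
# "this host", RFC 1918 private, CGNAT, loopback, link-local, IPv6 ULA/link-local.
BLOCKED_RANGES = %w[
  0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16
  172.16.0.0/12 192.168.0.0/16 ::1/128 fc00::/7 fe80::/10
].map { |cidr| IPAddr.new(cidr) }

class BlockedUrlError < StandardError; end

# Checks a user-supplied outbound URL and returns the resolved addresses that
# passed. The caller should connect to one of these addresses (not re-resolve
# the name), otherwise a DNS rebinding answer could swap in an internal host.
# `resolver` maps a hostname to an array of IP strings; it is injectable so the
# check can be exercised offline (the default uses the system resolver).
def validate_outbound_url(url, resolver: ->(host) { Resolv.getaddresses(host) })
  uri = URI.parse(url)
  raise BlockedUrlError, 'only http(s) allowed' unless %w[http https].include?(uri.scheme)
  host = uri.hostname # strips the [] around IPv6 literals
  raise BlockedUrlError, 'missing host' if host.nil? || host.empty?

  # A literal IP needs no lookup; a name is resolved and EVERY record is checked,
  # because an attacker-controlled name may mix public and private answers.
  literal = (IPAddr.new(host) rescue nil)
  addrs = literal ? [host] : resolver.call(host)
  raise BlockedUrlError, "could not resolve #{host}" if addrs.empty?

  addrs.each do |a|
    ip = IPAddr.new(a)
    ip = ip.native if ip.ipv4_mapped? # ::ffff:10.0.0.1 is really 10.0.0.1
    if BLOCKED_RANGES.any? { |r| r.include?(ip) }
      raise BlockedUrlError, "#{host} resolves to blocked address #{ip}"
    end
  end
  addrs
end

# Constructed resolver for offline use: one benign name, one that mixes a
# public record with an internal one.
FAKE_DNS = {
  'hooks.example' => ['203.0.113.10'],
  'evil.example'  => ['203.0.113.5', '10.0.0.7']
}
FAKE_RESOLVER = ->(host) { FAKE_DNS.fetch(host, []) }
```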

GitLab Auth0 integration issue

There was an issue with the GitLab omniauth-auth0 configuration which resulted in the Auth0 integration signing in the wrong users.

Thanks to Trond Hindenes for reporting this issue.

Versions Affected

  • Affects GitLab CE 8.6 and up

Remediation

We strongly recommend that all installations running an affected version listed above be upgraded to the latest version as soon as possible.

Updating

To update, check out our update page.
