GitLab官网安全更新（2023

These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.

GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our security FAQ. You can see all of our regular and security release blog posts here. In addition, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.

We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.

Recommended Action

We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.

When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.

Table of Fixes

Title Severity

Stored-XSS with CSP-bypass in Merge requests high

ReDoS via FrontMatterFilter in any Markdown fields high

ReDoS via InlineDiffFilter in any Markdown fields high

ReDoS via DollarMathPostFilter in Markdown fields high

DoS via malicious test report artifacts medium

Restricted IP addresses can clone repositories of public projects medium

Reflected XSS in Report Abuse Functionality medium

Privilege escalation from maintainer to owner by importing members from a project medium

Bypassing tags protection in GitLab medium

Denial of Service using multiple labels with arbitrarily large descriptions medium

Ability to use an unverified email for public and commit emails medium

Open Redirection Through HTTP Response Splitting low

Disclosure of issue notes to an unauthorized user when exporting a project low

Ambiguous branch name exploitation low

Stored-XSS with CSP-bypass in Merge requests

An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. A specially crafted merge request could lead to a stored XSS on the client side which allows attackers to perform arbitrary actions on behalf of victims. This is a high severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N, 8.7). It is now mitigated in the latest release and is assigned CVE-2023-2442.

Thanks yvvdwf for reporting this vulnerability through our HackerOne bug bounty program.

ReDoS via FrontMatterFilter in any Markdown fields

An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.0 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. A Regular Expression Denial of Service was possible via sending crafted payloads to the preview_markdown endpoint. This is a high severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, 7.5). It is now mitigated in the latest release and is assigned CVE-2023-2199.

Thanks ryhmnlfj for reporting this vulnerability through our HackerOne bug bounty program.

ReDoS via InlineDiffFilter in any Markdown fields

An issue has been discovered in GitLab CE/EE affecting all versions starting from 8.7 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. A Regular Expression Denial of Service was possible via sending crafted payloads to the preview_markdown endpoint. This is a high severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, 7.5). It is now mitigated in the latest release and is assigned CVE-2023-2198.

Thanks ryhmnlfj for reporting this vulnerability through our HackerOne bug bounty program.

ReDoS via DollarMathPostFilter in Markdown fields

An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.4 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. A DollarMathPostFilter Regular Expression Denial of Service in was possible by sending crafted payloads to the preview_markdown endpoint. This is a high severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, 7.5). It is now mitigated in the latest release and is assigned CVE-2023-2132.

Thanks ryhmnlfj for reporting this vulnerability through our HackerOne bug bounty program.

DoS via malicious test report artifacts

A denial of service issue was discovered in GitLab CE/EE affecting all versions starting from 13.2.4 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2 which allows an attacker to cause high resource consumption using malicious test report artifacts. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, 6.5). It is now mitigated in the latest release and is assigned CVE-2023-0121.

Thanks luryus for reporting this vulnerability through our HackerOne bug bounty program.

Restricted IP addresses can clone repositories of public projects

An issue has been discovered in GitLab EE affecting all versions starting from 12.0 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. An attacker can clone a repository from a public project, from a disallowed IP, even after the top-level group has enabled IP restrictions on the group. This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N, 5.9). It is now mitigated in the latest release and is assigned CVE-2023-2589.

Thanks ali_shehab for reporting this vulnerability through our HackerOne bug bounty program.

Reflected XSS in Report Abuse Functionality

An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.8 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. A reflected XSS was possible when creating new abuse reports which allows attackers to perform arbitrary actions on behalf of victims. This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N, 4.4). It is now mitigated in the latest release and is assigned CVE-2023-2015.

Thanks akadrian for reporting this vulnerability through our HackerOne bug bounty program.

Privilege escalation from maintainer to owner by importing members from a project

An issue has been discovered in GitLab CE/EE affecting all versions starting from 14.1 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. A malicious maintainer in a project can escalate other users to Owners in that project if they import members from another project that those other users are Owners of. This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N, 4.4). It is now mitigated in the latest release and is assigned CVE-2023-2485.

Thanks theluci for reporting this vulnerability through our HackerOne bug bounty program.

Bypassing tags protection in GitLab

An issue has been discovered in GitLab CE/EE affecting all versions before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. An attacker was able to spoof protected tags, which could potentially lead a victim to download malicious code. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N, 4.3). It is now mitigated in the latest release and is assigned CVE-2023-2001.

Thanks inspector-ambitious for reporting this vulnerability through our HackerOne bug bounty program.

Denial of Service using multiple labels with arbitrarily large descriptions

A lack of length validation in GitLab CE/EE affecting all versions from 8.3 before 15.10.8, 15.11 before 15.11.7, and 16.0 before 16.0.2 allows an authenticated attacker to create a large Issue description via GraphQL which, when repeatedly requested, saturates CPU usage. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L, 4.3). It is now mitigated in the latest release and is assigned CVE-2023-0921.

Thanks cryptopone for reporting this vulnerability through our HackerOne bug bounty program.

Ability to use an unverified email for public and commit emails

An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.1 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. A user could use an unverified email as a public email and commit email by sending a specifically crafted request on user update settings. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N, 4.3). It is now mitigated in the latest release and is assigned CVE-2023-1204.

Thanks theluci for reporting this vulnerability through our HackerOne bug bounty program

Open Redirection Through HTTP Response Splitting

An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.4 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. Open redirection was possible via HTTP response splitting in the NPM package API. This is a low severity issue (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N, 3.1). It is now mitigated in the latest release and is assigned CVE-2023-0508.

Thanks akadrian for reporting this vulnerability through our HackerOne bug bounty program.

Disclosure of issue notes to an unauthorized user when exporting a project

An issue has been discovered in GitLab EE affecting all versions starting from 15.7 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. It was possible to disclose issue notes to an unauthorized user at project export. This is a low severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N, 3.1). It is now mitigated in the latest release and is assigned CVE-2023-1825.

This vulnerability has been discovered internally by GitLab team member.

Ambiguous branch name exploitation

An issue has been discovered in GitLab CE/EE affecting all versions starting from 1.2 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. An issue was found that allows someone to abuse a discrepancy between the Web application display and the git command line interface to social engineer victims into cloning non-trusted code. This is a low severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N, 2.6). It is now mitigated in the latest release and is assigned CVE-2023-2013.

Thanks inspector-ambitious for reporting this vulnerability through our HackerOne bug bounty program.

Update Mattermost

Mattermost has been updated to version 7.9.3 in order to mitigate security issues.

Update Ncurses

Ncurses has been updated to version 6.4-20230225 in order to mitigate security issues.

Update PostgreSQL

PostgreSQL has been updated to versions 12.14 and 13.11 in order to mitigate security issues.

Non Security Patches

This security release also includes the following non-security patches.

16.0.2

Update the upgrade path for 15.11 and 16.x Introduce parallelised BitBucket Server Importer Fix Sidekiq crash when gitlab.yml contains UTF-8 characters Backport: Revert "Remove legacy project routes" Backport: Update gitlab-qa and pipeline-common versions Merge branch '344594-fix-migration' into '16-0-stable-ee' Do not run notify-package-and-test-failure on sec Add task to fix migrations for 15.11 upgrades (16.0 Stable) Cherry-pick !12222 into 16.0 stable branch Do not requeue the indexing worker if failures occur [16.0.x Backport] Stop supporting and using deprecated Gitaly configuration

15.11.7

Backport 'Remove uncessary fields from pack-objects cache key computation' to 15.11 Do not run notify-package-and-test-failure on sec Add task to fix migrations for 15.11 upgrades (15.11 Stable)

15.10.8

[15.10] Update redis-namespace dependency in MailRoom [15-10 backport] Skip weak dependencies during install on UBI

[Backport 15.10 Fix restore with azcopy](https://gitlab.com/gitlab-org/build/CNG/-/merge_requests/1404)

Backport 'fix-container-replication' into 15.10 Convert some regex to use Gitlab::UntrustedRegexp Do not run notify-package-and-test-failure on sec [15.10] Add SMTP timeout configuration options [15.10] Validate that SMTP settings do not enable both TLS and STARTTLS

Updating

To update GitLab, see the Update page.To update Gitlab Runner, see the Updating the Runner page.

Receive Security Release Notifications

To receive security release blog notifications delivered to your inbox, visit our contact us page.To receive release notifications via RSS, subscribe to our security release RSS feed or our RSS feed for all releases.