--- title: "Critical Security Release for GitLab 8.2 through 8.7" date: 2016-05-02 23:50 author: GitLab categories: releases author_twitter: gitlab --- Today we are releasing versions 8.7.1, 8.6.8, 8.5.12, 8.4.10, 8.3.9, and 8.2.5 for GitLab Community Edition (CE) and Enterprise Edition (EE). These versions contain a number of important security fixes, including one for a critical privilege escalation, and we **strongly recommend** that all GitLab installations be upgraded to one of these versions **immediately**. Please read on for more details. ## Privilege escalation via "impersonate" feature During an internal code review, we discovered a critical security flaw in the "impersonate" feature of GitLab. Added in GitLab 8.2, this feature was intended to allow an administrator to simulate being logged in as any other user. A part of this feature was not properly secured and it was possible for _any_ authenticated user, administrator or not, to "log in" as any other user, including administrators. Please see [the issue][15548] for more details. This issue has been assigned [CVE-2016-4340][CVE]. [15548]: https://gitlab.com/gitlab-org/gitlab-ce/issues/15548 [CVE]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4340 ### Versions affected - 8.7.0 - 8.6.0 through 8.6.7 - 8.5.0 through 8.5.11 - 8.4.0 through 8.4.9 - 8.3.0 through 8.3.8 - 8.2.0 through 8.2.4 We **strongly recommend** that all installations running a version mentioned above be upgraded as soon as possible. ### Workarounds If you're unable to upgrade right away, you can secure your GitLab installation against this vulnerability using one of the workarounds outlined below until you have time to upgrade. You only need to apply _one_ of these workarounds. Each assumes you aren't using relative URLs; if you are, adjust the path accordingly. #### Securing via Omnibus configuration For Omnibus installations using the bundled Nginx web server, edit `/etc/gitlab/gitlab.rb` and add the following line: ```ruby nginx['custom_gitlab_server_config'] = "location ^~ /admin/users/stop_impersonation { deny all; }\n" ``` Then run `sudo gitlab-ctl reconfigure` for the changes to take effect. #### Securing via web server configuration If you are using an external web server with Omnibus or have installed GitLab from source, add the following lines to your web server's configuration file. For Nginx: ```nginx location ^~ /admin/users/stop_impersonation { deny all; } ``` For Apache: ```apache Order Deny,Allow Deny from all ``` Then reload the server for changes to take effect. #### Securing via HAProxy configuration Add the following lines to your configuration and restart the service: ``` acl is_stop_impersonation path_beg /admin/users/stop_impersonation acl is_delete method DELETE http-request deny if is_delete is_stop_impersonation ``` #### Securing via patch ```diff diff --git a/app/controllers/admin/impersonation_controller.rb b/app/controllers/admin/impersonation_controller.rb index bf98af7..8790018 100644 --- a/app/controllers/admin/impersonation_controller.rb +++ b/app/controllers/admin/impersonation_controller.rb @@ -1,4 +1,5 @@ class Admin::ImpersonationController < Admin::ApplicationController + before_action :render_403, only: :destroy skip_before_action :authenticate_admin!, only: :destroy before_action :user ``` ### Verifying the workaround 1. In an Incognito Window, login as an administrator 1. Go to the Admin section 1. Click on "Users" 1. Select any user 1. Click "Impersonate" 1. Click on the "Stop Impersonation" icon in the upper right: ![Stop impersonation](/images/blogimages/stop-impersonation.png) 1. Verify you receive a `403 Forbidden` error ## Privilege escalation via notes API By sending a specially-crafted request to the GitLab API, it was possible to post notes on merge requests, snippets, and issues that the user did not have access to. See [the issue][15577] for more details. Thanks to [Jobert Abma][jobert-twitter] of [HackerOne][jobert] for responsibly disclosing this issue to us. [15577]: https://gitlab.com/gitlab-org/gitlab-ce/issues/15577 ## Privilege escalation via project webhook API The project webhook API was not sufficiently secured, and made it possible for an authenticated user to read and delete webhooks from a private project. See [the issue][15576] for more details. Thanks to [Jobert Abma][jobert-twitter] of [HackerOne][jobert] for responsibly disclosing this issue to us. [15576]: https://gitlab.com/gitlab-org/gitlab-ce/issues/15576 ## XSS vulnerability via branch and tag names Git branch and tag names were not being properly escaped before being displayed on certain pages. See [the issue][15434] for more details. Thanks to Teun Beijers for responsibly disclosing this issue to us. [15434]: https://gitlab.com/gitlab-org/gitlab-ce/issues/15434 ## XSS vulnerability via custom issue tracker URL Custom issue tracker service URLs were not being properly validated, making it possible to craft a specific URL that could be used in an XSS attack. See [the issue][15437] for more details. Thanks to [Jobert Abma][jobert-twitter] of [HackerOne][jobert] for responsibly disclosing this issue to us. [15437]: https://gitlab.com/gitlab-org/gitlab-ce/issues/15437 ## XSS vulnerability via `window.opener` External links were not properly voiding the `window.opener` attribute, which could allow the external page to control the window object that opened it. See [the issue][15331] for more details. Thanks to [Anirudh Anand](https://hackerone.com/a0xnirudh) of [0daylabs](https://www.0daylabs.com) for responsibly disclosing this issue to us. [15331]: https://gitlab.com/gitlab-org/gitlab-ce/issues/15331 ## XSS vulnerability via label drop-down Label names were not being properly escaped before being displayed in certain drop-downs. See [the issue][15522] for more details. Only the following versions are affected: 8.6.0 through 8.6.7, and 8.7.0. Thanks to Gearlles Ferreira for responsibly disclosing this issue to us. [15522]: https://gitlab.com/gitlab-org/gitlab-ce/issues/15522 ## Information disclosure via milestone API Confidential issues attached to a milestone were being leaked via the milestone API. See [the issue][15579] for more details. Only the following versions are affected: 8.6.0 through 8.6.7, and 8.7.0. Thanks to [Jobert Abma][jobert-twitter] of [HackerOne][jobert] for responsibly disclosing this issue to us. [15579]: https://gitlab.com/gitlab-org/gitlab-ce/issues/15579 ## Information disclosure via snippet API Private snippets were being exposed via the GitLab API. See [the issue][15580] for more details. Thanks to [Jobert Abma][jobert-twitter] of [HackerOne][jobert] for responsibly disclosing this issue to us. [15580]: https://gitlab.com/gitlab-org/gitlab-ce/issues/15580 ## Information disclosure via project labels It was possible for an attacker to add labels from a private project to their own, possibly exposing sensitive information contained in a label's name or description. See [the issue][15439] for more details. Thanks to [Jobert Abma][jobert-twitter] of [HackerOne][jobert] for responsibly disclosing this issue to us. [15439]: https://gitlab.com/gitlab-org/gitlab-ce/issues/15439 ## Information disclosure via new merge request page It was possible for an attacker to discover the namespace and name of a private project via the "new merge request" page. See [the issue][15591] for more details. Thanks to [Jobert Abma][jobert-twitter] of [HackerOne][jobert] for responsibly disclosing this issue to us. [15591]: https://gitlab.com/gitlab-org/gitlab-ce/issues/15591 ## Upgrade barometer These versions do not include any new migrations, and should not require any downtime. Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a [`/etc/gitlab/skip-auto-migrations` file](http://doc.gitlab.com/omnibus/update/README.html). ## Updating To update, check out our [update page](/update). ## Enterprise Edition Interested in GitLab Enterprise Edition? Check out the [features exclusive to EE](/features/#enterprise). Access to GitLab Enterprise Edition is included with a [subscription](/pricing/). No time to upgrade GitLab yourself? Subscribers receive upgrade and installation services. [jobert-twitter]: https://twitter.com/jobertabma [jobert]: https://hackerone.com/jobert