Reference:
Advisory #2023-25
Version:
1.0
Affected software:
GitLab Community Edition
GitLab Enterprise Edition
Type:
Several vulnerabilities, including XSS leading to arbitrary actions
CVE/CVSS:
CVE-2023-0050: 8.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N)
CVE-2022-4289: 6.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N)
CVE-2022-4331: 5.7 (CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N)
CVE-2023-0483: 5.5 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N)
CVE-2022-4007: 5.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
CVE-2022-3758: 5.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N)
CVE-2023-0223: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
CVE-2022-4462: 5.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)
CVE-2023-1072: 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)
CVE-2022-3381: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)
CVE-2023-1084: 2.7 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N)
Official manufacturer: https://about.gitlab.com/releases/2023/03/02/security-release-gitlab-15-9-2-released/
CVE-2023-0050: A specially crafted Kroki diagram could lead to a stored XSS on the client side which allows attackers to perform arbitrary actions on behalf of victims.
CVE-2022-4289: Google IAP details in the Prometheus integration were not hidden and could be leaked from instance, group, or project settings to other users.
CVE-2022-4331: If a group with SAML SSO enabled is transferred to a new namespace as a child group, a previously removed malicious maintainer or owner of the child group can still gain access to the group via SSO or a SCIM token and perform actions on the group.
CVE-2023-0483: It was possible for a project maintainer to extract a Datadog integration API key by modifying the site.
CVE-2022-4007: A cross-site scripting vulnerability was found in the title field of work items that allowed attackers to perform arbitrary actions on behalf of victims on the client side.
CVE-2022-3758: Due to improper permission checks, an unauthorised user was able to read, add or edit a user's private snippet.
CVE-2023-0223: Non-project members could retrieve release descriptions via the API, even if the release visibility is restricted to project members only in the project settings.
CVE-2022-4462: This vulnerability could allow a user to unmask the Discord Webhook URL through viewing the raw API response.
CVE-2023-1072: It was possible to trigger a resource depletion attack due to improper filtering of the number of requests to read commit details.
CVE-2022-3381: A crafted URL could be used to redirect users to arbitrary sites.
CVE-2023-1084: A malicious project Maintainer may create a Project Access Token with Owner level privileges using a crafted request.
11 vulnerabilities exist in GitLab Community Edition and Enterprise Edition before versions 15.9.2, 15.8.4 and 15.7.8.
The CCB strongly recommends that all installations running a version affected by the issues described above be upgraded to the latest version as soon as possible.
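To act on this recommendation an administrator first has to decide whether a given instance is inside the affected range, which is defined per maintained branch (fixed in 15.9.2, 15.8.4 and 15.7.8). The helper below is an added example, not part of the CCB advisory or of GitLab; it encodes that three-branch rule and treats anything older than the oldest patched branch as affected. The version string is assumed to come from the instance itself (for example the `version` field of GitLab's `GET /api/v4/version` endpoint, or the Admin Area); an edition suffix such as `-ee` is accepted and ignored.

```python
"""Decide whether a GitLab version is inside the range affected by advisory #2023-25."""
import re

# Patched releases named in the advisory, one per maintained branch.
FIXED_VERSIONS = ("15.9.2", "15.8.4", "15.7.8")


def parse_version(text):
    """'15.9.1-ee' or '15.9.1' -> (15, 9, 1); the edition suffix is ignored."""
    match = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        raise ValueError("unrecognised GitLab version: %r" % text)
    return tuple(int(group) for group in match.groups())


def is_affected(version, fixed=FIXED_VERSIONS):
    """True when `version` is older than the fix on its own release branch.

    A version on a patched branch (15.9, 15.8, 15.7) is compared with that
    branch's patch release. Anything older than the oldest patched branch
    never received a fix and is treated as affected; anything newer than the
    newest patched branch already contains the fix.
    """
    current = parse_version(version)
    fixes = sorted(parse_version(f) for f in fixed)
    for fix in fixes:
        if current[:2] == fix[:2]:
            return current < fix
    return current < fixes[0]


def triage(versions):
    """Map each reported version string to 'affected' or 'fixed' for a fleet report."""
    return {v: ("affected" if is_affected(v) else "fixed") for v in versions}


if __name__ == "__main__":
    # Constructed sample of version strings as several instances might report them.
    sample = ["15.9.1-ee", "15.9.2", "15.8.3", "15.7.7-ce", "15.6.9", "15.10.0"]
    for version, status in triage(sample).items():
        print("%-10s %s" % (version, status))
```

Running the block on the constructed sample reports 15.9.1-ee, 15.8.3, 15.7.7-ce and 15.6.9 as affected, and 15.9.2 and 15.10.0 as fixed; the 15.6.9 case shows why the fall-through branch exists, since no 15.6 patch release is named in the advisory.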
GitLab.com: https://about.gitlab.com/releases/2023/03/02/security-release-gitlab-15-9-2-released/