Researchers recently reported multiple vulnerabilities in the popular DevOps platform GitLab. The company confirmed these critical flaws and disclosed that three distinct vulnerabilities affect its software.
What are these vulnerabilities?
The first, reported by Michael Gernoth, was assigned CVE-2019-14943. It allowed attackers to view internal resources by accessing the Grafana dashboard with hard-coded credentials. This vulnerability affects GitLab CE/EE versions 12.0 and later.
The second problem is a significant one: CVE-2019-14944, caused by improper parameter sanitization in Gitaly, which could enable remote code execution and privilege escalation. This flaw affects GitLab CE/EE versions 10.0 and later. GitLab credited the finding to William Bowling, whose HackerOne account shows a $12,000 bounty for the report.
The last flaw, CVE-2019-14942, affects GitLab CE/EE versions 11.5 and later. Authentication cookies for GitLab Pages sites with access control enabled were sent over plain HTTP. Because the cookies travelled unencrypted, an attacker in a man-in-the-middle position could intercept them.
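The cookie problem described above is a missing transport protection rather than a bug in the cookie's content, so it can be caught by auditing the `Set-Cookie` headers a site returns. The checker below is an added example, not GitLab's code; the cookie names and header values are constructed to resemble an access-controlled Pages response and are assumptions.

```python
"""Audit Set-Cookie headers for session cookies that a browser would also send over plain HTTP."""
from typing import Dict, List, Union

Attrs = Dict[str, Union[str, bool]]


def parse_set_cookie(header: str) -> Dict[str, Union[str, Attrs]]:
    """Split one Set-Cookie header value into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs: Attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        # Flag attributes (Secure, HttpOnly) have no value; store True for them.
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_cookie(header: str, served_over_https: bool = True) -> List[str]:
    """Return findings for a session cookie that lacks transport or script protections."""
    cookie = parse_set_cookie(header)
    attrs = cookie["attrs"]
    findings: List[str] = []
    if served_over_https and "secure" not in attrs:
        # Without Secure the browser will replay the cookie on any http:// request to the host,
        # which is exactly what exposes it to a man-in-the-middle on the network path.
        findings.append("missing Secure attribute: cookie will also be sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly attribute: cookie is readable by page scripts")
    samesite = str(attrs.get("samesite", "")).lower()
    if samesite not in ("lax", "strict"):
        findings.append("SameSite is not Lax or Strict")
    return findings


# Constructed sample headers (assumed names; not captured from a real GitLab instance).
WEAK_HEADER = "gitlab-pages=abc123; Path=/; HttpOnly"
HARDENED_HEADER = "gitlab-pages=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"

if __name__ == "__main__":
    for label, hdr in (("weak", WEAK_HEADER), ("hardened", HARDENED_HEADER)):
        print(label, audit_cookie(hdr) or ["ok"])
```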
Are These Security Vulnerabilities Patched?
GitLab announced that it had patched these vulnerabilities before anyone could exploit them. The fixes are included in GitLab Community Edition (CE) and Enterprise Edition (EE) versions 11.11.8, 12.0.6, and 12.1.6. The company also said it will publicly disclose full details of the vulnerabilities once the fixes are in place. Users should update their software immediately; otherwise they remain exposed to attack.