to a GitLab installation via a publicly accessible URL. This could lead to information disclosure or, in certain circumstances, the execution of code. This issue has been assigned the CVE identifier CVE-2018-1087 and has been publicly disclosed.

Improper control of a resource identifier in Error Tracking in GitLab affecting all versions prior to 13.5 allows an attacker to inject arbitrary JavaScript code into a user's session. Such code could be executed in the context of another user. This issue has been assigned the CVE identifier CVE-2018-8777 and has been publicly disclosed.

Improper control of a resource identifier in Error Tracking in GitLab affecting all versions prior to 13.5 allows an attacker to craft a request which would change the state of an object in an application. This issue has been assigned the CVE identifier CVE-2018-8776 and has been publicly disclosed.

Improper control of a resource identifier in Error Tracking in GitLab affecting all versions prior to 13.5 allows an attacker to generate content which could cause a victim to make unintended requests to a GitLab installation via a publicly accessible URL. This could lead to information disclosure or, in certain circumstances, the execution of code. This issue has been assigned the CVE identifier CVE-2018-8777 and has been publicly disclosed.

References

- CVE-2018-1087
- CVE-2018-8777
- CVE-2018-8776

Improvement

We have addressed the three issues above in our current 14.2 release.
The vulnerabilities were identified internally, and we immediately notified GitLab's security contacts and coordinated disclosure with other affected companies.
As always, any code changes or updates to the application should be made only after a thorough review and understanding of how they could affect your application and its users. We recommend reviewing these two blog posts for more information on how this affects you:

- "CVE-2018-8777 - Improper control of a resource identifier in Error Tracking in GitLab affecting all versions prior to 13.5 allows an attacker to craft a request which would change the state of an object in an application."
- "CVE-2018-8776 - Improper control of a resource identifier in Error Tracking in GitLab affecting all versions prior to 13.5 allows an attacker to generate content which could cause a victim to make unintended requests to a GitLab installation via a publicly accessible URL."

Timeline

Published on: 10/17/2022 16:15:00 UTC
Last modified on: 10/19/2022 17:09:00 UTC