GitLab Security Release: 16.6.1, 16.5.3, 16.4.3

GitLab Security Advisory

Today we are releasing versions 16.6.1, 16.5.3, 16.4.3 for GitLab Community Edition (CE) and Enterprise Edition (EE).

These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to
one of these versions immediately. GitLab.com is already running the patched version.

GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases:
a monthly, scheduled security release, released a week after the feature release (which deploys on the 3rd Thursday of each month),
and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our security FAQ.
You can see all of our regular and security release blog posts here.
In addition, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.

We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to
the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers
upgrade to the latest security release for their supported version. You can read more
best practices in securing your GitLab instance in our blog post.

We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.
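For administrators who want to check an instance against the version ranges stated in this advisory, the following is an added example (not GitLab's own tooling): it encodes each fixed issue's affected range as given in the sections below, compares a version string such as `16.5.2-ee` against them, and names the patched release in the same minor line. The edition suffix handling and the `ADVISORY` table are assumptions taken from the advisory text, not from GitLab code.

```python
"""Check an installed GitLab version against the affected ranges in this advisory.

Added example, not part of GitLab's release tooling. Ranges are transcribed from
the advisory text; lower bound is inclusive, upper bound is exclusive.
"""
from typing import List, Optional, Tuple

Range = Tuple[Optional[str], str]  # (lower inclusive or None, upper exclusive)

# Releases that contain the fixes, newest first.
FIXED = ("16.6.1", "16.5.3", "16.4.3")

# (CVE, title, affected ranges) as stated in the per-issue sections of the advisory.
ADVISORY: List[Tuple[str, str, List[Range]]] = [
    ("CVE-2023-6033", "XSS and ReDoS in Markdown via Banzai pipeline of Jira",
     [("15.10", "16.4.3"), ("16.5", "16.5.3"), ("16.6", "16.6.1")]),
    ("CVE-2023-6396", "admin_group_member custom permission allows adding higher role (EE)",
     [("16.5", "16.5.3"), ("16.6", "16.6.1")]),
    ("CVE-2023-3949", "Release description visible via atom response",
     [("11.3", "16.4.3"), ("16.5", "16.5.3"), ("16.6", "16.6.1")]),
    ("CVE-2023-5226", "Manipulate repository content in the UI (CVE-2023-3401 bypass)",
     [(None, "16.4.3"), ("16.5", "16.5.3"), ("16.6", "16.6.1")]),
    ("CVE-2023-5995", "External user can abuse policy bot (EE)",
     [("16.2", "16.4.3"), ("16.5", "16.5.3"), ("16.6", "16.6.1")]),
    ("CVE-2023-4912", "Client-side DoS via Mermaid flowchart (EE)",
     [("10.5", "16.4.3"), ("16.5", "16.5.3"), ("16.6", "16.6.1")]),
    ("CVE-2023-4317", "Developers can point pipeline schedules at protected branches",
     [("9.2", "16.4.3"), ("16.5", "16.5.3"), ("16.6", "16.6.1")]),
    ("CVE-2023-3964", "Composer packages installable with package registry off",
     [("13.2", "16.4.3"), ("16.5", "16.5.3"), ("16.6", "16.6.1")]),
    ("CVE-2023-4658", "Guest gains Allowed to push and merge via group (EE)",
     [("8.13", "16.4.3"), ("16.5", "16.5.3"), ("16.6", "16.6.1")]),
    ("CVE-2023-3443", "Guest can react on confidential work items",
     [("12.1", "16.4.3"), ("16.5", "16.5.3"), ("16.6", "16.6.1")]),
]


def parse_version(v: str) -> Tuple[int, int, int]:
    """'16.5.2-ee' -> (16, 5, 2); '16.5' -> (16, 5, 0).

    Edition/pre-release suffixes after '-' or '+' are dropped (assumption: GitLab
    reports versions as MAJOR.MINOR.PATCH[-ee]). Missing components count as 0.
    """
    core = v.strip().lstrip("v").split("-")[0].split("+")[0]
    parts = [int(p) for p in core.split(".") if p.isdigit()]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def is_affected(installed: str, ranges: List[Range]) -> bool:
    """True if `installed` falls inside any [lower, upper) range."""
    v = parse_version(installed)
    for lower, upper in ranges:
        lower_ok = lower is None or parse_version(lower) <= v
        if lower_ok and v < parse_version(upper):
            return True
    return False


def affected_cves(installed: str) -> List[str]:
    """CVE identifiers from this advisory that still apply to `installed`."""
    return [cve for cve, _title, ranges in ADVISORY if is_affected(installed, ranges)]


def recommended_upgrade(installed: str) -> Optional[str]:
    """Patched release in the same minor line, or the newest release for older lines.

    Returns None when the instance is already at or beyond a fixed release.
    """
    v = parse_version(installed)
    if v >= parse_version(FIXED[0]):
        return None
    for fixed in FIXED:
        f = parse_version(fixed)
        if f[:2] == v[:2]:
            return None if v >= f else fixed
    return FIXED[0]  # minor line without its own patch: move to the latest release


if __name__ == "__main__":
    for ver in ("16.5.2-ee", "16.4.3", "15.9.0"):  # constructed sample versions
        print(ver, "->", affected_cves(ver), "upgrade to:", recommended_upgrade(ver))
```

Run it with the version shown on your instance's `/help` page or by `gitlab-rake gitlab:env:info`; an empty CVE list with `None` as the upgrade target means the instance is already on a patched release. Editions are not modelled: an EE-only issue listed for a CE instance is a false positive, not a missed one.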

When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.

Table of fixes

Title | Severity
XSS and ReDoS in Markdown via Banzai pipeline of Jira | High
Members with admin_group_member custom permission can add members with higher role | High
Release Description visible in public projects despite release set as project members only through atom response | Medium
Manipulate the repository content in the UI (CVE-2023-3401 bypass) | Medium
External user can abuse policy bot to gain access to internal projects | Medium
Client-side DOS via Mermaid Flowchart | Medium
Developers can update pipeline schedules to use protected branches even if they don't have permission to merge | Medium
Users can install Composer packages from public projects even when Package registry is turned off | Medium
Unauthorized member can gain Allowed to push and merge access and affect integrity of protected branches | Low
Guest users can react (emojis) on confidential work items which they can't see in a project | Low

XSS and ReDoS in Markdown via Banzai pipeline of Jira

Improper neutralization of input in the Jira integration configuration in GitLab CE/EE, affecting all versions from 15.10 prior to 16.6.1, 16.5 prior to 16.5.3, and 16.4 prior to 16.4.3, allowed an attacker to execute JavaScript in a victim's browser.

This is a high severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N, 8.7).
It is now mitigated in the latest release and is assigned CVE-2023-6033.

Thanks yvvdwf for reporting this vulnerability through our HackerOne bug bounty program.

Members with admin_group_member custom permission can add members with higher role

An issue has been discovered in GitLab EE affecting all versions starting from 16.5 before 16.5.3 and all versions starting from 16.6 before 16.6.1. When a user is assigned a custom role with admin_group_member enabled, they may be able to add a member with a higher static role than themselves to the group, which may lead to privilege escalation.

This is a high severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N, 8.1).
It is now mitigated in the latest release and is assigned CVE-2023-6396.

This vulnerability was discovered internally by GitLab team member jarka.

Release Description visible in public projects despite release set as project members only through atom response

An issue has been discovered in GitLab affecting all versions starting from 11.3 before 16.4.3, all versions starting from 16.5 before 16.5.3, and all versions starting from 16.6 before 16.6.1.
It was possible for unauthorized users to view a public project's release descriptions via an atom endpoint when release access for the project was set to project members only.

This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, 5.3).
It is now mitigated in the latest release and is assigned CVE-2023-3949.

Thanks ashish_r_padelkar for reporting this vulnerability through our HackerOne bug bounty program.

Manipulate the repository content in the UI (CVE-2023-3401 bypass)

An issue has been discovered in GitLab affecting all versions before 16.4.3, all versions starting from 16.5 before 16.5.3, and all versions starting from 16.6 before 16.6.1. Under certain circumstances, a malicious actor could bypass prohibited branch checks using a specially crafted branch name to manipulate repository content in the UI.

This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N, 4.8).
It is now mitigated in the latest release and is assigned CVE-2023-5226.

Thanks shells3c for reporting this vulnerability through our HackerOne bug bounty program.

External user can abuse policy bot to gain access to internal projects

An issue has been discovered in GitLab EE affecting all versions starting from 16.2 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. It was possible for an attacker to abuse the policy bot to gain access to internal projects.

This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N, 4.4). It is now mitigated in the latest release and is assigned CVE-2023-5995.

Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program.

Client-side DOS via Mermaid Flowchart

An issue has been discovered in GitLab EE affecting all versions starting from 10.5 before 16.4.3, all versions starting from 16.5 before 16.5.3, and all versions starting from 16.6 before 16.6.1. It was possible for an attacker to cause a client-side denial of service using maliciously crafted Mermaid diagram input.

This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L, 4.3).
It is now mitigated in the latest release and is assigned CVE-2023-4912.

Thanks toukakirishima for reporting this vulnerability through our HackerOne bug bounty program.

Developers can update pipeline schedules to use protected branches even if they don't have permission to merge

An issue has been discovered in GitLab affecting all versions starting from 9.2 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. It was possible for a user with the Developer role to update a pipeline schedule from an unprotected branch to a protected branch.

This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N, 4.3).
It is now mitigated in the latest release and is assigned CVE-2023-4317.

Thanks js_noob for reporting this vulnerability through our HackerOne bug bounty program.

Users can install Composer packages from public projects even when Package registry is turned off

An issue has been discovered in GitLab affecting all versions starting from 13.2 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. It was possible for users to access composer packages on public projects that have package registry disabled in the project settings.

This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, 4.3).
It is now mitigated in the latest release and is assigned CVE-2023-3964.

Thanks js_noob for reporting this vulnerability through our HackerOne bug bounty program.

Unauthorized member can gain Allowed to push and merge access and affect integrity of protected branches

An issue has been discovered in GitLab EE affecting all versions starting from 8.13 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. It was possible for an attacker to abuse the Allowed to merge permission as a guest user, when granted the permission through a group.

This is a low severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N, 3.1).
It is now mitigated in the latest release and is assigned CVE-2023-4658.

Thanks theluci for reporting this vulnerability through our HackerOne bug bounty program.

Guest users can react (emojis) on confidential work items which they can't see in a project

An issue has been discovered in GitLab affecting all versions starting from 12.1 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. It was possible for a Guest user to add an emoji on confidential work items.

This is a low severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N, 3.1).
It is now mitigated in the latest release and is assigned CVE-2023-3443.

Thanks ashish_r_padelkar for reporting this vulnerability through our HackerOne bug bounty program.

Mattermost Security Update

Mattermost has been updated to the latest patch release to mitigate several security issues.

Update to PG 14.9 and 13.12

PostgreSQL has been updated to 14.9 and 13.12 to mitigate CVE-2023-39417.

Update pcre2 to 10.42

pcre2 has been updated to version 10.42 to mitigate CVE-2022-41409.

Non-Security Patches

16.6.1

16.5.3

16.4.3

Updating

To update GitLab, see the Update page.
To update GitLab Runner, see the Updating the Runner page.

Receive Security Release Notifications

To receive security release blog notifications delivered to your inbox, visit our contact us page.
To receive release notifications via RSS, subscribe to our security release RSS feed or our RSS feed for all releases.
