Today we are releasing versions 16.6.1, 16.5.3, and 16.4.3 for GitLab Community Edition (CE) and Enterprise Edition (EE).
These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.
GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 3rd Thursday of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our security FAQ. You can see all of our regular and security release blog posts here. In addition, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.
We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.
Recommended Action
We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.
When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.
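As a practical check against the version ranges listed in the fixes below, here is an added script; it is not GitLab's own code and is not part of the original post. It transcribes the affected ranges and patched releases from this advisory, and assumes the version string has the shape of the "version" field returned by an authenticated GET /api/v4/version request (for example "16.5.2-ee"); the sample values in the block are constructed. Versions whose minor series received no patch in this release (16.3 and older) are reported as needing an upgrade to the newest patched release, since no fixed build exists for them.

```python
"""Check a GitLab version against the fixes in this security release.

Added example, not GitLab's own code. Ranges are transcribed from the
advisory: every listed issue is fixed in 16.4.3, 16.5.3 and 16.6.1.
"""
import re

# Patched release for each minor series covered by this advisory.
PATCHED = {(16, 4): (16, 4, 3), (16, 5): (16, 5, 3), (16, 6): (16, 6, 1)}
NEWEST = max(PATCHED.values())  # (16, 6, 1)

# (CVE, earliest affected minor series, affected editions), from the advisory.
# (0, 0) encodes "all versions before 16.4.3".
ISSUES = [
    ("CVE-2023-6033", (15, 10), "CE/EE"),
    ("CVE-2023-6396", (16, 5), "EE"),
    ("CVE-2023-3949", (11, 3), "CE/EE"),
    ("CVE-2023-5226", (0, 0), "CE/EE"),
    ("CVE-2023-5995", (16, 2), "EE"),
    ("CVE-2023-4912", (10, 5), "EE"),
    ("CVE-2023-4317", (9, 2), "CE/EE"),
    ("CVE-2023-3964", (13, 2), "CE/EE"),
    ("CVE-2023-4658", (8, 13), "EE"),
    ("CVE-2023-3443", (12, 1), "CE/EE"),
]

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(ce|ee))?")


def parse_version(s):
    """'16.5.2-ee' -> ((16, 5, 2), 'ee'). Raises ValueError on unrecognised input."""
    m = VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {s!r}")
    major, minor, patch, edition = m.groups()
    # Without an edition suffix we cannot tell CE from EE, so assume EE,
    # which is the superset of affected issues.
    return (int(major), int(minor), int(patch)), (edition or "ee")


def recommended_release(version):
    """Patched release for this minor series, or the newest one if the series got none."""
    v, _ = parse_version(version)
    return ".".join(map(str, PATCHED.get(v[:2], NEWEST)))


def is_patched(version):
    """True if the version already contains every fix in this advisory."""
    v, _ = parse_version(version)
    # Series newer than 16.6 (e.g. 16.7.0) also carry the fixes; older
    # unpatched series (16.3 and below) compare below 16.6.1 and are not.
    return v >= PATCHED.get(v[:2], NEWEST)


def affected_cves(version):
    """CVE ids from this advisory that apply to the given version and edition."""
    v, edition = parse_version(version)
    if is_patched(version):
        return []
    return [
        cve
        for cve, floor, editions in ISSUES
        if v[:2] >= floor and (edition == "ee" or editions == "CE/EE")
    ]


if __name__ == "__main__":
    # Constructed sample values; a real one is the "version" field of GET /api/v4/version.
    for sample in ("16.5.2-ee", "16.4.2-ce", "16.3.4-ee", "16.6.1-ee"):
        cves = affected_cves(sample)
        print(f"{sample}: {len(cves)} issue(s) -> upgrade to {recommended_release(sample)}"
              if cves else f"{sample}: patched")
```

The comparison of the minor series against each issue's floor is deliberately per-series rather than per-patch: the advisory gives floors as minor versions (for example "from 15.10"), so any patch level of that series is in scope, and a version in a minor series not covered by this release is affected until it moves to 16.4.3 or later.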
Table of fixes

| Title | Severity |
| --- | --- |
| XSS and ReDoS in Markdown via Banzai pipeline of Jira | High |
| Members with admin_group_member custom permission can add members with higher role | High |
| Release Description visible in public projects despite release set as project members only through atom response | Medium |
| Manipulate the repository content in the UI (CVE-2023-3401 bypass) | Medium |
| External user can abuse policy bot to gain access to internal projects | Medium |
| Client-side DOS via Mermaid Flowchart | Medium |
| Developers can update pipeline schedules to use protected branches even if they don't have permission to merge | Medium |
| Users can install Composer packages from public projects even when Package registry is turned off | Medium |
| Unauthorized member can gain Allowed to push and merge access and affect integrity of protected branches | Low |
| Guest users can react (emojis) on confidential work items which they can't see in a project | Low |
XSS and ReDoS in Markdown via Banzai pipeline of Jira
Improper neutralization of input in the Jira integration configuration in GitLab CE/EE, affecting all versions from 15.10 prior to 16.6.1, 16.5 prior to 16.5.3, and 16.4 prior to 16.4.3, allowed an attacker to execute JavaScript in a victim's browser.
This is a high severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N, 8.7). It is now mitigated in the latest release and is assigned CVE-2023-6033.
Thanks yvvdwf for reporting this vulnerability through our HackerOne bug bounty program.
Members with admin_group_member custom permission can add members with higher role
An issue has been discovered in GitLab EE affecting all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. When a user is assigned a custom role with `admin_group_member` enabled, they may be able to add a member with a higher static role than themselves to the group, which may lead to privilege escalation.
This is a high severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N, 8.1). It is now mitigated in the latest release and is assigned CVE-2023-6396.
This vulnerability was discovered internally by GitLab team member jarka.
Release Description visible in public projects despite release set as project members only through atom response
An issue has been discovered in GitLab affecting all versions starting from 11.3 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. It was possible for unauthorized users to view a public project's release descriptions via an Atom endpoint when release access was restricted to project members only.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, 5.3). It is now mitigated in the latest release and is assigned CVE-2023-3949.
Thanks ashish_r_padelkar for reporting this vulnerability through our HackerOne bug bounty program.
Manipulate the repository content in the UI (CVE-2023-3401 bypass)
An issue has been discovered in GitLab affecting all versions before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. Under certain circumstances, a malicious actor could bypass prohibited branch checks using a specially crafted branch name to manipulate repository content in the UI.
This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N, 4.8). It is now mitigated in the latest release and is assigned CVE-2023-5226.
Thanks shells3c for reporting this vulnerability through our HackerOne bug bounty program.
External user can abuse policy bot to gain access to internal projects
An issue has been discovered in GitLab EE affecting all versions starting from 16.2 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. It was possible for an attacker to abuse the policy bot to gain access to internal projects.
This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N, 4.4). It is now mitigated in the latest release and is assigned CVE-2023-5995.
Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program.
Client-side DOS via Mermaid Flowchart
An issue has been discovered in GitLab EE affecting all versions starting from 10.5 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. It was possible for an attacker to cause a client-side denial of service using maliciously crafted Mermaid diagram input.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L, 4.3). It is now mitigated in the latest release and is assigned CVE-2023-4912.
Thanks toukakirishima for reporting this vulnerability through our HackerOne bug bounty program.
Developers can update pipeline schedules to use protected branches even if they don't have permission to merge
An issue has been discovered in GitLab affecting all versions starting from 9.2 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. It was possible for a user with the Developer role to update a pipeline schedule from an unprotected branch to a protected branch.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N, 4.3). It is now mitigated in the latest release and is assigned CVE-2023-4317.
Thanks js_noob for reporting this vulnerability through our HackerOne bug bounty program.
Users can install Composer packages from public projects even when Package registry is turned off
An issue has been discovered in GitLab affecting all versions starting from 13.2 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. It was possible for users to access Composer packages on public projects that had the package registry disabled in the project settings.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, 4.3). It is now mitigated in the latest release and is assigned CVE-2023-3964.
Thanks js_noob for reporting this vulnerability through our HackerOne bug bounty program.
Unauthorized member can gain Allowed to push and merge access and affect integrity of protected branches
An issue has been discovered in GitLab EE affecting all versions starting from 8.13 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. It was possible for an attacker to abuse the Allowed to merge permission as a guest user when that permission was granted through a group.
This is a low severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N, 3.1). It is now mitigated in the latest release and is assigned CVE-2023-4658.
Thanks theluci for reporting this vulnerability through our HackerOne bug bounty program.
Guest users can react (emojis) on confidential work items which they can't see in a project
An issue has been discovered in GitLab affecting all versions starting from 12.1 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. It was possible for a Guest user to add an emoji on confidential work items.
This is a low severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N, 3.1). It is now mitigated in the latest release and is assigned CVE-2023-3443.
Thanks ashish_r_padelkar for reporting this vulnerability through our HackerOne bug bounty program.
Mattermost Security Update
Mattermost has been updated to the latest patch release to mitigate several security issues.
Update PostgreSQL to 14.9 and 13.12
PostgreSQL has been updated to 14.9 and 13.12 to mitigate CVE-2023-39417.
Update pcre2 to 10.42
pcre2 has been updated to version 10.42 to mitigate CVE-2022-41409.
Non-Security Patches
16.6.1
- Install Gitaly dependencies for project archiving (16.6 backport)
- Fix intermittent 404 errors loading GitLab Pages
- Prefer custom sort order with search in users API
- Backport "Fix group page erroring because of nil user" to 16-6-stable-ee
- Skip encrypted settings logic for Redis when used by Mailroom
- Allow + char in abuse detection for global search
- Backport "Move unlock pipeline cron scheduler out of ee" to 16.6
- Fix bug with pages_deployments files not being deleted on disk
- Backport - Truncate verification failure message to 255
- Backport "Revert "Merge branch 'sc1-release-goredis' into 'master'""
16.5.3
- Backport 10871d71b171db38701bfefe15883b05c234ca6d to 16-5-stable
- Geo: Reduce batch size of verification state backfill
16.4.3
- Backport 10871d71b171db38701bfefe15883b05c234ca6d to 16-4-stable
- Backport to 16.4 the fix for test failure due to "not-existing.com" being registered
- Bump asdf-bootstrapped-verify version on 16.4
- Fix bulk batch export of badges and uploads
- [16.4] ci: Fix broken master by not reading GITLAB_ENV
- Fix assign security check permission checks
- For 16.4: Fix Geo verification state backfill job can exceed batch size
- Geo: Reduce batch size of verification state backfill
Updating
To update GitLab, see the Update page. To update GitLab Runner, see the Updating the Runner page.
Receive Security Release Notifications
To receive security release blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our security release RSS feed or our RSS feed for all releases.