GitLab security releases 12.6.2, 12.5.6 and 12.4.7 published

GitLab has published security releases 12.6.2, 12.5.6 and 12.4.7 for both Community Edition (CE) and Enterprise Edition (EE). These versions contain important security fixes, and GitLab strongly recommends that all GitLab installations upgrade to one of them immediately.

Security fixes include:

  • CVE-2019-20144: insufficient authorization checks allowed group members to be updated or deleted via the API without proper permission.
  • CVE-2019-20146: certain GraphQL queries lacked limits on parameters that drive expensive server-side processing, so a crafted query could leave the application hanging (denial of service).
  • CVE-2019-20143: under certain conditions, unauthenticated users could access issue and release milestones.
  • CVE-2019-20147: after a project was removed from a group, former group members could still view changes to the project through the Protected Tags API once the project had moved to another namespace.
  • CVE-2019-20145: users could still submit and publish draft reviews on a merge request after it had been locked.
  • CVE-2019-20142: a malicious user could send a specially crafted message when adding a comment on an issue or commit page and trigger an HTTP 500 error.
  • CVE-2019-20148: an unauthenticated user who accessed an unsubscribe link could, under certain conditions, learn the name of a private project.
  • CVE-2020-5197: under certain conditions, a user could see the name of a private project through the notification settings.
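As an aid to acting on the upgrade recommendation above, the following is an added example (not GitLab's own code or part of the original notice) that checks whether a given GitLab version string already contains these fixes. The fixed versions 12.6.2, 12.5.6 and 12.4.7 are taken from the release notice; branches older than 12.4 received no backport in this release and are reported as needing an upgrade, while branches newer than 12.6 were released after the fixes and are treated as patched. The `/api/v4/version` endpoint is GitLab's real version API (it needs an authenticated token), but the host and token passed on the command line are placeholders you supply yourself.

```python
"""Check whether a GitLab version includes the fixes from the 12.6.2 / 12.5.6 / 12.4.7
security release. Added example, not GitLab's own code."""
import json
import re
import sys
import urllib.request

# Minimum patched version per supported release branch, from the release notice.
FIXED = {
    (12, 6): (12, 6, 2),
    (12, 5): (12, 5, 6),
    (12, 4): (12, 4, 7),
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Parse a GitLab version string such as '12.6.1-ee' into (major, minor, patch)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_patched(text):
    """Return True if the version contains the fixes for the CVEs listed above.

    A version on one of the three patched branches must be at or above that
    branch's fixed release. Branches newer than 12.6 shipped after the fixes
    and count as patched; branches older than 12.4 got no backport and do not.
    """
    major, minor, patch = parse_version(text)
    branch = (major, minor)
    if branch in FIXED:
        return (major, minor, patch) >= FIXED[branch]
    return branch > max(FIXED)


def fetch_version(base_url, token):
    """Query GET /api/v4/version on a GitLab instance and return the raw version
    string (e.g. '12.6.1-ee'). The endpoint requires an authenticated user, so a
    personal access token is sent in the PRIVATE-TOKEN header."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v4/version",
        headers={"PRIVATE-TOKEN": token},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["version"]


if __name__ == "__main__":
    # Usage: python check_gitlab.py https://gitlab.example.com <token>
    # (placeholder host and token; without arguments only constructed samples are checked)
    if len(sys.argv) == 3:
        ver = fetch_version(sys.argv[1], sys.argv[2])
        print(ver, "patched" if is_patched(ver) else "UPGRADE REQUIRED")
    else:
        for v in ["12.6.1-ee", "12.6.2-ee", "12.5.6", "12.4.6", "12.3.9", "12.7.0"]:
            print(v, "patched" if is_patched(v) else "UPGRADE REQUIRED")
```

Run it without arguments to see the comparison logic on constructed sample versions, or pass your instance URL and a token to check a live install. Note that a version reported as patched here only means these particular fixes are present; later security releases are not covered by this table.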

Details of each vulnerability will be made public on GitLab's issue tracker approximately 30 days after the release. For more information about the update, see:

https://about.gitlab.com/blog/2020/01/02/security-release-gitlab-12-6-2-released


Source: www.oschina.net/news/112511/gitlab-12-6-2-n-12-5-6-n-12-4-7-released