Allele Security Alert
ASA-2018-00090
Identifier(s)
ASA-2018-00090, CVE-2018-20144
Title
Arbitrary file read in project import with Git LFS
Vendor(s)
GitLab
Product(s)
GitLab Community Edition
GitLab Enterprise Edition
Affected version(s)
GitLab CE/EE 11.0 and later
Fixed version(s)
GitLab Community Edition (CE) and Enterprise Edition (EE) versions 11.6RC7, 11.5.4, 11.4.11 and 11.3.13
Proof of concept
Unknown
Description
GitLab Git LFS contained a validation issue during project import which could allow an attacker to read arbitrary files on a GitLab server.
Technical details
Unknown
Credits
@nyangawa (Chaitin Tech)
Reference(s)
GitLab Critical Security Release: 11.6RC7, 11.5.4, 11.4.11, 11.3.13
https://about.gitlab.com/2018/12/13/critical-security-release-gitlab-11-dot-5-dot-4-released/
CVE-2018-20144
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20144
CVE-2018-20144
https://nvd.nist.gov/vuln/detail/CVE-2018-20144
If there is any error in this alert or you would like a comprehensive analysis, let us know.
Last modified: February 1, 2019