We released new versions of Bitnami Gitlab 8.7.1 installers, virtual machines and cloud images that fix the security issues.
Critical Security Issue: Privilege escalation via "impersonate" featureAdded in GitLab 8.2, this feature was intended to allow an administrator to simulate being logged in as any other user.
Part of this feature was not properly secured and it was possible for any authenticated user, administrator or not, to "log in" as any other user, including administrators. Please see the GitLab website for more details. Additional information regarding the additional changes is available in the official security advisory.
WorkaroundsIf you are unable to upgrade right away, you can secure your GitLab installation against this vulnerability using one of the workarounds outlined below until you have time to upgrade:
Securing via web server configuration
1. Add the following text at the end of the httpd-app.conf file of Gitlab
<LocationMatch "^/admin/users/stop_impersonation">2. Restart Apache
Deny from all
sudo /opt/bitnami/ctlscript.sh restart apache
Securing via patch
1. Create a patch file at /opt/bitnami/apps/gitlab/htdocs
diff --git a/app/controllers/admin/impersonation_controller.rb b/app/controllers/admin/impersonation_controller.rb
index bf98af7..8790018 100644
@@ -1,4 +1,5 @@
class Admin::ImpersonationController < Admin::ApplicationController
+ before_action :render_403, only: :destroy
skip_before_action :authenticate_admin!, only: :destroy
2. Apply the path
sudo git apply -v path.diffThe following output will appear:
Checking patch app/controllers/admin/impersonation_controller.rb...
Applied patch app/controllers/admin/impersonation_controller.rb cleanly.
Recover the permissions of the modified file:
sudo chown git:git /opt/bitnami/apps/gitlab/htdocs/app/controllers/admin/impersonation_controller.rb
Verifying the workaround
- In an Incognito Window, login as an administrator
- Go to the Admin section
- Click on "Users"
- Select any user
- Click "Impersonate"
- Click on the "Stop Impersonation" icon in the upper right:
7. Verify you receive a 403 Forbidden error
Do you have questions about Bitnami Gitlab or the security issue? Please post to our community forum, and we will be happy to help you.