Thursday, July 20, 2017

Security Release: GitLab 9.3.8

[Update 2017-07-21]

GitLab 9.3.8 was affected by an infinite-loop bug in the re2 library (mudge/re2). The GitLab project released GitLab 9.3.9 to solve that issue.

Bitnami GitLab 9.3.9 virtual machines and cloud images are already available in Bitnami.

----

The GitLab project released a new update that contains several security fixes, including an important fix for two post-authentication authorization bypass vulnerabilities. We recommend that all GitLab installations be upgraded to the new version (GitLab 9.3.8) immediately.

We released new versions of Bitnami GitLab 9.3.8 virtual machines and cloud images that fix the following security issues.
  • Projects in subgroups authorization bypass with SQL wildcards (CVE-2017-11438)
    • An authenticated user could take advantage of a badly written SQL query to add themselves to any project inside a subgroup. Versions from 9.0 up to, but not including, 9.3 are affected; 9.3 and above are not vulnerable, so this issue does not affect the latest versions we released on bitnami.com.
  • Unauthorized repository access by using project mirrors and CI (GitLab EE only) (CVE-2017-11437)
    • This vulnerability affects all versions of GitLab EE prior to 9.3.8.
More information about these issues can be found in the official GitLab blog post. There is no workaround available for these vulnerabilities at the time of writing. Therefore, if you are running a GitLab instance with a version prior to 9.3.8, you will need to upgrade GitLab to its latest version by following this documentation (https://docs.bitnami.com/?page=apps&name=gitlab&section=how-to-upgrade-gitlab).
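The first issue above is a class of bug worth recognising: a query that is safely parameterised (so there is no classic SQL injection) but that feeds caller-controlled text into a `LIKE` pattern, where `%` and `_` keep their wildcard meaning. The following is an added illustration of that pattern and its fix; it is not GitLab's code or schema, and the table, paths and function names are constructed for the example. It models a lookup of "projects under this group path" as a stand-in for an authorization query, using SQLite from the Python standard library.

```python
import sqlite3

# Constructed sample data (hypothetical, not GitLab's schema): a flat table of
# projects keyed by their full namespace path.
SAMPLE_PROJECTS = [
    ("acme/infra/terraform",),
    ("acme/infra/ansible",),
    ("acme/web/frontend",),
    ("victim-corp/secrets/vault-config",),
]


def make_db():
    """Build an in-memory database holding the constructed sample projects."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE projects (id INTEGER PRIMARY KEY, full_path TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO projects (full_path) VALUES (?)", SAMPLE_PROJECTS)
    return conn


def projects_under_group_vulnerable(conn, group_path):
    """Weak form: parameterised, so no SQL injection, but the user-supplied
    group path becomes part of a LIKE pattern. A caller who passes '%' (or
    uses '_' to mask single characters) matches projects in any group."""
    rows = conn.execute(
        "SELECT full_path FROM projects WHERE full_path LIKE ?",
        (group_path + "/%",),
    ).fetchall()
    return [r[0] for r in rows]


def escape_like(value, esc="\\"):
    """Escape LIKE metacharacters so the value only matches itself literally.
    The escape character itself is escaped first so it cannot be smuggled in."""
    return (
        value.replace(esc, esc + esc)
        .replace("%", esc + "%")
        .replace("_", esc + "_")
    )


def projects_under_group_fixed(conn, group_path):
    """Hardened form: the caller-controlled part is escaped and the query
    declares the escape character, so only the trailing '/%' we append is a
    wildcard."""
    pattern = escape_like(group_path) + "/%"
    rows = conn.execute(
        "SELECT full_path FROM projects WHERE full_path LIKE ? ESCAPE '\\'",
        (pattern,),
    ).fetchall()
    return [r[0] for r in rows]


def demo(group_path):
    """Return (vulnerable_result, fixed_result) for one caller-supplied path."""
    conn = make_db()
    try:
        return (
            projects_under_group_vulnerable(conn, group_path),
            projects_under_group_fixed(conn, group_path),
        )
    finally:
        conn.close()


if __name__ == "__main__":
    for supplied in ("acme/infra", "%", "acme/_nfra"):
        weak, fixed = demo(supplied)
        print(f"{supplied!r}: vulnerable -> {weak}")
        print(f"{supplied!r}: fixed      -> {fixed}")
```

With the legitimate path `acme/infra` both variants return the two infra projects. With `%` the weak query returns every project in the table, including one under an unrelated namespace, while the fixed query returns nothing, because the escaped `%` only matches a literal percent sign. In a Rails code base such as GitLab the equivalent escaping helper is ActiveRecord's `sanitize_sql_like`. Escaping is necessary but not sufficient for an access-control decision: the membership check itself should be an explicit join against the memberships table or an allow-list of namespace IDs the user actually belongs to, not a string-pattern match on a path.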

Do you have questions about Bitnami GitLab or the security issue? Please post to our community forum, and we will be happy to help you.