Kallithea 0.3.5 released

This release is a stable bugfix release, fixing four serious security issues. There are no other changes in this release.

Users should update their Kallithea instances as soon as possible to release 0.3.5. Users that are following the 'default' development branch (instead of official releases) should update to the latest revision.

To detect a possible breach, users should verify the permissions inside Kallithea of all existing repositories, the presence of unexpected newly created repositories and repository groups inside Kallithea, and the presence of newly created repositories on the filesystem outside of the configured Kallithea repository root.

All the security issues below were found and reported by:
Kacper Szurek (https://security.szurek.pl/).

Many thanks to Kacper for these reports.

Below is a brief summary of the issues found and fixed in this release:

  1. This vulnerability allows a normal user to modify the permissions of repositories they do not normally have access to. This allows the user to get full admin access to the repository.
    Vulnerability type: incorrect access control.
    CVE-SZUREK-20180606-1

  2. This vulnerability allows a normal user to access the contents of repositories they do not normally have access to.
    Vulnerability type: incorrect access control.
    CVE-SZUREK-20180606-2

  3. This vulnerability allows a normal user to clone a repository to a filesystem path outside the Kallithea repository root.
    Vulnerability type: directory traversal.
    CVE-SZUREK-20180606-3

  4. This vulnerability allows a normal user to inject code into pages viewable by other users/visitors of Kallithea (XSS).
    Vulnerability type: cross-site scripting (XSS).
    CVE-SZUREK-20180606-4
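The filesystem part of the breach check recommended above (repositories that appeared outside the configured Kallithea repository root, which is what issue 3 makes possible) can be scripted. The following is an added example written for this announcement, not Kallithea's own code: the function names, the `.hg`/`.git` marker heuristic for recognising a repository, the list of directories to search and the sample directory tree that `build_demo_tree()` constructs are all assumptions. It also shows the containment check (resolve both paths, then test containment) that a clone target must pass before it is used.

```python
import os
import tempfile
from pathlib import Path

# Marker directories that identify a Mercurial or Git repository on disk
# (assumed heuristic; Kallithea itself keeps its repository list in its database).
REPO_MARKERS = (".hg", ".git")


def path_within_root(repo_root, candidate):
    """Return True if `candidate` resolves to a location inside `repo_root`.

    Both paths are resolved (symlinks followed, '..' collapsed) before the
    comparison, so an input such as '../../outside' is judged by where it
    actually lands, not by its spelling. A plain string prefix test would
    also wrongly accept '/srv/repos-other' as being inside '/srv/repos'.
    """
    root = Path(repo_root).resolve()
    cand = Path(candidate).resolve()
    try:
        cand.relative_to(root)
    except ValueError:
        return False
    return True


def find_repos_outside_root(search_dirs, repo_root, created_after=None):
    """Walk each directory in `search_dirs` and return repository directories
    that lie outside `repo_root`.

    `created_after` is an optional epoch timestamp; when given, only
    repositories whose marker directory has a change time at or after it are
    reported, which narrows an audit to the window of concern.
    """
    findings = []
    for base in search_dirs:
        for dirpath, dirnames, _files in os.walk(base):
            repo = Path(dirpath)
            for marker in REPO_MARKERS:
                if marker not in dirnames:
                    continue
                if path_within_root(repo_root, repo):
                    continue  # expected location, nothing to report
                ctime = (repo / marker).stat().st_ctime
                if created_after is None or ctime >= created_after:
                    findings.append(str(repo.resolve()))
            # Do not descend into the repository internals themselves.
            dirnames[:] = [d for d in dirnames if d not in REPO_MARKERS]
    return sorted(set(findings))


def build_demo_tree():
    """Create a constructed sample layout in a fresh temporary directory
    (not real Kallithea data): one repository under the configured root and
    one that sits outside it. Returns (base_dir, repo_root)."""
    base = Path(tempfile.mkdtemp(prefix="kallithea-audit-"))
    repo_root = base / "repos"
    (repo_root / "project-a" / ".hg").mkdir(parents=True)
    (base / "elsewhere" / "unexpected" / ".git").mkdir(parents=True)
    return base, repo_root


if __name__ == "__main__":
    base, root = build_demo_tree()
    for path in find_repos_outside_root([base], root):
        print("repository outside configured root:", path)
```

On a real host, pass the actual repository root from the Kallithea configuration and the directories the service account can write to as `search_dirs`, and set `created_after` to the time the instance was last known to be clean; anything the scan reports should then be reconciled against the repository list inside Kallithea.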