Debian Gitlab vulnerabilities

1,325 known vulnerabilities affecting debian/gitlab.

Total CVEs: 1,325
CISA KEV: 4 (actively exploited)
Public exploits: 22
Exploited in wild: 2
Severity breakdown: CRITICAL 43, HIGH 196, MEDIUM 630, LOW 456

Vulnerabilities

Page 19 of 67
CVE-2023-3994 [HIGH] CVSS 7.5 | debian/gitlab | fixed in gitlab 16.0.8+ds1-1 (sid) | 2023
An issue has been discovered in GitLab CE/EE affecting all versions starting from 9.3 before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. A Regular Expression Denial of Service was possible via sending crafted payloads which use ProjectReferenceFilter to the preview_markdown endpoint. Scope: local; sid: resolved (fixed in 16.0.8+ds1-1).
CVE-2023-6371 [HIGH] CVSS 8.7 | debian/gitlab | fixed in gitlab 17.3.5-2 (sid) | 2023
An issue has been discovered in GitLab CE/EE affecting all versions before 16.8.5, all versions starting from 16.9 before 16.9.3, all versions starting from 16.10 before 16.10.1. A wiki page with a crafted payload may lead to a Stored XSS, allowing attackers to perform arbitrary actions on behalf of victims. Scope: local; sid: resolved (fixed in 17.3.5-2).
CVE-2023-3424 [HIGH] CVSS 7.5 | debian/gitlab | fixed in gitlab 15.11.11+ds1-1 (sid) | 2023
An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.3 before 15.11.10, all versions starting from 16.0 before 16.0.6, all versions starting from 16.1 before 16.1.1. A Regular Expression Denial of Service was possible via sending crafted payloads to the preview_markdown endpoint. Scope: local; sid: resolved (fixed in 15.11.11+ds1-1).
CVE-2023-2198 [HIGH] CVSS 7.5 | debian/gitlab | fixed in gitlab 15.10.8+ds1-2 (sid) | 2023
An issue has been discovered in GitLab CE/EE affecting all versions starting from 8.7 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. A Regular Expression Denial of Service was possible via sending crafted payloads to the preview_markdown endpoint. Scope: local; sid: resolved (fixed in 15.10.8+ds1-2).
CVE-2023-0050 [HIGH] CVSS 8.7 | debian/gitlab | fixed in gitlab 15.10.8+ds1-2 (sid) | 2023
An issue has been discovered in GitLab affecting all versions starting from 13.7 before 15.7.8, all versions starting from 15.8 before 15.8.4, all versions starting from 15.9 before 15.9.2. A specially crafted Kroki diagram could lead to a stored XSS on the client side which allows attackers to perform arbitrary actions on behalf of victims. Scope: local; sid: resolved (fixed in 15.10.8+ds1-2).
CVE-2023-2132 [HIGH] CVSS 7.5 | debian/gitlab | fixed in gitlab 15.10.8+ds1-2 (sid) | 2023
An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.4 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. A Regular Expression Denial of Service in DollarMathPostFilter was possible by sending crafted payloads to the preview_markdown endpoint. Scope: local; sid: resolved (fixed in 15.10.8+ds1-2).
CVE-2023-3364 [HIGH] CVSS 7.5 | debian/gitlab | fixed in gitlab 16.0.8+ds1-1 (sid) | 2023
An issue has been discovered in GitLab CE/EE affecting all versions starting from 8.14 before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. A Regular Expression Denial of Service was possible via sending crafted payloads which use AutolinkFilter to the preview_markdown endpoint. Scope: local; sid: resolved (fixed in 16.0.8+ds1-1).
CVE-2023-5207 [HIGH] CVSS 8.2 | debian/gitlab | fixed in gitlab 16.4.4+ds2-2 (sid) | 2023
A vulnerability was discovered in GitLab CE and EE affecting all versions starting from 16.0 prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1. An authenticated attacker could perform arbitrary pipeline execution under the context of another user. Scope: local; sid: resolved (fixed in 16.4.4+ds2-2).
CVE-2023-2199 [HIGH] CVSS 7.5 | debian/gitlab | fixed in gitlab 15.10.8+ds1-2 (sid) | 2023
An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.0 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. A Regular Expression Denial of Service was possible via sending crafted payloads to the preview_markdown endpoint. Scope: local; sid: resolved (fixed in 15.10.8+ds1-2).
CVE-2023-5356 [HIGH] CVSS 7.3 | debian/gitlab | fixed in gitlab 16.6.5-3 (sid) | 2023
Incorrect authorization checks in GitLab CE/EE in all versions starting from 8.13 before 16.5.6, all versions starting from 16.6 before 16.6.4, and all versions starting from 16.7 before 16.7.2 allow a user to abuse Slack/Mattermost integrations to execute slash commands as another user. Scope: local; sid: resolved (fixed in 16.6.5-3).
CVE-2023-6033 [HIGH] CVSS 8.7 | debian/gitlab | fixed in gitlab 16.4.4+ds2-2 (sid) | 2023
Improper neutralization of input in the Jira integration configuration in GitLab CE/EE, affecting all versions from 15.10 prior to 16.6.1, 16.5 prior to 16.5.3, and 16.4 prior to 16.4.3, allows an attacker to execute JavaScript in the victim's browser. Scope: local; sid: resolved (fixed in 16.4.4+ds2-2).
CVE-2023-3399 [HIGH] CVSS 8.5 | debian/gitlab | fixed in gitlab 16.4.4+ds2-2 (sid) | 2023
An issue has been discovered in GitLab EE affecting all versions starting from 11.6 before 16.3.6, all versions starting from 16.4 before 16.4.2, all versions starting from 16.5 before 16.5.1. It was possible for an unauthorised project or group member to read the CI/CD variables using the custom project templates. Scope: local; sid: resolved (fixed in 16.4.4+ds2-2).
CVE-2023-2442 [HIGH] CVSS 8.7 | debian/gitlab | fixed in gitlab 15.10.8+ds1-2 (sid) | 2023
An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. A specially crafted merge request could lead to a stored XSS on the client side which allows attackers to perform arbitrary actions on behalf of victims. Scope: local; sid: resolved (fixed in 15.10.8+ds1-2).
CVE-2023-4812 [HIGH] CVSS 7.6 | debian/gitlab | fixed in gitlab 16.6.5-3 (sid) | 2023
An issue has been discovered in GitLab EE affecting all versions starting from 15.3 before 16.5.6, all versions starting from 16.6 before 16.6.4, all versions starting from 16.7 before 16.7.2. The required CODEOWNERS approval could be bypassed by adding changes to a previously approved merge request. Scope: local; sid: resolved (fixed in 16.6.5-3).
CVE-2023-0485 [MEDIUM] CVSS 6.5 | debian/gitlab | fixed in gitlab 15.10.8+ds1-2 (sid) | 2023
An issue has been discovered in GitLab affecting all versions starting from 13.11 before 15.8.5, all versions starting from 15.9 before 15.9.4, all versions starting from 15.10 before 15.10.1. It was possible for a project member demoted to a user role to read project updates by doing a diff with a pre-existing fork. Scope: local; sid: resolved (fixed in 15.10.8+ds1-2).
CVE-2023-4522 [MEDIUM] CVSS 4.3 | debian/gitlab | fixed in gitlab 16.4.4+ds2-2 (sid) | 2023
An issue has been discovered in GitLab affecting all versions before 16.2.0. Committing directories whose names contain an LF character results in 500 errors when viewing the commit. Scope: local; sid: resolved (fixed in 16.4.4+ds2-2).
CVE-2023-0042 [MEDIUM] CVSS 6.1 | debian/gitlab | fixed in gitlab 15.10.8+ds1-2 (sid) | 2023
An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.4 prior to 15.5.7, 15.6 prior to 15.6.4, and 15.7 prior to 15.7.2. GitLab Pages allows redirection to arbitrary protocols. Scope: local; sid: resolved (fixed in 15.10.8+ds1-2).
CVE-2023-2181 [MEDIUM] CVSS 6.3 | debian/gitlab | fixed in gitlab 15.10.8+ds1-2 (sid) | 2023
An issue has been discovered in GitLab affecting all versions before 15.9.8, 15.10.0 before 15.10.7, and 15.11.0 before 15.11.3. A malicious developer could use a git feature called refs/replace to smuggle content into a merge request which would not be visible during review in the UI. Scope: local; sid: resolved (fixed in 15.10.8+ds1-2).
CVE-2023-3441 [MEDIUM] CVSS 6.6 | debian/gitlab | fixed in gitlab 16.4.4+ds2-1 (sid) | 2023
An issue has been discovered in GitLab EE/CE affecting all versions starting from 8.0 before 16.4. The product did not sufficiently warn about security implications of granting merge rights to protected branches. Scope: local; sid: resolved (fixed in 16.4.4+ds2-1).
CVE-2023-4018 [MEDIUM] CVSS 4.3 | debian/gitlab | fixed in gitlab 16.4.4+ds2-2 (sid) | 2023
An issue has been discovered in GitLab affecting all versions starting from 16.2 before 16.2.5, all versions starting from 16.3 before 16.3.1. Due to improper permission validation it was possible to create model experiments in public projects. Scope: local; sid: resolved (fixed in 16.4.4+ds2-2).