Debian Gitlab vulnerabilities

1,325 known vulnerabilities affecting debian/gitlab.

Total CVEs: 1,325
CISA KEV: 4 (actively exploited)
Public exploits: 22
Exploited in wild: 2
Severity breakdown: CRITICAL 43, HIGH 196, MEDIUM 630, LOW 456

Vulnerabilities

Page 20 of 67
CVE-2023-4378 | MEDIUM | CVSS 5.5 | fixed in gitlab 16.4.4+ds2-2 (sid) | 2023
An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.8 before 16.1.5, all versions starting from 16.2 before 16.2.5, all versions starting from 16.3 before 16.3.1. A malicious Maintainer can, under specific circumstances, leak the sentry token by changing the configured URL in the Sentry error tracking settings page. This was as a resu
debian
CVE-2023-6386 | MEDIUM | CVSS 6.5 | fixed in gitlab 16.6.7-1 (sid) | 2023
A denial of service vulnerability was identified in GitLab CE/EE, affecting all versions from 15.11 prior to 16.6.7, 16.7 prior to 16.7.5 and 16.8 prior to 16.8.2 which allows an attacker to spike the GitLab instance resource usage resulting in service degradation. Scope: local sid: resolved (fixed in 16.6.7-1)
debian
CVE-2023-6688 | MEDIUM | CVSS 6.5 | fixed in gitlab 17.3.5-2 (sid) | 2023
An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.11 prior to 16.11.2. A problem with the processing logic for Google Chat Messages integration may lead to a regular expression DoS attack on the server. Scope: local sid: resolved (fixed in 17.3.5-2)
debian
CVE-2023-1710 | MEDIUM | CVSS 5.3 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2023
A sensitive information disclosure vulnerability in GitLab affecting all versions from 15.0 prior to 15.8.5, 15.9 prior to 15.9.4 and 15.10 prior to 15.10.1 allows an attacker to view the count of internal notes for a given issue. Scope: local sid: resolved (fixed in 15.10.8+ds1-2)
debian
CVE-2023-1178 | MEDIUM | CVSS 5.7 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2023
An issue has been discovered in GitLab CE/EE affecting all versions from 8.6 before 15.9.6, all versions starting from 15.10 before 15.10.5, all versions starting from 15.11 before 15.11.1. File integrity may be compromised when source code or installation packages are pulled from a tag or from a release containing a ref to another commit. Scope: local sid: resolved
debian
CVE-2023-1836 | MEDIUM | CVSS 4.4 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2023
A cross-site scripting issue has been discovered in GitLab affecting all versions starting from 5.1 before 15.9.6, all versions starting from 15.10 before 15.10.5, all versions starting from 15.11 before 15.11.1. When viewing an XML file in a repository in "raw" mode, it can be made to render as HTML if viewed under specific circumstances. Scope: local sid: resolved (
debian
CVE-2023-5825 | MEDIUM | CVSS 6.5 | fixed in gitlab 16.4.4+ds2-2 (sid) | 2023
An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.2 before 16.3.6, all versions starting from 16.4 before 16.4.2, all versions starting from 16.5 before 16.5.1. A low-privileged attacker can point a CI/CD Component to an incorrect path and cause the server to exhaust all available memory through an infinite loop and cause Denial of
debian
CVE-2023-2485 | MEDIUM | CVSS 4.4 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2023
An issue has been discovered in GitLab CE/EE affecting all versions starting from 14.1 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. A malicious maintainer in a project can escalate other users to Owners in that project if they import members from another project that those other users are Owners of. S
debian
CVE-2023-0632 | MEDIUM | CVSS 6.5 | fixed in gitlab 16.4.4+ds2-2 (sid) | 2023
An issue has been discovered in GitLab affecting all versions starting from 15.2 before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. A Regular Expression Denial of Service was possible by using crafted payloads to search Harbor Registry. Scope: local sid: resolved (fixed in 16.4.4+ds2-2)
debian
CVE-2023-5226 | MEDIUM | CVSS 4.8 | fixed in gitlab 16.4.4+ds2-2 (sid) | 2023
An issue has been discovered in GitLab affecting all versions before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. Under certain circumstances, a malicious actor can bypass prohibited branch checks using a specially crafted branch name to manipulate repository content in the UI. Scope: local sid: resolved (fixed in
debian
CVE-2023-2200 | MEDIUM | CVSS 4.1 | fixed in gitlab 15.11.11+ds1-1 (sid) | 2023
An issue has been discovered in GitLab CE/EE affecting all versions starting from 7.14 before 15.11.10, all versions starting from 16.0 before 16.0.6, all versions starting from 16.1 before 16.1.1, which allows an attacker to inject HTML in an email address field. Scope: local sid: resolved (fixed in 15.11.11+ds1-1)
debian
CVE-2023-0756 | MEDIUM | CVSS 4.8 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2023
An issue has been discovered in GitLab affecting all versions before 15.9.6, all versions starting from 15.10 before 15.10.5, all versions starting from 15.11 before 15.11.1. The main branch of a repository with a specially crafted name allows an attacker to create repositories with malicious code, victims who clone or download these repositories will execute arbitra
debian
CVE-2023-6840 | MEDIUM | CVSS 6.7 | fixed in gitlab 16.6.7-1 (sid) | 2023
An issue has been discovered in GitLab EE affecting all versions from 16.4 prior to 16.6.7, 16.7 prior to 16.7.5, and 16.8 prior to 16.8.2 which allows a maintainer to change the name of a protected branch that bypasses the security policy added to block MR. Scope: local sid: resolved (fixed in 16.6.7-1)
debian
CVE-2023-0989 | MEDIUM | CVSS 4.3 | fixed in gitlab 16.4.4+ds2-2 (sid) | 2023
An information disclosure issue in GitLab CE/EE affecting all versions starting from 13.11 prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1 allows an attacker to extract non-protected CI/CD variables by tricking a user to visit a fork with a malicious CI/CD configuration. Scope: local sid: resolved (fixed in 16.4.4+ds2-2)
debian
CVE-2023-4630 | MEDIUM | CVSS 5.0 | fixed in gitlab 16.4.4+ds2-2 (sid) | 2023
An issue has been discovered in GitLab affecting all versions starting from 10.6 before 16.1.5, all versions starting from 16.2 before 16.2.5, all versions starting from 16.3 before 16.3.1 in which any user can read limited information about any project's imports. Scope: local sid: resolved (fixed in 16.4.4+ds2-2)
debian
CVE-2023-1787 | MEDIUM | CVSS 4.3 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2023
An issue has been discovered in GitLab affecting all versions starting from 15.9 before 15.9.4, all versions starting from 15.10 before 15.10.1. A search timeout could be triggered if a specific HTML payload was used in the issue description. Scope: local sid: resolved (fixed in 15.10.8+ds1-2)
debian
CVE-2023-5612 | MEDIUM | CVSS 5.3 | PoC | fixed in gitlab 16.6.6-1 (sid) | 2023
An issue has been discovered in GitLab affecting all versions before 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1. It was possible to read the user email address via tags feed although the visibility in the user profile has been disabled. Scope: local sid: resolved (fixed in 16.6.6-1)
debian
CVE-2023-6682 | MEDIUM | CVSS 6.5 | fixed in gitlab 17.3.5-2 (sid) | 2023
An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.9 prior to 16.9.7, starting from 16.10 prior to 16.10.5, and starting from 16.11 prior to 16.11.2. A problem with the processing logic for Discord Integrations Chat Messages can lead to a regular expression DoS attack on the server. Scope: local sid: resolved (fixed in 17.3.5-2)
debian
CVE-2023-2190 | MEDIUM | CVSS 6.5 | fixed in gitlab 15.11.11+ds1-1 (sid) | 2023
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.10 before 15.11.10, all versions starting from 16.0 before 16.0.6, all versions starting from 16.1 before 16.1.1. It may be possible for users to view new commits to private projects in a fork created while the project was public. Scope: local sid: resolved (fixed in 15.11.11+ds1-1)
debian
CVE-2023-6955 | MEDIUM | CVSS 6.6 | fixed in gitlab 16.6.5-3 (sid) | 2023
A missing authorization check vulnerability exists in GitLab Remote Development affecting all versions prior to 16.5.6, 16.6 prior to 16.6.4 and 16.7 prior to 16.7.2. This condition allows an attacker to create a workspace in one group that is associated with an agent from another group. Scope: local sid: resolved (fixed in 16.6.5-3)
debian