Debian Gitlab vulnerabilities
1,325 known vulnerabilities affecting debian/gitlab.
Total CVEs: 1,325
CISA KEV: 4 (actively exploited)
Public exploits: 22
Exploited in wild: 2
Severity breakdown: CRITICAL 43, HIGH 196, MEDIUM 630, LOW 456
Vulnerabilities
Page 21 of 67
CVE-2023-1733 | MEDIUM | CVSS 5.8 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2023
A denial of service condition exists in the Prometheus server bundled with GitLab affecting all versions from 11.10 to 15.8.5, 15.9 to 15.9.4 and 15.10 to 15.10.1.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)

CVE-2023-3920 | MEDIUM | CVSS 4.3 | fixed in gitlab 16.4.4+ds2-2 (sid) | 2023
An issue has been discovered in GitLab affecting all versions starting from 11.2 before 16.2.8, all versions starting from 16.3 before 16.3.5, all versions starting from 16.4 before 16.4.1. It was possible for a maintainer to create a fork relationship between existing projects contrary to the documentation.
Scope: local
sid: resolved (fixed in 16.4.4+ds2-2)

CVE-2023-3401 | MEDIUM | CVSS 4.8 | fixed in gitlab 16.0.8+ds1-1 (sid) | 2023
An issue has been discovered in GitLab affecting all versions before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. The main branch of a repository with a specially designed name allows an attacker to create repositories with malicious code.
Scope: local
sid: resolved (fixed in 16.0.8+ds1-1)

CVE-2023-6678 | MEDIUM | CVSS 4.3 | fixed in gitlab 17.3.5-2 (sid) | 2023
An issue has been discovered in GitLab EE affecting all versions before 16.8.6, all versions starting from 16.9 before 16.9.4, all versions starting from 16.10 before 16.10.2. It was possible for an attacker to cause a denial of service using maliciously crafted content in a JUnit test report file.
Scope: local
sid: resolved (fixed in 17.3.5-2)

CVE-2023-3246 | MEDIUM | CVSS 4.3 | fixed in gitlab 16.4.4+ds2-2 (sid) | 2023
An issue has been discovered in GitLab EE/CE affecting all versions before 16.3.6, all versions starting from 16.4 before 16.4.2, all versions starting from 16.5 before 16.5.1, which allows an attacker to block the Sidekiq job processor.
Scope: local
sid: resolved (fixed in 16.4.4+ds2-2)

CVE-2023-5933 | MEDIUM | CVSS 6.4 | fixed in gitlab 16.6.6-1 (sid) | 2023
An issue has been discovered in GitLab CE/EE affecting all versions after 13.7 before 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1. Improper input sanitization of user name allows arbitrary API PUT requests.
Scope: local
sid: resolved (fixed in 16.6.6-1)

CVE-2023-3444 | MEDIUM | CVSS 5.7 | fixed in gitlab 15.11.11+ds1-1 (sid) | 2023
An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.3 before 15.11.10, all versions starting from 16.0 before 16.0.6, all versions starting from 16.1 before 16.1.1, which allows an attacker to merge arbitrary code into protected branches.
Scope: local
sid: resolved (fixed in 15.11.11+ds1-1)

CVE-2023-1708 | MEDIUM | CVSS 5.7 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2023
An issue was identified in GitLab CE/EE affecting all versions from 1.0 prior to 15.8.5, 15.9 prior to 15.9.4, and 15.10 prior to 15.10.1 where non-printable characters get copied from the clipboard, allowing unexpected commands to be executed on the victim's machine.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)

CVE-2023-3362 | MEDIUM | CVSS 5.3 | fixed in gitlab 16.0.7+ds1-2 (sid) | 2023
An information disclosure issue in GitLab CE/EE affecting all versions from 16.0 prior to 16.0.6, and version 16.1.0 allows unauthenticated actors to access the import error information if a project was imported from GitHub.
Scope: local
sid: resolved (fixed in 16.0.7+ds1-2)

CVE-2023-1204 | MEDIUM | CVSS 4.3 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2023
An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.1 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. A user could use an unverified email as a public email and commit email by sending a specifically crafted request on user update settings.
Scope: local
sid: resolved (fix

CVE-2023-1265 | MEDIUM | CVSS 5.4 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2023
An issue has been discovered in GitLab affecting all versions starting from 11.9 before 15.9.6, all versions starting from 15.10 before 15.10.5, all versions starting from 15.11 before 15.11.1. The condition allows for a privileged attacker, under certain conditions, to obtain session tokens from all users of a GitLab instance.
Scope: local
sid: resolved (fixed in 15

CVE-2023-6489 | MEDIUM | CVSS 4.3 | fixed in gitlab 17.3.5-2 (sid) | 2023
A denial of service vulnerability was identified in GitLab CE/EE, versions 16.7.7 prior to 16.8.6, 16.9 prior to 16.9.4 and 16.10 prior to 16.10.2 which allows an attacker to spike the GitLab instance resources usage resulting in service degradation via chat integration feature.
Scope: local
sid: resolved (fixed in 17.3.5-2)

CVE-2023-0223 | MEDIUM | CVSS 5.3 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2023
An issue has been discovered in GitLab affecting all versions starting from 15.5 before 15.7.8, all versions starting from 15.8 before 15.8.4, all versions starting from 15.9 before 15.9.2. Non-project members could retrieve release descriptions via the API, even if the release visibility is restricted to project members only in the project settings.
Scope: local
sid

CVE-2023-5512 | MEDIUM | CVSS 4.8 | fixed in gitlab 16.4.4+ds2-2 (sid) | 2023
An issue has been discovered in GitLab CE/EE affecting all versions from 16.3 before 16.4.4, all versions starting from 16.5 before 16.5.4, all versions starting from 16.6 before 16.6.2. File integrity may be compromised when specific HTML encoding is used for file names, leading to incorrect representation in the UI.
Scope: local
sid: resolved (fixed in 16.4.4+ds2-2)

CVE-2023-0319 | MEDIUM | CVSS 5.8 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2023
An issue has been discovered in GitLab affecting all versions starting from 13.6 before 15.8.5, all versions starting from 15.9 before 15.9.4, all versions starting from 15.10 before 15.10.1, allowing to read environment names supposed to be restricted to project members only.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)

CVE-2023-2232 | MEDIUM | CVSS 6.5 | fixed in gitlab 16.4.4+ds2-2 (sid) | 2023
An issue has been discovered in GitLab affecting all versions starting from 15.10 before 16.1, leading to a ReDoS vulnerability in the Jira prefix
Scope: local
sid: resolved (fixed in 16.4.4+ds2-2)

CVE-2023-4317 | MEDIUM | CVSS 4.3 | fixed in gitlab 16.4.4+ds2-2 (sid) | 2023
An issue has been discovered in GitLab affecting all versions starting from 9.2 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. It was possible for a user with the Developer role to update a pipeline schedule from an unprotected branch to a protected branch.
Scope: local
sid: resolved (fixed in 16.4.4+ds2-2)

CVE-2023-6051 | MEDIUM | CVSS 5.7 | fixed in gitlab 16.4.4+ds2-2 (sid) | 2023
An issue has been discovered in GitLab CE/EE affecting all versions before 16.4.4, all versions starting from 16.5 before 16.5.4, all versions starting from 16.6 before 16.6.2. File integrity may be compromised when source code or installation packages are pulled from a specific tag.
Scope: local
sid: resolved (fixed in 16.4.4+ds2-2)

CVE-2023-1072 | MEDIUM | CVSS 4.3 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2023
An issue has been discovered in GitLab affecting all versions starting from 9.0 before 15.7.8, all versions starting from 15.8 before 15.8.4, all versions starting from 15.9 before 15.9.2. It was possible to trigger a resource depletion attack due to improper filtering for number of requests to read commits details.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)

CVE-2023-0518 | MEDIUM | CVSS 4.3 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2023
An issue has been discovered in GitLab CE/EE affecting all versions starting from 14.0 before 15.6.7, all versions starting from 15.7 before 15.7.6, all versions starting from 15.8 before 15.8.1. It was possible to trigger a DoS attack by uploading a malicious Helm chart.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)