Debian Gitlab vulnerabilities
1,325 known vulnerabilities affecting debian/gitlab.
Total CVEs: 1,325
CISA KEV: 4 (actively exploited)
Public exploits: 22
Exploited in wild: 2
Severity breakdown: CRITICAL 43, HIGH 196, MEDIUM 630, LOW 456
Vulnerabilities (page 23 of 67)
CVE-2023-2015 [MEDIUM] CVSS 4.4, fixed in gitlab 15.10.8+ds1-2 (sid), 2023
An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.8 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. A reflected XSS was possible when creating new abuse reports, which allows attackers to perform arbitrary actions on behalf of victims.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
CVE-2023-0155 [MEDIUM] CVSS 5.4, fixed in gitlab 15.10.8+ds1-2 (sid), 2023
An issue has been discovered in GitLab CE/EE affecting all versions before 15.8.5, 15.9.4, 15.10.1. Open redirects were possible due to framing arbitrary content on any page allowing user-controlled markdown.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
CVE-2023-2022 [MEDIUM] CVSS 4.3, fixed in gitlab 16.0.8+ds1-1 (sid), 2023
An issue has been discovered in GitLab CE/EE affecting all versions before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2, which leads to developers being able to create pipeline schedules on protected branches even if they don't have access to merge.
Scope: local
sid: resolved (fixed in 16.0.8+ds1-1)
CVE-2023-6502 [MEDIUM] CVSS 4.3, fixed in gitlab 17.3.5-2 (sid), 2023
A Denial of Service (DoS) condition has been discovered in GitLab CE/EE affecting all versions before 16.10.6, version 16.11 before 16.11.3, and 17.0 before 17.0.1. It is possible for an attacker to cause a denial of service using a crafted wiki page.
Scope: local
sid: resolved (fixed in 17.3.5-2)
CVE-2023-3949 [MEDIUM] CVSS 5.3, fixed in gitlab 16.4.4+ds2-2 (sid), 2023
An issue has been discovered in GitLab affecting all versions starting from 11.3 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. It was possible for unauthorized users to view a public project's release descriptions via an atom endpoint when release access on the public was set to only project members.
Scop
CVE-2023-3917 [MEDIUM] CVSS 4.3, fixed in gitlab 16.4.4+ds2-2 (sid), 2023
Denial of Service in pipelines affecting all versions of Gitlab EE and CE prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1 allows an attacker to cause pipelines to fail.
Scope: local
sid: resolved (fixed in 16.4.4+ds2-2)
CVE-2023-3413 [MEDIUM] CVSS 6.5, fixed in gitlab 16.4.4+ds2-2 (sid), 2023
An issue has been discovered in GitLab affecting all versions starting from 16.2 before 16.2.8, all versions starting from 16.3 before 16.3.5, all versions starting from 16.4 before 16.4.1. It was possible to read the source code of a project through a fork created before changing visibility to only project members.
Scope: local
sid: resolved (fixed in 16.4.4+ds2-2)
CVE-2023-2576 [MEDIUM] CVSS 4.3, fixed in gitlab 15.11.11+ds1-1 (sid), 2023
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.7 before 15.11.10, all versions starting from 16.0 before 16.0.6, all versions starting from 16.1 before 16.1.1. This allowed a developer to remove the CODEOWNERS rules and merge to a protected branch.
Scope: local
sid: resolved (fixed in 15.11.11+ds1-1)
CVE-2023-1098 [MEDIUM] CVSS 5.8, fixed in gitlab 15.10.8+ds1-2 (sid), 2023
An information disclosure vulnerability has been discovered in GitLab EE/CE affecting all versions starting from 11.5 before 15.8.5, all versions starting from 15.9 before 15.9.4, all versions starting from 15.10 before 15.10.1, which allows an admin to leak the password from the repository mirror configuration.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
CVE-2023-6159 [MEDIUM] CVSS 6.5, fixed in gitlab 16.6.6-1 (sid), 2023
An issue has been discovered in GitLab CE/EE affecting all versions from 12.7 prior to 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1. It was possible for an attacker to trigger a Regular Expression Denial of Service via a `Cargo.toml` containing maliciously crafted input.
Scope: local
sid: resolved (fixed in 16.6.6-1)
CVE-2023-0921 [MEDIUM] CVSS 4.3, fixed in gitlab 15.10.8+ds1-2 (sid), 2023
A lack of length validation in GitLab CE/EE affecting all versions from 8.3 before 15.10.8, 15.11 before 15.11.7, and 16.0 before 16.0.2 allows an authenticated attacker to create a large Issue description via GraphQL which, when repeatedly requested, saturates CPU usage.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
CVE-2023-3500 [MEDIUM] CVSS 4.8, fixed in gitlab 16.0.8+ds1-1 (sid), 2023
An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.0 before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. A reflected XSS was possible when creating specific PlantUML diagrams that allowed the attacker to perform arbitrary actions on behalf of victims.
Scope: local
sid: resolved
CVE-2023-3385 [MEDIUM] CVSS 6.3, fixed in gitlab 16.0.8+ds1-1 (sid), 2023
An issue has been discovered in GitLab affecting all versions starting from 8.10 before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. Under specific circumstances, a user importing a project 'from export' could access and read unrelated files via uploading a specially crafted file. This was due to a bug in `tar`
CVE-2023-3443 [LOW] CVSS 3.1, fixed in gitlab 16.4.4+ds2-2 (sid), 2023
An issue has been discovered in GitLab affecting all versions starting from 12.1 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. It was possible for a Guest user to add an emoji on confidential work items.
Scope: local
sid: resolved (fixed in 16.4.4+ds2-2)
CVE-2023-2030 [LOW] CVSS 3.5, fixed in gitlab 16.6.5-3 (sid), 2023
An issue has been discovered in GitLab CE/EE affecting all versions from 12.2 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2 in which an attacker could potentially modify the metadata of signed commits.
Scope: local
sid: resolved (fixed in 16.6.5-3)
CVE-2023-5600 [LOW] CVSS 3.1, 2023
An issue has been discovered in GitLab EE affecting all versions starting from 16.0 before 16.3.6, all versions starting from 16.4 before 16.4.2, all versions starting from 16.5 before 16.5.1. Arbitrary access to the titles of private specific references could be leaked through the service-desk custom email template.
Scope: local
sid: resolved
CVE-2023-1210 [LOW] CVSS 3.1, fixed in gitlab 16.4.4+ds2-2 (sid), 2023
An issue has been discovered in GitLab affecting all versions starting from 12.9 before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. It was possible to leak a user's email via an error message for groups that restrict membership by email domain.
Scope: local
sid: resolved (fixed in 16.4.4+ds2-2)
CVE-2023-3484 [LOW in listing, HIGH in summary] CVSS 8.0, 2023
An issue has been discovered in GitLab EE affecting all versions starting from 12.8 before 15.11.11, all versions starting from 16.0 before 16.0.7, all versions starting from 16.1 before 16.1.2. An attacker could change the name or path of a public top-level group in certain situations.
Scope: local
sid: resolved
CVE-2023-6477 [LOW in listing, MEDIUM in summary] CVSS 6.7, 2023
An issue has been discovered in GitLab EE affecting all versions starting from 16.5 before 16.7.6, all versions starting from 16.8 before 16.8.3, all versions starting from 16.9 before 16.9.1. When a user is assigned a custom role with admin_group_member permission, they may be able to make a group, other members or themselves Owners of that group, which may lead to
CVE-2023-6736 [LOW in listing, MEDIUM in summary] CVSS 6.5, 2023
An issue has been discovered in GitLab EE affecting all versions starting from 11.3 before 16.7.6, all versions starting from 16.8 before 16.8.3, all versions starting from 16.9 before 16.9.1. It was possible for an attacker to cause a client-side denial of service using maliciously crafted content in the CODEOWNERS file.
Scope: local
sid: resolved