Debian Gitlab vulnerabilities

CVE-2023-2013 [LOW] CVE-2023-2013: gitlab - An issue has been discovered in GitLab CE/EE affecting all versions starting fro... An issue has been discovered in GitLab CE/EE affecting all versions starting from 1.2 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. An issue was found that allows someone to abuse a discrepancy between the Web application display and the git command line interface to social engineer victims into cloning n

CVE-2023-1071 [LOW] CVE-2023-1071: gitlab - An issue has been discovered in GitLab affecting all versions from 15.5 before 1... An issue has been discovered in GitLab affecting all versions from 15.5 before 15.8.5, all versions starting from 15.9 before 15.9.4, all versions starting from 15.10 before 15.10.1. Due to improper permissions checks it was possible for an unauthorised user to remove an issue from an epic. Scope: local sid: resolved (fixed in 15.10.8+ds1-2)

CVE-2023-4700 [LOW] CVE-2023-4700: gitlab - An authorization issue affecting GitLab EE affecting all versions from 14.7 prio... An authorization issue affecting GitLab EE affecting all versions from 14.7 prior to 16.3.6, 16.4 prior to 16.4.2, and 16.5 prior to 16.5.1, allowed a user to run jobs in protected environments, bypassing any required approvals. Scope: local sid: resolved

CVE-2023-6680 [HIGH] CVE-2023-6680: gitlab - An improper certificate validation issue in Smartcard authentication in GitLab E... An improper certificate validation issue in Smartcard authentication in GitLab EE affecting all versions from 11.6 prior to 16.4.4, 16.5 prior to 16.5.4, and 16.6 prior to 16.6.2 allows an attacker to authenticate as another user given their public key if they use Smartcard authentication. Smartcard authentication is an experimental feature and has to be manually enabl

CVE-2023-6195 [LOW] CVE-2023-6195: gitlab - An issue has been discovered in GitLab CE/EE affecting all versions starting fro... An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.5 prior to 16.9.7, starting from 16.10 prior to 16.10.5, and starting from 16.11 prior to 16.11.2. GitLab was vulnerable to Server Side Request Forgery when an attacker uses a malicious URL in the markdown image value when importing a GitHub repository. Scope: local sid: resolved (fixed

CVE-2023-3915 [MEDIUM] CVE-2023-3915: gitlab - An issue has been discovered in GitLab EE affecting all versions starting from 1... An issue has been discovered in GitLab EE affecting all versions starting from 16.1 before 16.1.5, all versions starting from 16.2 before 16.2.5, all versions starting from 16.3 before 16.3.1. If an external user is given an owner role on any group, that external user may escalate their privileges on the instance by creating a service account in that group. This serv

CVE-2023-5009 [HIGH] CVE-2023-5009: gitlab - An issue has been discovered in GitLab EE affecting all versions starting from 1... An issue has been discovered in GitLab EE affecting all versions starting from 13.12 before 16.2.7, all versions starting from 16.3 before 16.3.4. It was possible for an attacker to run pipeline jobs as an arbitrary user via scheduled security scan policies. This was a bypass of [CVE-2023-3932](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3932) showing addit

CVE-2023-0805 [MEDIUM] CVE-2023-0805: gitlab - An issue has been discovered in GitLab EE affecting all versions starting from 1... An issue has been discovered in GitLab EE affecting all versions starting from 15.2 before 15.9.6, all versions starting from 15.10 before 15.10.5, all versions starting from 15.11 before 15.11.1. A malicious group member may continue to have access to the public projects of a public group even after being banned from the public group by the owner. Scope: local sid:

CVE-2023-1167 [MEDIUM] CVE-2023-1167: gitlab - Improper authorization in Gitlab EE affecting all versions from 12.3.0 before 15... Improper authorization in Gitlab EE affecting all versions from 12.3.0 before 15.8.5, all versions starting from 15.9 before 15.9.4, all versions starting from 15.10 before 15.10.1 allows an unauthorized access to security reports in MR. Scope: local sid: resolved

CVE-2023-1965 [MEDIUM] CVE-2023-1965: gitlab - An issue has been discovered in GitLab EE affecting all versions starting from 1... An issue has been discovered in GitLab EE affecting all versions starting from 14.2 before 15.9.6, all versions starting from 15.10 before 15.10.5, all versions starting from 15.11 before 15.11.1. Lack of verification on RelayState parameter allowed a maliciously crafted URL to obtain access tokens granted for 3rd party Group SAML SSO logins. This feature isn't enabl

CVE-2023-5117 [LOW] CVE-2023-5117: gitlab - An issue was discovered in GitLab CE/EE affecting all versions before 17.6.0 in ... An issue was discovered in GitLab CE/EE affecting all versions before 17.6.0 in which users were unaware that files uploaded to comments on confidential issues and epics of public projects could be accessed without authentication via a direct link to the uploaded file URL. Scope: local sid: resolved (fixed in 17.6.5-1)

CVE-2023-6564 [MEDIUM] CVE-2023-6564: gitlab - An issue has been discovered in GitLab EE Premium and Ultimate affecting version... An issue has been discovered in GitLab EE Premium and Ultimate affecting versions 16.4.3, 16.5.3, and 16.6.1. In projects using subgroups to define who can push and/or merge to protected branches, there may have been instances in which subgroup members with the Developer role were able to push or merge to protected branches. Scope: local sid: resolved

CVE-2023-3979 [LOW] CVE-2023-3979: gitlab - An issue has been discovered in GitLab affecting all versions starting from 10.6... An issue has been discovered in GitLab affecting all versions starting from 10.6 before 16.2.8, all versions starting from 16.3 before 16.3.5, all versions starting from 16.4 before 16.4.1. It was possible that upstream members to collaborate with you on your branch get permission to write to the merge request’s source branch. Scope: local sid: resolved (fixed in 16.4.4

CVE-2023-3509 [LOW] CVE-2023-3509: gitlab - An issue has been discovered in GitLab affecting all versions before 16.7.6, all... An issue has been discovered in GitLab affecting all versions before 16.7.6, all versions starting from 16.8 before 16.8.3, all versions starting from 16.9 before 16.9.1. It was possible for group members with sub-maintainer role to change the title of privately accessible deploy keys associated with projects in the group. Scope: local sid: resolved (fixed in 16.8.3-1)

CVE-2023-3363 [LOW] CVE-2023-3363: gitlab - An information disclosure issue in Gitlab CE/EE affecting all versions from 13.6... An information disclosure issue in Gitlab CE/EE affecting all versions from 13.6 prior to 15.11.10, all versions from 16.0 prior to 16.0.6, all versions from 16.1 prior to 16.1.1, resulted in the Sidekiq log including webhook tokens when the log format was set to `default`. Scope: local sid: resolved (fixed in 15.11.11+ds1-1)

CVE-2023-1936 [LOW] CVE-2023-1936: gitlab - An issue has been discovered in GitLab CE/EE affecting all versions starting fro... An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.7 before 15.11.10, all versions starting from 16.0 before 16.0.6, all versions starting from 16.1 before 16.1.1, which allows an attacker to leak the email address of a user who created a service desk issue. Scope: local sid: resolved (fixed in 15.11.11+ds1-1)

CVE-2023-4912 [LOW] CVE-2023-4912: gitlab - An issue has been discovered in GitLab EE affecting all versions starting from 1... An issue has been discovered in GitLab EE affecting all versions starting from 10.5 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. It was possible for an attacker to cause a client-side denial of service using malicious crafted mermaid diagram input. Scope: local sid: resolved

CVE-2023-1555 [LOW] CVE-2023-1555: gitlab - An issue has been discovered in GitLab affecting all versions starting from 15.2... An issue has been discovered in GitLab affecting all versions starting from 15.2 before 16.1.5, all versions starting from 16.2 before 16.2.5, all versions starting from 16.3 before 16.3.1. A namespace-level banned user can access the API. Scope: local sid: resolved (fixed in 16.4.4+ds2-2)

CVE-2023-5831 [LOW] CVE-2023-5831: gitlab - An issue has been discovered in GitLab CE/EE affecting all versions starting fro... An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.0 before 16.3.6, all versions starting from 16.4 before 16.4.2, and all versions starting from 16.5.0 before 16.5.1 which have the `super_sidebar_logged_out` feature flag enabled. Affected versions with this default-disabled feature flag enabled may unintentionally disclose GitLab versi

CVE-2023-4658 [LOW] CVE-2023-4658: gitlab - An issue has been discovered in GitLab EE affecting all versions starting from 8... An issue has been discovered in GitLab EE affecting all versions starting from 8.13 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. It was possible for an attacker to abuse the `Allowed to merge` permission as a guest user, when granted the permission through a group. Scope: local sid: resolved