Debian Gitlab vulnerabilities

CVE-2022-1190 [HIGH] CVE-2022-1190: gitlab - Improper handling of user input in GitLab CE/EE versions 8.3 prior to 14.7.7, 14... Improper handling of user input in GitLab CE/EE versions 8.3 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allowed an attacker to exploit a stored XSS by abusing multi-word milestone references in issue descriptions, comments, etc. Scope: local sid: resolved (fixed in 15.10.8+ds1-2)

CVE-2022-3283 [HIGH] CVE-2022-3283: gitlab - A potential DOS vulnerability was discovered in GitLab CE/EE affecting all versi... A potential DOS vulnerability was discovered in GitLab CE/EE affecting all versions before before 15.2.5, all versions starting from 15.3 before 15.3.4, all versions starting from 15.4 before 15.4.1 While cloning an issue with special crafted content added to the description could have been used to trigger high CPU usage. Scope: local sid: resolved (fixed in 15.10.8+ds

CVE-2022-0154 [HIGH] CVE-2022-0154: gitlab - An issue has been discovered in GitLab affecting all versions starting from 7.7 ... An issue has been discovered in GitLab affecting all versions starting from 7.7 before 14.4.5, all versions starting from 14.5.0 before 14.5.3, all versions starting from 14.6.0 before 14.6.2. GitLab was vulnerable to a Cross-Site Request Forgery attack that allows a malicious user to have their GitHub project imported on another GitLab user account. Scope: local sid:

CVE-2022-0427 [HIGH] CVE-2022-0427: gitlab - Missing sanitization of HTML attributes in Jupyter notebooks in all versions of ... Missing sanitization of HTML attributes in Jupyter notebooks in all versions of GitLab CE/EE since version 14.5 allows an attacker to perform arbitrary HTTP POST requests on a user's behalf leading to potential account takeover Scope: local sid: resolved (fixed in 15.10.8+ds1-2)

CVE-2022-2527 [HIGH] CVE-2022-2527: gitlab - An issue in Incident Timelines has been discovered in GitLab CE/EE affecting all... An issue in Incident Timelines has been discovered in GitLab CE/EE affecting all versions starting from 14.9 before 15.1.6, all versions starting from 15.2 before 15.2.4, all versions starting from 15.3 before 15.3.2.which allowed an authenticated attacker to inject arbitrary content. A victim interacting with this content could lead to arbitrary requests. Scope: local

CVE-2022-1175 [HIGH] CVE-2022-1175: gitlab - Improper neutralization of user input in GitLab CE/EE versions 14.4 before 14.7.... Improper neutralization of user input in GitLab CE/EE versions 14.4 before 14.7.7, all versions starting from 14.8 before 14.8.5, all versions starting from 14.9 before 14.9.2 allowed an attacker to exploit XSS by injecting HTML in notes. Scope: local sid: resolved (fixed in 15.10.8+ds1-2)

CVE-2022-2904 [HIGH] CVE-2022-2904: gitlab - A cross-site scripting issue has been discovered in GitLab CE/EE affecting all v... A cross-site scripting issue has been discovered in GitLab CE/EE affecting all versions starting from 15.2 before 15.2.5, all versions starting from 15.3 before 15.3.4, all versions starting from 15.4 before 15.4.1 It was possible to exploit a vulnerability in the external status checks feature which could lead to a stored XSS that allowed attackers to perform arbitrar

CVE-2022-0244 [HIGH] CVE-2022-0244: gitlab - An issue has been discovered in GitLab CE/EE affecting all versions starting wit... An issue has been discovered in GitLab CE/EE affecting all versions starting with 14.5. Arbitrary file read was possible by importing a group was due to incorrect handling of file. Scope: local sid: resolved (fixed in 15.10.8+ds1-2)

CVE-2022-3767 [HIGH] CVE-2022-3767: gitlab - Missing validation in DAST analyzer affecting all versions from 1.11.0 prior to ... Missing validation in DAST analyzer affecting all versions from 1.11.0 prior to 3.0.32, allows custom request headers to be sent with every request, regardless of the host. Scope: local sid: resolved (fixed in 15.10.8+ds1-2)

CVE-2022-2865 [HIGH] CVE-2022-2865: gitlab - A cross-site scripting issue has been discovered in GitLab CE/EE affecting all v... A cross-site scripting issue has been discovered in GitLab CE/EE affecting all versions before 15.1.6, 15.2 to 15.2.4 and 15.3 prior to 15.3.2. It was possible to exploit a vulnerability in setting the labels colour feature which could lead to a stored XSS that allowed attackers to perform arbitrary actions on behalf of victims at client side. Scope: local sid: resolve

CVE-2022-2497 [HIGH] CVE-2022-2497: gitlab - An issue has been discovered in GitLab CE/EE affecting all versions starting fro... An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.6 before 15.0.5, all versions starting from 15.1 before 15.1.4, all versions starting from 15.2 before 15.2.1. A malicious developer could exfiltrate an integration's access token by modifying the integration URL such that authenticated requests are sent to an attacker controlled serve

CVE-2022-1433 [HIGH] CVE-2022-1433: gitlab - An issue has been discovered in GitLab affecting all versions starting from 14.4... An issue has been discovered in GitLab affecting all versions starting from 14.4 before 14.8.6, all versions starting from 14.9 before 14.9.4, all versions starting from 14.10 before 14.10.1. Missing invalidation of Markdown caching causes potential payloads from a previously exploitable XSS vulnerability (CVE-2022-1175) to persist and execute. Scope: local sid: resolv

CVE-2022-2931 [HIGH] CVE-2022-2931: gitlab - A potential DOS vulnerability was discovered in GitLab CE/EE affecting all versi... A potential DOS vulnerability was discovered in GitLab CE/EE affecting all versions before 15.1.6, all versions starting from 15.2 before 15.2.4, all versions starting from 15.3 before 15.3.2. Malformed content added to the issue description could have been used to trigger high CPU usage. Scope: local sid: resolved (fixed in 15.10.8+ds1-2)

CVE-2022-2230 [HIGH] CVE-2022-2230: gitlab - A Stored Cross-Site Scripting vulnerability in the project settings page in GitL... A Stored Cross-Site Scripting vulnerability in the project settings page in GitLab CE/EE affecting all versions from 14.4 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1, allows an attacker to execute arbitrary JavaScript code in GitLab on a victim's behalf. Scope: local sid: resolved (fixed in 15.10.8+ds1-2)

CVE-2022-1417 [MEDIUM] CVE-2022-1417: gitlab - Improper access control in GitLab CE/EE affecting all versions starting from 8.1... Improper access control in GitLab CE/EE affecting all versions starting from 8.12 before 14.8.6, all versions starting from 14.9 before 14.9.4, and all versions starting from 14.10 before 14.10.1 allows non-project members to access contents of Project Members-only Wikis via malicious CI jobs Scope: local sid: resolved (fixed in 15.10.8+ds1-2)

CVE-2022-1431 [MEDIUM] CVE-2022-1431: gitlab - An issue has been discovered in GitLab affecting all versions starting from 12.1... An issue has been discovered in GitLab affecting all versions starting from 12.10 before 14.8.6, all versions starting from 14.9 before 14.9.4, all versions starting from 14.10 before 14.10.1. GitLab was not correctly handling malicious requests to the PyPi API endpoint allowing the attacker to cause uncontrolled resource consumption. Scope: local sid: resolved (fixe

CVE-2022-3483 [MEDIUM] CVE-2022-3483: gitlab - An issue has been discovered in GitLab CE/EE affecting all versions starting fro... An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.1 before 15.3.5, all versions starting from 15.4 before 15.4.4, all versions starting from 15.5 before 15.5.2. A malicious maintainer could exfiltrate a Datadog integration's access token by modifying the integration URL such that authenticated requests are sent to an attacker contro

CVE-2022-1936 [MEDIUM] CVE-2022-1936: gitlab - Incorrect authorization in GitLab EE affecting all versions from 12.0 before 14.... Incorrect authorization in GitLab EE affecting all versions from 12.0 before 14.9.5, all versions starting from 14.10 before 14.10.4, all versions starting from 15.0 before 15.0.1 allowed an attacker already in possession of a valid Project Deploy Token to misuse it from any location even when IP address restrictions were configured Scope: local sid: resolved (fixed

CVE-2022-2326 [MEDIUM] CVE-2022-2326: gitlab - An issue has been discovered in GitLab CE/EE affecting all versions before 15.0.... An issue has been discovered in GitLab CE/EE affecting all versions before 15.0.5, all versions starting from 15.1 before 15.1.4, all versions starting from 15.2 before 15.2.1. It may be possible to gain access to a private project through an email invite by using other user's email address as an unverified secondary email. Scope: local sid: resolved (fixed in 15.10.

CVE-2022-2251 [MEDIUM] CVE-2022-2251: gitlab - Improper sanitization of branch names in GitLab Runner affecting all versions pr... Improper sanitization of branch names in GitLab Runner affecting all versions prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allows a user who creates a branch with a specially crafted name and gets another user to trigger a pipeline to execute commands in the runner as that other user. Scope: local sid: resolved (fixed in 15.10.8+ds1-2)