Debian Gitlab vulnerabilities
1,325 known vulnerabilities affecting debian/gitlab.
Total CVEs: 1,325
CISA KEV: 4 (actively exploited)
Public exploits: 22
Exploited in wild: 2
Severity breakdown: CRITICAL 43, HIGH 196, MEDIUM 630, LOW 456
Vulnerabilities
Page 28 of 67
CVE-2022-0390 | MEDIUM | CVSS 4.3 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2022
Improper access control in Gitlab CE/EE versions 12.7 to 14.5.4, 14.6 to 14.6.4, and 14.7 to 14.7.1 allowed for project non-members to retrieve issue details when it was linked to an item from the vulnerability dashboard.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
debian
CVE-2022-0477 | MEDIUM | CVSS 4.9 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2022
An issue has been discovered in GitLab affecting all versions starting from 11.9 before 14.5.4, all versions starting from 14.6.0 before 14.6.4, all versions starting from 14.7.0 before 14.7.1. GitLab was not correctly handling bulk requests to delete existing packages from the package registries which could result in a Denial of Service under specific conditions.
Sc
debian
CVE-2022-2908 | MEDIUM | CVSS 4.3 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2022
A potential DoS vulnerability was discovered in Gitlab CE/EE versions starting from 10.7 before 15.1.5, all versions starting from 15.2 before 15.2.3, all versions starting from 15.3 before 15.3.1 allowed an attacker to trigger high CPU usage via a special crafted input added in the Commit message field.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
debian
CVE-2022-2500 | MEDIUM | CVSS 4.4 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2022
A cross-site scripting issue has been discovered in GitLab CE/EE affecting all versions before 15.0.5, 15.1 prior to 15.1.4, and 15.2 prior to 15.2.1. A stored XSS flaw in job error messages allows attackers to perform arbitrary actions on behalf of victims at client side.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
debian
CVE-2022-3285 | MEDIUM | CVSS 5.3 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2022
Bypass of healthcheck endpoint allow list affecting all versions from 12.0 prior to 15.2.5, 15.3 prior to 15.3.4, and 15.4 prior to 15.4.1 allows an unauthorized attacker to prevent access to GitLab
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
debian
CVE-2022-1545 | MEDIUM | CVSS 4.3 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2022
It was possible to disclose details of confidential notes created via the API in Gitlab CE/EE affecting all versions from 13.2 prior to 14.8.6, 14.9 prior to 14.9.4, and 14.10 prior to 14.10.1 if an unauthorised project member was tagged in the note.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
debian
CVE-2022-3413 | MEDIUM | CVSS 4.3 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2022
Incorrect authorization during display of Audit Events in GitLab EE affecting all versions from 14.5 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2, allowed Developers to view the project's Audit Events and Developers or Maintainers to view the group's Audit Events. These should have been restricted to Project Maintainers, Group Owners, and above.
Sc
debian
CVE-2022-3573 | MEDIUM | CVSS 5.4 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2022
An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.4 before 15.5.7, all versions starting from 15.6 before 15.6.4, all versions starting from 15.7 before 15.7.2. Due to the improper filtering of query parameters in the wiki changes page, an attacker can execute arbitrary JavaScript on the self-hosted instances running without strict
debian
CVE-2022-2303 | MEDIUM | CVSS 4.3 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2022
An issue has been discovered in GitLab CE/EE affecting all versions before 15.0.5, all versions starting from 15.1 before 15.1.4, all versions starting from 15.2 before 15.2.1. It may be possible for group members to bypass 2FA enforcement enabled at the group level by using Resource Owner Password Credentials grant to obtain an access token without using 2FA.
Scope:
debian
CVE-2022-3902 | MEDIUM | CVSS 5.5 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2022
An issue has been discovered in GitLab affecting all versions starting from 9.3 before 15.4.6, all versions starting from 15.5 before 15.5.5, all versions starting from 15.6 before 15.6.1. It was possible for a project maintainer to unmask webhook secret tokens by reviewing the logs after testing webhooks.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
debian
CVE-2022-0373 | MEDIUM | CVSS 4.3 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2022
Improper access control in GitLab CE/EE versions 12.4 to 14.5.4, 14.5 to 14.6.4, and 12.6 to 14.7.1 allows project non-members to retrieve the service desk email address
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
debian
CVE-2022-2630 | MEDIUM | CVSS 4.3 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2022
An improper access control issue in GitLab CE/EE affecting all versions starting from 15.2 before 15.2.4, all versions from 15.3 before 15.3.2 allows disclosure of confidential information via the Incident timeline events.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
debian
CVE-2022-1174 | MEDIUM | CVSS 4.3 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2022
A potential DoS vulnerability was discovered in Gitlab CE/EE versions 13.7 before 14.7.7, all versions starting from 14.8 before 14.8.5, all versions starting from 14.9 before 14.9.2 allowed an attacker to trigger high CPU usage via a special crafted input added in Issues, Merge requests, Milestones, Snippets, Wiki pages, etc.
Scope: local
sid: resolved (fixed in 15.
debian
CVE-2022-0090 | MEDIUM | CVSS 6.5 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2022
An issue has been discovered affecting GitLab versions prior to 14.4.5, between 14.5.0 and 14.5.3, and between 14.6.0 and 14.6.1. GitLab is configured in a way that it doesn't ignore replacement references with git sub-commands, allowing a malicious user to spoof the contents of their commits in the UI.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
debian
CVE-2022-2456 | MEDIUM | CVSS 4.9 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2022
An issue has been discovered in GitLab CE/EE affecting all versions before 15.0.5, all versions starting from 15.1 before 15.1.4, all versions starting from 15.2 before 15.2.1. It may be possible for malicious group or project maintainers to change their corresponding group or project visibility by crafting a malicious POST request.
Scope: local
sid: resolved (fixed
debian
CVE-2022-1954 | MEDIUM | CVSS 4.3 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2022
A Regular Expression Denial of Service vulnerability in GitLab CE/EE affecting all versions from 1.0.2 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1 allows an attacker to make a GitLab instance inaccessible via specially crafted web server response headers
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
debian
CVE-2022-0283 | MEDIUM | CVSS 4.7 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2022
An issue has been discovered affecting GitLab versions prior to 13.5. An open redirect vulnerability was fixed in the GitLab integration with Jira that could cause the web application to redirect the request to an attacker-specified URL.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
debian
CVE-2022-2761 | MEDIUM | CVSS 4.3 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2022
An information disclosure issue in GitLab CE/EE affecting all versions from 14.4 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allows an attacker to use GitLab Flavored Markdown (GFM) references in a Jira issue to disclose the names of resources they don't have access to.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
debian
CVE-2022-2907 | MEDIUM | CVSS 5.7 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2022
An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.9 before 15.1.6, all versions starting from 15.2 before 15.2.4, all versions starting from 15.3 before 15.3.2. It was possible to read repository content by an unauthorised user if a project member used a crafted link.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
debian
CVE-2022-3513 | MEDIUM | CVSS 6.1 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2022
An issue has been discovered in GitLab affecting all versions starting from 12.8 before 15.8.5, all versions starting from 15.9 before 15.9.4, all versions starting from 15.10 before 15.10.1. A specially crafted payload could lead to a reflected XSS on the client side which allows attackers to perform arbitrary actions on behalf of victims on self-hosted instances ru
debian