Debian Gitlab vulnerabilities
1,325 known vulnerabilities affecting debian/gitlab.
Total CVEs: 1,325
CISA KEV: 4 (actively exploited)
Public exploits: 22
Exploited in wild: 2
Severity breakdown: CRITICAL 43, HIGH 196, MEDIUM 630, LOW 456
Vulnerabilities
Page 29 of 67
CVE-2022-1105 | MEDIUM | CVSS 4.3 | gitlab | fixed in gitlab 15.10.8+ds1-2 (sid) | 2022
An improper access control vulnerability in GitLab CE/EE affecting all versions from 13.11 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allows an unauthorized user to access pipeline analytics even when public pipelines are disabled.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
debian
CVE-2022-4342 | MEDIUM | CVSS 5.5 | gitlab | fixed in gitlab 15.10.8+ds1-2 (sid) | 2022
An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.1 before 15.5.7, all versions starting from 15.6 before 15.6.4, all versions starting from 15.7 before 15.7.2. A malicious Maintainer can leak masked webhook secrets by changing target URL of the webhook.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
debian
CVE-2022-1935 | MEDIUM | CVSS 6.5 | gitlab | fixed in gitlab 15.10.8+ds1-2 (sid) | 2022
Incorrect authorization in GitLab EE affecting all versions from 12.0 before 14.9.5, all versions starting from 14.10 before 14.10.4, all versions starting from 15.0 before 15.0.1 allowed an attacker already in possession of a valid Project Trigger Token to misuse it from any location even when IP address restrictions were configured.
Scope: local
sid: resolved (fixed
debian
CVE-2022-1963 | MEDIUM | CVSS 5.3 | gitlab | fixed in gitlab 15.10.8+ds1-2 (sid) | 2022
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.4 before 14.10.5, all versions starting from 15.0 before 15.0.4, all versions starting from 15.1 before 15.1.1. GitLab reveals if a user has enabled two-factor authentication on their account in the HTML source, to unauthenticated users.
Scope: local
sid: resolved (fixed in 15.10.8+d
debian
CVE-2022-1460 | MEDIUM | CVSS 6.1 | gitlab | fixed in gitlab 15.10.8+ds1-2 (sid) | 2022
An issue has been discovered in GitLab affecting all versions starting from 9.2 before 14.8.6, all versions starting from 14.9 before 14.9.4, all versions starting from 14.10 before 14.10.1. GitLab was not performing correct authorizations on scheduled pipelines allowing a malicious user to run a pipeline in the context of another user.
Scope: local
sid: resolved (fi
debian
CVE-2022-1352 | MEDIUM | CVSS 5.3 | gitlab | fixed in gitlab 15.10.8+ds1-2 (sid) | 2022
Due to an insecure direct object reference vulnerability in Gitlab EE/CE affecting all versions from 11.0 prior to 14.8.6, 14.9 prior to 14.9.4, and 14.10 prior to 14.10.1, an endpoint may reveal the issue title to a user who crafted an API call with the ID of the issue from a public project that restricts access to issue only to project members.
Scope: local
sid: re
debian
CVE-2022-1148 | MEDIUM | CVSS 5.3 | gitlab | fixed in gitlab 15.10.8+ds1-2 (sid) | 2022
Improper authorization in GitLab Pages included with GitLab CE/EE affecting all versions from 11.5 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allowed an attacker to steal a user's access token on an attacker-controlled private GitLab Pages website and reuse that token on the victim's other private websites.
Scope: local
sid: resolved (fixed in 15.
debian
CVE-2022-4289 | MEDIUM | CVSS 6.4 | gitlab | fixed in gitlab 15.10.8+ds1-2 (sid) | 2022
An issue has been discovered in GitLab affecting all versions starting from 15.3 before 15.7.8, versions of 15.8 before 15.8.4, and version 15.9 before 15.9.2. Google IAP details in Prometheus integration were not hidden, could be leaked from instance, group, or project settings to other users.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
debian
CVE-2022-2533 | MEDIUM | CVSS 6.5 | gitlab | fixed in gitlab 15.10.8+ds1-2 (sid) | 2022
An issue has been discovered in GitLab affecting all versions starting from 12.10 before 15.1.6, all versions starting from 15.2 before 15.2.4, all versions starting from 15.3 before 15.3.2. GitLab was not performing correct authentication with some Package Registries when IP address restrictions were configured, allowing an attacker already in possession of a valid
debian
CVE-2022-0741 | MEDIUM | CVSS 5.8 | gitlab | fixed in gitlab 15.10.8+ds1-2 (sid) | 2022
Improper input validation in all versions of GitLab CE/EE using sendmail to send emails allowed an attacker to steal environment variables via specially crafted email addresses.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
debian
CVE-2022-3870 | MEDIUM | CVSS 5.3 | gitlab | fixed in gitlab 15.10.8+ds1-2 (sid) | 2022
An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.0 before 15.5.7, all versions starting from 15.6 before 15.6.4, all versions starting from 15.7 before 15.7.2. GitLab allows unauthenticated users to download user avatars using the victim's user ID, on private instances that restrict public level visibility.
Scope: local
sid: resolv
debian
CVE-2022-4138 | MEDIUM | CVSS 6.4 | gitlab | fixed in gitlab 15.10.8+ds1-2 (sid) | 2022
A Cross Site Request Forgery issue has been discovered in GitLab CE/EE affecting all versions before 15.6.7, all versions starting from 15.7 before 15.7.6, and all versions starting from 15.8 before 15.8.1. An attacker could take over a project if an Owner or Maintainer uploads a file to a malicious project.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
debian
CVE-2022-4365 | MEDIUM | CVSS 5.5 | gitlab | fixed in gitlab 15.10.8+ds1-2 (sid) | 2022
An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.8 before 15.5.7, all versions starting from 15.6 before 15.6.4, all versions starting from 15.7 before 15.7.2. A malicious Maintainer can leak the sentry token by changing the configured URL in the Sentry error tracking settings page.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-
debian
CVE-2022-2428 | MEDIUM | CVSS 6.4 | gitlab | fixed in gitlab 15.10.8+ds1-2 (sid) | 2022
A crafted tag in the Jupyter Notebook viewer in GitLab EE/CE affecting all versions before 15.1.6, 15.2 to 15.2.4, and 15.3 to 15.3.2 allows an attacker to issue arbitrary HTTP requests.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
debian
CVE-2022-3740 | MEDIUM | CVSS 6.5 | gitlab | fixed in gitlab 15.10.8+ds1-2 (sid) | 2022
An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.9 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2. A group owner may be able to bypass the External Authorization check, if it is enabled, to access git repositories and package registries by using Deploy tokens or Deploy keys.
Scope: local
sid: resolved (fixed in 15.10.
debian
CVE-2022-3381 | MEDIUM | CVSS 4.3 | gitlab | fixed in gitlab 15.10.8+ds1-2 (sid) | 2022
An issue has been discovered in GitLab affecting all versions starting from 10.0 to 15.7.8, 15.8 prior to 15.8.4 and 15.9 prior to 15.9.2. A crafted URL could be used to redirect users to arbitrary sites.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
debian
CVE-2022-4462 | MEDIUM | CVSS 5.0 | gitlab | fixed in gitlab 15.10.8+ds1-2 (sid) | 2022
An issue has been discovered in GitLab affecting all versions starting from 12.8 before 15.7.8, all versions starting from 15.8 before 15.8.4, all versions starting from 15.9 before 15.9.2. This vulnerability could allow a user to unmask the Discord Webhook URL through viewing the raw API response.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
debian
CVE-2022-4037 | MEDIUM | CVSS 6.4 | gitlab | fixed in gitlab 15.10.8+ds1-2 (sid) | 2022
An issue has been discovered in GitLab CE/EE affecting all versions before 15.5.7, all versions starting from 15.6 before 15.6.4, all versions starting from 15.7 before 15.7.2. A race condition can lead to verified email forgery and takeover of third-party accounts when using GitLab as an OAuth provider.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
debian
CVE-2022-1510 | MEDIUM | CVSS 6.5 | gitlab | fixed in gitlab 15.10.8+ds1-2 (sid) | 2022
An issue has been discovered in GitLab affecting all versions starting from 13.9 before 14.8.6, all versions starting from 14.9 before 14.9.4, all versions starting from 14.10 before 14.10.1. GitLab was not correctly handling malicious text in the CI Editor and CI Pipeline details page allowing the attacker to cause uncontrolled resource consumption.
Scope: local
sid
debian
CVE-2022-3018 | MEDIUM | CVSS 6.8 | gitlab | fixed in gitlab 15.10.8+ds1-2 (sid) | 2022
An information disclosure vulnerability in GitLab CE/EE affecting all versions starting from 9.3 before 15.2.5, all versions starting from 15.3 before 15.3.4, all versions starting from 15.4 before 15.4.1 allows a project maintainer to access the DataDog integration API key from webhook logs.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
debian