Debian Gitlab vulnerabilities
1,325 known vulnerabilities affecting debian/gitlab.
Total CVEs: 1,325
CISA KEV: 4 (actively exploited)
Public exploits: 22
Exploited in wild: 2
Severity breakdown: CRITICAL 43, HIGH 196, MEDIUM 630, LOW 456
Vulnerabilities
Page 31 of 67
CVE-2022-0172 | MEDIUM | CVSS 5.3 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2022
An issue has been discovered in GitLab CE/EE affecting all versions starting with 12.3. Under certain conditions it was possible to bypass the IP restriction for public projects through GraphQL allowing unauthorised users to read titles of issues, merge requests and milestones.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
CVE-2022-2882 | MEDIUM | CVSS 5.5 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2022
An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.6 before 15.2.5, all versions starting from 15.3 before 15.3.4, all versions starting from 15.4 before 15.4.1. A malicious maintainer could exfiltrate a GitHub integration's access token by modifying the integration URL such that authenticated requests are sent to an attacker control
CVE-2022-4054 | MEDIUM | CVSS 5.5 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2022
An issue has been discovered in GitLab affecting all versions starting from 9.3 before 15.4.6, all versions starting from 15.5 before 15.5.5, all versions starting from 15.6 before 15.6.1. It was possible for a project maintainer to leak a webhook secret token by changing the webhook URL to an endpoint that allows them to capture request headers.
Scope: local
sid: re
CVE-2022-2455 | MEDIUM | CVSS 6.5 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2022
A business logic issue in the handling of large repositories in all versions of GitLab CE/EE from 10.0 before 15.1.6, all versions starting from 15.2 before 15.2.4, all versions starting from 15.3 before 15.3.2 allowed an authenticated and authorized user to exhaust server resources by importing a malicious project.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
CVE-2022-4143 | MEDIUM | CVSS 6.4 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2022
An issue has been discovered in GitLab affecting all versions starting from 15.7 before 15.8.5, from 15.9 before 15.9.4, and from 15.10 before 15.10.1 that allows for crafted, unapproved MRs to be introduced and merged without authorization.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
CVE-2022-3726 | MEDIUM | CVSS 4.8 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2022
Lack of sandboxing of OpenAPI documents in GitLab CE/EE affecting all versions from 12.6 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allows an attacker to trick a user into clicking on the Swagger OpenAPI viewer and issue HTTP requests that affect the victim's account.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
CVE-2022-1413 | MEDIUM | CVSS 5.4 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2022
Missing input masking in GitLab CE/EE affecting all versions starting from 1.0.2 before 14.8.6, all versions from 14.9.0 before 14.9.4, and all versions from 14.10.0 before 14.10.1 causes potentially sensitive integration properties to be disclosed in the web interface.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
CVE-2022-3067 | MEDIUM | CVSS 6.5 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2022
An issue has been discovered in the Import functionality of GitLab CE/EE affecting all versions starting from 14.4 before 15.2.5, all versions starting from 15.3 before 15.3.4, all versions starting from 15.4 before 15.4.1. It was possible for an authenticated user to read arbitrary projects' content given the project's ID.
Scope: local
sid: resolved (fixed in 15.10.
CVE-2022-1821 | MEDIUM | CVSS 4.3 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2022
An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.8 before 14.9.5, all versions starting from 14.10 before 14.10.4, all versions starting from 15.0 before 15.0.1. It may be possible for a subgroup member to access the members list of their parent group.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
CVE-2022-2512 | MEDIUM | CVSS 6.5 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2022
An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.0 before 15.0.5, all versions starting from 15.1 before 15.1.4, all versions starting from 15.2 before 15.2.1. Membership changes are not reflected in TODO for confidential notes, allowing former project members to read updates via TODOs.
Scope: local
sid: resolved (fixed in 15.10.
CVE-2022-3514 | MEDIUM | CVSS 4.3 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2022
An issue has been discovered in GitLab CE/EE affecting all versions starting from 6.6 before 15.5.7, all versions starting from 15.6 before 15.6.4, all versions starting from 15.7 before 15.7.2. An attacker may cause Denial of Service on a GitLab instance by exploiting a regex issue in the submodule URL parser.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
CVE-2022-1121 | MEDIUM | CVSS 5.3 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2022
A lack of appropriate timeouts in GitLab Pages included in GitLab CE/EE all versions prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allows an attacker to cause unlimited resource consumption.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
CVE-2022-4205 | MEDIUM | CVSS 6.3 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2022
In GitLab EE/CE before 15.6.1, 15.5.5 and 15.4.6, using a branch with a hexadecimal name could override an existing hash.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
CVE-2022-4007 | MEDIUM | CVSS 5.4 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2022
An issue has been discovered in GitLab CE/EE affecting all versions from 15.3 prior to 15.7.8, version 15.8 prior to 15.8.4, and version 15.9 prior to 15.9.2. A cross-site scripting vulnerability was found in the title field of work items that allowed attackers to perform arbitrary actions on behalf of victims on the client side.
Scope: local
sid: resolved (fixed in 15.10.
CVE-2022-0152 | MEDIUM | CVSS 6.5 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2022
An issue has been discovered in GitLab affecting all versions starting from 13.10 before 14.4.5, all versions starting from 14.5.0 before 14.5.3, all versions starting from 14.6.0 before 14.6.2. GitLab was vulnerable to unauthorized access to some particular fields through the GraphQL API.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
CVE-2022-0371 | MEDIUM | CVSS 4.3 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2022
An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.4 before 14.5.4, all versions starting from 14.6 before 14.6.4, all versions starting from 14.7 before 14.7.1. GitLab search may allow authenticated users to search other users by their respective private emails even if a user set their email to private.
Scope: local
sid: resolved (f
CVE-2022-3820 | MEDIUM | CVSS 6.5 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2022
An issue has been discovered in GitLab affecting all versions starting from 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2. GitLab was not performing correct authentication with some Package Registries when IP address restrictions were configured, allowing an attacker already in possession of a valid Deploy Token to misuse it from any location.
Scope: local
sid: reso
CVE-2022-2498 | MEDIUM | CVSS 6.4 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2022
An issue in pipeline subscriptions in GitLab EE affecting all versions from 12.8 prior to 15.0.5, 15.1 prior to 15.1.4, and 15.2 prior to 15.2.1 triggered new pipelines with the person who created the tag as the pipeline creator instead of the subscription's author.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
CVE-2022-2243 | MEDIUM | CVSS 5.0 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2022
An access control vulnerability in GitLab EE/CE affecting all versions from 14.8 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1 allows authenticated users to enumerate issues in non-linked Sentry projects.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
CVE-2022-1185 | MEDIUM | CVSS 6.5 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2022
A denial of service vulnerability when rendering RDoc files in GitLab CE/EE versions 10 to 14.7.7, 14.8.0 to 14.8.5, and 14.9.0 to 14.9.2 allows an attacker to crash the GitLab web application with a maliciously crafted RDoc file.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)