Debian Gitlab vulnerabilities

1,325 known vulnerabilities affecting debian/gitlab.

Total CVEs: 1,325
CISA KEV: 4 (actively exploited)
Public exploits: 22
Exploited in wild: 2
Severity breakdown: CRITICAL 43, HIGH 196, MEDIUM 630, LOW 456

Vulnerabilities

Page 32 of 67
CVE-2022-3411  MEDIUM  CVSS 6.5  fixed in gitlab 15.10.8+ds1-2 (sid)  2022
  [MEDIUM] gitlab - A lack of length validation in GitLab CE/EE affecting all versions from 12.4 before 15.6.7, 15.7 before 15.7.6, and 15.8 before 15.8.1 allows an authenticated attacker to create a large Issue description via GraphQL which, when repeatedly requested, saturates CPU usage.
  Scope: local | sid: resolved (fixed in 15.10.8+ds1-2)

CVE-2022-0124  MEDIUM  CVSS 4.3  fixed in gitlab 15.10.8+ds1-2 (sid)  2022
  [MEDIUM] gitlab - An issue has been discovered affecting GitLab versions prior to 14.4.5, between 14.5.0 and 14.5.3, and between 14.6.0 and 14.6.1. GitLab's Slack integration incorrectly validates user input and allows crafting malicious URLs that are sent to Slack.
  Scope: local | sid: resolved (fixed in 15.10.8+ds1-2)

CVE-2022-2592  MEDIUM  CVSS 6.5  fixed in gitlab 15.10.8+ds1-2 (sid)  2022
  [MEDIUM] gitlab - A lack of length validation in Snippet descriptions in GitLab CE/EE affecting all versions prior to 15.1.6, 15.2 prior to 15.2.4 and 15.3 prior to 15.3.2 allows an authenticated attacker to create a maliciously large Snippet which, when requested with or without authentication, places excessive load on the server, potentially leading to Denial of Service.
  Scope: local | sid: resolved (fixed in 15.10.8+ds1-2)

CVE-2022-3486  MEDIUM  CVSS 4.7  fixed in gitlab 15.10.8+ds1-2 (sid)  2022
  [MEDIUM] gitlab - An open redirect vulnerability in GitLab EE/CE affecting all versions from 9.3 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allows an attacker to redirect users to an arbitrary location if they trust the URL.
  Scope: local | sid: resolved (fixed in 15.10.8+ds1-2)

CVE-2022-3818  MEDIUM  CVSS 5.3  fixed in gitlab 15.10.8+ds1-2 (sid)  2022
  [MEDIUM] gitlab - An uncontrolled resource consumption issue when parsing URLs in GitLab CE/EE affecting all versions prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allows an attacker to cause performance issues and potentially a denial of service on the GitLab instance.
  Scope: local | sid: resolved (fixed in 15.10.8+ds1-2)

CVE-2022-1120  MEDIUM  CVSS 4.8  fixed in gitlab 15.10.8+ds1-2 (sid)  2022
  [MEDIUM] gitlab - Missing filtering in an error message in GitLab CE/EE affecting all versions prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 exposed sensitive information when an include directive fails in the CI/CD configuration.
  Scope: local | sid: resolved (fixed in 15.10.8+ds1-2)

CVE-2022-1100  MEDIUM  CVSS 4.3  fixed in gitlab 15.10.8+ds1-2 (sid)  2022
  [MEDIUM] gitlab - A potential DoS vulnerability was discovered in GitLab CE/EE affecting all versions from 13.1 prior to 14.7.7, 14.8.0 prior to 14.8.5, and 14.9.0 prior to 14.9.2. The API to update an asset as a link from a release had a regex check which caused an exponential number of backtracks for certain user-supplied values, resulting in high CPU usage.
  Scope: local | sid: resolved (fixed in 15.10.8+ds1-2)

CVE-2022-0751  MEDIUM  CVSS 6.5  fixed in gitlab 15.10.8+ds1-2 (sid)  2022
  [MEDIUM] gitlab - Inaccurate display of Snippet files containing special characters in all versions of GitLab CE/EE allows an attacker to create Snippets with misleading content which could trick unsuspecting users into executing arbitrary commands.
  Scope: local | sid: resolved (fixed in 15.10.8+ds1-2)

CVE-2022-0123  MEDIUM  CVSS 5.9  fixed in gitlab 15.10.8+ds1-2 (sid)  2022
  [MEDIUM] gitlab - An issue has been discovered affecting GitLab versions prior to 14.4.5, between 14.5.0 and 14.5.3, and between 14.6.0 and 14.6.1. GitLab does not validate SSL certificates for some external CI services, which makes it possible to perform MitM attacks on connections to these external services.
  Scope: local | sid: resolved (fixed in 15.10.8+ds1-2)

CVE-2022-2095  MEDIUM  CVSS 4.3  fixed in gitlab 15.10.8+ds1-2 (sid)  2022
  [MEDIUM] gitlab - An improper access control check in GitLab CE/EE affecting all versions starting from 13.7 before 15.0.5, all versions starting from 15.1 before 15.1.4, all versions starting from 15.2 before 15.2.1 allows a malicious authenticated user to view a public project's Deploy Key's public fingerprint and name when that key has write permission. Note that GitLab never asks

CVE-2022-3066  MEDIUM  CVSS 5.4  fixed in gitlab 15.10.8+ds1-2 (sid)  2022
  [MEDIUM] gitlab - An issue has been discovered in GitLab affecting all versions starting from 10.0 before 15.2.5, all versions starting from 15.3 before 15.3.4, all versions starting from 15.4 before 15.4.1. It was possible for an unauthorised user to create issues in a project.
  Scope: local | sid: resolved (fixed in 15.10.8+ds1-2)

CVE-2022-4206  MEDIUM  CVSS 5.0  fixed in gitlab 15.10.8+ds1-2 (sid)  2022
  [MEDIUM] gitlab - A sensitive information leak issue has been discovered in all versions of DAST API scanner from 1.6.50 prior to 2.0.102, exposing the Authorization header in the vulnerability report.
  Scope: local | sid: resolved (fixed in 15.10.8+ds1-2)

CVE-2022-1416  MEDIUM  CVSS 4.3  fixed in gitlab 15.10.8+ds1-2 (sid)  2022
  [MEDIUM] gitlab - Missing sanitization of data in Pipeline error messages in GitLab CE/EE affecting all versions starting from 1.0.2 before 14.8.6, all versions from 14.9.0 before 14.9.4, and all versions from 14.10.0 before 14.10.1 allows for rendering of attacker-controlled HTML tags and CSS styling.
  Scope: local | sid: resolved (fixed in 15.10.8+ds1-2)

CVE-2022-3793  MEDIUM  CVSS 4.3  fixed in gitlab 15.10.8+ds1-2 (sid)  2022
  [MEDIUM] gitlab - An improper authorization issue in GitLab CE/EE affecting all versions from 14.4 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allows an attacker to read variables set directly in a GitLab CI/CD configuration file they don't have access to.
  Scope: local | sid: resolved (fixed in 15.10.8+ds1-2)

CVE-2022-3758  MEDIUM  CVSS 5.4  fixed in gitlab 15.10.8+ds1-2 (sid)  2022
  [MEDIUM] gitlab - An issue has been discovered in GitLab affecting all versions starting from 15.5 before 15.7.8, all versions starting from 15.8 before 15.8.4, all versions starting from 15.9 before 15.9.2. Due to improper permissions checks, an unauthorised user was able to read, add or edit a user's private snippet.
  Scope: local | sid: resolved (fixed in 15.10.8+ds1-2)

CVE-2022-4131  MEDIUM  CVSS 4.3  fixed in gitlab 15.10.8+ds1-2 (sid)  2022
  [MEDIUM] gitlab - An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.8 before 15.5.7, all versions starting from 15.6 before 15.6.4, all versions starting from 15.7 before 15.7.2. An attacker may cause Denial of Service on a GitLab instance by exploiting a regex issue in how the application parses user agents.
  Scope: local | sid: resolved (fixed in 15.10.8+ds1-2)

CVE-2022-3286  LOW  CVSS 5.3  2022
  [MEDIUM] gitlab - Lack of IP address checking in GitLab EE affecting all versions from 14.2 prior to 15.2.5, 15.3 prior to 15.3.4, and 15.4 prior to 15.4.1 allows a group member to bypass IP restrictions when using a deploy token.
  Scope: local | sid: resolved

CVE-2022-2499  LOW  CVSS 3.5  2022
  [LOW] gitlab - An issue has been discovered in GitLab EE affecting all versions starting from 13.10 before 15.0.5, all versions starting from 15.1 before 15.1.4, all versions starting from 15.2 before 15.2.1. GitLab's Jira integration has an insecure direct object reference vulnerability that may be exploited by an attacker to leak Jira issues.
  Scope: local | sid: resolved

CVE-2022-2501  LOW  CVSS 5.9  2022
  [MEDIUM] gitlab - An improper access control issue in GitLab EE affecting all versions from 12.0 prior to 15.0.5, 15.1 prior to 15.1.4, and 15.2 prior to 15.2.1 allows an attacker to bypass IP allow-listing and download artifacts. This attack only bypasses IP allow-listing; proper permissions are still required.
  Scope: local | sid: resolved

CVE-2022-3819  LOW  CVSS 3.5  fixed in gitlab 15.10.8+ds1-2 (sid)  2022
  [LOW] gitlab - An improper authorization issue in GitLab CE/EE affecting all versions from 15.0 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allows malicious users to set emojis on internal notes they don't have access to.
  Scope: local | sid: resolved (fixed in 15.10.8+ds1-2)