Debian Gitlab vulnerabilities

CVE-2022-1783 [LOW] CVE-2022-1783: gitlab - An issue has been discovered in GitLab CE/EE affecting all versions starting fro... An issue has been discovered in GitLab CE/EE affecting all versions starting from 14.3 before 14.9.5, all versions starting from 14.10 before 14.10.4, all versions starting from 15.0 before 15.0.1. It may be possible for malicious group maintainers to add new members to a project within their group, through the REST API, even after their group owner enabled a setting to

CVE-2022-2270 [LOW] CVE-2022-2270: gitlab - An issue has been discovered in GitLab affecting all versions starting from 12.4... An issue has been discovered in GitLab affecting all versions starting from 12.4 before 14.10.5, all versions starting from 15.0 before 15.0.4, all versions starting from 15.1 before 15.1.1. GitLab was leaking Conan packages names due to incorrect permissions verification. Scope: local sid: resolved (fixed in 15.10.8+ds1-2)

CVE-2022-1157 [LOW] CVE-2022-1157: gitlab - Missing sanitization of logged exception messages in all versions prior to 14.7.... Missing sanitization of logged exception messages in all versions prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 of GitLab CE/EE causes potential sensitive values in invalid URLs to be logged Scope: local sid: resolved (fixed in 15.10.8+ds1-2)

CVE-2022-1983 [MEDIUM] CVE-2022-1983: gitlab - Incorrect authorization in GitLab EE affecting all versions from 10.7 prior to 1... Incorrect authorization in GitLab EE affecting all versions from 10.7 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1, allowed an attacker already in possession of a valid Deploy Key or a Deploy Token to misuse it from any location to access Container Registries even when IP address restrictions were configured. Scope: local sid: resolved

CVE-2022-3293 [LOW] CVE-2022-3293: gitlab - Email addresses were leaked in WebHook logs in GitLab EE affecting all versions ... Email addresses were leaked in WebHook logs in GitLab EE affecting all versions from 9.3 prior to 15.2.5, 15.3 prior to 15.3.4, and 15.4 prior to 15.4.1 Scope: local sid: resolved

CVE-2022-3279 [LOW] CVE-2022-3279: gitlab - An unhandled exception in job log parsing in GitLab CE/EE affecting all versions... An unhandled exception in job log parsing in GitLab CE/EE affecting all versions prior to 15.2.5, 15.3 prior to 15.3.4, and 15.4 prior to 15.4.1 allows an attacker to prevent access to job logs Scope: local sid: resolved (fixed in 15.10.8+ds1-2)

CVE-2022-3325 [LOW] CVE-2022-3325: gitlab - Improper access control in the GitLab CE/EE API affecting all versions starting ... Improper access control in the GitLab CE/EE API affecting all versions starting from 12.8 before 15.2.5, all versions starting from 15.3 before 15.3.4, all versions starting from 15.4 before 15.4.1. Allowed for editing the approval rules via the API by an unauthorised user. Scope: local sid: resolved (fixed in 15.10.8+ds1-2)

CVE-2022-4201 [LOW] CVE-2022-4201: gitlab - A blind SSRF in GitLab CE/EE affecting all from 11.3 prior to 15.4.6, 15.5 prior... A blind SSRF in GitLab CE/EE affecting all from 11.3 prior to 15.4.6, 15.5 prior to 15.5.5, and 15.6 prior to 15.6.1 allows an attacker to connect to local addresses when configuring a malicious GitLab Runner. Scope: local sid: resolved (fixed in 15.10.8+ds1-2)

CVE-2022-0740 [LOW] CVE-2022-0740: gitlab - Incorrect authorization in the Asana integration's branch restriction feature in... Incorrect authorization in the Asana integration's branch restriction feature in all versions of GitLab CE/EE starting from version 7.8.0 before 14.7.7, all versions starting from 14.8 before 14.8.5, all versions starting from 14.9 before 14.9.2 makes it possible to close Asana tasks from unrestricted branches. Scope: local sid: resolved (fixed in 15.10.8+ds1-2)

CVE-2022-0489 [LOW] CVE-2022-0489: gitlab - An issue has been discovered in GitLab CE/EE affecting all versions starting wit... An issue has been discovered in GitLab CE/EE affecting all versions starting with 8.15 . It was possible to trigger a DOS by using the math feature with a specific formula in issue comments. Scope: local sid: resolved (fixed in 15.10.8+ds1-2)

CVE-2022-2227 [LOW] CVE-2022-2227: gitlab - Improper access control in the runner jobs API in GitLab CE/EE affecting all ver... Improper access control in the runner jobs API in GitLab CE/EE affecting all versions prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1 allows a previous maintainer of a project with a specific runner to access job and project meta data under certain conditions Scope: local sid: resolved (fixed in 15.10.8+ds1-2)

CVE-2022-1948 [HIGH] CVE-2022-1948: gitlab - An issue has been discovered in GitLab affecting all versions starting from 15.0... An issue has been discovered in GitLab affecting all versions starting from 15.0 before 15.0.1. Missing validation of input used in quick actions allowed an attacker to exploit XSS by injecting HTML in contact details. Scope: local sid: resolved

CVE-2022-2534 [LOW] CVE-2022-2534: gitlab - An issue has been discovered in GitLab CE/EE affecting all versions starting fro... An issue has been discovered in GitLab CE/EE affecting all versions starting from 9.3 before 15.0.5, all versions starting from 15.1 before 15.1.4, all versions starting from 15.2 before 15.2.1. GitLab was returning contributor emails due to improper data handling in the Datadog integration. Scope: local sid: resolved (fixed in 15.10.8+ds1-2)

CVE-2022-2307 [LOW] CVE-2022-2307: gitlab - A lack of cascading deletes in GitLab CE/EE affecting all versions starting from... A lack of cascading deletes in GitLab CE/EE affecting all versions starting from 13.0 before 15.0.5, all versions starting from 15.1 before 15.1.4, all versions starting from 15.2 before 15.2.1 allows a malicious Group Owner to retain a usable Group Access Token even after the Group is deleted, though the APIs usable by that token are limited. Scope: local sid: resolved

CVE-2022-0738 [MEDIUM] CVE-2022-0738: gitlab - An issue has been discovered in GitLab affecting all versions starting from 14.6... An issue has been discovered in GitLab affecting all versions starting from 14.6 before 14.6.5, all versions starting from 14.7 before 14.7.4, all versions starting from 14.8 before 14.8.2. GitLab was leaking user passwords when adding mirrors with SSH credentials under specific conditions. Scope: local sid: resolved

CVE-2022-3706 [LOW] CVE-2022-3706: gitlab - Improper authorization in GitLab CE/EE affecting all versions from 7.14 prior to... Improper authorization in GitLab CE/EE affecting all versions from 7.14 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allows a user retrying a job in a downstream pipeline to take ownership of the retried jobs in the upstream pipeline even if the user doesn't have access to that project. Scope: local sid: resolved (fixed in 15.10.8+ds1-2)

CVE-2022-4092 [MEDIUM] CVE-2022-4092: gitlab - An issue has been discovered in GitLab EE affecting all versions starting from 1... An issue has been discovered in GitLab EE affecting all versions starting from 15.6 before 15.6.1. It was possible to create a malicious README page due to improper neutralisation of user supplied input. Scope: local sid: resolved

CVE-2022-3351 [MEDIUM] CVE-2022-3351: gitlab - An issue has been discovered in GitLab EE affecting all versions starting from 1... An issue has been discovered in GitLab EE affecting all versions starting from 13.7 before 15.2.5, all versions starting from 15.3 before 15.3.4, all versions starting from 15.4 before 15.4.1. A user's primary email may be disclosed to an attacker through group member events webhooks. Scope: local sid: resolved

CVE-2022-1981 [LOW] CVE-2022-1981: gitlab - An issue has been discovered in GitLab EE affecting all versions starting from 1... An issue has been discovered in GitLab EE affecting all versions starting from 12.2 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1. In GitLab, if a group enables the setting to restrict access to users belonging to specific domains, that allow-list may be bypassed if a Maintainer uses the 'Invite a group' feature to invite a group that has members that

CVE-2022-1189 [LOW] CVE-2022-1189: gitlab - An issue has been discovered in GitLab CE/EE affecting all versions starting fro... An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.2 before 14.7.7, all versions starting from 14.8 before 14.8.5, all versions starting from 14.9 before 14.9.2 that allowed for an unauthorised user to read the the approval rules of a private project. Scope: local sid: resolved (fixed in 15.10.8+ds1-2)