Debian Gitlab vulnerabilities
1,325 known vulnerabilities affecting debian/gitlab.
Total CVEs: 1,325
CISA KEV: 4 (actively exploited)
Public exploits: 22
Exploited in wild: 2
Severity breakdown: CRITICAL 43, HIGH 196, MEDIUM 630, LOW 456
Vulnerabilities
Page 34 of 67
CVE-2022-3288 | LOW | CVSS 3.5 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2022
CVE-2022-3288 [LOW] CVE-2022-3288: gitlab - A branch/tag name confusion in GitLab CE/EE affecting all versions prior to 15.2...
A branch/tag name confusion in GitLab CE/EE affecting all versions prior to 15.2.5, 15.3 prior to 15.3.4, and 15.4 prior to 15.4.1 allows an attacker to manipulate pages where the content of the default branch would be expected.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
debian
CVE-2022-1940 | LOW | CVSS 7.7 | 2022
CVE-2022-1940 [HIGH] CVE-2022-1940: gitlab - A Stored Cross-Site Scripting vulnerability in Jira integration in GitLab EE aff...
A Stored Cross-Site Scripting vulnerability in Jira integration in GitLab EE affecting all versions from 13.11 prior to 14.9.5, 14.10 prior to 14.10.4, and 15.0 prior to 15.0.1 allows an attacker to execute arbitrary JavaScript code in GitLab on a victim's behalf via specially crafted Jira Issues
Scope: local
sid: resolved
debian
CVE-2022-4335 | LOW | CVSS 4.3 | 2022
CVE-2022-4335 [MEDIUM] CVE-2022-4335: gitlab - A blind SSRF vulnerability was identified in all versions of GitLab EE prior to ...
A blind SSRF vulnerability was identified in all versions of GitLab EE prior to 15.4.6, 15.5 prior to 15.5.5, and 15.6 prior to 15.6.1 which allows an attacker to connect to a local host.
Scope: local
sid: resolved
debian
CVE-2022-0344 | LOW | CVSS 3.1 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2022
CVE-2022-0344 [LOW] CVE-2022-0344: gitlab - An issue has been discovered in GitLab affecting all versions starting from 10.0...
An issue has been discovered in GitLab affecting all versions starting from 10.0 before 14.5.4, all versions starting from 10.1 before 14.6.4, all versions starting from 10.2 before 14.7.1. Private project paths can be disclosed to unauthorized users via system notes when an Issue is closed via a Merge Request and later moved to a public project
Scope: local
sid: resolv
debian
CVE-2022-2826 | LOW | CVSS 2.7 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2022
CVE-2022-2826 [LOW] CVE-2022-2826: gitlab - An issue has been discovered in GitLab affecting all versions starting from 10.0...
An issue has been discovered in GitLab affecting all versions starting from 10.0 before 12.9.8, all versions starting from 12.10 before 12.10.7, all versions starting from 13.0 before 13.0.1. TODO
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
debian
CVE-2022-1426 | LOW | CVSS 2.0 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2022
CVE-2022-1426 [LOW] CVE-2022-1426: gitlab - An issue has been discovered in GitLab affecting all versions starting from 12.6...
An issue has been discovered in GitLab affecting all versions starting from 12.6 before 14.8.6, all versions starting from 14.9 before 14.9.4, all versions starting from 14.10 before 14.10.1. GitLab was not correctly authenticating a user that had a certain amount of information, which allowed a user to authenticate without a personal access token.
Scope: local
sid:
debian
CVE-2022-3375 | LOW | CVSS 3.1 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2022
CVE-2022-3375 [LOW] CVE-2022-3375: gitlab - An issue has been discovered in GitLab affecting all versions starting from 11.1...
An issue has been discovered in GitLab affecting all versions starting from 11.10 before 15.8.5, all versions starting from 15.9 before 15.9.4, all versions starting from 15.10 before 15.10.1. It was possible to disclose the branch names when an attacker has a fork of a project that was switched to private.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
debian
CVE-2022-4343 | LOW | CVSS 5.0 | 2022
CVE-2022-4343 [MEDIUM] CVE-2022-4343: gitlab - An issue has been discovered in GitLab EE affecting all versions starting from 1...
An issue has been discovered in GitLab EE affecting all versions starting from 13.12 before 16.1.5, all versions starting from 16.2 before 16.2.5, all versions starting from 16.3 before 16.3.1 in which a project member can leak credentials stored in site profile.
Scope: local
sid: resolved
debian
CVE-2022-3280 | LOW | CVSS 3.5 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2022
CVE-2022-3280 [LOW] CVE-2022-3280: gitlab - An open redirect in GitLab CE/EE affecting all versions from 10.1 prior to 15.3....
An open redirect in GitLab CE/EE affecting all versions from 10.1 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allows an attacker to trick users into visiting a trustworthy URL and being redirected to arbitrary content.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
debian
CVE-2022-2228 | LOW | CVSS 5.3 | 2022
CVE-2022-2228 [MEDIUM] CVE-2022-2228: gitlab - Information exposure in GitLab EE affecting all versions from 12.0 prior to 14.1...
Information exposure in GitLab EE affecting all versions from 12.0 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1 allows an attacker with the appropriate access tokens to obtain CI variables in a group using IP-based access restrictions, even if the GitLab Runner is calling from outside the allowed IP range.
Scope: local
sid: resolved
debian
CVE-2022-4331 | LOW | CVSS 5.7 | 2022
CVE-2022-4331 [MEDIUM] CVE-2022-4331: gitlab - An issue has been discovered in GitLab EE affecting all versions starting from 1...
An issue has been discovered in GitLab EE affecting all versions starting from 15.1 before 15.7.8, all versions starting from 15.8 before 15.8.4, all versions starting from 15.9 before 15.9.2. If a group with SAML SSO enabled is transferred to a new namespace as a child group, it's possible previously removed malicious maintainer or owner of the child group can still
debian
CVE-2022-3291 | LOW | CVSS 6.5 | 2022
CVE-2022-3291 [MEDIUM] CVE-2022-3291: gitlab - Serialization of sensitive data in GitLab EE affecting all versions from 14.9 pr...
Serialization of sensitive data in GitLab EE affecting all versions from 14.9 prior to 15.2.5, 15.3 prior to 15.3.4, and 15.4 prior to 15.4.1 can leak sensitive information via cache
Scope: local
sid: resolved
debian
CVE-2022-3031 | LOW | CVSS 3.7 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2022
CVE-2022-3031 [LOW] CVE-2022-3031: gitlab - An issue has been discovered in GitLab CE/EE affecting all versions before 15.1....
An issue has been discovered in GitLab CE/EE affecting all versions before 15.1.6, all versions starting from 15.2 before 15.2.4, all versions starting from 15.3 before 15.3.2. It may be possible for an attacker to guess a user's password by brute force by sending crafted requests to a specific endpoint, even if the victim user has 2FA enabled on their account.
Scope: l
debian
CVE-2022-3331 | LOW | CVSS 3.5 | 2022
CVE-2022-3331 [LOW] CVE-2022-3331: gitlab - An issue has been discovered in GitLab EE affecting all versions starting from 1...
An issue has been discovered in GitLab EE affecting all versions starting from 14.5 before 15.1.6, all versions starting from 15.2 before 15.2.4, all versions starting from 15.3 before 15.3.2. GitLab's Zentao integration has an insecure direct object reference vulnerability that may be exploited by an attacker to leak Zentao project issues.
Scope: local
sid: resolved
debian
CVE-2022-2281 | LOW | CVSS 2.6 | 2022
CVE-2022-2281 [LOW] CVE-2022-2281: gitlab - An information disclosure vulnerability in GitLab EE affecting all versions from...
An information disclosure vulnerability in GitLab EE affecting all versions from 12.5 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1, allows disclosure of release titles if group milestones are associated with any project releases.
Scope: local
sid: resolved
debian
CVE-2022-1111 | LOW | CVSS 2.4 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2022
CVE-2022-1111 [LOW] CVE-2022-1111: gitlab - A business logic error in Project Import in GitLab CE/EE versions 14.9 prior to ...
A business logic error in Project Import in GitLab CE/EE versions 14.9 prior to 14.9.2, 14.8 prior to 14.8.5, and 14.0 prior to 14.7.7 under certain conditions caused imported projects to show an incorrect user in the 'Access Granted' column in the project membership pages
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
debian
CVE-2022-4255 | LOW | CVSS 4.3 | 2022
CVE-2022-4255 [MEDIUM] CVE-2022-4255: gitlab - An info leak issue was identified in all versions of GitLab EE from 13.7 prior t...
An info leak issue was identified in all versions of GitLab EE from 13.7 prior to 15.4.6, 15.5 prior to 15.5.5, and 15.6 prior to 15.6.1 which exposes a user's email address through the webhook payload.
Scope: local
sid: resolved
debian
CVE-2022-0488 | LOW | CVSS 3.5 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2022
CVE-2022-0488 [LOW] CVE-2022-0488: gitlab - An issue has been discovered in GitLab CE/EE affecting all versions starting wit...
An issue has been discovered in GitLab CE/EE affecting all versions starting with version 8.10. It was possible to trigger a timeout on a page with markdown by using a specific amount of block-quotes.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
debian
CVE-2022-4167 | LOW | CVSS 5.3 | 2022
CVE-2022-4167 [MEDIUM] CVE-2022-4167: gitlab - Incorrect Authorization check affecting all versions of GitLab EE from 13.11 pri...
Incorrect Authorization check affecting all versions of GitLab EE from 13.11 prior to 15.5.7, 15.6 prior to 15.6.4, and 15.7 prior to 15.7.2 allows group access tokens to continue working even after the group owner loses the ability to revoke them.
Scope: local
sid: resolved
debian
CVE-2022-2459 | LOW | CVSS 2.7 | 2022
CVE-2022-2459 [LOW] CVE-2022-2459: gitlab - An issue has been discovered in GitLab EE affecting all versions before 15.0.5, ...
An issue has been discovered in GitLab EE affecting all versions before 15.0.5, all versions starting from 15.1 before 15.1.4, all versions starting from 15.2 before 15.2.1. It may be possible for email invited members to join a project even after the Group Owner has enabled the setting to prevent members from being added to projects in a group, if the invite was sent b
debian