Debian Gitlab vulnerabilities
1,325 known vulnerabilities affecting debian/gitlab.
Total CVEs: 1,325
CISA KEV: 4 (actively exploited)
Public exploits: 22
Exploited in wild: 2
Severity breakdown: CRITICAL 43, HIGH 196, MEDIUM 630, LOW 456

Vulnerabilities (page 36 of 67)
CVE-2021-22203 | HIGH | CVSS 7.5 | 2021 | fixed in gitlab 15.10.8+ds1-2 (sid)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.7.9 before 13.8.7, all versions starting from 13.9 before 13.9.5, and all versions starting from 13.10 before 13.10.1. A specially crafted Wiki page allowed attackers to read arbitrary files on the server.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
CVE-2021-22213 | HIGH | CVSS 8.8 | 2021 | fixed in gitlab 15.10.8+ds1-2 (sid)
A cross-site leak vulnerability in the OAuth flow of all versions of GitLab CE/EE since 7.10 allowed an attacker to leak an OAuth access token by getting the victim to visit a malicious page with Safari.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
CVE-2021-22181 | HIGH | CVSS 7.7 | 2021 | fixed in gitlab 15.10.8+ds1-2 (sid)
A denial of service vulnerability in GitLab CE/EE affecting all versions since 11.8 allows an attacker to create a recursive pipeline relationship and exhaust resources.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
CVE-2021-39887 | HIGH | CVSS 7.3 | 2021 | fixed in gitlab 15.10.8+ds1-2 (sid)
A stored Cross-Site Scripting vulnerability in the GitLab Flavored Markdown in GitLab CE/EE version 8.4 and above allowed an attacker to execute arbitrary JavaScript code on the victim's behalf.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
CVE-2021-39877 | HIGH | CVSS 7.7 | 2021 | fixed in gitlab 15.10.8+ds1-2 (sid)
A vulnerability was discovered in GitLab starting with version 12.2 that allows an attacker to cause uncontrolled resource consumption with a specially crafted file.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
CVE-2021-39906 | HIGH | CVSS 8.7 | 2021 | fixed in gitlab 15.10.8+ds1-2 (sid)
Improper validation of ipynb files in GitLab CE/EE version 13.5 and above allows an attacker to execute arbitrary JavaScript code on the victim's behalf.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
CVE-2021-22241 | HIGH | CVSS 8.7 | 2021 | fixed in gitlab 15.10.8+ds1-2 (sid)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 14.0. It was possible to exploit a stored cross-site-scripting via a specifically crafted default branch name.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
CVE-2021-22209 | HIGH | CVSS 7.5 | 2021 | fixed in gitlab 15.10.8+ds1-2 (sid)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.8. GitLab was not properly validating authorisation tokens which resulted in GraphQL mutation being executed.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
CVE-2021-39946 | HIGH | CVSS 8.7 | 2021 | fixed in gitlab 15.10.8+ds1-2 (sid)
Improper neutralization of user input in GitLab CE/EE versions 14.3 to 14.3.6, 14.4 to 14.4.4, and 14.5 to 14.5.2 allowed an attacker to exploit XSS by abusing the generation of the HTML code related to emojis.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
CVE-2021-22177 | MEDIUM | CVSS 4.3 | 2021 | fixed in gitlab 15.10.8+ds1-2 (sid)
Potential DoS was identified in gitlab-shell in GitLab CE/EE version 12.6.0 or above, which allows an attacker to spike the server resource utilization via gitlab-shell command.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
CVE-2021-39866 | MEDIUM | CVSS 5.4 | 2021 | fixed in gitlab 15.10.8+ds1-2 (sid)
A business logic error in the project deletion process in GitLab 13.6 and later allows persistent access via project access tokens.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
CVE-2021-39893 | MEDIUM | CVSS 5.3 | 2021 | fixed in gitlab 15.10.8+ds1-2 (sid)
A potential DoS vulnerability was discovered in GitLab starting with version 9.1 that allowed parsing files without authorisation.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
CVE-2021-39871 | MEDIUM | CVSS 4.3 | 2021 | fixed in gitlab 15.10.8+ds1-2 (sid)
In all versions of GitLab CE/EE since version 13.0, an instance that has the setting to disable Bitbucket Server import enabled is bypassed by an attacker making a crafted API call.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
CVE-2021-22263 | MEDIUM | CVSS 5.5 | 2021 | fixed in gitlab 15.10.8+ds1-2 (sid)
An issue has been discovered in GitLab affecting all versions starting from 13.0 before 14.0.9, all versions starting from 14.1 before 14.1.4, all versions starting from 14.2 before 14.2.2. A user account with 'external' status which is granted 'Maintainer' role on any project on the GitLab instance where 'project tokens' are allowed may elevate its privilege to 'I
CVE-2021-4191 | MEDIUM | CVSS 5.3 | PoC available | 2021 | fixed in gitlab 15.10.8+ds1-2 (sid)
An issue has been discovered in GitLab CE/EE affecting versions 13.0 to 14.6.5, 14.7 to 14.7.4, and 14.8 to 14.8.2. Private GitLab instances with restricted sign-ups may be vulnerable to user enumeration to unauthenticated users through the GraphQL API.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
CVE-2021-39870 | MEDIUM | CVSS 4.3 | 2021 | fixed in gitlab 15.10.8+ds1-2 (sid)
In all versions of GitLab CE/EE since version 11.11, an instance that has the setting to disable Repo by URL import enabled is bypassed by an attacker making a crafted API call.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
CVE-2021-22167 | MEDIUM | CVSS 5.3 | 2021 | fixed in gitlab 15.10.8+ds1-2 (sid)
An issue has been discovered in GitLab affecting all versions starting from 12.1. Incorrect headers in a specific project page allow an attacker to have temporary read access to the private repository.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
CVE-2021-39907 | MEDIUM | CVSS 5.3 | 2021 | fixed in gitlab 15.10.8+ds1-2 (sid)
A potential DoS vulnerability was discovered in GitLab CE/EE starting with version 13.7. The stripping of EXIF data from certain images resulted in high CPU usage.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
CVE-2021-22236 | MEDIUM | CVSS 5.5 | 2021 | fixed in gitlab 15.10.8+ds1-2 (sid)
Due to improper handling of OAuth client IDs, new subscriptions generated OAuth tokens on an incorrect OAuth client application. This vulnerability is present in GitLab CE/EE since version 14.1.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
CVE-2021-22194 | MEDIUM | CVSS 5.7 | 2021 | fixed in gitlab 15.10.8+ds1-2 (sid)
In all versions of GitLab, marshalled session keys were being stored in Redis.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)