Debian Gitlab vulnerabilities
1,325 known vulnerabilities affecting debian/gitlab.
Total CVEs: 1,325
CISA KEV: 4 (actively exploited)
Public exploits: 22
Exploited in wild: 2
Severity breakdown: CRITICAL 43, HIGH 196, MEDIUM 630, LOW 456
Vulnerabilities
Page 37 of 67
CVE-2021-22243 | MEDIUM | CVSS 5.0 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2021
Under specialized conditions, GitLab CE/EE versions starting 7.10 may allow existing GitLab users to use an invite URL meant for another email address to gain access into a group.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
debian
CVE-2021-22226 | MEDIUM | CVSS 6.5 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2021
Under certain conditions, some users were able to push to protected branches that were restricted to deploy keys in GitLab CE/EE since version 13.9.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
debian
CVE-2021-22227 | MEDIUM | CVSS 6.1 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2021
A reflected cross-site scripting vulnerability in GitLab before versions 13.11.6, 13.12.6 and 14.0.2 allowed an attacker to send a malicious link to a victim and trigger actions on their behalf if they clicked it.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
debian
CVE-2021-22264 | MEDIUM | CVSS 6.8 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2021
An issue has been discovered in GitLab affecting all versions starting from 13.8 before 14.0.9, all versions starting from 14.1 before 14.1.4, all versions starting from 14.2 before 14.2.2. Under specialized conditions, an invited group member may continue to have access to a project even after the invited group, which the member was part of, is deleted.
Scope: loc
debian
CVE-2021-22187 | MEDIUM | CVSS 4.3 | fixed in gitlab 13.2.3-2 (sid) | 2021
An issue has been discovered in GitLab affecting all versions of GitLab EE/CE before 13.6.7. A potential resource exhaustion issue allowed running or pending jobs to continue even after the project was deleted.
Scope: local
sid: resolved (fixed in 13.2.3-2)
debian
CVE-2021-39867 | MEDIUM | CVSS 6.5 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2021
In all versions of GitLab CE/EE since version 8.15, a DNS rebinding vulnerability in the Gitea Importer may be exploited by an attacker to trigger Server Side Request Forgery (SSRF) attacks.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
debian
CVE-2021-39912 | MEDIUM | CVSS 5.3 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2021
A potential DoS vulnerability was discovered in GitLab CE/EE starting with version 13.7. Using malformed TIFF images, it was possible to trigger memory exhaustion.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
debian
CVE-2021-39875 | MEDIUM | CVSS 5.3 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2021
In all versions of GitLab CE/EE since version 13.6, it is possible to see pending invitations of any public group or public project by visiting an API endpoint.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
debian
CVE-2021-39919 | MEDIUM | CVSS 4.4 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2021
In all versions of GitLab CE/EE starting from 14.0 before 14.3.6, all versions starting from 14.4 before 14.4.4, and all versions starting from 14.5 before 14.5.2, the reset password token and new user email token are accidentally logged, which may lead to information disclosure.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
debian
CVE-2021-22238 | MEDIUM | CVSS 6.8 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2021
An issue has been discovered in GitLab affecting all versions starting with 13.3. GitLab was vulnerable to a stored XSS by using the design feature in issues.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
debian
CVE-2021-39935 | MEDIUM | CVSS 6.8 | KEV | PoC | fixed in gitlab 15.10.8+ds1-2 (sid) | 2021
An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.5 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. Unauthorized external users could perform Server Side Requests via the CI Lint API.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
debian
CVE-2021-22180 | MEDIUM | CVSS 4.3 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2021
An issue has been discovered in GitLab affecting all versions starting from 13.4. Improper access control allows unauthorized users to access details on analytics pages.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
debian
CVE-2021-22223 | MEDIUM | CVSS 6.1 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2021
Client-side code injection through a Feature Flag name in GitLab CE/EE starting with 11.9 allows a specially crafted feature flag name to issue PUT requests on behalf of other users when they click on a link.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
debian
CVE-2021-39891 | MEDIUM | CVSS 5.9 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2021
In all versions of GitLab CE/EE since version 8.0, access tokens created as part of an admin's impersonation of a user are not cleared at the end of impersonation, which may lead to unnecessary sensitive information disclosure.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
debian
CVE-2021-22186 | MEDIUM | CVSS 4.9 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2021
An authorization issue in GitLab CE/EE version 9.4 and up allowed a group maintainer to modify group CI/CD variables, which should be restricted to group owners.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
debian
CVE-2021-22258 | MEDIUM | CVSS 4.3 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2021
The project import/export feature in GitLab 8.9 and greater could be used to obtain otherwise private email addresses.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
debian
CVE-2021-39868 | MEDIUM | CVSS 4.3 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2021
In all versions of GitLab CE/EE since version 8.12, an authenticated low-privileged malicious user may create a project with unlimited repository size by modifying values in a project export.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
debian
CVE-2021-22220 | MEDIUM | CVSS 6.1 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2021
An issue has been discovered in GitLab affecting all versions starting with 13.10. GitLab was vulnerable to a stored XSS in the blob viewer of notebooks.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
debian
CVE-2021-22206 | MEDIUM | CVSS 6.8 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2021
An issue has been discovered in GitLab affecting all versions starting from 11.6. Pull mirror credentials are exposed, allowing other maintainers to view the credentials in plain text.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
debian
CVE-2021-22228 | MEDIUM | CVSS 6.5 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2021
An issue has been discovered in GitLab affecting all versions before 13.11.6, all versions starting from 13.12 before 13.12.6, and all versions starting from 14.0 before 14.0.2. Improper access control allows unauthorised users to access project details using GraphQL.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
debian