Debian Gitlab vulnerabilities

1,325 known vulnerabilities affecting debian/gitlab.

Total CVEs: 1,325
CISA KEV: 4 (actively exploited)
Public exploits: 22
Exploited in wild: 2
Severity breakdown: CRITICAL 43, HIGH 196, MEDIUM 630, LOW 456

Vulnerabilities

Page 38 of 67
CVE-2021-39913 | MEDIUM | CVSS 4.4 | 2021 | sid: resolved, fixed in gitlab 15.10.8+ds1-2
Accidental logging of the system root password in the migration log in all versions of GitLab CE/EE before 14.2.6, all versions starting from 14.3 before 14.3.4, and all versions starting from 14.4 before 14.4.1 allows an attacker with local file system access to obtain system root-level privileges.
Scope: local.

CVE-2021-22250 | MEDIUM | CVSS 5.4 | 2021 | sid: resolved, fixed in gitlab 15.10.8+ds1-2
Improper authorization in GitLab CE/EE affecting all versions since 13.3 allowed users to view and delete impersonation tokens that administrators created for their account.
Scope: local.

CVE-2021-39895 | MEDIUM | CVSS 6.0 | 2021 | sid: resolved, fixed in gitlab 15.10.8+ds1-2
In all versions of GitLab CE/EE since version 8.0, an attacker can set the pipeline schedules to be active in a project export, so when an unsuspecting owner imports that project, pipelines are active by default on that project. Under specialized conditions, this may lead to information disclosure if the project is imported from an untrusted source.
Scope: local.

CVE-2021-22239 | MEDIUM | CVSS 5.0 | 2021 | sid: resolved, fixed in gitlab 15.10.8+ds1-2
An unauthorized user was able to insert metadata when creating a new issue on GitLab CE/EE 14.0 and later.
Scope: local.

CVE-2021-22216 | MEDIUM | CVSS 6.5 | 2021 | sid: resolved, fixed in gitlab 15.10.8+ds1-2
A denial of service vulnerability in all versions of GitLab CE/EE before 13.12.2, 13.11.5 or 13.10.5 allows an attacker to cause uncontrolled resource consumption with a very long issue or merge request description.
Scope: local.

CVE-2021-39874 | MEDIUM | CVSS 4.3 | 2021 | sid: resolved, fixed in gitlab 15.10.8+ds1-2
In all versions of GitLab CE/EE since version 11.0, the requirement to enforce 2FA is not honored when using git commands.
Scope: local.

CVE-2021-22200 | MEDIUM | CVSS 5.9 | 2021 | sid: resolved, fixed in gitlab 15.10.8+ds1-2
An issue has been discovered in GitLab CE/EE affecting all versions starting with 12.6. Under a special condition it was possible to access data of an internal repository through a public project fork as an anonymous user.
Scope: local.

CVE-2021-22230 | MEDIUM | CVSS 4.9 | 2021 | sid: resolved, fixed in gitlab 15.10.8+ds1-2
Improper code rendering while rendering merge requests could be exploited to submit malicious code. This vulnerability affects GitLab CE/EE 9.3 and later through 13.11.6, 13.12.6, and 14.0.2.
Scope: local.

CVE-2021-39903 | MEDIUM | CVSS 6.5 | 2021 | sid: resolved, fixed in gitlab 15.10.8+ds1-2
In all versions of GitLab CE/EE since version 13.0, a privileged user, through an API call, can change the visibility level of a group or a project to a restricted option even after the instance administrator sets that visibility option as restricted in settings.
Scope: local.

CVE-2021-22172 | MEDIUM | CVSS 4.3 | 2021 | sid: resolved, fixed in gitlab 15.10.8+ds1-2
Improper authorization in GitLab 12.8+ allows a guest user in a private project to view tag data that should be inaccessible on the releases page.
Scope: local.

CVE-2021-39882 | MEDIUM | CVSS 5.3 | 2021 | sid: resolved, fixed in gitlab 15.10.8+ds1-2
In all versions of GitLab CE/EE, provided a user ID, anonymous users can use a few endpoints to retrieve information about any GitLab user.
Scope: local.

CVE-2021-22183 | MEDIUM | CVSS 4.1 | 2021 | sid: resolved, fixed in gitlab 15.10.8+ds1-2
An issue has been discovered in GitLab affecting all versions starting with 11.8. GitLab was vulnerable to a stored XSS in the epics page, which could be exploited with user interaction.
Scope: local.

CVE-2021-39933 | MEDIUM | CVSS 4.3 | 2021 | sid: resolved, fixed in gitlab 15.10.8+ds1-2
An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.10 before 14.3.6, all versions starting from 14.4 before 14.4.4, and all versions starting from 14.5 before 14.5.2. A regular expression used for handling user input (notes, comments, etc.) was susceptible to catastrophic backtracking that could cause a DoS attack.
Scope: local.

CVE-2021-22217 | MEDIUM | CVSS 6.5 | 2021 | sid: resolved, fixed in gitlab 15.10.8+ds1-2
A denial of service vulnerability in all versions of GitLab CE/EE before 13.12.2, 13.11.5 or 13.10.5 allows an attacker to cause uncontrolled resource consumption with a specially crafted issue or merge request.
Scope: local.

CVE-2021-39916 | MEDIUM | CVSS 4.3 | 2021 | sid: resolved, fixed in gitlab 15.10.8+ds1-2
Lack of an access control check in the External Status Check feature allowed any authenticated user to retrieve the configuration of any External Status Check in GitLab EE starting from 14.1 before 14.3.6, all versions starting from 14.4 before 14.4.4, and all versions starting from 14.5 before 14.5.2.
Scope: local.

CVE-2021-22225 | MEDIUM | CVSS 4.7 | 2021 | sid: resolved, fixed in gitlab 15.10.8+ds1-2
Insufficient input sanitization in markdown in GitLab version 13.11 and up allows an attacker to exploit a stored cross-site scripting vulnerability via specially-crafted markdown.
Scope: local.

CVE-2021-22229 | MEDIUM | CVSS 5.9 | 2021 | sid: resolved, fixed in gitlab 15.10.8+ds1-2
An issue has been discovered in GitLab CE/EE affecting all versions starting with 12.8. Under a special condition it was possible to access data of an internal repository through a project fork done by a project member.
Scope: local.

CVE-2021-22262 | MEDIUM | CVSS 5.4 | 2021 | sid: resolved, fixed in gitlab 15.10.8+ds1-2
Missing access control in all GitLab versions starting from 13.12 before 14.0.9, all versions starting from 14.1 before 14.1.4, and all versions starting from 14.2 before 14.2.2 with Jira Cloud integration enabled allows Jira users without administrative privileges to add and remove Jira Connect Namespaces via the GitLab.com for Jira Cloud application configuration.

CVE-2021-39869 | MEDIUM | CVSS 6.5 | 2021 | sid: resolved, fixed in gitlab 15.10.8+ds1-2
In all versions of GitLab CE/EE since version 8.9, project exports may expose trigger tokens configured on that project.
Scope: local.

CVE-2021-22247 | MEDIUM | CVSS 4.3 | 2021 | sid: resolved, fixed in gitlab 15.10.8+ds1-2
Improper authorization in GitLab CE/EE affecting all versions since 13.0 allows guests in private projects to view CI/CD analytics.
Scope: local.
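Every entry on this page is marked as resolved in Debian sid by gitlab 15.10.8+ds1-2, so the practical question for an operator is whether a given host's installed package version sorts at or above that one. The block below is an added example, not code from Debian, GitLab or the tracker behind this listing. It re-implements dpkg's version ordering (epoch, upstream version, Debian revision, with '~' sorting before everything) so an inventory can be checked without dpkg on the machine running the check. FIXED_SID is the value stated on this page; the hostnames and versions in SAMPLE_INVENTORY are constructed, and the function names are my own.

```python
"""Check installed Debian gitlab package versions against the sid fix version
listed on this page (15.10.8+ds1-2), using dpkg's own version ordering.

Added example; not Debian, GitLab or tracker code. The inventory is constructed.
"""

FIXED_SID = "15.10.8+ds1-2"  # fix version stated on this page for Debian sid


def _order(c: str) -> int:
    """dpkg character weight: end-of-string and digits are 0, letters their
    code point, '~' sorts below everything, other punctuation above letters."""
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _at(s: str, k: int) -> str:
    """Character at index k, or '' past the end (dpkg's NUL terminator)."""
    return s[k] if k < len(s) else ""


def _verrevcmp(a: str, b: str) -> int:
    """Compare one upstream-version or debian-revision string the dpkg way:
    alternate non-digit runs (by _order) and numeric runs (by value)."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: first differing character weight decides.
        while (_at(a, i) and not _at(a, i).isdigit()) or (_at(b, j) and not _at(b, j).isdigit()):
            oa, ob = _order(_at(a, i)), _order(_at(b, j))
            if oa != ob:
                return oa - ob
            i += 1
            j += 1
        # Numeric run: drop leading zeros; a longer run is larger, otherwise
        # the first differing digit decides.
        while _at(a, i) == "0":
            i += 1
        while _at(b, j) == "0":
            j += 1
        while _at(a, i).isdigit() and _at(b, j).isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if _at(a, i).isdigit():
            return 1
        if _at(b, j).isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version: str):
    """Split [epoch:]upstream[-revision]; the revision is after the last '-'."""
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as `dpkg --compare-versions` would order a and b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    c = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (c > 0) - (c < 0)


def is_vulnerable(installed: str, fixed: str = FIXED_SID) -> bool:
    """True when the installed version sorts below the fix version."""
    return compare_versions(installed, fixed) < 0


# Constructed inventory: hostname, then the two fields that
#   dpkg-query -W -f='${Package}\t${Version}\n' gitlab
# prints on each host. None of these hosts is real.
SAMPLE_INVENTORY = """\
build01\tgitlab\t15.10.8+ds1-2
build02\tgitlab\t15.10.8+ds1-1
ci-old\tgitlab\t14.4.1+ds1-1
bpo-host\tgitlab\t15.10.8+ds1-2~bpo11+1
fresh\tgitlab\t16.0.0+ds1-1
"""


def triage(inventory: str, fixed: str = FIXED_SID) -> dict:
    """Map host -> True when its gitlab package sorts below the fix version."""
    result = {}
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, package, version = line.split("\t")
        if package == "gitlab":
            result[host] = is_vulnerable(version, fixed)
    return result


if __name__ == "__main__":
    for host, vuln in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {'AFFECTED' if vuln else 'at or above fix'}")
```

Two caveats follow from the listing itself. The fix version is stated for sid only, so a host on another suite must be checked against that suite's own package changelog rather than this number. And a backport rebuilt from the fixed revision (the `~bpo` sample) sorts below 15.10.8+ds1-2 under dpkg rules, so this check flags it even though it may carry the fix; treat a "below fix" result as a prompt to read the package changelog, not as proof either way.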