Debian Gitlab vulnerabilities

1,325 known vulnerabilities affecting debian/gitlab.

Total CVEs: 1,325
CISA KEV: 4 (actively exploited)
Public exploits: 22
Exploited in wild: 2
Severity breakdown: CRITICAL 43, HIGH 196, MEDIUM 630, LOW 456

Vulnerabilities

Page 41 of 67
CVE-2021-22248 | LOW | CVSS 5.3 (MEDIUM) | 2021 | scope: local | sid: resolved
    Improper authorization on the pipelines page in GitLab CE/EE affecting all versions since 13.12 allowed unauthorized users to view some pipeline information for public projects that have access to pipelines restricted to members only.
CVE-2021-39910 | LOW | CVSS 2.6 (LOW) | 2021 | scope: local | sid: resolved (fixed in gitlab 15.10.8+ds1-2)
    An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.6 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. GitLab was vulnerable to HTML Injection through the Swagger UI feature.
CVE-2021-22197 | LOW | CVSS 3.5 (LOW) | 2021 | scope: local | sid: resolved (fixed in gitlab 15.10.8+ds1-2)
    An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.6 where an infinite loop exists when an authenticated user with specific rights accesses an MR having source and target branch pointing to each other.
CVE-2021-39938 | LOW | CVSS 3.1 (LOW) | 2021 | scope: local | sid: resolved (fixed in gitlab 15.10.8+ds1-2)
    A vulnerable regular expression pattern in GitLab CE/EE since version 8.15 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, allows an attacker to cause uncontrolled resource consumption leading to Denial of Service via specially crafted deploy Slash commands.
CVE-2021-22215 | LOW | CVSS 7.5 (HIGH) | 2021 | scope: local | sid: resolved
    An information disclosure vulnerability in GitLab EE versions 13.11 and later allowed a project owner to leak information about the members' on-call rotations in other projects.
CVE-2021-39941 | LOW | CVSS 3.7 (LOW) | 2021 | scope: local | sid: resolved (fixed in gitlab 15.10.8+ds1-2)
    An information disclosure vulnerability in GitLab CE/EE versions 12.0 to 14.3.6, 14.4 to 14.4.4, and 14.5 to 14.5.2 allowed non-project members to see the default branch name for projects that restrict access to the repository to project members.
CVE-2021-22251 | LOW | CVSS 4.3 (MEDIUM) | 2021 | scope: local | sid: resolved
    Improper validation of invited users' email address in GitLab EE affecting all versions since 12.2 allowed projects to add members with an email address domain that should be blocked by group settings.
CVE-2021-39911 | LOW | CVSS 1.7 (LOW) | 2021 | scope: local | sid: resolved (fixed in gitlab 15.10.8+ds1-2)
    An improper access control flaw in all versions of GitLab CE/EE starting from 13.9 before 14.2.6, all versions starting from 14.3 before 14.3.4, and all versions starting from 14.4 before 14.4.1 exposes the private email address of Issue and Merge Request assignees to Webhook data consumers.
CVE-2021-22199 | LOW | CVSS 3.5 (LOW) | 2021 | scope: local | sid: resolved (fixed in gitlab 15.10.8+ds1-2)
    An issue has been discovered in GitLab affecting all versions starting with 12.9. GitLab was vulnerable to a stored XSS if scoped labels were used.
CVE-2021-39927 | LOW | CVSS 3.5 (LOW) | 2021 | scope: local | sid: resolved (fixed in gitlab 15.10.8+ds1-2)
    Server side request forgery protections in GitLab CE/EE versions between 8.4 and 14.4.4, between 14.5.0 and 14.5.2, and between 14.6.0 and 14.6.1 would fail to protect against attacks sending requests to localhost on port 80 or 443 if GitLab was configured to run on a port other than 80 or 443.
CVE-2021-22182 | LOW | CVSS 3.5 (LOW) | 2021 | scope: local | sid: resolved
    An issue has been discovered in GitLab affecting all versions starting with 13.7. GitLab was vulnerable to a stored XSS in merge requests.
CVE-2021-39888 | LOW | CVSS 4.3 (MEDIUM) | 2021 | scope: local | sid: resolved
    In all versions of GitLab EE starting from 13.10 before 14.1.7, all versions starting from 14.2 before 14.2.5, and all versions starting from 14.3 before 14.3.1 a specific API endpoint may reveal details about a private group and other sensitive info inside issue and merge request templates.
CVE-2021-39889 | LOW | CVSS 4.3 (MEDIUM) | 2021 | scope: local | sid: resolved
    In all versions of GitLab EE since version 14.1, due to an insecure direct object reference vulnerability, an endpoint may reveal the protected branch name to a malicious user who makes a crafted API call with the ID of the protected branch.
CVE-2021-39881 | LOW | CVSS 3.5 (LOW) | 2021 | scope: local | sid: resolved (fixed in gitlab 15.10.8+ds1-2)
    In all versions of GitLab CE/EE since version 7.7, the application may let a malicious user create an OAuth client application with arbitrary scope names, which may allow the malicious user to trick unsuspecting users into authorizing the malicious client application using the spoofed scope name and description.
CVE-2021-39909 | LOW | CVSS 5.3 (MEDIUM) | 2021 | scope: local | sid: resolved
    Lack of email address ownership verification in the CODEOWNERS feature in all versions of GitLab EE starting from 11.3 before 14.2.6, all versions starting from 14.3 before 14.3.4, and all versions starting from 14.4 before 14.4.1 allows an attacker to bypass the CODEOWNERS Merge Request approval requirement under rare circumstances.
CVE-2021-39918 | LOW | CVSS 3.1 (LOW) | 2021 | scope: local | sid: resolved (fixed in gitlab 15.10.8+ds1-2)
    Incorrect Authorization in GitLab EE affecting all versions starting from 11.1 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, allows a user to add comments to a vulnerability which cannot be accessed.
CVE-2021-22166 | LOW | CVSS 5.3 (MEDIUM) | 2021 | scope: local | sid: resolved
    An attacker could cause a Prometheus denial of service in GitLab 13.7+ by sending an HTTP request with a malformed method.
CVE-2021-22240 | LOW | CVSS 4.2 (MEDIUM) | 2021 | scope: local | sid: resolved
    Improper access control in GitLab EE versions 13.11.6, 13.12.6, and 14.0.2 allows users to be created via single sign-on despite the user cap being enabled.
CVE-2021-22245 | LOW | CVSS 2.7 (LOW) | 2021 | scope: local | sid: resolved (fixed in gitlab 15.10.8+ds1-2)
    Improper validation of commit author in GitLab CE/EE affecting all versions allowed an attacker to make several pages in a project impossible to view.
CVE-2021-22244 | LOW | CVSS 3.1 (LOW) | 2021 | scope: local | sid: resolved
    Improper authorization in the vulnerability report feature in GitLab EE affecting all versions since 13.1 allowed a reporter to access vulnerability data.