Debian Gitlab vulnerabilities

1,325 known vulnerabilities affecting debian/gitlab.

Total CVEs: 1,325
CISA KEV: 4 (actively exploited)
Public exploits: 22
Exploited in wild: 2
Severity breakdown: CRITICAL 43 | HIGH 196 | MEDIUM 630 | LOW 456

Vulnerabilities

Page 42 of 67
CVE-2021-39914 | LOW | CVSS 3.1 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2021
[LOW] A regular expression denial of service issue in GitLab versions 8.13 to 14.2.5, 14.3.0 to 14.3.3 and 14.4.0 could cause excessive usage of resources when a specially crafted username was used when provisioning a new user
Scope: local | sid: resolved (fixed in 15.10.8+ds1-2) | source: debian

CVE-2021-39901 | LOW | CVSS 2.7 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2021
[LOW] In all versions of GitLab CE/EE since version 11.10, an admin of a group can see the SCIM token of that group by visiting a specific endpoint.
Scope: local | sid: resolved (fixed in 15.10.8+ds1-2) | source: debian

CVE-2021-22249 | LOW | CVSS 4.3 | 2021
[MEDIUM] A verbose error message in GitLab EE affecting all versions since 12.2 could disclose the private email address of a user invited to a group
Scope: local | sid: resolved | source: debian

CVE-2021-39898 | LOW | CVSS 3.7 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2021
[LOW] In all versions of GitLab CE/EE since version 10.6, a project export leaks the external webhook token value which may allow access to the project which it was exported from.
Scope: local | sid: resolved (fixed in 15.10.8+ds1-2) | source: debian

CVE-2021-39900 | LOW | CVSS 2.0 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2021
[LOW] Information disclosure from SendEntry in GitLab starting with 10.8 allowed exposure of full URL of artifacts stored in object-storage with a temporary availability via Rails logs.
Scope: local | sid: resolved (fixed in 15.10.8+ds1-2) | source: debian

CVE-2021-22193 | LOW | CVSS 3.5 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2021
[LOW] An issue has been discovered in GitLab affecting all versions starting with 7.1. A member of a private group was able to validate the use of a specific name for private project.
Scope: local | sid: resolved (fixed in 15.10.8+ds1-2) | source: debian

CVE-2021-22252 | LOW | CVSS 6.5 | 2021
[MEDIUM] A confusion between tag and branch names in GitLab CE/EE affecting all versions since 13.7 allowed a Developer to access protected CI variables which should only be accessible to Maintainers
Scope: local | sid: resolved | source: debian

CVE-2021-22254 | LOW | CVSS 3.1 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2021
[LOW] Under very specific conditions a user could be impersonated using Gitlab shell. This vulnerability affects GitLab CE/EE 13.1 and later through 14.1.2, 14.0.7 and 13.12.9.
Scope: local | sid: resolved (fixed in 15.10.8+ds1-2) | source: debian

CVE-2021-22169 | LOW | CVSS 4.3 | 2021
[MEDIUM] An issue was identified in GitLab EE 13.4 or later which leaked internal IP address via error messages.
Scope: local | sid: resolved | source: debian

CVE-2021-22233 | LOW | CVSS 4.3 | 2021
[MEDIUM] An information disclosure vulnerability in GitLab EE versions 13.10 and later allowed a user to read project details
Scope: local | sid: resolved | source: debian

CVE-2021-39936 | LOW | CVSS 3.5 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2021
[LOW] Improper access control in GitLab CE/EE affecting all versions starting from 10.7 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, allows an attacker in possession of a deploy token to access a project's disabled wiki.
Scope: local | sid: resolved (fixed in 15.10.8+ds1-2) | source: debian

CVE-2021-22218 | LOW | CVSS 2.6 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2021
[LOW] All versions of GitLab CE/EE starting from 12.8 before 13.10.5, all versions starting from 13.11 before 13.11.5, and all versions starting from 13.12 before 13.12.2 were affected by an issue in the handling of x509 certificates that could be used to spoof author of signed commits.
Scope: local | sid: resolved (fixed in 15.10.8+ds1-2) | source: debian

CVE-2021-22185 | LOW | CVSS 5.4 | 2021
[MEDIUM] Insufficient input sanitization in wikis in GitLab version 13.8 and up allows an attacker to exploit a stored cross-site scripting vulnerability via a specially-crafted commit to a wiki
Scope: local | sid: resolved | source: debian

CVE-2021-22211 | LOW | CVSS 3.1 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2021
[LOW] An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.7. GitLab Dependency Proxy, under certain circumstances, can impersonate a user resulting in possibly incorrect access handling.
Scope: local | sid: resolved (fixed in 15.10.8+ds1-2) | source: debian

CVE-2021-39885 | LOW | CVSS 8.7 | 2021
[HIGH] A Stored XSS in merge request creation page in all versions of Gitlab EE starting from 13.7 before 14.1.7, all versions starting from 14.2 before 14.2.5, and all versions starting from 14.3 before 14.3.1 allows an attacker to execute arbitrary JavaScript code on the victim's behalf via malicious approval rule names
Scope: local | sid: resolved | source: debian

CVE-2021-39890 | LOW | CVSS 3.1 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2021
[LOW] It was possible to bypass 2FA for LDAP users and access some specific pages with Basic Authentication in GitLab 14.1.1 and above.
Scope: local | sid: resolved (fixed in 15.10.8+ds1-2) | source: debian

CVE-2021-22231 | LOW | CVSS 3.5 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2021
[LOW] A denial of service in user's profile page is found starting with GitLab CE/EE 8.0 that allows attacker to reject access to their profile page via using a specially crafted username.
Scope: local | sid: resolved (fixed in 15.10.8+ds1-2) | source: debian

CVE-2021-22202 | LOW | CVSS 2.4 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2021
[LOW] An issue has been discovered in GitLab CE/EE affecting all previous versions. If the victim is an admin, it was possible to issue a CSRF in System hooks through the API.
Scope: local | sid: resolved (fixed in 15.10.8+ds1-2) | source: debian

CVE-2021-39884 | LOW | CVSS 4.3 | 2021
[MEDIUM] In all versions of GitLab EE since version 8.13, an endpoint discloses names of private groups that have access to a project to low privileged users that are part of that project.
Scope: local | sid: resolved | source: debian

CVE-2021-22253 | LOW | CVSS 4.9 | 2021
[MEDIUM] Improper authorization in GitLab EE affecting all versions since 13.4 allowed a user who previously had the necessary access to trigger deployments to protected environments under specific conditions after the access has been removed
Scope: local | sid: resolved | source: debian
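The entries above only become actionable once compared with the version of the gitlab package actually installed, and Debian version strings such as 15.10.8+ds1-2 do not sort correctly as plain strings or as dotted numbers. The script below is an added example, not code from this page, from Debian or from GitLab: it ports dpkg's version-comparison rules (epoch first, then upstream_version, then debian_revision, with digit runs compared numerically, letters sorting before other characters and '~' sorting before everything, including the end of the string) so the check can run on a host without python3-apt. The CVE lists are transcribed from this page; the sample installed version in the usage block is constructed. On a Debian host, `dpkg --compare-versions` and `dpkg-query -W -f='${Version}' gitlab` remain the authoritative reference.

```python
"""Compare an installed Debian gitlab version against the sid fix version
recorded on this page (added example; ports dpkg's comparison algorithm)."""
import sys

_DIGITS = "0123456789"


def _order(c):
    # Rank of a non-digit character, as in dpkg's order(): the empty string
    # and digits rank 0, '~' ranks below that, letters rank by code point and
    # every other character ranks above all letters.
    if c == "" or c in _DIGITS:
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _verrevcmp(a, b):
    # Compare one component (upstream_version or debian_revision) dpkg-style:
    # alternate between non-digit runs (via _order) and digit runs (numerically,
    # leading zeros ignored).
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and a[i] not in _DIGITS) or (j < len(b) and b[j] not in _DIGITS):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and a[i] in _DIGITS and b[j] in _DIGITS:
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i] in _DIGITS:
            return 1   # a has more digits in this run, so it is larger
        if j < len(b) and b[j] in _DIGITS:
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    # [epoch:]upstream_version[-debian_revision]; a missing epoch is 0 and a
    # missing revision compares equal to "0".
    epoch = 0
    if ":" in version:
        head, version = version.split(":", 1)
        epoch = int(head)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def _sign(n):
    return (n > 0) - (n < 0)


def deb_version_cmp(a, b):
    """Return -1, 0 or 1 as Debian version a is older than, equal to or newer than b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return _sign(ea - eb)
    c = _verrevcmp(ua, ub)
    if c:
        return _sign(c)
    return _sign(_verrevcmp(ra, rb))


# Transcribed from this page: the sid fix version and the CVEs it is recorded for.
FIXED_IN_SID = "15.10.8+ds1-2"
FIXED_CVES = ["CVE-2021-39914", "CVE-2021-39901", "CVE-2021-39898", "CVE-2021-39900",
              "CVE-2021-22193", "CVE-2021-22254", "CVE-2021-39936", "CVE-2021-22218",
              "CVE-2021-22211", "CVE-2021-39890", "CVE-2021-22231", "CVE-2021-22202"]
# Marked "sid: resolved" on this page with no fix version; confirm elsewhere.
RESOLVED_NO_VERSION = ["CVE-2021-22249", "CVE-2021-22252", "CVE-2021-22169", "CVE-2021-22233",
                       "CVE-2021-22185", "CVE-2021-39885", "CVE-2021-39884", "CVE-2021-22253"]


def unfixed_cves(installed):
    """CVEs from this page whose recorded fix version is newer than `installed`."""
    if deb_version_cmp(installed, FIXED_IN_SID) >= 0:
        return []
    return list(FIXED_CVES)


if __name__ == "__main__":
    # Pass the output of: dpkg-query -W -f='${Version}' gitlab
    installed = sys.argv[1] if len(sys.argv) > 1 else "15.10.8+ds1-1"  # constructed sample
    print("installed:", installed, "| fix recorded on this page:", FIXED_IN_SID)
    print("still unfixed:", unfixed_cves(installed) or "none")
    print("resolved without a version on this page:", RESOLVED_NO_VERSION)
```

The '~' rule is the one that trips up naive comparisons: a pre-release such as 15.10.8~rc1+ds1-1 must sort below 15.10.8+ds1-2, and the port handles that because '~' ranks below the end of the string. The eight CVEs listed without a fix version are reported here only as "resolved"; the script lists them separately rather than treating them as fixed at any particular version.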