Debian Gitlab vulnerabilities
1,325 known vulnerabilities affecting debian/gitlab.

Total CVEs: 1,325
CISA KEV (actively exploited): 4
Public exploits: 22
Exploited in wild: 2

Severity breakdown: CRITICAL 43, HIGH 196, MEDIUM 630, LOW 456
Vulnerabilities
Page 44 of 67
CVE-2020-10954 | HIGH | CVSS 7.5 | fixed in gitlab 13.2.3-2 (sid) | 2020
GitLab through 12.9 is affected by a potential DoS in repository archive download.
Scope: local
sid: resolved (fixed in 13.2.3-2)
Package: debian/gitlab

CVE-2020-7968 | HIGH | CVSS 7.5 | fixed in gitlab 12.6.8-3 (sid) | 2020
GitLab EE 8.0 through 12.7.2 has Incorrect Access Control.
Scope: local
sid: resolved (fixed in 12.6.8-3)
Package: debian/gitlab

CVE-2020-13325 | HIGH | CVSS 7.1 | fixed in gitlab 13.2.3-2 (sid) | 2020
A vulnerability was discovered in GitLab versions prior to 13.1. The comment section of the issue page was not restricting the characters properly, potentially resulting in a denial of service.
Scope: local
sid: resolved (fixed in 13.2.3-2)
Package: debian/gitlab

CVE-2020-13299 | HIGH | CVSS 8.1 | fixed in gitlab 13.2.8-1 (sid) | 2020
A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. The revocation feature was not revoking all session tokens, and one could re-use a token to obtain a valid session.
Scope: local
sid: resolved (fixed in 13.2.8-1)
Package: debian/gitlab

CVE-2020-13321 | HIGH | CVSS 8.3 | fixed in gitlab 13.2.3-2 (sid) | 2020
A vulnerability was discovered in GitLab versions prior to 13.1. Username format restrictions could be bypassed, allowing HTML tags to be added.
Scope: local
sid: resolved (fixed in 13.2.3-2)
Package: debian/gitlab

CVE-2020-26405 | HIGH | CVSS 7.1 | fixed in gitlab 13.3.9-1 (sid) | 2020
Path traversal vulnerability in package upload functionality in GitLab CE/EE starting from 12.8 allows an attacker to save packages in arbitrary locations. Affected versions are >=12.8, <13.3.9; >=13.4, <13.4.5; >=13.5, <13.5.2.
Scope: local
sid: resolved (fixed in 13.3.9-1)
Package: debian/gitlab

CVE-2020-13343 | HIGH | CVSS 7.5 | fixed in gitlab 13.2.10-1 (sid) | 2020
An issue has been discovered in GitLab affecting all versions starting from 11.2. Unauthorized users can view custom project templates.
Scope: local
sid: resolved (fixed in 13.2.10-1)
Package: debian/gitlab

CVE-2020-13322 | HIGH | CVSS 7.2 | fixed in gitlab 13.2.3-2 (sid) | 2020
A vulnerability was discovered in GitLab versions after 12.9. Due to improper verification of permissions, an unauthorized user can create and delete deploy tokens.
Scope: local
sid: resolved (fixed in 13.2.3-2)
Package: debian/gitlab

CVE-2020-13323 | HIGH | CVSS 7.7 | fixed in gitlab 13.2.3-2 (sid) | 2020
A vulnerability was discovered in GitLab versions prior to 13.1. Under certain conditions, private merge requests could be read via Todos.
Scope: local
sid: resolved (fixed in 13.2.3-2)
Package: debian/gitlab

CVE-2020-10976 | HIGH | CVSS 7.5 | fixed in gitlab 13.2.3-2 (sid) | 2020
GitLab EE/CE 8.17 to 12.9 is vulnerable to information leakage when querying a merge request widget.
Scope: local
sid: resolved (fixed in 13.2.3-2)
Package: debian/gitlab

CVE-2020-13303 | HIGH | CVSS 7.1 | fixed in gitlab 13.2.8-1 (sid) | 2020
A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. Due to improper verification of permissions, an unauthorized user can access a private repository within a public project.
Scope: local
sid: resolved (fixed in 13.2.8-1)
Package: debian/gitlab

CVE-2020-11506 | HIGH | CVSS 7.5 | fixed in gitlab 13.2.3-2 (sid) | 2020
An issue was discovered in GitLab 10.7.0 and later through 12.9.2. A Workhorse bypass could lead to job artifact uploads and file disclosure (Exposure of Sensitive Information) via request smuggling.
Scope: local
sid: resolved (fixed in 13.2.3-2)
Package: debian/gitlab

CVE-2020-13300 | HIGH | CVSS 8.0 | fixed in gitlab 13.2.8-1 (sid) | 2020
GitLab CE/EE version 13.3 prior to 13.3.4 was vulnerable to an OAuth authorization scope change without user consent in the middle of the authorization flow.
Scope: local
sid: resolved (fixed in 13.2.8-1)
Package: debian/gitlab

CVE-2020-13355 | HIGH | CVSS 7.5 | fixed in gitlab 13.3.9-1 (sid) | 2020
An issue has been discovered in GitLab CE/EE affecting all versions starting from 8.14. A path traversal was found in LFS Upload that allows an attacker to overwrite certain specific paths on the server. Affected versions are >=8.14, <13.3.9; >=13.4, <13.4.5; >=13.5, <13.5.2.
Scope: local
sid: resolved (fixed in 13.3.9-1)
Package: debian/gitlab

CVE-2020-13270 | HIGH | CVSS 7.5 | fixed in gitlab 13.2.3-2 (sid) | 2020
Missing permission check on fork relation creation in GitLab CE/EE 11.3 and later through 13.0.1 allows guest users to create a fork relation on restricted public projects via the API.
Scope: local
sid: resolved (fixed in 13.2.3-2)
Package: debian/gitlab

CVE-2020-13276 | HIGH | CVSS 7.4 | fixed in gitlab 13.2.3-2 (sid) | 2020
A user is allowed to set an email as a notification email without verifying the new email in all previous GitLab CE/EE versions through 13.0.1.
Scope: local
sid: resolved (fixed in 13.2.3-2)
Package: debian/gitlab

CVE-2020-13283 | HIGH | CVSS 7.3 | fixed in gitlab 13.2.3-2 (sid) | 2020
For GitLab before 13.0.12, 13.1.6 and 13.2.3, a cross-site scripting vulnerability exists in the issues list via milestone title.
Scope: local
sid: resolved (fixed in 13.2.3-2)
Package: debian/gitlab

CVE-2020-13290 | HIGH | CVSS 7.5 | fixed in gitlab 13.2.3-2 (sid) | 2020
In GitLab before 13.0.12, 13.1.6 and 13.2.3, improper access control was used on the Applications page.
Scope: local
sid: resolved (fixed in 13.2.3-2)
Package: debian/gitlab

CVE-2020-13298 | HIGH | CVSS 7.2 | fixed in gitlab 13.2.8-1 (sid) | 2020
A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. Conan package upload functionality was not properly validating the supplied parameters, which resulted in limited file disclosure.
Scope: local
sid: resolved (fixed in 13.2.8-1)
Package: debian/gitlab

CVE-2020-26413 | MEDIUM | CVSS 5.3 | PoC available | fixed in gitlab 13.4.7-1 (sid) | 2020
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.4 before 13.6.2. Information disclosure via GraphQL results in user email being unexpectedly visible.
Scope: local
sid: resolved (fixed in 13.4.7-1)
Package: debian/gitlab
