Debian Gitlab vulnerabilities

1,325 known vulnerabilities affecting debian/gitlab.

Total CVEs: 1,325
CISA KEV: 4 (actively exploited)
Public exploits: 22
Exploited in wild: 2
Severity breakdown: CRITICAL 43, HIGH 196, MEDIUM 630, LOW 456

Vulnerabilities

Page 45 of 67
CVE-2020-10981 | MEDIUM | CVSS 4.3 | fixed in gitlab 13.2.3-2 (sid) | 2020
    GitLab EE/CE 9.0 to 12.9 allows a maintainer to modify other maintainers' pipeline trigger descriptions within the same project.
    Scope: local | sid: resolved (fixed in 13.2.3-2) | source: debian

CVE-2020-13319 | MEDIUM | CVSS 4.3 | fixed in gitlab 13.2.3-2 (sid) | 2020
    An issue has been discovered in GitLab affecting versions prior to 13.1.2, 13.0.8 and 12.10.13. Missing permission check for adding time spent on an issue.
    Scope: local | sid: resolved (fixed in 13.2.3-2) | source: debian

CVE-2020-13339 | MEDIUM | CVSS 5.5 | fixed in gitlab 13.2.10-1 (sid) | 2020
    An issue has been discovered in GitLab affecting all versions before 13.2.10, 13.3.7 and 13.4.2: XSS in SVG File Preview. Overall impact is limited because only the current user is affected.
    Scope: local | sid: resolved (fixed in 13.2.10-1) | source: debian

CVE-2020-10081 | MEDIUM | CVSS 6.5 | fixed in gitlab 12.6.8-3 (sid) | 2020
    GitLab before 12.8.2 has Incorrect Access Control. It was internally discovered that the LFS import process could potentially be used to incorrectly access LFS objects not owned by the user.
    Scope: local | sid: resolved (fixed in 12.6.8-3) | source: debian

CVE-2020-13344 | MEDIUM | CVSS 5.7 | fixed in gitlab 13.2.10-1 (sid) | 2020
    An issue has been discovered in GitLab affecting all versions prior to 13.2.10, 13.3.7 and 13.4.2. Session keys are stored in plain text in Redis, which allows an attacker with Redis access to authenticate as any user that has a session stored in Redis.
    Scope: local | sid: resolved (fixed in 13.2.10-1) | source: debian

CVE-2020-13313 | MEDIUM | CVSS 4.3 | fixed in gitlab 13.2.8-1 (sid) | 2020
    A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. An unauthorized project maintainer could edit the subgroup badges due to the lack of authorization control.
    Scope: local | sid: resolved (fixed in 13.2.8-1) | source: debian

CVE-2020-13338 | MEDIUM | CVSS 5.4 | fixed in gitlab 13.2.3-2 (sid) | 2020
    An issue has been discovered in GitLab affecting versions prior to 12.10.13, 13.0.8 and 13.1.2. A stored cross-site scripting vulnerability was discovered when editing references.
    Scope: local | sid: resolved (fixed in 13.2.3-2) | source: debian

CVE-2020-5197 | MEDIUM | CVSS 4.3 | fixed in gitlab 12.6.8-3 (sid) | 2020
    An issue was discovered in GitLab Community Edition (CE) and Enterprise Edition (EE) 5.1 through 12.6.1. It has Incorrect Access Control.
    Scope: local | sid: resolved (fixed in 12.6.8-3) | source: debian

CVE-2020-13294 | MEDIUM | CVSS 4.2 | fixed in gitlab 13.2.3-2 (sid) | 2020
    In GitLab before 13.0.12, 13.1.6 and 13.2.3, access grants were not revoked when a user revoked access to an application.
    Scope: local | sid: resolved (fixed in 13.2.3-2) | source: debian

CVE-2020-13358 | MEDIUM | CVSS 4.7 | fixed in gitlab 13.3.9-1 (sid) | 2020
    A vulnerability in the internal Kubernetes agent API in GitLab CE/EE version 13.3 and above allows unauthorized access to private projects. Affected versions are: >=13.4, =13.3, =13.5, <13.5.2.
    Scope: local | sid: resolved (fixed in 13.3.9-1) | source: debian

CVE-2020-13330 | MEDIUM | CVSS 4.4 | fixed in gitlab 13.2.3-2 (sid) | 2020
    An issue has been discovered in GitLab affecting versions prior to 12.10.13. GitLab was vulnerable to a stored XSS in the Bitbucket project import feature.
    Scope: local | sid: resolved (fixed in 13.2.3-2) | source: debian

CVE-2020-13324 | MEDIUM | CVSS 6.5 | fixed in gitlab 13.2.3-2 (sid) | 2020
    A vulnerability was discovered in GitLab versions prior to 13.1. Under certain conditions the private activity of a user could be exposed via the API.
    Scope: local | sid: resolved (fixed in 13.2.3-2) | source: debian

CVE-2020-10079 | MEDIUM | CVSS 5.3 | fixed in gitlab 12.6.8-3 (sid) | 2020
    GitLab 7.10 through 12.8.1 has Incorrect Access Control. Under certain conditions where users should have been required to configure two-factor authentication, it was not being required.
    Scope: local | sid: resolved (fixed in 12.6.8-3) | source: debian

CVE-2020-13293 | MEDIUM | CVSS 6.3 | fixed in gitlab 13.2.3-2 (sid) | 2020
    In GitLab before 13.0.12, 13.1.6 and 13.2.3, using a branch with a hexadecimal name could override an existing hash.
    Scope: local | sid: resolved (fixed in 13.2.3-2) | source: debian

CVE-2020-7973 | MEDIUM | CVSS 6.1 | fixed in gitlab 12.6.8-3 (sid) | 2020
    GitLab through 12.7.2 allows XSS.
    Scope: local | sid: resolved (fixed in 12.6.8-3) | source: debian

CVE-2020-13264 | MEDIUM | CVSS 5.3 | fixed in gitlab 13.2.3-2 (sid) | 2020
    Kubernetes cluster token disclosure in GitLab CE/EE 10.3 and later through 13.0.1 allows other group maintainers to view the Kubernetes cluster token.
    Scope: local | sid: resolved (fixed in 13.2.3-2) | source: debian

CVE-2020-13333 | MEDIUM | CVSS 4.3 | fixed in gitlab 13.2.10-1 (sid) | 2020
    A potential DoS vulnerability was discovered in GitLab versions 13.1, 13.2 and 13.3. The API to update an asset as a link from a release had a regex check which caused an exponential number of backtracks for certain user-supplied values, resulting in high CPU usage.
    Scope: local | sid: resolved (fixed in 13.2.10-1) | source: debian

CVE-2020-26409 | MEDIUM | CVSS 4.3 | fixed in gitlab 13.4.7-1 (sid) | 2020
    A DoS vulnerability exists in GitLab CE/EE >=10.3, <13.4.7, >=13.5, <13.5.5, >=13.6, <13.6.2 that allows an attacker to trigger uncontrolled resource use by bypassing input validation in markdown fields.
    Scope: local | sid: resolved (fixed in 13.4.7-1) | source: debian

CVE-2020-10090 | MEDIUM | CVSS 5.3 | fixed in gitlab 12.6.8-3 (sid) | 2020
    GitLab 11.7 through 12.8.1 allows Information Disclosure. Under certain group conditions, group epic information was unintentionally being disclosed.
    Scope: local | sid: resolved (fixed in 12.6.8-3) | source: debian

CVE-2020-13351 | MEDIUM | CVSS 6.5 | fixed in gitlab 13.3.9-1 (sid) | 2020
    Insufficient permission checks in the scheduled pipeline API in GitLab CE/EE 13.0+ allow an attacker to read variable names and values for scheduled pipelines on projects visible to the attacker. Affected versions are >=13.0, =13.4.0, =13.5.0, <13.5.2.
    Scope: local | sid: resolved (fixed in 13.3.9-1) | source: debian