Debian Gitlab vulnerabilities
1,325 known vulnerabilities affecting debian/gitlab.
Total CVEs: 1,325
CISA KEV: 4 (actively exploited)
Public exploits: 22
Exploited in wild: 2
Severity breakdown: CRITICAL 43, HIGH 196, MEDIUM 630, LOW 456
Vulnerabilities
Page 46 of 67
CVE-2020-13271 (debian) | MEDIUM | CVSS 6.1 | fixed in gitlab 13.2.3-2 (sid) | 2020
A Stored Cross-Site Scripting vulnerability allowed the execution of arbitrary Javascript code in the blobs API in all previous GitLab CE/EE versions through 13.0.1.
Scope: local
sid: resolved (fixed in 13.2.3-2)
CVE-2020-13335 (debian) | MEDIUM | CVSS 4.3 | fixed in gitlab 13.2.10-1 (sid) | 2020
Improper group membership validation when deleting a user account in GitLab >=7.12 allows a user to delete own account without deleting/transferring their group.
Scope: local
sid: resolved (fixed in 13.2.10-1)
CVE-2020-13357 (debian) | MEDIUM | CVSS 4.3 | fixed in gitlab 13.4.7-1 (sid) | 2020
An issue was discovered in Gitlab CE/EE versions >= 13.1 to <13.4.7, >= 13.5 to <[upper bound lost in extraction], >= 13.6 to <13.6.2 that allowed an unauthorized user to access the user list corresponding to a feature flag in a project.
Scope: local
sid: resolved (fixed in 13.4.7-1)
CVE-2020-13289 (debian) | MEDIUM | CVSS 5.4 | fixed in gitlab 13.2.8-1 (sid) | 2020
A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. In certain cases an invalid username could be accepted when 2FA is activated.
Scope: local
sid: resolved (fixed in 13.2.8-1)
CVE-2020-26414 (debian) | MEDIUM | CVSS 4.3 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2020
An issue has been discovered in GitLab affecting all versions starting from 12.4. The regex used for package names is written in a way that makes execution time have quadratic growth based on the length of the malicious input string.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
CVE-2020-13328 (debian) | MEDIUM | CVSS 4.8 | fixed in gitlab 13.2.3-2 (sid) | 2020
An issue has been discovered in GitLab affecting versions prior to 13.1.2, 13.0.8 and 12.10.13. GitLab was vulnerable to a stored XSS by using the PyPi files API.
Scope: local
sid: resolved (fixed in 13.2.3-2)
CVE-2020-13326 (debian) | MEDIUM | CVSS 4.3 | fixed in gitlab 13.2.3-2 (sid) | 2020
A vulnerability was discovered in GitLab versions prior to 13.1. Under certain conditions the restriction for Github project import could be bypassed.
Scope: local
sid: resolved (fixed in 13.2.3-2)
CVE-2020-13329 (debian) | MEDIUM | CVSS 6.5 | fixed in gitlab 13.2.3-2 (sid) | 2020
An issue has been discovered in GitLab affecting versions from 12.6.2 prior to 12.10.13. GitLab was vulnerable to a stored XSS in the blob view feature.
Scope: local
sid: resolved (fixed in 13.2.3-2)
CVE-2020-10978 (debian) | MEDIUM | CVSS 5.3 | fixed in gitlab 13.2.3-2 (sid) | 2020
GitLab EE/CE 8.11 to 12.9 is leaking information on Issues opened in a public project and then moved to a private project through Web-UI and GraphQL API.
Scope: local
sid: resolved (fixed in 13.2.3-2)
CVE-2020-10977 (debian) | MEDIUM | CVSS 5.5 | PoC | fixed in gitlab 13.2.3-2 (sid) | 2020
GitLab EE/CE 8.5 to 12.9 is vulnerable to a path traversal when moving an issue between projects.
Scope: local
sid: resolved (fixed in 13.2.3-2)
CVE-2020-13334 (debian) | MEDIUM | CVSS 5.9 | fixed in gitlab 13.2.10-1 (sid) | 2020
In GitLab versions prior to 13.2.10, 13.3.7 and 13.4.2, improper authorization checks allow a non-member of a project/group to change the confidentiality attribute of an issue via a GraphQL mutation query.
Scope: local
sid: resolved (fixed in 13.2.10-1)
CVE-2020-10952 (debian) | MEDIUM | CVSS 6.5 | fixed in gitlab 13.2.3-2 (sid) | 2020
GitLab EE/CE 8.11 through 12.9.1 allows blocked users to pull/push docker images.
Scope: local
sid: resolved (fixed in 13.2.3-2)
CVE-2020-10091 (debian) | MEDIUM | CVSS 6.1 | fixed in gitlab 12.6.8-3 (sid) | 2020
GitLab 9.3 through 12.8.1 allows XSS. A cross-site scripting vulnerability was found when viewing particular file types.
Scope: local
sid: resolved (fixed in 12.6.8-3)
CVE-2020-12275 (debian) | MEDIUM | CVSS 5.3 | fixed in gitlab 13.2.3-2 (sid) | 2020
GitLab 12.6 through 12.9 is vulnerable to a privilege escalation that allows an external user to create a personal snippet through the API.
Scope: local
sid: resolved (fixed in 13.2.3-2)
CVE-2020-13310 (debian) | MEDIUM | CVSS 6.5 | fixed in gitlab 13.2.8-1 (sid) | 2020
A vulnerability was discovered in GitLab runner versions before 13.1.3, 13.2.3 and 13.3.1. It was possible to make the gitlab-runner process crash by sending malformed queries, resulting in a denial of service.
Scope: local
sid: resolved (fixed in 13.2.8-1)
CVE-2020-26415 (debian) | MEDIUM | CVSS 4.3 | fixed in gitlab 13.4.7-1 (sid) | 2020
Information about the starred projects for private user profiles was exposed via the GraphQL API starting from 12.2 via the REST API. This affects GitLab >=12.2 to <[upper bound lost in extraction], >=13.5 to <[upper bound lost in extraction], >=13.6 to <13.6.2.
Scope: local
sid: resolved (fixed in 13.4.7-1)
CVE-2020-13341 (debian) | MEDIUM | CVSS 4.9 | fixed in gitlab 13.2.10-1 (sid) | 2020
An issue has been discovered in GitLab affecting all versions prior to 13.2.10, 13.3.7 and 13.4.2. An insufficient permission check allows an attacker with the developer role to perform various deletions.
Scope: local
sid: resolved (fixed in 13.2.10-1)
CVE-2020-26408 (debian) | MEDIUM | CVSS 5.3 | fixed in gitlab 13.4.7-1 (sid) | 2020
A limited information disclosure vulnerability exists in Gitlab CE/EE from >= 12.2 to <[upper bound lost in extraction], >= 13.5 to <[upper bound lost in extraction], >= 13.6 to <13.6.2 that allows an attacker to view limited information in a user's private profile.
Scope: local
sid: resolved (fixed in 13.4.7-1)
CVE-2020-13311 (debian) | MEDIUM | CVSS 4.3 | fixed in gitlab 13.2.8-1 (sid) | 2020
A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. Wiki was vulnerable to a parser attack that prohibits anyone from accessing the Wiki functionality through the user interface.
Scope: local
sid: resolved (fixed in 13.2.8-1)
CVE-2020-12277 (debian) | MEDIUM | CVSS 5.3 | fixed in gitlab 13.2.3-2 (sid) | 2020
GitLab 10.8 through 12.9 has a vulnerability that allows someone to mirror a repository even if the feature is not activated.
Scope: local
sid: resolved (fixed in 13.2.3-2)