Debian Gitlab vulnerabilities

1,325 known vulnerabilities affecting debian/gitlab.

Total CVEs: 1,325
CISA KEV: 4 (actively exploited)
Public exploits: 22
Exploited in wild: 2
Severity breakdown: CRITICAL 43, HIGH 196, MEDIUM 630, LOW 456

Vulnerabilities

Page 47 of 67
CVE-2020-26407 | MEDIUM | CVSS 5.5 | fixed in gitlab 13.4.7-1 (sid) | 2020
An XSS vulnerability exists in GitLab CE/EE from 12.4 before 13.4.7, 13.5 before 13.5.5, and 13.6 before 13.6.2 that allows an attacker to perform cross-site scripting against other users via importing a malicious project. Scope: local. sid: resolved (fixed in 13.4.7-1). Source: debian
CVE-2020-13301 | MEDIUM | CVSS 5.5 | fixed in gitlab 13.2.8-1 (sid) | 2020
A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. GitLab was vulnerable to a stored XSS on the standalone vulnerability page. Scope: local. sid: resolved (fixed in 13.2.8-1). Source: debian
CVE-2020-13317 | MEDIUM | CVSS 6.5 | fixed in gitlab 13.2.8-1 (sid) | 2020
A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8, and 13.3.4. An insufficient check in the GraphQL API allowed a maintainer to delete a repository. Scope: local. sid: resolved (fixed in 13.2.8-1). Source: debian
CVE-2020-13346 | MEDIUM | CVSS 6.5 | fixed in gitlab 13.2.10-1 (sid) | 2020
Membership changes are not reflected in ToDo subscriptions in GitLab versions prior to 13.2.10, 13.3.7 and 13.4.2, allowing guest users to access confidential issues through the API. Scope: local. sid: resolved (fixed in 13.2.10-1). Source: debian
CVE-2020-13296 | MEDIUM | CVSS 6.5 | fixed in gitlab 13.2.6-1 (sid) | 2020
An issue has been discovered in GitLab affecting versions >=10.7 <13.0.14, >=13.1.0 <…, >=13.2.0 <13.2.6. Improper Access Control for Deploy Tokens. Scope: local. sid: resolved (fixed in 13.2.6-1). Source: debian
CVE-2020-10975 | MEDIUM | CVSS 4.3 | fixed in gitlab 13.2.3-2 (sid) | 2020
GitLab EE/CE 10.8 to 12.9 is leaking metadata and comments on vulnerabilities to unauthorized users on the vulnerability feedback page. Scope: local. sid: resolved (fixed in 13.2.3-2). Source: debian
CVE-2020-10979 | MEDIUM | CVSS 4.3 | fixed in gitlab 13.2.3-2 (sid) | 2020
GitLab EE/CE 11.10 to 12.9 is leaking information on restricted CI pipeline metrics to unauthorized users. Scope: local. sid: resolved (fixed in 13.2.3-2). Source: debian
CVE-2020-12276 | MEDIUM | CVSS 4.8 | fixed in gitlab 13.2.3-2 (sid) | 2020
GitLab 9.5.9 through 12.9 is vulnerable to stored XSS in an admin notification feature. Scope: local. sid: resolved (fixed in 13.2.3-2). Source: debian
CVE-2020-13280 | MEDIUM | CVSS 6.5 | fixed in gitlab 13.2.3-2 (sid) | 2020
For GitLab before 13.0.12, 13.1.6, 13.2.3 a memory exhaustion flaw exists due to excessive logging of an invite email error message. Scope: local. sid: resolved (fixed in 13.2.3-2). Source: debian
CVE-2020-13320 | MEDIUM | CVSS 6.5 | fixed in gitlab 13.2.3-2 (sid) | 2020
An issue has been discovered in GitLab before version 12.10.13 that allowed a project member with limited permissions to view the project security dashboard. Scope: local. sid: resolved (fixed in 13.2.3-2). Source: debian
CVE-2020-10955 | MEDIUM | CVSS 6.5 | fixed in gitlab 13.2.3-2 (sid) | 2020
GitLab EE/CE 11.1 through 12.9 is vulnerable to parameter tampering on an upload feature that allows an unauthorized user to read content available under specific folders. Scope: local. sid: resolved (fixed in 13.2.3-2). Source: debian
CVE-2020-10080 | MEDIUM | CVSS 5.3 | fixed in gitlab 12.6.8-3 (sid) | 2020
GitLab 8.3 through 12.8.1 allows Information Disclosure. It was possible for certain non-members to access the Contribution Analytics page of a private group. Scope: local. sid: resolved (fixed in 12.6.8-3). Source: debian
CVE-2020-13281 | MEDIUM | CVSS 6.5 | fixed in gitlab 13.2.3-2 (sid) | 2020
For GitLab before 13.0.12, 13.1.6, 13.2.3 a denial of service exists in the project import feature. Scope: local. sid: resolved (fixed in 13.2.3-2). Source: debian
CVE-2020-13318 | MEDIUM | CVSS 6.4 | fixed in gitlab 13.2.8-1 (sid) | 2020
A vulnerability was discovered in GitLab versions before 13.0.12, 13.1.10, 13.2.8 and 13.3.4. GitLab's EKS integration was vulnerable to a cross-account assume role attack. Scope: local. sid: resolved (fixed in 13.2.8-1). Source: debian
CVE-2020-13277 | MEDIUM | CVSS 6.3 | fixed in gitlab 13.2.3-2 (sid) | 2020
An authorization issue in the mirroring logic allowed read access to private repositories in GitLab CE/EE 10.6 and later through 13.0.5. Scope: local. sid: resolved (fixed in 13.2.3-2). Source: debian
CVE-2020-10086 | MEDIUM | CVSS 5.3 | fixed in gitlab 12.6.8-3 (sid) | 2020
GitLab 10.4 through 12.8.1 allows Directory Traversal. A particular endpoint was vulnerable to a directory traversal vulnerability, leading to arbitrary file read. Scope: local. sid: resolved (fixed in 12.6.8-3). Source: debian
CVE-2020-13345 | MEDIUM | CVSS 5.5 | fixed in gitlab 13.2.10-1 (sid) | 2020
An issue has been discovered in GitLab affecting all versions starting from 10.8. Reflected XSS on Multiple Routes. Scope: local. sid: resolved (fixed in 13.2.10-1). Source: debian
CVE-2020-13287 | MEDIUM | CVSS 4.3 | fixed in gitlab 13.2.8-1 (sid) | 2020
A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. Project reporters and above could see a confidential EPIC attached to confidential issues. Scope: local. sid: resolved (fixed in 13.2.8-1). Source: debian
CVE-2020-13284 | MEDIUM | CVSS 6.5 | fixed in gitlab 13.2.8-1 (sid) | 2020
A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. API Authorization Using Outdated CI Job Token. Scope: local. sid: resolved (fixed in 13.2.8-1). Source: debian
CVE-2020-26417 | MEDIUM | CVSS 5.3 | fixed in gitlab 13.4.7-1 (sid) | 2020
Information disclosure via GraphQL in GitLab CE/EE 13.1 and later exposes private group and project membership. This affects versions >=13.6 to <…, >=13.5 to <…, >=13.1 to <13.4.7. Scope: local. sid: resolved (fixed in 13.4.7-1). Source: debian