Debian Gitlab vulnerabilities

CVE-2020-13316 [MEDIUM] CVE-2020-13316: gitlab - A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.... A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. GitLab was not validating a Deploy-Token and allowed a disabled repository be accessible via a git command line. Scope: local sid: resolved (fixed in 13.2.8-1)

CVE-2020-13312 [MEDIUM] CVE-2020-13312: gitlab - A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.... A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. GitLab OAuth endpoint was vulnerable to brute-force attacks through a specific parameter. Scope: local sid: resolved (fixed in 13.2.8-1)

CVE-2020-11649 [MEDIUM] CVE-2020-11649: gitlab - An issue was discovered in GitLab CE and EE 8.15 through 12.9.2. Members of a gr... An issue was discovered in GitLab CE and EE 8.15 through 12.9.2. Members of a group could still have access after the group is deleted. Scope: local sid: resolved (fixed in 13.2.3-2)

CVE-2020-13331 [MEDIUM] CVE-2020-13331: gitlab - An issue has been discovered in GitLab affecting versions prior to 12.10.13. Git... An issue has been discovered in GitLab affecting versions prior to 12.10.13. GitLab was vulnerable to a stored XSS by in the Wiki pasges. Scope: local sid: resolved (fixed in 13.2.3-2)

CVE-2020-26411 [MEDIUM] CVE-2020-26411: gitlab - A potential DOS vulnerability was discovered in all versions of Gitlab starting ... A potential DOS vulnerability was discovered in all versions of Gitlab starting from 13.4.x (>=13.4 to =13.5 to =13.6 to <13.6.2). Using a specific query name for a project search can cause statement timeouts that can lead to a potential DOS if abused. Scope: local sid: resolved (fixed in 13.4.7-1)

CVE-2020-13309 [MEDIUM] CVE-2020-13309: gitlab - A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.... A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. GitLab was vulnerable to a blind SSRF attack through the repository mirroring feature. Scope: local sid: resolved (fixed in 13.2.8-1)

CVE-2020-13354 [MEDIUM] CVE-2020-13354: gitlab - A potential DOS vulnerability was discovered in GitLab CE/EE starting with versi... A potential DOS vulnerability was discovered in GitLab CE/EE starting with version 12.6. The container registry name check could cause exponential number of backtracks for certain user supplied values resulting in high CPU usage. Affected versions are: >=12.6, <13.3.9. Scope: local sid: resolved (fixed in 13.3.9-1)

CVE-2020-10953 [HIGH] CVE-2020-10953: gitlab - In GitLab EE 11.7 through 12.9, the NPM feature is vulnerable to a path traversa... In GitLab EE 11.7 through 12.9, the NPM feature is vulnerable to a path traversal issue. Scope: local sid: resolved

CVE-2020-13261 [MEDIUM] CVE-2020-13261: gitlab - Amazon EKS credentials disclosure in GitLab CE/EE 12.6 and later through 13.0.1 ... Amazon EKS credentials disclosure in GitLab CE/EE 12.6 and later through 13.0.1 allows other administrators to view Amazon EKS credentials via HTML source code Scope: local sid: resolved

CVE-2020-10077 [CRITICAL] CVE-2020-10077: gitlab - GitLab EE 3.0 through 12.8.1 allows SSRF. An internal investigation revealed tha... GitLab EE 3.0 through 12.8.1 allows SSRF. An internal investigation revealed that a particular deprecated service was creating a server side request forgery risk. Scope: local sid: resolved

CVE-2020-10092 [MEDIUM] CVE-2020-10092: gitlab - GitLab 12.1 through 12.8.1 allows XSS. A cross-site scripting vulnerability was ... GitLab 12.1 through 12.8.1 allows XSS. A cross-site scripting vulnerability was present in a particular view relating to the Grafana integration. Scope: local sid: resolved

CVE-2020-13262 [MEDIUM] CVE-2020-13262: gitlab - Client-Side code injection through Mermaid markup in GitLab CE/EE 12.9 and later... Client-Side code injection through Mermaid markup in GitLab CE/EE 12.9 and later through 13.0.1 allows a specially crafted Mermaid payload to PUT requests on behalf of other users via clicking on a link Scope: local sid: resolved

CVE-2020-8795 [HIGH] CVE-2020-8795: gitlab - In GitLab Enterprise Edition (EE) 12.5.0 through 12.7.5, sharing a group with a ... In GitLab Enterprise Edition (EE) 12.5.0 through 12.7.5, sharing a group with a group could grant project access to unauthorized users. Scope: local sid: resolved

CVE-2020-13263 [HIGH] CVE-2020-13263: gitlab - An authorization issue relating to project maintainer impersonation was identifi... An authorization issue relating to project maintainer impersonation was identified in GitLab EE 9.5 and later through 13.0.1 that could allow unauthorized users to impersonate as a maintainer to perform limited actions. Scope: local sid: resolved

CVE-2020-15525 [MEDIUM] CVE-2020-15525: gitlab - GitLab EE 11.3 through 13.1.2 has Incorrect Access Control because of the Maven ... GitLab EE 11.3 through 13.1.2 has Incorrect Access Control because of the Maven package upload endpoint. Scope: local sid: resolved

CVE-2020-10076 [MEDIUM] CVE-2020-10076: gitlab - GitLab 12.1 through 12.8.1 allows XSS. A stored cross-site scripting vulnerabili... GitLab 12.1 through 12.8.1 allows XSS. A stored cross-site scripting vulnerability was discovered when displaying merge requests. Scope: local sid: resolved

CVE-2020-7974 [MEDIUM] CVE-2020-7974: gitlab - GitLab EE 10.1 through 12.7.2 allows Information Disclosure. GitLab EE 10.1 through 12.7.2 allows Information Disclosure. Scope: local sid: resolved

CVE-2020-10535 [MEDIUM] CVE-2020-10535: gitlab - GitLab 12.8.x before 12.8.6, when sign-up is enabled, allows remote attackers to... GitLab 12.8.x before 12.8.6, when sign-up is enabled, allows remote attackers to bypass email domain restrictions within the two-day grace period for an unconfirmed email address. Scope: local sid: resolved

CVE-2020-13266 [MEDIUM] CVE-2020-13266: gitlab - Insecure authorization in Project Deploy Keys in GitLab CE/EE 12.8 and later thr... Insecure authorization in Project Deploy Keys in GitLab CE/EE 12.8 and later through 13.0.1 allows users to update permissions of other users' deploy keys under certain conditions Scope: local sid: resolved

CVE-2020-13272 [HIGH] CVE-2020-13272: gitlab - OAuth flow missing verification checks CE/EE 12.3 and later through 13.0.1 allow... OAuth flow missing verification checks CE/EE 12.3 and later through 13.0.1 allows unverified user to use OAuth authorization code flow Scope: local sid: resolved