Debian Gitlab vulnerabilities
1,325 known vulnerabilities affecting debian/gitlab.
Total CVEs: 1,325
CISA KEV: 4 (actively exploited)
Public exploits: 22
Exploited in wild: 2
Severity breakdown: CRITICAL 43, HIGH 196, MEDIUM 630, LOW 456
Vulnerabilities
Page 51 of 67
CVE-2020-13314 | LOW | CVSS 3.7 (LOW) | 2020 | fixed in gitlab 13.2.8-1 (sid)
A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. GitLab Omniauth endpoint allowed a malicious user to submit content to be displayed back to the user within error messages.
Scope: local
sid: resolved (fixed in 13.2.8-1)

CVE-2020-13275 | LOW | CVSS 8.0 (HIGH) | 2020
A user with an unverified email address could request an access to domain restricted groups in GitLab EE 12.2 and later through 13.0.1.
Scope: local
sid: resolved

CVE-2020-13349 | LOW | CVSS 4.3 (MEDIUM) | 2020
An issue has been discovered in GitLab EE affecting all versions starting from 8.12. A regular expression related to a file path resulted in the Advanced Search feature susceptible to catastrophic backtracking. Affected versions are >=8.12, =13.4, =13.5, <13.5.2.
Scope: local
sid: resolved

CVE-2020-10082 | LOW | CVSS 5.3 (MEDIUM) | 2020
GitLab 12.2 through 12.8.1 allows Denial of Service. A denial of service vulnerability impacting the designs for public issues was discovered.
Scope: local
sid: resolved

CVE-2020-13291 | LOW | CVSS 8.1 (HIGH) | 2020
In GitLab before 13.2.3, project sharing could temporarily allow too permissive access.
Scope: local
sid: resolved

CVE-2020-13337 | LOW | CVSS 7.2 (HIGH) | 2020
An issue has been discovered in GitLab affecting versions from 12.10 to 12.10.12 that allowed for a stored XSS payload to be added as a group name.
Scope: local
sid: resolved

CVE-2020-13288 | LOW | CVSS 5.5 (MEDIUM) | 2020
In GitLab before 13.0.12, 13.1.6, and 13.2.3, a stored XSS vulnerability exists in the CI/CD Jobs page.
Scope: local
sid: resolved

CVE-2020-7971 | LOW | CVSS 6.1 (MEDIUM) | 2020
GitLab EE 11.0 and later through 12.7.2 allows XSS.
Scope: local
sid: resolved

CVE-2020-13350 | LOW | CVSS 3.1 (LOW) | 2020 | fixed in gitlab 13.3.9-1 (sid)
CSRF in runner administration page in all versions of GitLab CE/EE allows an attacker who's able to target GitLab instance administrators to pause/resume runners. Affected versions are >=13.5.0, =13.4.0, <13.4.5,<13.3.9.
Scope: local
sid: resolved (fixed in 13.3.9-1)

CVE-2020-13282 | LOW | CVSS 3.1 (LOW) | 2020 | fixed in gitlab 13.2.3-2 (sid)
For GitLab before 13.0.12, 13.1.6, 13.2.3, after a group transfer occurs, members from a parent group keep their access level on the subgroup, leading to improper access.
Scope: local
sid: resolved (fixed in 13.2.3-2)

CVE-2020-26406 | LOW | CVSS 5.3 (MEDIUM) | 2020
Certain SAST CiConfiguration information could be viewed by unauthorized users in GitLab EE starting with 13.3. This information was exposed through GraphQL to non-members of public projects with repository visibility restricted, as well as guest members on private projects. Affected versions are: >=13.3, =13.4, =13.5, <13.5.2.
Scope: local
sid: resolved

CVE-2020-13306 | LOW | CVSS 3.7 (LOW) | 2020 | fixed in gitlab 13.2.8-1 (sid)
A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. GitLab Webhook feature could be abused to perform denial of service attacks due to the lack of rate limitation.
Scope: local
sid: resolved (fixed in 13.2.8-1)

CVE-2019-12443 | CRITICAL | CVSS 9.8 (CRITICAL) | 2019 | fixed in gitlab 12.6.8-3 (sid)
An issue was discovered in GitLab Community and Enterprise Edition 10.2 through 11.11. Multiple features contained Server-Side Request Forgery (SSRF) vulnerabilities caused by insufficient validation to prevent DNS rebinding attacks.
Scope: local
sid: resolved (fixed in 12.6.8-3)

CVE-2019-9890 | CRITICAL | CVSS 9.1 (CRITICAL) | 2019 | fixed in gitlab 11.8.2-2 (sid)
An issue was discovered in GitLab Community and Enterprise Edition 10.x and 11.x before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It has Insecure Permissions.
Scope: local
sid: resolved (fixed in 11.8.2-2)

CVE-2019-12428 | CRITICAL | CVSS 9.8 (CRITICAL) | 2019 | fixed in gitlab 12.6.8-3 (sid)
An issue was discovered in GitLab Community and Enterprise Edition 6.8 through 11.11. Users could bypass the mandatory external authentication provider sign-in restrictions by sending a specially crafted request. It has Improper Authorization.
Scope: local
sid: resolved (fixed in 12.6.8-3)

CVE-2019-9218 | CRITICAL | CVSS 9.8 (CRITICAL) | 2019 | fixed in gitlab 11.8.2-2 (sid)
An issue was discovered in GitLab Community and Enterprise Edition before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It has Incorrect Access Control (issue 1 of 5).
Scope: local
sid: resolved (fixed in 11.8.2-2)

CVE-2019-5464 | CRITICAL | CVSS 9.8 (CRITICAL) | 2019 | fixed in gitlab 12.6.8-3 (sid)
A flawed DNS rebinding protection issue was discovered in GitLab CE/EE 10.2 and later in the `url_blocker.rb` which could result in SSRF where the library is utilized.
Scope: local
sid: resolved (fixed in 12.6.8-3)

CVE-2019-15585 | CRITICAL | CVSS 9.8 (CRITICAL) | 2019 | fixed in gitlab 12.6.8-3 (sid)
Improper authentication exists in < 12.3.2, < 12.2.6, and < 12.1.12 for GitLab Community Edition (CE) and Enterprise Edition (EE): the GitLab SAML integration had a validation issue that permitted an attacker to take over another user's account.
Scope: local
sid: resolved (fixed in 12.6.8-3)

CVE-2019-5883 | CRITICAL | CVSS 9.1 (CRITICAL) | 2019 | fixed in gitlab 11.3.11+dfsg-1 (sid)
An Incorrect Access Control issue was discovered in GitLab Community and Enterprise Edition 6.0 and later but before 11.3.11, 11.4.x before 11.4.8, and 11.5.x before 11.5.1. The issue comments feature could allow a user to comment on an issue which they shouldn't be allowed to.
Scope: local
sid: resolved (fixed in 11.3.11+dfsg-1)

CVE-2019-9217 | CRITICAL | CVSS 9.8 (CRITICAL) | 2019 | fixed in gitlab 11.8.2-2 (sid)
An issue was discovered in GitLab Community and Enterprise Edition before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. Its User Interface has a Misrepresentation of Critical Information.
Scope: local
sid: resolved (fixed in 11.8.2-2)