Debian Gitlab vulnerabilities
1,325 known vulnerabilities affecting debian/gitlab.
Total CVEs: 1,325
CISA KEV: 4 (actively exploited)
Public exploits: 22
Exploited in wild: 2
Severity breakdown: CRITICAL 43 | HIGH 196 | MEDIUM 630 | LOW 456
Vulnerabilities
Page 53 of 67
CVE-2019-11605 | HIGH | CVSS 7.5 | 2019 | fixed in gitlab 11.8.10+dfsg-1 (sid)
An issue was discovered in GitLab Community and Enterprise Edition 11.8.x before 11.8.10, 11.9.x before 11.9.11, and 11.10.x before 11.10.3. It allows Information Disclosure. A small number of GitLab API endpoints would disclose project information when using a read_user scoped token.
Scope: local
sid: resolved (fixed in 11.8.10+dfsg-1)
CVE-2019-15729 | HIGH | CVSS 7.5 | 2019 | fixed in gitlab 12.6.8-3 (sid)
An issue was discovered in GitLab Community and Enterprise Edition 8.18 through 12.2.1. An internal endpoint unintentionally disclosed information about the last pipeline that ran for a merge request.
Scope: local
sid: resolved (fixed in 12.6.8-3)
CVE-2019-10113 | HIGH | CVSS 7.5 | 2019 | fixed in gitlab 11.8.6+dfsg-1 (sid)
An issue was discovered in GitLab Community and Enterprise Edition before 11.7.8, 11.8.x before 11.8.4, and 11.9.x before 11.9.2. Making concurrent GET /api/v4/projects//languages requests may allow Uncontrolled Resource Consumption.
Scope: local
sid: resolved (fixed in 11.8.6+dfsg-1)
CVE-2019-5470 | HIGH | CVSS 7.5 | 2019 | fixed in gitlab 12.6.8-3 (sid)
An information disclosure issue was discovered in GitLab versions < 12.1.2, < 12.0.4, and < 11.11.6 in the security dashboard which could result in disclosure of vulnerability feedback information.
Scope: local
sid: resolved (fixed in 12.6.8-3)
CVE-2019-16170 | HIGH | CVSS 7.1 | 2019 | fixed in gitlab 12.6.8-3 (sid)
An issue was discovered in GitLab Enterprise Edition 11.x and 12.x before 12.0.9, 12.1.x before 12.1.9, and 12.2.x before 12.2.5. It has Incorrect Access Control.
Scope: local
sid: resolved (fixed in 12.6.8-3)
CVE-2019-15730 | HIGH | CVSS 7.5 | 2019 | fixed in gitlab 12.6.8-3 (sid)
An issue was discovered in GitLab Community and Enterprise Edition 8.14 through 12.2.1. The Jira integration contains a SSRF vulnerability as a result of a bypass of the current protection mechanisms against this type of attack, which would allow sending requests to any resources accessible in the local network by the GitLab server.
Scope: local
sid: resolved (fixed in 12.6.8-3)
CVE-2019-13003 | HIGH | CVSS 7.5 | 2019 | fixed in gitlab 12.6.8-3 (sid)
An issue was discovered in GitLab Community and Enterprise Edition before 12.0.3. One of the parsers used by GitLab CI was vulnerable to a resource exhaustion attack. It allows Uncontrolled Resource Consumption.
Scope: local
sid: resolved (fixed in 12.6.8-3)
CVE-2019-15736 | HIGH | CVSS 7.5 | 2019 | fixed in gitlab 12.6.8-3 (sid)
An issue was discovered in GitLab Community and Enterprise Edition through 12.2.1. Under certain circumstances, CI pipelines could potentially be used in a denial of service attack.
Scope: local
sid: resolved (fixed in 12.6.8-3)
CVE-2019-15576 | HIGH | CVSS 7.5 | 2019 | fixed in gitlab 12.6.8-3 (sid)
An information disclosure vulnerability exists in GitLab CE/EE <v12.3.2, <v12.2.6, and <v12.1.12 that allowed an attacker to view private system notes from a GraphQL endpoint.
Scope: local
sid: resolved (fixed in 12.6.8-3)
CVE-2019-15575 | HIGH | CVSS 7.5 | 2019 | fixed in gitlab 12.6.8-3 (sid)
A command injection exists in GitLab CE/EE <v12.3.2, <v12.2.6, and <v12.1.12 that allowed an attacker to inject commands via the API through the blobs scope.
Scope: local
sid: resolved (fixed in 12.6.8-3)
CVE-2019-18457 | HIGH | CVSS 8.8 | 2019 | fixed in gitlab 12.6.8-3 (sid)
An issue was discovered in GitLab Community and Enterprise Edition 11.8 through 12.4 when handling Security tokens. It has Insecure Permissions.
Scope: local
sid: resolved (fixed in 12.6.8-3)
CVE-2019-15589 | HIGH | CVSS 8.8 | 2019 | fixed in gitlab 12.6.8-3 (sid)
An improper access control vulnerability exists in GitLab <v12.3.2, <v12.2.6, <v12.1.12 which would allow a blocked user to use git clone and pull if he had obtained a CI/CD token before.
Scope: local
sid: resolved (fixed in 12.6.8-3)
CVE-2019-6788 | HIGH | CVSS 7.5 | 2019 | fixed in gitlab 11.5.10+dfsg-1 (sid)
An issue was discovered in GitLab Community and Enterprise Edition before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. It allows Information Disclosure (issue 3 of 6). For installations using GitHub or Bitbucket OAuth integrations, it is possible to use a covert redirect to obtain the user OAuth token for those services.
Scope: local
sid: resolved (fixed in 11.5.10+dfsg-1)
CVE-2019-9223 | HIGH | CVSS 7.5 | 2019 | fixed in gitlab 11.8.2-2 (sid)
An issue was discovered in GitLab Community and Enterprise Edition before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It allows Information Exposure.
Scope: local
sid: resolved (fixed in 11.8.2-2)
CVE-2019-6781 | HIGH | CVSS 7.5 | 2019 | fixed in gitlab 11.5.10+dfsg-1 (sid)
An Improper Input Validation issue was discovered in GitLab Community and Enterprise Edition before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. It was possible to use the profile name to inject a potentially malicious link into notification emails.
Scope: local
sid: resolved (fixed in 11.5.10+dfsg-1)
CVE-2019-12446 | HIGH | CVSS 7.5 | 2019 | fixed in gitlab 12.6.8-3 (sid)
An issue was discovered in GitLab Community and Enterprise Edition 8.3 through 11.11. It allows Information Exposure through an Error Message.
Scope: local
sid: resolved (fixed in 12.6.8-3)
CVE-2019-5486 | HIGH | CVSS 8.8 | 2019 | fixed in gitlab 12.6.8-3 (sid)
An authentication bypass vulnerability exists in GitLab CE/EE <v12.3.2, <v12.2.6, and <v12.1.10 in the Salesforce login integration that could be used by an attacker to create an account that bypassed domain restrictions and email verification requirements.
Scope: local
sid: resolved (fixed in 12.6.8-3)
CVE-2019-9176 | MEDIUM | CVSS 6.5 | 2019 | fixed in gitlab 11.8.2-2 (sid)
An issue was discovered in GitLab Community and Enterprise Edition before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It allows CSRF.
Scope: local
sid: resolved (fixed in 11.8.2-2)
CVE-2019-15734 | MEDIUM | CVSS 4.3 | 2019 | fixed in gitlab 12.6.8-3 (sid)
An issue was discovered in GitLab Community and Enterprise Edition 8.6 through 12.2.1. Under very specific conditions, commit titles and team member comments could become viewable to users who did not have permission to access these.
Scope: local
sid: resolved (fixed in 12.6.8-3)
CVE-2019-18446 | MEDIUM | CVSS 4.3 | 2019 | fixed in gitlab 12.6.8-3 (sid)
An issue was discovered in GitLab Community and Enterprise Edition 8.15 through 12.4. It has Insecure Permissions (issue 1 of 2).
Scope: local
sid: resolved (fixed in 12.6.8-3)