Debian Gitlab vulnerabilities
1,325 known vulnerabilities affecting debian/gitlab.
Total CVEs: 1,325
CISA KEV: 4 (actively exploited)
Public exploits: 22
Exploited in wild: 2
Severity breakdown
CRITICAL 43, HIGH 196, MEDIUM 630, LOW 456
Vulnerabilities
CVE-2019-20148 | MEDIUM | CVSS 5.3 | fixed in gitlab 12.6.8-3 (sid) | 2019
An issue was discovered in GitLab Community Edition (CE) and Enterprise Edition (EE) 8.13 through 12.6.1. It has Incorrect Access Control.
Scope: local
sid: resolved (fixed in 12.6.8-3)
debian
CVE-2019-15593 | MEDIUM | CVSS 6.5 | fixed in gitlab 12.6.8-3 (sid) | 2019
GitLab 12.2.3 contains a security vulnerability that allows a user to affect the availability of the service through a Denial of Service attack in Issue Comments.
Scope: local
sid: resolved (fixed in 12.6.8-3)
debian
CVE-2019-10111 | MEDIUM | CVSS 5.4 | fixed in gitlab 11.8.6+dfsg-1 (sid) | 2019
An issue was discovered in GitLab Community and Enterprise Edition before 11.7.8, 11.8.x before 11.8.4, and 11.9.x before 11.9.2. It allows persistent XSS in the merge request "resolve conflicts" page.
Scope: local
sid: resolved (fixed in 11.8.6+dfsg-1)
debian
CVE-2019-15577 | MEDIUM | CVSS 4.3 | fixed in gitlab 12.6.8-3 (sid) | 2019
An information disclosure vulnerability exists in GitLab CE/EE <v12.3.2, <v12.2.6, and <v12.1.12 that allowed project milestones to be disclosed via groups browsing.
Scope: local
sid: resolved (fixed in 12.6.8-3)
debian
CVE-2019-9224 | MEDIUM | CVSS 5.3 | fixed in gitlab 11.8.2-2 (sid) | 2019
An issue was discovered in GitLab Community and Enterprise Edition before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It has Incorrect Access Control (issue 4 of 5).
Scope: local
sid: resolved (fixed in 11.8.2-2)
debian
CVE-2019-15582 | MEDIUM | CVSS 5.3 | fixed in gitlab 12.6.8-3 (sid) | 2019
An IDOR was discovered in < 12.3.2, < 12.2.6, and < 12.1.12 for GitLab Community Edition (CE) and Enterprise Edition (EE) that allowed a maintainer to add any private group to a protected environment.
Scope: local
sid: resolved (fixed in 12.6.8-3)
debian
CVE-2019-18462 | MEDIUM | CVSS 4.3 | fixed in gitlab 12.6.8-3 (sid) | 2019
An issue was discovered in GitLab Community and Enterprise Edition 11.3 through 12.4. It has Insecure Permissions.
Scope: local
sid: resolved (fixed in 12.6.8-3)
debian
CVE-2019-6795 | MEDIUM | CVSS 5.4 | fixed in gitlab 11.5.10+dfsg-1 (sid) | 2019
An issue was discovered in GitLab Community and Enterprise Edition before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. It has Insufficient Visual Distinction of Homoglyphs Presented to a User. IDN homographs and RTLO characters are rendered to Unicode, which could be used for social engineering.
Scope: local
sid: resolved (fixed in 11.5.10+dfsg-1)
debian
CVE-2019-15740 | MEDIUM | CVSS 5.3 | fixed in gitlab 12.6.8-3 (sid) | 2019
An issue was discovered in GitLab Community and Enterprise Edition 7.9 through 12.2.1. EXIF Geolocation data was not being removed from certain image uploads.
Scope: local
sid: resolved (fixed in 12.6.8-3)
debian
CVE-2019-20144 | MEDIUM | CVSS 4.3 | fixed in gitlab 12.6.8-3 (sid) | 2019
An issue was discovered in GitLab Community Edition (CE) and Enterprise Edition (EE) 10.8 through 12.6.1. It has Incorrect Access Control.
Scope: local
sid: resolved (fixed in 12.6.8-3)
debian
CVE-2019-6792 | MEDIUM | CVSS 5.3 | fixed in gitlab 11.5.10+dfsg-1 (sid) | 2019
An issue was discovered in GitLab Community and Enterprise Edition before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. It allows Path Disclosure. When an error is encountered on project import, the error message will display instance internal information.
Scope: local
sid: resolved (fixed in 11.5.10+dfsg-1)
debian
CVE-2019-9175 | MEDIUM | CVSS 5.3 | fixed in gitlab 11.8.2-2 (sid) | 2019
An issue was discovered in GitLab Community and Enterprise Edition before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It allows Information Exposure (issue 3 of 5).
Scope: local
sid: resolved (fixed in 11.8.2-2)
debian
CVE-2019-14942 | MEDIUM | CVSS 5.9 | fixed in gitlab 12.6.8-3 (sid) | 2019
An issue was discovered in GitLab Community and Enterprise Edition before 11.11.8, 12 before 12.0.6, and 12.1 before 12.1.6. Cookies for GitLab Pages (which have access control) could be sent over cleartext HTTP.
Scope: local
sid: resolved (fixed in 12.6.8-3)
debian
CVE-2019-18463 | MEDIUM | CVSS 4.3 | fixed in gitlab 12.6.8-3 (sid) | 2019
An issue was discovered in GitLab Community and Enterprise Edition through 12.4. It has Insecure Permissions (issue 4 of 4).
Scope: local
sid: resolved (fixed in 12.6.8-3)
debian
CVE-2019-12442 | MEDIUM | CVSS 6.1 | fixed in gitlab 12.6.8-3 (sid) | 2019
An issue was discovered in GitLab Enterprise Edition 11.7 through 11.11. The epic details page contained a lack of input validation and output encoding issue which resulted in a persistent XSS vulnerability on child epics.
Scope: local
sid: resolved (fixed in 12.6.8-3)
debian
CVE-2019-9225 | MEDIUM | CVSS 5.3 | fixed in gitlab 11.8.2-2 (sid) | 2019
An issue was discovered in GitLab Community and Enterprise Edition before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It has Incorrect Access Control (issue 5 of 5).
Scope: local
sid: resolved (fixed in 11.8.2-2)
debian
CVE-2019-6789 | MEDIUM | CVSS 4.3 | fixed in gitlab 11.5.10+dfsg-1 (sid) | 2019
An issue was discovered in GitLab Community and Enterprise Edition before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. It allows Information Disclosure (issue 4 of 6). In some cases, users without project permissions will receive emails after a project move. For private projects, this will disclose the new project namespace to an unauthorized user.
Scope:
debian
CVE-2019-15584 | MEDIUM | CVSS 6.5 | fixed in gitlab 12.6.8-3 (sid) | 2019
A denial of service exists in GitLab <v12.3.2, <v12.2.6, and <v12.1.10 that would let an attacker bypass input validation in markdown fields and take down the affected page.
Scope: local
sid: resolved (fixed in 12.6.8-3)
debian
CVE-2019-18447 | MEDIUM | CVSS 4.3 | fixed in gitlab 12.6.8-3 (sid) | 2019
An issue was discovered in GitLab Community and Enterprise Edition before 12.4. It has Insecure Permissions.
Scope: local
sid: resolved (fixed in 12.6.8-3)
debian
CVE-2019-15737 | MEDIUM | CVSS 6.5 | fixed in gitlab 12.6.8-3 (sid) | 2019
An issue was discovered in GitLab Community and Enterprise Edition through 12.2.1. Certain account actions needed improved authentication and session management.
Scope: local
sid: resolved (fixed in 12.6.8-3)
debian