Debian Gitlab vulnerabilities
1,325 known vulnerabilities affecting debian/gitlab.
Total CVEs: 1,325
CISA KEV: 4 (actively exploited)
Public exploits: 22
Exploited in wild: 2
Severity breakdown: CRITICAL 43, HIGH 196, MEDIUM 630, LOW 456
Vulnerabilities
Page 56 of 67
CVE-2019-13010 | MEDIUM | CVSS 5.9 | fixed in gitlab 12.6.8-3 (sid) | 2019
An issue was discovered in GitLab Enterprise Edition 8.3 through 12.0.2. The color codes decoder was vulnerable to a resource depletion attack if specific formats were used. It allows Uncontrolled Resource Consumption.
Scope: local
sid: resolved (fixed in 12.6.8-3)
CVE-2019-18454 | MEDIUM | CVSS 6.1 | fixed in gitlab 12.6.8-3 (sid) | 2019
An issue was discovered in GitLab Community and Enterprise Edition 10.5 through 12.4 in the link validation of the RDoc wiki pages feature. It has XSS.
Scope: local
sid: resolved (fixed in 12.6.8-3)
CVE-2019-11548 | MEDIUM | CVSS 5.4 | fixed in gitlab 11.8.9+dfsg-1 (sid) | 2019
An issue was discovered in GitLab Community and Enterprise Edition before 11.8.9. It has Incorrect Access Control. Unprivileged members of a project are able to post comments on confidential issues through an authorization issue in the note endpoint.
Scope: local
sid: resolved (fixed in 11.8.9+dfsg-1)
CVE-2019-12433 | MEDIUM | CVSS 5.3 | fixed in gitlab 12.6.8-3 (sid) | 2019
An issue was discovered in GitLab Community and Enterprise Edition 11.7 through 11.11. It has Improper Input Validation. Restricted visibility settings allow creating internal projects in private groups, leading to multiple permission issues.
Scope: local
sid: resolved (fixed in 12.6.8-3)
CVE-2019-5469 | MEDIUM | CVSS 6.5 | fixed in gitlab 12.6.8-3 (sid) | 2019
An IDOR vulnerability exists in GitLab <v12.1.2, <v12.0.4, and <v11.11.6 that allowed uploading files from a project archive to replace other users' files, potentially allowing an attacker to replace project binaries or other uploaded assets.
Scope: local
sid: resolved (fixed in 12.6.8-3)
CVE-2019-11549 | MEDIUM | CVSS 6.5 | fixed in gitlab 11.8.9+dfsg-1 (sid) | 2019
An issue was discovered in GitLab Community and Enterprise Edition 9.x, 10.x, and 11.x before 11.8.9, 11.9.x before 11.9.10, and 11.10.x before 11.10.2. Gitaly allows an information disclosure issue where HTTP/GIT credentials are included in logs on connection errors.
Scope: local
sid: resolved (fixed in 11.8.9+dfsg-1)
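The CVE-2019-11549 entry above describes a common failure mode: a clone or fetch URL that carries `user:token@host` in its authority ends up verbatim in an error log. The following is an added example, not code from GitLab, Gitaly or Debian: it scans log lines for embedded URL credentials (to find leaks already on disk) and redacts them (as a defence-in-depth step at the log sink). The log lines are constructed for the example and the field layout is assumed, not copied from real Gitaly output.

```python
import re

# Constructed sample lines in a logfmt-like layout (assumed, not real Gitaly
# output). Line 1 and line 4 embed credentials in a URL authority; the others
# do not. The token values are placeholders.
SAMPLE_LOG_LINES = [
    'time="2019-04-01T10:00:00Z" level=error msg="fetch failed" '
    'url="https://deploy:glpat-abc123@git.example.com/group/repo.git" err="connection refused"',
    'time="2019-04-01T10:00:01Z" level=info msg="fetch ok" url="https://git.example.com/group/repo.git"',
    'time="2019-04-01T10:00:02Z" level=error msg="fetch failed" url="ssh://git@git.example.com/group/repo.git"',
    'remote: https://oauth2:s3cr3t@github.com/org/project.git failed',
]

# Matches "user:secret@host" inside a URL authority. The scheme is optional so
# bare fragments are caught too. "git@host" (no password) is deliberately not
# matched: an SSH username is not a secret.
_CRED_RE = re.compile(
    r'(?P<scheme>[a-z][a-z0-9+.\-]*://)?'
    r'(?P<user>[^\s/:@"]+):(?P<secret>[^\s/@"]+)@(?P<host>[^\s/"]+)'
)


def find_credentials(line: str):
    """Return (user, host) for every embedded credential found in one line.

    The secret itself is never returned, so callers can report findings
    without copying the leaked value into yet another log.
    """
    return [(m.group("user"), m.group("host")) for m in _CRED_RE.finditer(line)]


def redact_line(line: str) -> str:
    """Replace the password/token part of any embedded credential."""
    return _CRED_RE.sub(
        lambda m: f"{m.group('scheme') or ''}{m.group('user')}:[REDACTED]@{m.group('host')}",
        line,
    )


def scan_log(lines):
    """Scan a sequence of log lines; return (line_number, user, host) per finding."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for user, host in find_credentials(line):
            findings.append((lineno, user, host))
    return findings


if __name__ == "__main__":
    for lineno, user, host in scan_log(SAMPLE_LOG_LINES):
        print(f"line {lineno}: credential for {user}@{host}")
    for line in SAMPLE_LOG_LINES:
        print(redact_line(line))
```

Redaction at the sink is a mitigation, not the fix: the upstream fix is to log the URL without its userinfo component in the first place. The scanner is still useful on a patched instance, because any log shipped off the box before the upgrade may still hold the credential, and every `(user, host)` it reports is a token to rotate.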
CVE-2019-6786 | MEDIUM | CVSS 6.5 | fixed in gitlab 11.5.10+dfsg-1 (sid) | 2019
An issue was discovered in GitLab Community and Enterprise Edition before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. It has Incorrect Access Control (issue 1 of 3). The contents of an LFS object can be accessed by an unauthorized user, if the file size and OID are known.
Scope: local
sid: resolved (fixed in 11.5.10+dfsg-1)
CVE-2019-6787 | MEDIUM | CVSS 6.5 | fixed in gitlab 11.5.10+dfsg-1 (sid) | 2019
An Incorrect Access Control issue was discovered in GitLab Community and Enterprise Edition before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. The GitLab API allowed project Maintainers and Owners to view the trigger tokens of other project users.
Scope: local
sid: resolved (fixed in 11.5.10+dfsg-1)
CVE-2019-10110 | MEDIUM | CVSS 6.5 | fixed in gitlab 11.8.6+dfsg-1 (sid) | 2019
An Insecure Permissions issue (issue 1 of 3) was discovered in GitLab Community and Enterprise Edition before 11.7.8, 11.8.x before 11.8.4, and 11.9.x before 11.9.2. The "move issue" feature may allow a user to create projects under any namespace on any GitLab instance on which they hold credentials.
Scope: local
sid: resolved (fixed in 11.8.6+dfsg-1)
CVE-2019-11544 | MEDIUM | CVSS 4.3 | fixed in gitlab 11.8.9+dfsg-1 (sid) | 2019
An issue was discovered in GitLab Community and Enterprise Edition 8.x, 9.x, 10.x, and 11.x before 11.8.9, 11.9.x before 11.9.10, and 11.10.x before 11.10.2. It allows Information Disclosure. Non-member users who subscribe to notifications of an internal project with issue and repository restrictions will receive emails about restricted events.
Scope: local
sid: resolved (fixed in 11.8.9+dfsg-1)
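Several entries on this page state their affected range per release branch ("before 11.8.9, 11.9.x before 11.9.10, 11.10.x before 11.10.2" for CVE-2019-11544 and the same shape for CVE-2019-6786) or as a closed interval ("8.3 through 12.0.2" for CVE-2019-13010). A naive single comparison such as "is my version below 11.8.9?" gets backport releases wrong: 11.9.5 is above 11.8.9 yet still vulnerable. The following is an added example, not code from GitLab or Debian, that encodes those ranges as intervals transcribed from the entries above and checks an upstream version against them. It compares upstream GitLab version strings only; Debian package versions with suffixes such as `+dfsg-1` are an assumption it does not handle, and should be compared with `dpkg --compare-versions`.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

Version = Tuple[int, ...]


def parse_version(s: str) -> Version:
    """Turn an upstream GitLab version string ("11.9.10") into a comparable tuple.

    Only dotted integers are accepted. Debian versions ("11.8.9+dfsg-1") are
    out of scope here; use `dpkg --compare-versions` for those.
    """
    return tuple(int(part) for part in s.strip().split("."))


@dataclass(frozen=True)
class Interval:
    lower: Version          # inclusive lower bound, e.g. (11, 9) for "11.9.x"
    upper: Version          # upper bound: first fixed release, or last affected one
    upper_inclusive: bool   # False for "before X", True for "through X"

    def contains(self, v: Version) -> bool:
        if v < self.lower:
            return False
        return v <= self.upper if self.upper_inclusive else v < self.upper


def before(fixed: str, lower: str = "0") -> Interval:
    """'11.9.x before 11.9.10' becomes before("11.9.10", lower="11.9")."""
    return Interval(parse_version(lower), parse_version(fixed), False)


def through(lower: str, last: str) -> Interval:
    """'8.3 through 12.0.2' becomes through("8.3", "12.0.2")."""
    return Interval(parse_version(lower), parse_version(last), True)


# Affected ranges transcribed from the advisory text of the entries on this page.
# CVE-2019-13010 is stated for Enterprise Edition only; the table does not
# distinguish editions, so treat it as an assumption that EE is in use.
AFFECTED: Dict[str, List[Interval]] = {
    "CVE-2019-11544": [
        before("11.8.9", lower="8"),
        before("11.9.10", lower="11.9"),
        before("11.10.2", lower="11.10"),
    ],
    "CVE-2019-6786": [
        before("11.5.8"),
        before("11.6.6", lower="11.6"),
        before("11.7.1", lower="11.7"),
    ],
    "CVE-2019-13010": [through("8.3", "12.0.2")],
}


def is_affected(version: str, intervals: Iterable[Interval]) -> bool:
    """True if `version` falls inside any of the vulnerable intervals."""
    v = parse_version(version)
    return any(interval.contains(v) for interval in intervals)


def affecting_cves(version: str, table: Dict[str, List[Interval]] = AFFECTED) -> List[str]:
    """Return the sorted CVE ids from `table` that affect `version`."""
    return sorted(cve for cve, intervals in table.items() if is_affected(version, intervals))


if __name__ == "__main__":
    for candidate in ("11.8.8", "11.9.5", "11.9.10", "12.0.3"):
        print(candidate, affecting_cves(candidate))
```

The per-branch intervals are what make the check correct for patch releases on older branches: 11.5.9 is not inside any CVE-2019-6786 interval (it is above 11.5.8 and below the 11.6 branch), while 11.6.5 is, because the 11.6 branch was only fixed in 11.6.6.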
CVE-2019-19257 | MEDIUM | CVSS 5.3 | fixed in gitlab 12.6.8-3 (sid) | 2019
GitLab Community Edition (CE) and Enterprise Edition (EE) through 12.5 has Incorrect Access Control (issue 1 of 2).
Scope: local
sid: resolved (fixed in 12.6.8-3)
CVE-2019-6997 | MEDIUM | CVSS 4.3 | fixed in gitlab 11.5.10+dfsg-1 (sid) | 2019
An issue was discovered in GitLab Community and Enterprise Edition 10.x (starting in 10.7) and 11.x before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. It has Incorrect Access Control. System notes contain an access control issue that permits a guest user to view merge request titles.
Scope: local
sid: resolved (fixed in 11.5.10+dfsg-1)
CVE-2019-5463 | MEDIUM | CVSS 5.3 | fixed in gitlab 12.6.8-3 (sid) | 2019
An authorization issue was discovered in the GitLab CE/EE CI badge images endpoint which could result in disclosure of the build status. This vulnerability was addressed in 12.1.2, 12.0.4, and 11.11.6.
Scope: local
sid: resolved (fixed in 12.6.8-3)
CVE-2019-11546 | MEDIUM | CVSS 5.3 | fixed in gitlab 11.8.9+dfsg-1 (sid) | 2019
An issue was discovered in GitLab Community and Enterprise Edition before 11.8.9, 11.9.x before 11.9.10, and 11.10.x before 11.10.2. It has a Race Condition which could allow users to approve a merge request multiple times and potentially reach the approval count required to merge.
Scope: local
sid: resolved (fixed in 11.8.9+dfsg-1)
CVE-2019-15727 | MEDIUM | CVSS 5.3 | fixed in gitlab 12.6.8-3 (sid) | 2019
An issue was discovered in GitLab Community and Enterprise Edition 11.2 through 12.2.1. Insufficient permission checks were being applied when displaying CI results, potentially exposing some CI metrics data to unauthorized users.
Scope: local
sid: resolved (fixed in 12.6.8-3)
CVE-2019-15578 | MEDIUM | CVSS 5.3 | fixed in gitlab 12.6.8-3 (sid) | 2019
An information disclosure exists in < 12.3.2, < 12.2.6, and < 12.1.12 for GitLab Community Edition (CE) and Enterprise Edition (EE). The path of a private project, that used to be public, would be disclosed in the unsubscribe email link of issues and merge requests.
Scope: local
sid: resolved (fixed in 12.6.8-3)
CVE-2019-13009 | MEDIUM | CVSS 6.5 | fixed in gitlab 12.6.8-3 (sid) | 2019
An issue was discovered in GitLab Community and Enterprise Edition 9.2 through 12.0.2. Uploaded files associated with unsaved personal snippets were accessible to unauthorized users due to improper permission settings. It has Incorrect Access Control.
Scope: local
sid: resolved (fixed in 12.6.8-3)
CVE-2019-13011 | MEDIUM | CVSS 4.3 | fixed in gitlab 12.6.8-3 (sid) | 2019
An issue was discovered in GitLab Enterprise Edition 8.11.0 through 12.0.2. By using brute force, a user with access to a project, but not to its repository, could create a list of merge request template names. It has excessive algorithmic complexity.
Scope: local
sid: resolved (fixed in 12.6.8-3)
CVE-2019-18461 | MEDIUM | CVSS 4.3 | fixed in gitlab 12.6.8-3 (sid) | 2019
An issue was discovered in GitLab Community and Enterprise Edition 11.3 through 12.3 when a sub group epic is added to a public group. It has Incorrect Access Control.
Scope: local
sid: resolved (fixed in 12.6.8-3)
CVE-2019-20145 | MEDIUM | CVSS 4.3 | fixed in gitlab 12.6.8-3 (sid) | 2019
An issue was discovered in GitLab Community Edition (CE) and Enterprise Edition (EE) 11.4 through 12.6.1. It has Incorrect Access Control.
Scope: local
sid: resolved (fixed in 12.6.8-3)