Debian Gitlab vulnerabilities
1,325 known vulnerabilities affecting debian/gitlab.
Total CVEs: 1,325
CISA KEV: 4 (actively exploited)
Public exploits: 22
Exploited in wild: 2
Severity breakdown: CRITICAL 43, HIGH 196, MEDIUM 630, LOW 456
Vulnerabilities
Page 57 of 67
CVE-2019-6791 | MEDIUM | CVSS 6.5 | fixed in gitlab 11.5.10+dfsg-1 (sid) | 2019
An issue was discovered in GitLab Community and Enterprise Edition before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. It has Incorrect Access Control (issue 3 of 3). When a project with visibility more permissive than the target group is imported, it will retain its prior visibility.
Scope: local
sid: resolved (fixed in 11.5.10+dfsg-1)
debian
CVE-2019-14944 | MEDIUM | CVSS 6.5 | fixed in gitlab 12.6.8-3 (sid) | 2019
An issue was discovered in GitLab Community and Enterprise Edition before 11.11.8, 12 before 12.0.6, and 12.1 before 12.1.6. Gitaly allows injection of command-line flags. This sometimes leads to privilege escalation or remote code execution.
Scope: local
sid: resolved (fixed in 12.6.8-3)
debian
CVE-2019-18451 | MEDIUM | CVSS 6.1 | fixed in gitlab 12.6.8-3 (sid) | 2019
An issue was discovered in GitLab Community and Enterprise Edition 10.7.4 through 12.4 in the InternalRedirect filtering feature. It has an Open Redirect.
Scope: local
sid: resolved (fixed in 12.6.8-3)
debian
CVE-2019-10109 | MEDIUM | CVSS 5.3 | fixed in gitlab 11.8.6+dfsg-1 (sid) | 2019
An Information Exposure issue (issue 1 of 2) was discovered in GitLab Community and Enterprise Edition before 11.7.8, 11.8.x before 11.8.4, and 11.9.x before 11.9.2. EXIF geolocation data were not removed from images when uploaded to GitLab. As a result, anyone with access to the uploaded image could obtain its geolocation, device, and software version data (if pre
debian
CVE-2019-18452 | MEDIUM | CVSS 5.3 | fixed in gitlab 12.6.8-3 (sid) | 2019
An issue was discovered in GitLab Community and Enterprise Edition 11.3 through 12.4 when moving an issue to a public project from a private one. It has Insecure Permissions.
Scope: local
sid: resolved (fixed in 12.6.8-3)
debian
CVE-2019-9221 | MEDIUM | CVSS 5.5 | fixed in gitlab 11.8.2-2 (sid) | 2019
An issue was discovered in GitLab Community and Enterprise Edition before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It has Incorrect Access Control (issue 3 of 5).
Scope: local
sid: resolved (fixed in 11.8.2-2)
debian
CVE-2019-10116 | MEDIUM | CVSS 4.3 | fixed in gitlab 11.8.6+dfsg-1 (sid) | 2019
An Insecure Permissions issue (issue 3 of 3) was discovered in GitLab Community and Enterprise Edition before 11.7.8, 11.8.x before 11.8.4, and 11.9.x before 11.9.2. Guests of a project were allowed to see Related Branches created for an issue.
Scope: local
sid: resolved (fixed in 11.8.6+dfsg-1)
debian
CVE-2019-18449 | MEDIUM | CVSS 4.3 | fixed in gitlab 12.6.8-3 (sid) | 2019
An issue was discovered in GitLab Community and Enterprise Edition before 12.4 in the autocomplete feature. It has Insecure Permissions (issue 2 of 2).
Scope: local
sid: resolved (fixed in 12.6.8-3)
debian
CVE-2019-5465 | MEDIUM | CVSS 4.3 | fixed in gitlab 12.6.8-3 (sid) | 2019
An information disclosure issue was discovered in GitLab CE/EE 8.14 and later, by using the move issue feature which could result in disclosure of the newly created issue ID.
Scope: local
sid: resolved (fixed in 12.6.8-3)
debian
CVE-2019-19260 | MEDIUM | CVSS 5.4 | fixed in gitlab 12.6.8-3 (sid) | 2019
GitLab Community Edition (CE) and Enterprise Edition (EE) through 12.5 has Incorrect Access Control (issue 2 of 2).
Scope: local
sid: resolved (fixed in 12.6.8-3)
debian
CVE-2019-15721 | MEDIUM | CVSS 5.4 | fixed in gitlab 12.6.8-3 (sid) | 2019
An issue was discovered in GitLab Community and Enterprise Edition 10.8 through 12.2.1. An internal endpoint unintentionally allowed group maintainers to view and edit group runner settings.
Scope: local
sid: resolved (fixed in 12.6.8-3)
debian
CVE-2019-6784 | MEDIUM | CVSS 6.1 | fixed in gitlab 11.5.10+dfsg-1 (sid) | 2019
An issue was discovered in GitLab Community and Enterprise Edition before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. It allows XSS (issue 1 of 2). Markdown fields contain a lack of input validation and output encoding when processing KaTeX that results in a persistent XSS.
Scope: local
sid: resolved (fixed in 11.5.10+dfsg-1)
debian
CVE-2019-6794 | MEDIUM | CVSS 4.3 | fixed in gitlab 11.5.10+dfsg-1 (sid) | 2019
An issue was discovered in GitLab Community and Enterprise Edition before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. It allows Information Disclosure (issue 5 of 6). A project guest user can view the last commit status of the default branch.
Scope: local
sid: resolved (fixed in 11.5.10+dfsg-1)
debian
CVE-2019-10115 | MEDIUM | CVSS 6.5 | fixed in gitlab 11.8.6+dfsg-1 (sid) | 2019
An Insecure Permissions issue (issue 2 of 3) was discovered in GitLab Community and Enterprise Edition before 11.7.8, 11.8.x before 11.8.4, and 11.9.x before 11.9.2. The GitLab Releases feature could allow guest users access to private information like release details and code information.
Scope: local
sid: resolved (fixed in 11.8.6+dfsg-1)
debian
CVE-2019-18450 | MEDIUM | CVSS 4.3 | fixed in gitlab 12.6.8-3 (sid) | 2019
An issue was discovered in GitLab Community and Enterprise Edition before 12.4 in the Project labels feature. It has Insecure Permissions.
Scope: local
sid: resolved (fixed in 12.6.8-3)
debian
CVE-2019-18448 | MEDIUM | CVSS 6.5 | fixed in gitlab 12.6.8-3 (sid) | 2019
An issue was discovered in GitLab Community and Enterprise Edition before 12.4. It has Incorrect Access Control.
Scope: local
sid: resolved (fixed in 12.6.8-3)
debian
CVE-2019-20146 | MEDIUM | CVSS 5.3 | fixed in gitlab 12.6.8-3 (sid) | 2019
An issue was discovered in GitLab Community Edition (CE) and Enterprise Edition (EE) 11.0 through 12.6. It allows Uncontrolled Resource Consumption.
Scope: local
sid: resolved (fixed in 12.6.8-3)
debian
CVE-2019-18459 | MEDIUM | CVSS 5.3 | fixed in gitlab 12.6.8-3 (sid) | 2019
An issue was discovered in GitLab Community and Enterprise Edition 11.3 to 12.3 in the protected environments feature. It has Insecure Permissions (issue 3 of 4).
Scope: local
sid: resolved (fixed in 12.6.8-3)
debian
CVE-2019-7155 | MEDIUM | CVSS 6.5 | fixed in gitlab 11.5.10+dfsg-1 (sid) | 2019
An issue was discovered in GitLab Community and Enterprise Edition 9.x, 10.x, and 11.x before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. It has Incorrect Access Control. A user retains their role within a project in a private group after being removed from the group, if their privileges within the project are different from the group.
Scope: local
sid: r
debian
CVE-2019-9170 | MEDIUM | CVSS 5.3 | fixed in gitlab 11.8.2-2 (sid) | 2019
An issue was discovered in GitLab Community and Enterprise Edition before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It has Incorrect Access Control.
Scope: local
sid: resolved (fixed in 11.8.2-2)
debian