Debian Gitlab vulnerabilities

1,325 known vulnerabilities affecting debian/gitlab.

Total CVEs: 1,325
CISA KEV: 4 (actively exploited)
Public exploits: 22
Exploited in wild: 2
Severity breakdown: CRITICAL 43, HIGH 196, MEDIUM 630, LOW 456

Vulnerabilities

Page 58 of 67
CVE-2019-15739 | MEDIUM (CVSS 6.1) | 2019 | fixed in gitlab 12.6.8-3 (sid)
An issue was discovered in GitLab Community and Enterprise Edition 8.1 through 12.2.1. Certain areas displaying Markdown were not properly sanitizing some XSS payloads.
Scope: local. sid: resolved (fixed in 12.6.8-3).

CVE-2019-11547 | MEDIUM (CVSS 6.1) | 2019 | fixed in gitlab 11.8.9+dfsg-1 (sid)
An issue was discovered in GitLab Community and Enterprise Edition before 11.8.9, 11.9.x before 11.9.10, and 11.10.x before 11.10.2. It has Improper Encoding or Escaping of Output. The branch name on new merge request notification emails isn't escaped, which could potentially lead to XSS issues.
Scope: local. sid: resolved (fixed in 11.8.9+dfsg-1).

CVE-2019-5466 | MEDIUM (CVSS 4.3) | 2019 | fixed in gitlab 12.6.8-3 (sid)
An IDOR was discovered in GitLab CE/EE 11.5 and later that allowed the new merge requests endpoint to disclose label names.
Scope: local. sid: resolved (fixed in 12.6.8-3).

CVE-2019-6995 | MEDIUM (CVSS 6.5) | 2019 | fixed in gitlab 11.5.10+dfsg-1 (sid)
An issue was discovered in GitLab Community and Enterprise Edition 8.x, 9.x, 10.x, and 11.x before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. It has Incorrect Access Control. Users are able to comment on locked project issues.
Scope: local. sid: resolved (fixed in 11.5.10+dfsg-1).

CVE-2019-6785 | MEDIUM (CVSS 6.5) | 2019 | fixed in gitlab 11.5.10+dfsg-1 (sid)
An issue was discovered in GitLab Community and Enterprise Edition before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. It allows Denial of Service. Inputting an overly long string into a Markdown field could cause a denial of service.
Scope: local. sid: resolved (fixed in 11.5.10+dfsg-1).

CVE-2019-9172 | MEDIUM (CVSS 5.9) | 2019 | fixed in gitlab 11.8.2-2 (sid)
An issue was discovered in GitLab Community and Enterprise Edition before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It allows Information Exposure (issue 2 of 5).
Scope: local. sid: resolved (fixed in 11.8.2-2).

CVE-2019-18458 | LOW (CVSS 2.7) | 2019 | fixed in gitlab 12.6.8-3 (sid)
An issue was discovered in GitLab Community and Enterprise Edition through 12.4. It has Insecure Permissions (issue 2 of 4).
Scope: local. sid: resolved (fixed in 12.6.8-3).
CVE-2019-19629 | HIGH (CVSS 7.5) | 2019
In GitLab EE 10.5 through 12.5.3, 12.4.5, and 12.3.8, when transferring a public project to a private group, private code would be disclosed via the Group Search API provided by the Elasticsearch integration.
Scope: local. sid: resolved (no fixed version listed).

CVE-2019-13007 | MEDIUM (CVSS 4.9) | 2019
An issue was discovered in GitLab Community and Enterprise Edition 11.11 through 12.0.2. When an admin enabled one of the service templates, it was triggering an action that leads to resource depletion. It allows Uncontrolled Resource Consumption.
Scope: local. sid: resolved (no fixed version listed).

CVE-2019-19628 | CRITICAL (CVSS 9.8) | 2019
In GitLab EE 11.3 through 12.5.3, 12.4.5, and 12.3.8, insufficient parameter sanitization for the Maven package registry could lead to privilege escalation and remote code execution vulnerabilities under certain conditions.
Scope: local. sid: resolved (no fixed version listed).

CVE-2019-6797 | HIGH (CVSS 7.5) | 2019
An information disclosure issue was discovered in GitLab Enterprise Edition before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. The GitHub token used in CI/CD for External Repos was being leaked to project maintainers in the UI.
Scope: local. sid: resolved (no fixed version listed).

CVE-2019-15725 | HIGH (CVSS 7.5) | 2019
An issue was discovered in GitLab Community and Enterprise Edition 12.0 through 12.2.1. An IDOR in the epic notes API could result in disclosure of private milestones, labels, and other information.
Scope: local. sid: resolved (no fixed version listed).

CVE-2019-11545 | MEDIUM (CVSS 4.3) | 2019
An issue was discovered in GitLab Community Edition 11.9.x before 11.9.10 and 11.10.x before 11.10.2. It allows Information Disclosure. When an issue is moved to a private project, the private project namespace is leaked to unauthorized users with access to the original issue.
Scope: local. sid: resolved (no fixed version listed).

CVE-2019-19259 | MEDIUM (CVSS 4.3) | 2019
GitLab Enterprise Edition (EE) 11.3 and later through 12.5 allows an Insecure Direct Object Reference (IDOR).
Scope: local. sid: resolved (no fixed version listed).

CVE-2019-15723 | MEDIUM (CVSS 5.3) | 2019
An issue was discovered in GitLab Community and Enterprise Edition 11.9.x and 11.10.x before 11.10.1. Merge requests created by email could be used to bypass push rules in certain situations.
Scope: local. sid: resolved (no fixed version listed).

CVE-2019-19310 | MEDIUM (CVSS 4.9) | 2019
GitLab Enterprise Edition (EE) 9.0 and later through 12.5 allows Information Disclosure.
Scope: local. sid: resolved (no fixed version listed).

CVE-2019-19087 | MEDIUM (CVSS 4.3) | 2019
GitLab Enterprise Edition (EE) before 12.5.1 has Insecure Permissions (issue 2 of 2).
Scope: local. sid: resolved (no fixed version listed).

CVE-2019-10108 | MEDIUM (CVSS 5.4) | 2019
An Incorrect Access Control (issue 1 of 2) was discovered in GitLab Community and Enterprise Edition before 11.7.8, 11.8.x before 11.8.4, and 11.9.x before 11.9.2. It allowed non-members of a private project/group to add and read labels.
Scope: local. sid: resolved (no fixed version listed).

CVE-2019-12430 | HIGH (CVSS 8.8) | 2019
An issue was discovered in GitLab Community and Enterprise Edition 11.11. A specially crafted payload would allow an authenticated malicious user to execute commands remotely through the repository download feature. It allows Command Injection.
Scope: local. sid: resolved (no fixed version listed).

CVE-2019-15732 | MEDIUM (CVSS 5.3) | 2019
An issue was discovered in GitLab Community and Enterprise Edition 12.2 through 12.2.1. The project import API could be used to bypass project visibility restrictions.
Scope: local. sid: resolved (no fixed version listed).
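The entries that carry a "fixed in" version only answer the practical question once an installed package version is compared against them under dpkg's ordering rules: epoch first, then upstream version, then Debian revision, with digit runs compared numerically, letters sorting before other characters, and "~" sorting before anything (so 12.6.8~rc1-1 is older than 12.6.8-3). The following Python is an added example written for this page, not code from Debian or GitLab: it ports dpkg's comparison routine and applies it to the fixed-in versions listed above. The installed version it checks is constructed, and the names compare_versions, split_version, FIXED_IN_SID and unfixed_cves are the example's own.

```python
"""
Which CVEs listed on this page are still unfixed for a given installed
Debian gitlab package version?  Uses a port of dpkg's version ordering.
Added example for this page (not Debian's or GitLab's code); version
names and the entry list are taken from the page, the installed version
is constructed.
"""


def _is_digit(c):
    return "0" <= c <= "9"


def _order(c):
    """dpkg weight for one character: '~' < end-of-string/digit < letter < other."""
    if c == "" or _is_digit(c):
        return 0
    if c == "~":
        return -1
    if c.isascii() and c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a, b):
    """Port of dpkg's verrevcmp(): alternate non-digit and digit runs."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character by character with dpkg weights.
        # An exhausted side weighs 0, so "1.0" > "1.0~rc1" but "1.0" < "1.0a".
        while (i < len(a) and not _is_digit(a[i])) or (j < len(b) and not _is_digit(b[j])):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: drop leading zeros, then the longer run wins, else the
        # first differing digit decides (numeric comparison without int()).
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and _is_digit(a[i]) and _is_digit(b[j]):
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and _is_digit(a[i]):
            return 1
        if j < len(b) and _is_digit(b[j]):
            return -1
        if first_diff:
            return first_diff
    return 0


def split_version(version):
    """Split '[epoch:]upstream[-revision]' the way dpkg does."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""  # dpkg treats a missing revision as "0"
    return epoch, upstream, revision


def _sign(n):
    return (n > 0) - (n < 0)


def compare_versions(a, b):
    """Return -1, 0 or 1 as Debian version a is older than, equal to or newer than b."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return _sign(ea - eb)
    r = _verrevcmp(ua, ub)
    if r:
        return _sign(r)
    return _sign(_verrevcmp(ra, rb))


# (CVE, version in which Debian sid fixed it), taken from the entries above.
FIXED_IN_SID = [
    ("CVE-2019-15739", "12.6.8-3"),
    ("CVE-2019-11547", "11.8.9+dfsg-1"),
    ("CVE-2019-5466", "12.6.8-3"),
    ("CVE-2019-6995", "11.5.10+dfsg-1"),
    ("CVE-2019-6785", "11.5.10+dfsg-1"),
    ("CVE-2019-9172", "11.8.2-2"),
    ("CVE-2019-18458", "12.6.8-3"),
]


def unfixed_cves(installed, entries=FIXED_IN_SID):
    """CVEs whose fixing version is newer than the installed package version."""
    return [cve for cve, fixed in entries if compare_versions(installed, fixed) < 0]


if __name__ == "__main__":
    installed = "11.8.9+dfsg-1"  # constructed: an older sid build of the package
    for cve in unfixed_cves(installed):
        print(f"{installed}: {cve} not yet fixed")
```

On a Debian host the same comparison can be done with the real tool, e.g. `dpkg --compare-versions "$(dpkg-query -W -f='${Version}' gitlab)" lt 12.6.8-3`, which exits 0 when the installed version is older than the fix. Two caveats apply when reading the listing this way: the fix versions above are for sid, so a stable-suite package with a different version string needs its own tracker entry, and the entries marked resolved without a version give no threshold to compare against, so they have to be looked up in the Debian security tracker directly.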