Debian Gitlab vulnerabilities
1,325 known vulnerabilities affecting debian/gitlab.
Total CVEs: 1,325
CISA KEV: 4 (actively exploited)
Public exploits: 22
Exploited in wild: 2
Severity breakdown: CRITICAL 43 · HIGH 196 · MEDIUM 630 · LOW 456
Vulnerabilities
Page 59 of 67
CVE-2019-19258 · LOW · CVSS 5.3 (MEDIUM) · 2019
GitLab Enterprise Edition (EE) 10.8 and later through 12.5 has Incorrect Access Control.
Scope: local
sid: resolved
CVE-2019-19311 · LOW · CVSS 5.4 (MEDIUM) · 2019
GitLab EE 8.14 through 12.5, 12.4.3, and 12.3.6 allows XSS in group and profile fields.
Scope: local
sid: resolved
CVE-2019-9179 · LOW · CVSS 3.7 (LOW) · 2019 · fixed in gitlab 11.8.2-2 (sid)
An issue was discovered in GitLab Community and Enterprise Edition before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It allows Information Exposure (issue 5 of 5).
Scope: local
sid: resolved (fixed in 11.8.2-2)
CVE-2019-15738 · LOW · CVSS 5.3 (MEDIUM) · 2019
An issue was discovered in GitLab Community and Enterprise Edition 12.0 through 12.2.1. Under certain conditions, merge request IDs were being disclosed via email.
Scope: local
sid: resolved
CVE-2019-13001 · LOW · CVSS 4.3 (MEDIUM) · 2019
An issue was discovered in GitLab Community and Enterprise Edition 11.9 and later through 12.0.2. GitLab Snippets were vulnerable to an authorization issue that allowed unauthorized users to add comments to a private snippet. It allows authentication bypass.
Scope: local
sid: resolved
CVE-2019-11000 · LOW · CVSS 6.5 (MEDIUM) · 2019
An issue was discovered in GitLab Enterprise Edition before 11.7.11, 11.8.x before 11.8.7, and 11.9.x before 11.9.7. It allows Information Disclosure.
Scope: local
sid: resolved
CVE-2019-19262 · LOW · CVSS 4.3 (MEDIUM) · 2019
GitLab Enterprise Edition (EE) 11.9 and later through 12.5 has Insecure Permissions.
Scope: local
sid: resolved
CVE-2019-12825 · LOW · CVSS 4.3 (MEDIUM) · 2019
Unauthorized Access to the Container Registry of other groups was discovered in GitLab Enterprise 12.0.0-pre. In other words, authenticated remote attackers can read Docker registries of other groups. When a legitimate user changes the path of a group, Docker registries are not adapted, leaving them in the old namespace. They are not protected and are available to
CVE-2019-13004 · LOW · CVSS 5.3 (MEDIUM) · 2019
An issue was discovered in GitLab Community and Enterprise Edition 11.10 through 12.0.2. When specific encoded characters were added to comments, the comments section would become inaccessible. It has Incorrect Access Control (issue 1 of 2).
Scope: local
sid: resolved
CVE-2019-15590 · LOW · CVSS 7.5 (HIGH) · 2019
An access control issue exists in < 12.3.5, < 12.2.8, and < 12.1.14 for GitLab Community Edition (CE) and Enterprise Edition (EE) where private merge requests and issues would be disclosed with the Group Search feature provided by Elasticsearch integration.
Scope: local
sid: resolved
CVE-2019-19255 · LOW · CVSS 4.3 (MEDIUM) · 2019
GitLab Enterprise Edition (EE) 12.3 and later through 12.5 has Incorrect Access Control.
Scope: local
sid: resolved
CVE-2019-6996 · LOW · CVSS 4.3 (MEDIUM) · 2019
An issue was discovered in GitLab Enterprise Edition 10.x (starting in 10.6) and 11.x before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. It has Incorrect Access Control. The merge request approvers section has an access control issue that permits project maintainers to view membership of private groups.
Scope: local
sid: resolved
CVE-2019-9171 · LOW · CVSS 3.7 (LOW) · 2019 · fixed in gitlab 11.8.2-2 (sid)
An issue was discovered in GitLab Community and Enterprise Edition before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It allows Information Exposure (issue 1 of 5).
Scope: local
sid: resolved (fixed in 11.8.2-2)
CVE-2019-19312 · LOW · CVSS 5.8 (MEDIUM) · 2019
GitLab EE 8.14 through 12.5, 12.4.3, and 12.3.6 has Incorrect Access Control. After a project changed to private, previously forked repositories were still able to get information about the private project through the API.
Scope: local
sid: resolved
CVE-2019-15580 · LOW · CVSS 6.5 (MEDIUM) · 2019
An information exposure vulnerability exists in gitlab.com <v12.3.2, <v12.2.6, and <v12.1.10 when using the blocking merge request feature: it was possible for an unauthenticated user to see the head pipeline data of a public project even though pipeline visibility was restricted.
Scope: local
sid: resolved
CVE-2019-15586 · LOW · CVSS 6.1 (MEDIUM) · 2019
An XSS exists in GitLab CE/EE < 12.1.10 in the Mermaid plugin.
Scope: local
sid: resolved
CVE-2019-7176 · LOW · CVSS 3.7 (LOW) · 2019 · fixed in gitlab 11.5.10+dfsg-1 (sid)
An issue was discovered in GitLab Community and Enterprise Edition 8.x (starting in 8.9), 9.x, 10.x, and 11.x before 11.5.9, 11.6.x before 11.6.7, and 11.7.x before 11.7.2. It has Incorrect Access Control. Guest users are able to add reaction emojis on comments to which they have no visibility.
Scope: local
sid: resolved (fixed in 11.5.10+dfsg-1)
CVE-2019-19313 · LOW · CVSS 7.5 (HIGH) · 2019
GitLab EE 12.3 through 12.5, 12.4.3, and 12.3.6 allows Denial of Service. Certain characters were making it impossible to create, edit, or view issues and commits.
Scope: local
sid: resolved
CVE-2019-20142 · LOW · CVSS 4.3 (MEDIUM) · 2019
An issue was discovered in GitLab Community Edition (CE) and Enterprise Edition (EE) 12.3 through 12.6.1. It allows Denial of Service.
Scope: local
sid: resolved
CVE-2019-14943 · LOW · CVSS 9.8 (CRITICAL) · 2019
An issue was discovered in GitLab Community and Enterprise Edition 12.0 through 12.1.4. It uses Hard-coded Credentials.
Scope: local
sid: resolved
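The entries above state affected versions as prose ranges ("before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1"), and the Debian fix notes use package versions such as 11.5.10+dfsg-1 rather than upstream versions. The following triage helper, an added example that is not part of this tracker page or of GitLab's or Debian's tooling, transcribes a handful of the ranges listed on this page into interval form, strips Debian packaging decoration (epoch, +dfsg marker, Debian revision) to recover the upstream version, and reports which of those CVEs cover a given installed version. The AFFECTED table, its interval encoding and the function names are this example's own; only the five CVE ids and their ranges come from the entries above.

```python
"""Which of the GitLab CVEs transcribed below affect a given installed version?

Added example; not the tracker's own code. Ranges are (inclusive lower bound,
exclusive upper bound) read off the CVE descriptions on this page; None means
"from the first release".
"""


def parse_version(v):
    """'11.8.2' -> (11, 8, 2); pads to three components so '12.0' == '12.0.0'.
    Numeric tuples are essential: as strings, '11.10' < '11.9' because '1' < '9'."""
    parts = [int(p) for p in v.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def upstream_version(debian_version):
    """Strip Debian packaging decoration: '1:11.5.10+dfsg-1' -> '11.5.10'.
    Epoch ('1:'), repack marker ('+dfsg') and Debian revision ('-1') are
    Debian-only and must not take part in the upstream comparison."""
    v = debian_version.split(":", 1)[-1]   # drop epoch
    v = v.split("-", 1)[0]                 # drop Debian revision
    v = v.split("+", 1)[0]                 # drop +dfsg and similar suffixes
    return v


# Transcribed from the entries on this page (example data, a subset only).
AFFECTED = {
    # "before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1"
    "CVE-2019-9179": [(None, "11.6.10"), ("11.7.0", "11.7.6"), ("11.8.0", "11.8.1")],
    # "8.x (starting in 8.9), 9.x, 10.x, and 11.x before 11.5.9, 11.6.x before 11.6.7,
    #  and 11.7.x before 11.7.2"
    "CVE-2019-7176": [("8.9.0", "11.5.9"), ("11.6.0", "11.6.7"), ("11.7.0", "11.7.2")],
    # "< 12.3.5, < 12.2.8, and < 12.1.14" (one fixed release per maintained branch)
    "CVE-2019-15590": [(None, "12.1.14"), ("12.2.0", "12.2.8"), ("12.3.0", "12.3.5")],
    # "12.0 through 12.1.4" (inclusive)
    "CVE-2019-14943": [("12.0.0", "12.1.5")],
    # "11.9 and later through 12.0.2" (inclusive)
    "CVE-2019-13001": [("11.9.0", "12.0.3")],
}


def in_range(version, lo, hi):
    """True when lo <= version < hi (lo None: no lower bound)."""
    v = parse_version(version)
    return (lo is None or parse_version(lo) <= v) and v < parse_version(hi)


def affected_cves(installed, table=AFFECTED):
    """Sorted CVE ids whose transcribed ranges contain the installed upstream version.

    `installed` may be an upstream version ('11.8.2') or a Debian package
    version ('11.5.10+dfsg-1'); both are normalised with upstream_version().
    """
    v = upstream_version(installed)
    return sorted(
        cve for cve, ranges in table.items()
        if any(in_range(v, lo, hi) for lo, hi in ranges)
    )


if __name__ == "__main__":
    # Constructed sample inputs: two Debian package versions from this page's fix
    # notes, one upstream version that trips naive string comparison.
    for sample in ("11.5.10+dfsg-1", "11.8.2-2", "11.10.0"):
        print(f"{sample:>16} -> {affected_cves(sample)}")
```

Two caveats when using this on real hosts. First, a version match only says the upstream release is in the affected window; Debian's "fixed in 11.8.2-2" entries mean the sid package carries the fix at that package revision, so for packaged installs consult the sid status above rather than the upstream range alone. Second, the CE/EE split matters: several entries above affect EE only, and this table does not encode edition.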