Debian Gitlab vulnerabilities

1,325 known vulnerabilities affecting debian/gitlab.

Total CVEs: 1,325
CISA KEV: 4 (actively exploited)
Public exploits: 22
Exploited in wild: 2
Severity breakdown: CRITICAL 43, HIGH 196, MEDIUM 630, LOW 456

Vulnerabilities

Page 60 of 67
CVE-2019-15731 | LOW | CVSS 5.3 | 2019
[MEDIUM] gitlab - An issue was discovered in GitLab Community and Enterprise Edition 12.0 through 12.2.1. Non-members were able to comment on merge requests despite the repository being set to allow only project members to do so.
Scope: local | sid: resolved | debian
CVE-2019-19263 | LOW | CVSS 4.3 | 2019
[MEDIUM] gitlab - GitLab Enterprise Edition (EE) 8.2 and later through 12.5 has Insecure Permissions.
Scope: local | sid: resolved | debian
CVE-2019-10117 | LOW | CVSS 6.1 | 2019
[MEDIUM] gitlab - An Open Redirect issue was discovered in GitLab Community and Enterprise Edition before 11.7.8, 11.8.x before 11.8.4, and 11.9.x before 11.9.2. A redirect is triggered after successful authentication within the Oauth/:GeoAuthController for the secondary Geo node.
Scope: local | sid: resolved | debian
CVE-2019-10114 | LOW | CVSS 7.5 | 2019
[HIGH] gitlab - An Information Exposure issue (issue 2 of 2) was discovered in GitLab Community and Enterprise Edition before 11.7.8, 11.8.x before 11.8.4, and 11.9.x before 11.9.2. During the OAuth authentication process, the application attempts to validate a parameter in an insecure way, potentially exposing data.
Scope: local | sid: resolved | debian
CVE-2019-5471 | LOW | CVSS 5.4 | 2019
[MEDIUM] gitlab - An input validation and output encoding issue was discovered in the GitLab email notification feature which could result in a persistent XSS. This was addressed in GitLab 12.1.2, 12.0.4, and 11.11.6.
Scope: local | sid: resolved | debian
CVE-2019-15724 | LOW | CVSS 6.1 | 2019
[MEDIUM] gitlab - An issue was discovered in GitLab Community and Enterprise Edition 11.10 through 12.2.1. Label descriptions are vulnerable to HTML injection.
Scope: local | sid: resolved | debian
CVE-2019-10112 | LOW | CVSS 7.5 | 2019
[HIGH] gitlab - An issue was discovered in GitLab Community and Enterprise Edition before 11.7.8, 11.8.x before 11.8.4, and 11.9.x before 11.9.2. The construction of the HMAC key was insecurely derived.
Scope: local | sid: resolved | debian
CVE-2019-5487 | LOW | CVSS 5.3 | 2019
[MEDIUM] gitlab - An improper access control vulnerability exists in Gitlab EE <v12.3.3, <v12.2.7, & <v12.1.13 that allowed the group search feature with Elasticsearch to return private code, merge requests and commits.
Scope: local | sid: resolved | debian
CVE-2019-19261 | LOW | CVSS 8.8 | 2019
[HIGH] gitlab - GitLab Enterprise Edition (EE) 6.7 and later through 12.5 allows SSRF.
Scope: local | sid: resolved | debian
CVE-2019-5473 | LOW | CVSS 7.2 | 2019
[HIGH] gitlab - An authentication issue was discovered in GitLab that allowed a bypass of email verification. This was addressed in GitLab 12.1.2 and 12.0.4.
Scope: local | sid: resolved | debian
CVE-2019-15594 | LOW | CVSS 4.3 | 2019
[MEDIUM] gitlab - GitLab 11.8 and later contains a security vulnerability that allows a user to obtain details of restricted pipelines via the merge request endpoint.
Scope: local | sid: resolved | debian
CVE-2019-5467 | LOW | CVSS 5.4 | 2019
[MEDIUM] gitlab - An input validation and output encoding issue was discovered in the GitLab CE/EE wiki pages feature which could result in a persistent XSS. This vulnerability was addressed in 12.1.2, 12.0.4, and 11.11.6.
Scope: local | sid: resolved | debian
CVE-2019-19314 | LOW | CVSS 7.5 | 2019
[HIGH] gitlab - GitLab EE 8.4 through 12.5, 12.4.3, and 12.3.6 stored several tokens in plaintext.
Scope: local | sid: resolved | debian
CVE-2019-18456 | LOW | CVSS 5.3 | 2019
[MEDIUM] gitlab - An issue was discovered in GitLab Community and Enterprise Edition 8.17 through 12.4 in the Search feature provided by Elasticsearch integration. It has Insecure Permissions (issue 1 of 4).
Scope: local | sid: resolved | debian
CVE-2019-13002 | LOW | CVSS 4.3 | 2019
[MEDIUM] gitlab - An issue was discovered in GitLab Community and Enterprise Edition 11.10 through 12.0.2. Unauthorized users were able to read pipeline information of the last merge request. It has Incorrect Access Control.
Scope: local | sid: resolved | debian
CVE-2019-7353 | LOW | CVSS 9.1 | 2019
[CRITICAL] gitlab - An Incorrect Access Control issue was discovered in GitLab Community and Enterprise Edition 11.7.x before 11.7.4. GitLab Releases were vulnerable to an authorization issue that allowed users to view confidential issue and merge request titles of other projects.
Scope: local | sid: resolved | debian
CVE-2019-9219 | LOW | CVSS 3.7 | fixed in gitlab 11.8.2-2 (sid) | 2019
[LOW] gitlab - An issue was discovered in GitLab Community and Enterprise Edition before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It has Incorrect Access Control (issue 2 of 5).
Scope: local | sid: resolved (fixed in 11.8.2-2) | debian
CVE-2019-12429 | LOW | CVSS 6.5 | 2019
[MEDIUM] gitlab - An issue was discovered in GitLab Community and Enterprise Edition 11.9 through 11.11. Unprivileged users were able to access labels, status and merge request counts of confidential issues via the milestone details page. It has Improper Access Control.
Scope: local | sid: resolved | debian
CVE-2019-19309 | LOW | CVSS 4.3 | 2019
[MEDIUM] gitlab - GitLab Enterprise Edition (EE) 8.90 and later through 12.5 has Incorrect Access Control.
Scope: local | sid: resolved | debian
CVE-2019-20143 | LOW | CVSS 5.3 | 2019
[MEDIUM] gitlab - An issue was discovered in GitLab Community Edition (CE) and Enterprise Edition (EE) 12.6. It has Incorrect Access Control.
Scope: local | sid: resolved | debian