Debian Gitlab vulnerabilities
1,325 known vulnerabilities affecting debian/gitlab.
Total CVEs: 1,325
CISA KEV: 4 (actively exploited)
Public exploits: 22
Exploited in wild: 2
Severity breakdown: CRITICAL 43, HIGH 196, MEDIUM 630, LOW 456
Vulnerabilities
Page 61 of 67
CVE-2019-6793 | LOW | CVSS 7.0 | PoC | 2019
[HIGH] gitlab: An issue was discovered in GitLab Enterprise Edition before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. The Jira integration feature is vulnerable to an unauthenticated blind SSRF issue.
Scope: local
sid: resolved
debian
CVE-2019-5474 | LOW | CVSS 6.5 | 2019
[MEDIUM] gitlab: An authorization issue was discovered in GitLab EE < 12.1.2, < 12.0.4, and < 11.11.6 allowing the merge request approval rules to be overridden without appropriate permissions.
Scope: local
sid: resolved
debian
CVE-2019-13005 | LOW | CVSS 4.3 | 2019
[MEDIUM] gitlab: An issue was discovered in GitLab Enterprise Edition and Community Edition 1.10 through 12.0.2. The GitLab graphql service was vulnerable to multiple authorization issues that disclosed restricted user, group, and repository metadata to unauthorized users. It has Incorrect Access Control.
Scope: local
sid: resolved
debian
CVE-2019-19088 | LOW | CVSS 9.8 | 2019
[CRITICAL] gitlab: Gitlab Enterprise Edition (EE) 11.3 through 12.4.2 allows Directory Traversal.
Scope: local
sid: resolved
debian
CVE-2019-19256 | LOW | CVSS 5.3 | 2019
[MEDIUM] gitlab: GitLab Enterprise Edition (EE) 12.2 and later through 12.5 has Incorrect Access Control.
Scope: local
sid: resolved
debian
CVE-2019-5472 | LOW | CVSS 7.5 | 2019
[HIGH] gitlab: An authorization issue was discovered in Gitlab versions < 12.1.2, < 12.0.4, and < 11.11.6 that prevented owners and maintainers from deleting epic comments.
Scope: local
sid: resolved
debian
CVE-2019-5461 | LOW | CVSS 3.5 | fixed in gitlab 12.6.8-3 (sid) | 2019
[LOW] gitlab: An input validation problem was discovered in the GitHub service integration which could result in an attacker being able to make arbitrary POST requests in a GitLab instance's internal network. This vulnerability was addressed in 12.1.2, 12.0.4, and 11.11.6.
Scope: local
sid: resolved (fixed in 12.6.8-3)
debian
CVE-2019-19086 | LOW | CVSS 4.3 | 2019
[MEDIUM] gitlab: Gitlab Enterprise Edition (EE) before 12.5.1 has Insecure Permissions (issue 1 of 2).
Scope: local
sid: resolved
debian
CVE-2018-14364 | CRITICAL | CVSS 9.8 | fixed in gitlab 10.7.7+dfsg-2 (sid) | 2018
[CRITICAL] gitlab: GitLab Community and Enterprise Edition before 10.7.7, 10.8.x before 10.8.6, and 11.x before 11.0.4 allows Directory Traversal with write access and resultant remote code execution via the GitLab projects import component.
Scope: local
sid: resolved (fixed in 10.7.7+dfsg-2)
debian
CVE-2018-17452 | CRITICAL | CVSS 9.8 | fixed in gitlab 11.1.8+dfsg-2 (sid) | 2018
[CRITICAL] gitlab: An issue was discovered in GitLab Community and Enterprise Edition before 11.1.7, 11.2.x before 11.2.4, and 11.3.x before 11.3.1. There is Server-Side Request Forgery (SSRF) via a loopback address to the validate_localhost function in url_blocker.rb.
Scope: local
sid: resolved (fixed in 11.1.8+dfsg-2)
debian
CVE-2018-8971 | CRITICAL | CVSS 9.8 | fixed in gitlab 10.5.6+dfsg-1 (sid) | 2018
[CRITICAL] gitlab: The Auth0 integration in GitLab before 10.3.9, 10.4.x before 10.4.6, and 10.5.x before 10.5.6 has an incorrect omniauth-auth0 configuration, leading to signing in unintended users.
Scope: local
sid: resolved (fixed in 10.5.6+dfsg-1)
debian
CVE-2018-18641 | CRITICAL | CVSS 9.8 | fixed in gitlab 11.2.8+dfsg-2 (sid) | 2018
[CRITICAL] gitlab: An issue was discovered in GitLab Community and Enterprise Edition before 11.2.7, 11.3.x before 11.3.8, and 11.4.x before 11.4.3. It has Cleartext Storage of Sensitive Information.
Scope: local
sid: resolved (fixed in 11.2.8+dfsg-2)
debian
CVE-2018-16049 | CRITICAL | CVSS 9.8 | fixed in gitlab 11.1.8+dfsg-2 (sid) | 2018
[CRITICAL] gitlab: An issue was discovered in GitLab Community and Enterprise Edition before 11.0.6, 11.1.x before 11.1.5, and 11.2.x before 11.2.2. There is Sensitive Data Disclosure in Sidekiq Logs through an Error Message.
Scope: local
sid: resolved (fixed in 11.1.8+dfsg-2)
debian
CVE-2018-20499 | HIGH | CVSS 7.2 | fixed in gitlab 11.5.6+dfsg-1 (sid) | 2018
[HIGH] gitlab: An issue was discovered in GitLab Community and Enterprise Edition 11.x before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It allows SSRF.
Scope: local
sid: resolved (fixed in 11.5.6+dfsg-1)
debian
CVE-2018-14603 | HIGH | CVSS 8.8 | fixed in gitlab 10.8.7+dfsg-1 (sid) | 2018
[HIGH] gitlab: An issue was discovered in GitLab Community and Enterprise Edition before 10.8.7, 11.0.x before 11.0.5, and 11.1.x before 11.1.2. CSRF can occur in the Test feature of the System Hooks component.
Scope: local
sid: resolved (fixed in 10.8.7+dfsg-1)
debian
CVE-2018-19569 | HIGH | CVSS 8.8 | fixed in gitlab 11.3.11+dfsg-1 (sid) | 2018
[HIGH] gitlab: GitLab CE/EE, versions 8.8 up to 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, are affected by an authorization vulnerability that allows access to the web UI as a user using a Personal Access Token of any scope.
Scope: local
sid: resolved (fixed in 11.3.11+dfsg-1)
debian
CVE-2018-20144 | HIGH | CVSS 7.5 | fixed in gitlab 11.5.4+dfsg-1 (sid) | 2018
[HIGH] gitlab: GitLab Community and Enterprise Edition 11.x before 11.3.13, 11.4.x before 11.4.11, and 11.5.x before 11.5.4 has Incorrect Access Control.
Scope: local
sid: resolved (fixed in 11.5.4+dfsg-1)
debian
CVE-2018-14602 | HIGH | CVSS 7.5 | fixed in gitlab 10.8.7+dfsg-1 (sid) | 2018
[HIGH] gitlab: An issue was discovered in GitLab Community and Enterprise Edition before 10.8.7, 11.0.x before 11.0.5, and 11.1.x before 11.1.2. Information Disclosure can occur because the Prometheus metrics feature discloses private project pathnames.
Scope: local
sid: resolved (fixed in 10.8.7+dfsg-1)
debian
CVE-2018-19576 | HIGH | CVSS 8.1 | fixed in gitlab 11.3.11+dfsg-1 (sid) | 2018
[HIGH] gitlab: GitLab CE/EE, versions 8.6 up to 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, are vulnerable to an access control issue that allows a Guest user to make changes to or delete their own comments on an issue, after the issue was made Confidential.
Scope: local
sid: resolved (fixed in 11.3.11+dfsg-1)
debian
CVE-2018-17451 | HIGH | CVSS 8.8 | fixed in gitlab 11.1.8+dfsg-2 (sid) | 2018
[HIGH] gitlab: An issue was discovered in GitLab Community and Enterprise Edition before 11.1.7, 11.2.x before 11.2.4, and 11.3.x before 11.3.1. There is Cross Site Request Forgery (CSRF) in the Slack integration for issuing slash commands.
Scope: local
sid: resolved (fixed in 11.1.8+dfsg-2)
debian