Debian Gitlab vulnerabilities
1,325 known vulnerabilities affecting debian/gitlab.
Total CVEs: 1,325
CISA KEV: 4 (actively exploited)
Public exploits: 22
Exploited in wild: 2
Severity breakdown: CRITICAL 43, HIGH 196, MEDIUM 630, LOW 456
Vulnerabilities
Page 63 of 67
CVE-2018-16050 | MEDIUM | CVSS 6.1 | fixed in gitlab 11.1.8+dfsg-2 (sid) | 2018
An issue was discovered in GitLab Community and Enterprise Edition 11.1.x before 11.1.5 and 11.2.x before 11.2.2. There is Persistent XSS in the Merge Request Changes View.
Scope: local
sid: resolved (fixed in 11.1.8+dfsg-2)
debian
CVE-2018-20492 | MEDIUM | CVSS 5.3 | fixed in gitlab 11.5.6+dfsg-1 (sid) | 2018
An issue was discovered in GitLab Community and Enterprise Edition before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It has Incorrect Access Control (issue 2 of 6).
Scope: local
sid: resolved (fixed in 11.5.6+dfsg-1)
debian
CVE-2018-17454 | MEDIUM | CVSS 5.4 | fixed in gitlab 11.1.8+dfsg-2 (sid) | 2018
An issue was discovered in GitLab Community and Enterprise Edition before 11.1.7, 11.2.x before 11.2.4, and 11.3.x before 11.3.1. There is stored XSS on the issue details screen.
Scope: local
sid: resolved (fixed in 11.1.8+dfsg-2)
debian
CVE-2018-20488 | MEDIUM | CVSS 4.3 | fixed in gitlab 11.5.6+dfsg-1 (sid) | 2018
An issue was discovered in GitLab Community and Enterprise Edition before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It allows Information Exposure.
Scope: local
sid: resolved (fixed in 11.5.6+dfsg-1)
debian
CVE-2018-17975 | MEDIUM | CVSS 5.3 | fixed in gitlab 11.1.8+dfsg-2 (sid) | 2018
An issue was discovered in GitLab Community Edition 11.x before 11.1.8, 11.2.x before 11.2.5, and 11.3.x before 11.3.2. There is Information Exposure via the GFM markdown API.
Scope: local
sid: resolved (fixed in 11.1.8+dfsg-2)
debian
CVE-2018-14606 | MEDIUM | CVSS 5.4 | fixed in gitlab 10.8.7+dfsg-1 (sid) | 2018
An issue was discovered in GitLab Community and Enterprise Edition before 10.8.7, 11.0.x before 11.0.5, and 11.1.x before 11.1.2. XSS can occur via a Milestone name during a promotion.
Scope: local
sid: resolved (fixed in 10.8.7+dfsg-1)
debian
CVE-2018-20490 | MEDIUM | CVSS 5.4 | fixed in gitlab 11.5.6+dfsg-1 (sid) | 2018
An issue was discovered in GitLab Community and Enterprise Edition 11.2.x through 11.4.x before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It allows XSS.
Scope: local
sid: resolved (fixed in 11.5.6+dfsg-1)
debian
CVE-2018-10379 | MEDIUM | CVSS 6.1 | fixed in gitlab 10.6.5+dfsg-1 (sid) | 2018
An issue was discovered in GitLab Community Edition (CE) and Enterprise Edition (EE) before 10.5.8, 10.6.x before 10.6.5, and 10.7.x before 10.7.2. The Move Issue feature contained a persistent XSS vulnerability.
Scope: local
sid: resolved (fixed in 10.6.5+dfsg-1)
debian
CVE-2018-19580 | MEDIUM | CVSS 5.3 | fixed in gitlab 11.3.11+dfsg-1 (sid) | 2018
All versions of GitLab prior to 11.5.1, 11.4.8, and 11.3.11 do not send an email to the old email address when an email address change is made.
Scope: local
sid: resolved (fixed in 11.3.11+dfsg-1)
debian
CVE-2018-9244 | MEDIUM | CVSS 6.1 | fixed in gitlab 10.6.3+dfsg-1 (sid) | 2018
GitLab Community and Enterprise Editions version 9.2 up to 10.4 are vulnerable to XSS because a lack of input validation in the milestones component leads to cross site scripting (specifically, data-milestone-id in the milestone dropdown feature). This is fixed in 10.6.3, 10.5.7, and 10.4.7.
Scope: local
sid: resolved (fixed in 10.6.3+dfsg-1)
debian
CVE-2018-18640 | MEDIUM | CVSS 6.5 | fixed in gitlab 11.2.8+dfsg-2 (sid) | 2018
An issue was discovered in GitLab Community and Enterprise Edition before 11.2.7, 11.3.x before 11.3.8, and 11.4.x before 11.4.3. It has Information Exposure Through Browser Caching.
Scope: local
sid: resolved (fixed in 11.2.8+dfsg-2)
debian
CVE-2018-20501 | MEDIUM | CVSS 6.3 | fixed in gitlab 11.5.6+dfsg-1 (sid) | 2018
An issue was discovered in GitLab Community and Enterprise Edition before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It has Incorrect Access Control.
Scope: local
sid: resolved (fixed in 11.5.6+dfsg-1)
debian
CVE-2018-14604 | MEDIUM | CVSS 6.1 | fixed in gitlab 10.8.7+dfsg-1 (sid) | 2018
An issue was discovered in GitLab Community and Enterprise Edition before 10.8.7, 11.0.x before 11.0.5, and 11.1.x before 11.1.2. XSS can occur in the tooltip of the job inside the CI/CD pipeline.
Scope: local
sid: resolved (fixed in 10.8.7+dfsg-1)
debian
CVE-2018-12606 | MEDIUM | CVSS 5.4 | fixed in gitlab 10.7.7+dfsg-2 (sid) | 2018
An issue was discovered in GitLab Community Edition and Enterprise Edition before 10.7.6, 10.8.x before 10.8.5, and 11.x before 11.0.1. The wiki contains a persistent XSS issue due to a lack of output encoding affecting a specific markdown feature.
Scope: local
sid: resolved (fixed in 10.7.7+dfsg-2)
debian
CVE-2018-20497 | MEDIUM | CVSS 5.0 | fixed in gitlab 11.5.6+dfsg-1 (sid) | 2018
An issue was discovered in GitLab Community and Enterprise Edition before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It allows SSRF.
Scope: local
sid: resolved (fixed in 11.5.6+dfsg-1)
debian
CVE-2018-8801 | MEDIUM | CVSS 6.5 | fixed in gitlab 10.5.6+dfsg-1 (sid) | 2018
GitLab Community and Enterprise Editions version 8.3 up to 10.x before 10.3 are vulnerable to SSRF in the Services and webhooks component.
Scope: local
sid: resolved (fixed in 10.5.6+dfsg-1)
debian
CVE-2018-20507 | MEDIUM | CVSS 5.3 | fixed in gitlab 11.5.6+dfsg-1 (sid) | 2018
An issue was discovered in GitLab Enterprise Edition 11.2.x through 11.4.x before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It has Incorrect Access Control.
Scope: local
sid: resolved (fixed in 11.5.6+dfsg-1)
debian
CVE-2018-19493 | MEDIUM | CVSS 6.1 | fixed in gitlab 11.3.11+dfsg-1 (sid) | 2018
An issue was discovered in GitLab Community and Enterprise Edition 11.x before 11.3.11, 11.4.x before 11.4.8, and 11.5.x before 11.5.1. There is a persistent XSS vulnerability in the environment pages due to a lack of input validation and output encoding.
Scope: local
sid: resolved (fixed in 11.3.11+dfsg-1)
debian
CVE-2018-20495 | MEDIUM | CVSS 5.3 | fixed in gitlab 11.5.6+dfsg-1 (sid) | 2018
An issue was discovered in GitLab Community and Enterprise Edition 11.3.x and 11.4.x before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It allows Information Exposure.
Scope: local
sid: resolved (fixed in 11.5.6+dfsg-1)
debian
CVE-2018-19572 | MEDIUM | CVSS 5.9 | fixed in gitlab 11.3.11+dfsg-1 (sid) | 2018
GitLab CE 8.17 and later and EE 8.3 and later have a symlink time-of-check-to-time-of-use race condition that would allow unauthorized access to files in the GitLab Pages chroot environment. This is fixed in versions 11.5.1, 11.4.8, and 11.3.11.
Scope: local
sid: resolved (fixed in 11.3.11+dfsg-1)
debian