git: 714b88f8c46c - main - security/vuxml: Document gitlab vulnerabilities
Date: Sat, 30 Oct 2021 08:33:33 UTC
The branch main has been updated by mfechner: URL: https://cgit.FreeBSD.org/ports/commit/?id=714b88f8c46cd19240c35db843ebd9960c103b83 commit 714b88f8c46cd19240c35db843ebd9960c103b83 Author: Matthias Fechner <mfechner@FreeBSD.org> AuthorDate: 2021-10-30 08:15:29 +0000 Commit: Matthias Fechner <mfechner@FreeBSD.org> CommitDate: 2021-10-30 08:33:11 +0000 security/vuxml: Document gitlab vulnerabilities --- security/vuxml/vuln-2021.xml | 57 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 57 insertions(+) diff --git a/security/vuxml/vuln-2021.xml b/security/vuxml/vuln-2021.xml index 59cf97125ed7..b6e8d83c08ad 100644 --- a/security/vuxml/vuln-2021.xml +++ b/security/vuxml/vuln-2021.xml 
@@ -1,3 +1,60 @@ + <vuln vid="33557582-3958-11ec-90ba-001b217b3468"> + <topic>Gitlab -- Multiple Vulnerabilities</topic> + <affects> + <package> + <name>gitlab-ce</name> + <range><ge>14.4.0</ge><lt>14.4.1</lt></range> + <range><ge>14.3.0</ge><lt>14.3.4</lt></range> + <range><ge>0</ge><lt>14.2.6</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Gitlab reports:</p> + <blockquote cite="https://about.gitlab.com/releases/2021/10/28/security-release-gitlab-14-4-1-released/"> + <p>Stored XSS via ipynb files</p> + <p>Pipeline schedules on imported projects can be set to automatically active after import</p> + <p>Potential Denial of service via Workhorse</p> + <p>Improper Access Control allows Merge Request creator to bypass locked status</p> + <p>Projects API discloses ID and name of private groups</p> + <p>Severity of an incident can be changed by a guest user</p> + <p>System root password accidentally written to log file</p> + <p>Potential DoS via a malformed TIFF image</p> + <p>Bypass of CODEOWNERS Merge Request approval requirement</p> + <p>Change project visibility to a restricted option</p> + <p>Project exports leak external webhook token value</p> + <p>SCIM token is visible after creation</p> + <p>Invited group members, with access inherited from parent group, continue to have project access even after invited subgroup is transfered</p> + <p>Regular expression denial of service issue when cleaning namespace path</p> + <p>Prevent creation of scopeless apps using applications API</p> + <p>Webhook data exposes assignee's private email address</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2021-39906</cvename> + <cvename>CVE-2021-39895</cvename> + <cvename>CVE-2021-39907</cvename> + <cvename>CVE-2021-39904</cvename> + <cvename>CVE-2021-39905</cvename> + <cvename>CVE-2021-39902</cvename> + <cvename>CVE-2021-39913</cvename> + <cvename>CVE-2021-39912</cvename> + 
<cvename>CVE-2021-39909</cvename> + <cvename>CVE-2021-39903</cvename> + <cvename>CVE-2021-39898</cvename> + <cvename>CVE-2021-39901</cvename> + <cvename>CVE-2021-39897</cvename> + <cvename>CVE-2021-39914</cvename> + <cvename>CVE-2021-39911</cvename> + <url>https://about.gitlab.com/releases/2021/10/28/security-release-gitlab-14-4-1-released/</url> + </references> + <dates> + <discovery>2021-10-28</discovery> + <entry>2021-10-30</entry> + </dates> + </vuln> + <vuln vid="976d7bf9-38ea-11ec-b3b0-3065ec8fd3ec"> <topic>chromium -- multiple vulnerabilities</topic> <affects>
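Review bot: the blockquote in this entry quotes sixteen advisory items while the references section carries only fifteen cvename entries, so one described issue (for example "Prevent creation of scopeless apps using applications API" or "Change project visibility to a restricted option") cannot be traced to a CVE from this record; please check the linked 14.4.1 advisory and either add the missing cvename or confirm in the commit that one item had no identifier assigned. Minor: the quoted line "even after invited subgroup is transfered" has a spelling slip; keep it if it is copied verbatim from the advisory, otherwise correct it to "transferred".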