git: f6dcf158f22b - main - security/vuxml: document gitlab vulnerabilities
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Sat, 05 Nov 2022 06:05:10 UTC
The branch main has been updated by mfechner:
URL: https://cgit.FreeBSD.org/ports/commit/?id=f6dcf158f22be6b25344b4aceb4ec7371fe423a8
commit f6dcf158f22be6b25344b4aceb4ec7371fe423a8
Author: Matthias Fechner <mfechner@FreeBSD.org>
AuthorDate: 2022-11-05 06:04:29 +0000
Commit: Matthias Fechner <mfechner@FreeBSD.org>
CommitDate: 2022-11-05 06:05:05 +0000
security/vuxml: document gitlab vulnerabilities
---
security/vuxml/vuln-2022.xml | 53 ++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 53 insertions(+)
diff --git a/security/vuxml/vuln-2022.xml b/security/vuxml/vuln-2022.xml
index 91b1b98985e0..cca88bd9082c 100644
--- a/security/vuxml/vuln-2022.xml
+++ b/security/vuxml/vuln-2022.xml
@@ -1,3 +1,56 @@
+ <vuln vid="16f7ec68-5cce-11ed-9be7-454b1dd82c64">
+ <topic>Gitlab -- Multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>gitlab-ce</name>
+ <range><ge>15.5.0</ge><lt>15.5.2</lt></range>
+ <range><ge>15.4.0</ge><lt>15.4.4</lt></range>
+ <range><ge>9.3.0</ge><lt>15.3.5</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Gitlab reports:</p>
+ <blockquote cite="https://about.gitlab.com/releases/2022/11/02/security-release-gitlab-15-5-2-released/">
+ <p>DAST analyzer sends custom request headers with every request</p>
+ <p>Stored-XSS with CSP-bypass via scoped labels' color</p>
+ <p>Maintainer can leak Datadog API key by changing integration URL</p>
+ <p>Uncontrolled resource consumption when parsing URLs</p>
+ <p>Issue HTTP requests when users view an OpenAPI document and click buttons</p>
+ <p>Command injection in CI jobs via branch name in CI pipelines</p>
+ <p>Open redirection</p>
+ <p>Prefill variables do not check permission of the project in external CI config</p>
+ <p>Disclosure of audit events to insufficiently permissioned group and project members</p>
+ <p>Arbitrary GFM references rendered in Jira issue description leak private/confidential resources</p>
+ <p>Award emojis API for an internal note is accessible to users without access to the note</p>
+ <p>Open redirect in pipeline artifacts when generating HTML documents</p>
+ <p>Retrying a job in a downstream pipeline allows the retrying user to take ownership of the retried jobs in upstream pipelines</p>
+ <p>Project-level Secure Files can be written out of the target directory</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2022-3767</cvename>
+ <cvename>CVE-2022-3265</cvename>
+ <cvename>CVE-2022-3483</cvename>
+ <cvename>CVE-2022-3818</cvename>
+ <cvename>CVE-2022-3726</cvename>
+ <cvename>CVE-2022-2251</cvename>
+ <cvename>CVE-2022-3486</cvename>
+ <cvename>CVE-2022-3793</cvename>
+ <cvename>CVE-2022-3413</cvename>
+ <cvename>CVE-2022-2761</cvename>
+ <cvename>CVE-2022-3819</cvename>
+ <cvename>CVE-2022-3280</cvename>
+ <cvename>CVE-2022-3706</cvename>
+ <url>https://about.gitlab.com/releases/2022/11/02/security-release-gitlab-15-5-2-released/</url>
+ </references>
+ <dates>
+ <discovery>2022-11-02</discovery>
+ <entry>2022-11-05</entry>
+ </dates>
+ </vuln>
+
<vuln vid="b278783f-5c1d-11ed-a21f-001fc69cd6dc">
<topic>pixman -- heap overflow</topic>
<affects>