git: f6dcf158f22b - main - security/vuxml: document gitlab vulnerabilities
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Sat, 05 Nov 2022 06:05:10 UTC
The branch main has been updated by mfechner: URL: https://cgit.FreeBSD.org/ports/commit/?id=f6dcf158f22be6b25344b4aceb4ec7371fe423a8 commit f6dcf158f22be6b25344b4aceb4ec7371fe423a8 Author: Matthias Fechner <mfechner@FreeBSD.org> AuthorDate: 2022-11-05 06:04:29 +0000 Commit: Matthias Fechner <mfechner@FreeBSD.org> CommitDate: 2022-11-05 06:05:05 +0000 security/vuxml: document gitlab vulnerabilities --- security/vuxml/vuln-2022.xml | 53 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 53 insertions(+) diff --git a/security/vuxml/vuln-2022.xml b/security/vuxml/vuln-2022.xml index 91b1b98985e0..cca88bd9082c 100644 --- a/security/vuxml/vuln-2022.xml +++ b/security/vuxml/vuln-2022.xml @@ -1,3 +1,56 @@ + <vuln vid="16f7ec68-5cce-11ed-9be7-454b1dd82c64"> + <topic>Gitlab -- Multiple vulnerabilities</topic> + <affects> + <package> + <name>gitlab-ce</name> + <range><ge>15.5.0</ge><lt>15.5.2</lt></range> + <range><ge>15.4.0</ge><lt>15.4.4</lt></range> + <range><ge>9.3.0</ge><lt>15.3.5</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Gitlab reports:</p> + <blockquote cite="https://about.gitlab.com/releases/2022/11/02/security-release-gitlab-15-5-2-released/"> + <p>DAST analyzer sends custom request headers with every request</p> + <p>Stored-XSS with CSP-bypass via scoped labels' color</p> + <p>Maintainer can leak Datadog API key by changing integration URL</p> + <p>Uncontrolled resource consumption when parsing URLs</p> + <p>Issue HTTP requests when users view an OpenAPI document and click buttons</p> + <p>Command injection in CI jobs via branch name in CI pipelines</p> + <p>Open redirection</p> + <p>Prefill variables do not check permission of the project in external CI config</p> + <p>Disclosure of audit events to insufficiently permissioned group and project members</p> + <p>Arbitrary GFM references rendered in Jira issue description leak private/confidential resources</p> + <p>Award emojis API for an internal note is accessible to users without access to the note</p> + <p>Open redirect in pipeline artifacts when generating HTML documents</p> + <p>Retrying a job in a downstream pipeline allows the retrying user to take ownership of the retried jobs in upstream pipelines</p> + <p>Project-level Secure Files can be written out of the target directory</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2022-3767</cvename> + <cvename>CVE-2022-3265</cvename> + <cvename>CVE-2022-3483</cvename> + <cvename>CVE-2022-3818</cvename> + <cvename>CVE-2022-3726</cvename> + <cvename>CVE-2022-2251</cvename> + <cvename>CVE-2022-3486</cvename> + <cvename>CVE-2022-3793</cvename> + <cvename>CVE-2022-3413</cvename> + <cvename>CVE-2022-2761</cvename> + <cvename>CVE-2022-3819</cvename> + <cvename>CVE-2022-3280</cvename> + <cvename>CVE-2022-3706</cvename> + <url>https://about.gitlab.com/releases/2022/11/02/security-release-gitlab-15-5-2-released/</url> + </references> + <dates> + <discovery>2022-11-02</discovery> + <entry>2022-11-05</entry> + </dates> + </vuln> + <vuln vid="b278783f-5c1d-11ed-a21f-001fc69cd6dc"> <topic>pixman -- heap overflow</topic> <affects>