FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

Gitlab -- Multiple Vulnerabilities

Affected packages
15.6.0 <= gitlab-ce < 15.6.1
15.5.0 <= gitlab-ce < 15.5.5
9.3.0 <= gitlab-ce < 15.4.6

Details

VuXML ID 3cde510a-7135-11ed-a28b-bff032704f00
Discovery 2022-11-30
Entry 2022-12-01

Gitlab reports:

DAST API scanner exposes Authorization headers in vulnerabilities

Group IP allow-list not fully respected by the Package Registry

Deploy keys and tokens may bypass External Authorization service if it is enabled

Repository import still allows to import 40 hexadecimal branches

Webhook secret tokens leaked in webhook logs

Maintainer can leak webhook secret token by changing the webhook URL

Cross-site scripting in Jira Integration affecting self-hosted instances without strict CSP

Release names visible in public projects despite release set as project members only

Sidekiq background job DoS by uploading malicious NuGet packages

SSRF in Web Terminal advertise_address

References

CVE Name CVE-2022-3478
CVE Name CVE-2022-3482
CVE Name CVE-2022-3572
CVE Name CVE-2022-3740
CVE Name CVE-2022-3820
CVE Name CVE-2022-3902
CVE Name CVE-2022-4054
CVE Name CVE-2022-4201
CVE Name CVE-2022-4205
CVE Name CVE-2022-4206
URL https://about.gitlab.com/releases/2022/11/30/security-release-gitlab-15-6-1-released/