FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

Gitlab -- Gitlab

Affected packages
14.1.0 <= gitlab-ce < 14.1.2
14.0.0 <= gitlab-ce < 14.0.7
0 <= gitlab-ce < 13.12.9

Details

VuXML ID 1d651770-f4f5-11eb-ba49-001b217b3468
Discovery 2021-08-03
Entry 2021-08-04

Gitlab reports:

Stored XSS in Mermaid when viewing Markdown files

Stored XSS in default branch name

Perform Git actions with an impersonation token even if impersonation is disabled

Tag and branch name confusion allows Developer to access protected CI variables

New subscriptions generate OAuth tokens on an incorrect OAuth client application

Ability to list and delete impersonation tokens for your own user

Pipelines page is partially visible for users that have no right to see CI/CD

Improper email validation on an invite URL

Unauthorised user was able to add metadata upon issue creation

Unauthorized user can trigger deployment to a protected environment

Guest in private project can see CI/CD Analytics

Guest users can create issues for Sentry errors and track their status

Private user email disclosure via group invitation

Projects are allowed to add members with email address domain that should be blocked by group settings

Misleading username could lead to impersonation in using SSH Certificates

Unauthorized user is able to access and view project vulnerability reports

Denial of service in repository caused by malformed commit author

References

CVE Name CVE-2021-22236
CVE Name CVE-2021-22237
CVE Name CVE-2021-22239
URL https://about.gitlab.com/releases/2021/08/03/security-release-gitlab-14-1-2-released/