FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

Gitlab -- multiple vulnerabilities

Affected packages
14.7.0 <= gitlab-ce < 14.7.1
14.6.0 <= gitlab-ce < 14.6.4
0 <= gitlab-ce < 14.5.4
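The three lines above are half-open ranges: the lower bound is inclusive and the upper bound (the fixed release) is exclusive, so 14.7.0 is affected and 14.7.1 is not. The following checker, an added example that is not part of the VuXML entry or of the FreeBSD `pkg` tooling, turns those ranges into a function that tells whether a given gitlab-ce version is affected. It assumes plain dotted numeric versions; a FreeBSD PORTREVISION suffix (`_1`) or PORTEPOCH (`,1`) is stripped rather than compared, which is a simplification of pkg's real version rules.

```python
"""Check an installed gitlab-ce version against the advisory's affected ranges.

Added example, not FreeBSD/VuXML code. Version comparison is simplified
(assumption): only the dotted numeric part is compared, and missing trailing
components are treated as zero, so 14.7 == 14.7.0.
"""
import re

# Ranges copied from the advisory's "Affected packages" block.
# Each tuple is (lower bound, inclusive; upper bound, exclusive).
AFFECTED_RANGES = [
    ("14.7.0", "14.7.1"),
    ("14.6.0", "14.6.4"),
    ("0", "14.5.4"),
]


def parse_version(version):
    """Return the dotted numeric part of a version as a tuple of ints.

    A port revision ("_N") or epoch (",N") is dropped here; this is an
    assumption made for the example, not how pkg compares versions.
    """
    base = version.split("_", 1)[0].split(",", 1)[0]
    if not re.fullmatch(r"\d+(\.\d+)*", base):
        raise ValueError(f"unsupported version string: {version!r}")
    return tuple(int(part) for part in base.split("."))


def compare(a, b):
    """Three-way compare two version strings: -1, 0 or 1."""
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    ta += (0,) * (width - len(ta))   # pad so 14.7 and 14.7.0 compare equal
    tb += (0,) * (width - len(tb))
    return (ta > tb) - (ta < tb)


def affected_range(version, ranges=AFFECTED_RANGES):
    """Return the (lower, upper) range that covers `version`, or None if fixed."""
    for lower, upper in ranges:
        if compare(lower, version) <= 0 and compare(version, upper) < 0:
            return (lower, upper)
    return None


def is_affected(version, ranges=AFFECTED_RANGES):
    """True if `version` falls inside any affected range."""
    return affected_range(version, ranges) is not None


if __name__ == "__main__":
    # Constructed sample versions, chosen to sit on both sides of each boundary.
    for v in ["14.7.0", "14.7.0_1", "14.7.1", "14.6.3", "14.6.4", "14.5.3", "14.5.4", "13.12.0"]:
        rng = affected_range(v)
        status = f"affected ({rng[0]} <= v < {rng[1]})" if rng else "not affected"
        print(f"gitlab-ce-{v}: {status}")
```

In practice the version to test comes from `pkg query '%v' gitlab-ce`; `pkg audit` performs this same range check against the full VuXML database and is the tool to rely on, this block only makes the boundary semantics explicit.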

Details

VuXML ID 3507bfb3-85d5-11ec-8c9c-001b217b3468
Discovery 2022-02-03
Entry 2022-02-04

Gitlab reports:

Arbitrary POST requests via special HTML attributes in Jupyter Notebooks

DNS Rebinding vulnerability in Irker IRC Gateway integration

Missing certificate validation for external CI services

Blind SSRF Through Project Import

Open redirect vulnerability in Jira Integration

Issue link was disclosing the linked issue

Service desk email accessible by project non-members

Authenticated users can search other users by their private email

"External status checks" can be accepted by users below developer access if the user is either author or assignee of the target merge request

Deleting packages in bulk from package registries may cause table locks

Autocomplete enabled on specific pages

Possible SSRF due to not blocking shared address space

System notes reveal private project path when Issue is moved to a public project

Timeout for pages using Markdown

Certain branch names could not be protected

References

CVE Name CVE-2021-39931
CVE Name CVE-2021-39943
CVE Name CVE-2022-0123
CVE Name CVE-2022-0136
CVE Name CVE-2022-0167
CVE Name CVE-2022-0249
CVE Name CVE-2022-0283
CVE Name CVE-2022-0344
CVE Name CVE-2022-0371
CVE Name CVE-2022-0373
CVE Name CVE-2022-0390
CVE Name CVE-2022-0425
CVE Name CVE-2022-0427
CVE Name CVE-2022-0477
CVE Name CVE-2022-0488
URL https://about.gitlab.com/releases/2022/02/03/security-release-gitlab-14-7-1-released/