FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

Gitlab -- Multiple Vulnerabilities

Affected packages
14.6.0 <= gitlab-ce < 14.6.2
14.5.0 <= gitlab-ce < 14.5.3
7.7 <= gitlab-ce < 14.4.5

Details

VuXML ID: 43f84437-73ab-11ec-a587-001b217b3468
Discovery: 2022-01-11
Entry: 2022-01-12

Gitlab reports:

Arbitrary file read via group import feature

Stored XSS in notes

Lack of state parameter on GitHub import project OAuth

Vulnerability-related fields are available to unauthorized users on GraphQL API

Deleting packages may cause table locks

IP restriction bypass via GraphQL

Repository content spoofing using Git replacement references

Users can import members from projects that they are not a maintainer on through the API

Possibility to direct user to malicious site through Slack integration

Bypassing file size limits to the NPM package repository

User with expired password can still access sensitive information

Incorrect port validation allows access to services on ports 80 and 443 if GitLab is configured to run on another port

References

CVE Name: CVE-2021-39927
CVE Name: CVE-2021-39942
CVE Name: CVE-2021-39946
CVE Name: CVE-2022-0090
CVE Name: CVE-2022-0093
CVE Name: CVE-2022-0124
CVE Name: CVE-2022-0125
CVE Name: CVE-2022-0151
CVE Name: CVE-2022-0152
CVE Name: CVE-2022-0154
CVE Name: CVE-2022-0172
URL: https://about.gitlab.com/releases/2022/01/11/security-release-gitlab-14-6-2-released/